
From bcampbell@pingidentity.com  Thu Aug  1 00:11:09 2013
From: Brian Campbell <bcampbell@pingidentity.com>
Date: Thu, 1 Aug 2013 09:10:26 +0200
Message-ID: <CA+k3eCQQ9EpU5xormicTLSoSG_jNT=6v8p0SPDbCBDesUd7oWw@mail.gmail.com>
To: Anthony Nadalin <tonynad@microsoft.com>
Cc: oauth mailing list <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Informal Dinner Discussion; Thursday @ 19:00

That's a 35 minute walk each way. Will MSFT be providing transportation?




On Thu, Aug 1, 2013 at 8:52 AM, Anthony Nadalin <tonynad@microsoft.com> wrote:

> How about http://www.zollpackhof.de/english/restaurant/terrassen.html
>
>
> -----Original Message-----
> From: oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] On Behalf Of
> Hannes Tschofenig
> Sent: Wednesday, July 31, 2013 6:15 AM
> To: oauth mailing list
> Subject: [OAUTH-WG] Informal Dinner Discussion; Thursday @ 19:00
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA512
>
> Hi all,
>
> as mentioned during the OAuth WG meeting today we will meet for an
> informal discussion about the next steps in OAuth in the hotel lobby at
> 19:00 on Thursday.
> We have not yet decided where to go.
>
> Ciao
> Hannes
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG/MacGPG2 v2.0.19 (Darwin)
> Comment: GPGTools - http://gpgtools.org
>
> -----END PGP SIGNATURE-----
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth


From tonynad@microsoft.com  Thu Aug  1 00:14:28 2013
From: Anthony Nadalin <tonynad@microsoft.com>
To: Brian Campbell <bcampbell@pingidentity.com>
Date: Thu, 1 Aug 2013 07:14:09 +0000
Message-ID: <0601181f1554404395c6f04b95d7caee@BY2PR03MB189.namprd03.prod.outlook.com>
Cc: oauth mailing list <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Informal Dinner Discussion; Thursday @ 19:00


It's called exercise or take the S7, this also gives you a culture experience of getting away from the hotel and IETF crowd.

From: Brian Campbell [mailto:bcampbell@pingidentity.com]
Sent: Thursday, August 1, 2013 12:10 AM
To: Anthony Nadalin
Cc: Hannes Tschofenig; oauth mailing list
Subject: Re: [OAUTH-WG] Informal Dinner Discussion; Thursday @ 19:00

That's a 35 minute walk each way. Will MSFT be providing transportation?


On Thu, Aug 1, 2013 at 8:52 AM, Anthony Nadalin <tonynad@microsoft.com> wrote:
How about http://www.zollpackhof.de/english/restaurant/terrassen.html


-----Original Message-----
From: oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] On Behalf Of Hannes Tschofenig
Sent: Wednesday, July 31, 2013 6:15 AM
To: oauth mailing list
Subject: [OAUTH-WG] Informal Dinner Discussion; Thursday @ 19:00

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Hi all,

as mentioned during the OAuth WG meeting today we will meet for an informal discussion about the next steps in OAuth in the hotel lobby at 19:00 on Thursday.
We have not yet decided where to go.

Ciao
Hannes

-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.19 (Darwin)
Comment: GPGTools - http://gpgtools.org

-----END PGP SIGNATURE-----
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth








From phil.hunt@oracle.com  Thu Aug  1 00:18:14 2013
From: Phil Hunt <phil.hunt@oracle.com>
Date: Thu, 1 Aug 2013 09:18:01 +0200
Message-Id: <B2251C38-87A2-45F4-B63E-6E89D04A21F1@oracle.com>
To: Anthony Nadalin <tonynad@microsoft.com>
Cc: oauth mailing list <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Informal Dinner Discussion; Thursday @ 19:00


After about the 5th or 6th beer, the concern about Tony not wanting to take a cab starts to go away.

Phil

@independentid
www.independentid.com
phil.hunt@oracle.com





On 2013-08-01, at 9:14 AM, Anthony Nadalin <tonynad@microsoft.com> wrote:

> It's called exercise or take the S7, this also gives you a culture experience of getting away from the hotel and IETF crowd.
>
> From: Brian Campbell [mailto:bcampbell@pingidentity.com]
> Sent: Thursday, August 1, 2013 12:10 AM
> To: Anthony Nadalin
> Cc: Hannes Tschofenig; oauth mailing list
> Subject: Re: [OAUTH-WG] Informal Dinner Discussion; Thursday @ 19:00
>
> That's a 35 minute walk each way. Will MSFT be providing transportation?
>
> On Thu, Aug 1, 2013 at 8:52 AM, Anthony Nadalin <tonynad@microsoft.com> wrote:
> How about http://www.zollpackhof.de/english/restaurant/terrassen.html
>
>
> -----Original Message-----
> From: oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] On Behalf Of Hannes Tschofenig
> Sent: Wednesday, July 31, 2013 6:15 AM
> To: oauth mailing list
> Subject: [OAUTH-WG] Informal Dinner Discussion; Thursday @ 19:00
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA512
>
> Hi all,
>
> as mentioned during the OAuth WG meeting today we will meet for an informal discussion about the next steps in OAuth in the hotel lobby at 19:00 on Thursday.
> We have not yet decided where to go.
>
> Ciao
> Hannes
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG/MacGPG2 v2.0.19 (Darwin)
> Comment: GPGTools - http://gpgtools.org
>
> -----END PGP SIGNATURE-----
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth


">&nbsp;</span></a></div><div style=3D"margin: 0in 0in 0.0001pt; =
font-size: 12pt; font-family: 'Times New Roman', serif; "><b><span =
style=3D"font-size: 11pt; font-family: Calibri, sans-serif; =
">From:</span></b><span style=3D"font-size: 11pt; font-family: Calibri, =
sans-serif; "><span class=3D"Apple-converted-space">&nbsp;</span>Brian =
Campbell [mailto:bcampbell@<a =
href=3D"http://pingidentity.com">pingidentity.com</a>]<span =
class=3D"Apple-converted-space">&nbsp;</span><br><b>Sent:</b><span =
class=3D"Apple-converted-space">&nbsp;</span>Thursday, August 1, 2013 =
12:10 AM<br><b>To:</b><span =
class=3D"Apple-converted-space">&nbsp;</span>Anthony =
Nadalin<br><b>Cc:</b><span =
class=3D"Apple-converted-space">&nbsp;</span>Hannes Tschofenig; oauth =
mailing list<br><b>Subject:</b><span =
class=3D"Apple-converted-space">&nbsp;</span>Re: [OAUTH-WG] Informal =
Dinner Discussion; Thursday @ 19:00<o:p></o:p></span></div><div =
style=3D"margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times =
New Roman', serif; "><o:p>&nbsp;</o:p></div><div><p class=3D"MsoNormal" =
style=3D"margin: 0in 0in 12pt; font-size: 12pt; font-family: 'Times New =
Roman', serif; ">That's a 35 minute walk each way. Will MSFT be =
providing transportation?<br><br><o:p></o:p></p></div><div><p =
class=3D"MsoNormal" style=3D"margin: 0in 0in 12pt; font-size: 12pt; =
font-family: 'Times New Roman', serif; "><o:p>&nbsp;</o:p></p><div><div =
style=3D"margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times =
New Roman', serif; ">On Thu, Aug 1, 2013 at 8:52 AM, Anthony Nadalin =
&lt;<a href=3D"mailto:tonynad@microsoft.com" target=3D"_blank" =
style=3D"color: purple; text-decoration: underline; =
">tonynad@microsoft.com</a>&gt; wrote:<o:p></o:p></div><blockquote =
style=3D"border-style: none none none solid; border-left-width: 1pt; =
border-left-color: rgb(204, 204, 204); padding: 0in 0in 0in 6pt; =
margin-left: 4.8pt; margin-right: 0in; "><div style=3D"margin: 0in 0in =
0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif; ">How =
about<span class=3D"Apple-converted-space">&nbsp;</span><a =
href=3D"http://www.zollpackhof.de/english/restaurant/terrassen.html" =
target=3D"_blank" style=3D"color: purple; text-decoration: underline; =
">http://www.zollpackhof.de/english/restaurant/terrassen.html</a><o:p></o:=
p></div><div><div style=3D"margin: 0in 0in 0.0001pt; font-size: 12pt; =
font-family: 'Times New Roman', serif; "><br><br>-----Original =
Message-----<br>From:<span class=3D"Apple-converted-space">&nbsp;</span><a=
 href=3D"mailto:oauth-bounces@ietf.org" style=3D"color: purple; =
text-decoration: underline; ">oauth-bounces@ietf.org</a><span =
class=3D"Apple-converted-space">&nbsp;</span>[mailto:<a =
href=3D"mailto:oauth-bounces@ietf.org" style=3D"color: purple; =
text-decoration: underline; ">oauth-bounces@ietf.org</a>] On Behalf Of =
Hannes Tschofenig<br>Sent: Wednesday, July 31, 2013 6:15 AM<br>To: oauth =
mailing list<br>Subject: [OAUTH-WG] Informal Dinner Discussion; Thursday =
@ 19:00<br><br>-----BEGIN PGP SIGNED MESSAGE-----<br>Hash: =
SHA512<br><br>Hi all,<br><br>as mentioned during the OAuth WG meeting =
today we will meet for an informal discussion about the next steps in =
OAuth in the hotel lobby at 19:00 on Thursday.<br>We have not yet =
decided where to go.<br><br>Ciao<br>Hannes<br><br>-----BEGIN PGP =
SIGNATURE-----<br>Version: GnuPG/MacGPG2 v2.0.19 (Darwin)<br>Comment: =
GPGTools -<span class=3D"Apple-converted-space">&nbsp;</span><a =
href=3D"http://gpgtools.org/" target=3D"_blank" style=3D"color: purple; =
text-decoration: underline; =
">http://gpgtools.org</a><br><br>-----END PGP =
SIGNATURE-----<br>_______________________________________________<br>OAuth=
 mailing list<br><a href=3D"mailto:OAuth@ietf.org" style=3D"color: =
purple; text-decoration: underline; ">OAuth@ietf.org</a><br><a =
href=3D"https://www.ietf.org/mailman/listinfo/oauth" target=3D"_blank" =
style=3D"color: purple; text-decoration: underline; =
">https://www.ietf.org/mailman/listinfo/oauth</a><br><br><br><br><br><br>_=
______________________________________________<br>OAuth mailing =
list<br><a href=3D"mailto:OAuth@ietf.org" style=3D"color: purple; =
text-decoration: underline; ">OAuth@ietf.org</a><br><a =
href=3D"https://www.ietf.org/mailman/listinfo/oauth" target=3D"_blank" =
style=3D"color: purple; text-decoration: underline; =
">https://www.ietf.org/mailman/listinfo/oauth</a><o:p></o:p></div></div></=
blockquote></div><div style=3D"margin: 0in 0in 0.0001pt; font-size: =
12pt; font-family: 'Times New Roman', serif; =
"><o:p>&nbsp;</o:p></div></div></div>_____________________________________=
__________<br>OAuth mailing list<br><a =
href=3D"mailto:OAuth@ietf.org">OAuth@ietf.org</a><br>https://www.ietf.org/=
mailman/listinfo/oauth</div></blockquote></div><br></div></body></html>=

--Apple-Mail=_8109DA78-F55C-4BE2-8293-922818566B24--

From bcampbell@pingidentity.com  Thu Aug  1 00:35:15 2013
Return-Path: <bcampbell@pingidentity.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C47F421F85B3 for <oauth@ietfa.amsl.com>; Thu,  1 Aug 2013 00:35:15 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.856
X-Spam-Level: 
X-Spam-Status: No, score=-5.856 tagged_above=-999 required=5 tests=[AWL=0.120,  BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id haMSo8t1zqMP for <oauth@ietfa.amsl.com>; Thu,  1 Aug 2013 00:35:11 -0700 (PDT)
Received: from na3sys009aog106.obsmtp.com (na3sys009aog106.obsmtp.com [74.125.149.77]) by ietfa.amsl.com (Postfix) with ESMTP id 1DAD321F9DC9 for <oauth@ietf.org>; Thu,  1 Aug 2013 00:35:11 -0700 (PDT)
Received: from mail-ob0-f181.google.com ([209.85.214.181]) (using TLSv1) by na3sys009aob106.postini.com ([74.125.148.12]) with SMTP ID DSNKUfoPrhh1hmd/SwoyA9X35+oX0WFfKX7I@postini.com; Thu, 01 Aug 2013 00:35:11 PDT
Received: by mail-ob0-f181.google.com with SMTP id dn14so3272696obc.12 for <oauth@ietf.org>; Thu, 01 Aug 2013 00:35:10 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc:content-type:x-gm-message-state; bh=w9xI3f/wyU1la08bi7WNb3H0ZBWDGmWUTmlTyUNzC0Y=; b=nA3/3epoPlqyNiBDOqMYMLOQFBkxa+tAwp8MrbCOILp9ZUtIeLajkjKQIwCcnkXwna Q3x7sJmZ3yzJ8b7sphqYmywCE/yzoIuT3VvEMSUOGNscigcCtnLq10qJ6z7HzSeVuDBX pkCWxNf+FyIDzGyKdAO4dMwaVZNUO2LmRYgEdfb7dnD0C/N/PyynRcPDwNU2YiHEVjxd 3o5576jbsGX7BEhAn7t4FUYJJcf6xICy4fkKCryRqcEPBwrDKvi/CdwaZE3x7zK5/HK+ gWqdJ7GZjmmSs2QdbFJS/MY1Pww1W73w3UeWwzbZuvYxoIeXtBgzItrgJ5X7cRa/FPHl 1U2w==
X-Received: by 10.50.44.98 with SMTP id d2mr36251igm.28.1375342510420; Thu, 01 Aug 2013 00:35:10 -0700 (PDT)
X-Received: by 10.50.44.98 with SMTP id d2mr36249igm.28.1375342510325; Thu, 01 Aug 2013 00:35:10 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.64.41.34 with HTTP; Thu, 1 Aug 2013 00:34:40 -0700 (PDT)
In-Reply-To: <0601181f1554404395c6f04b95d7caee@BY2PR03MB189.namprd03.prod.outlook.com>
References: <4892E468-8076-41C7-9626-F39C21BECD15@gmx.net> <05640ecf7f464bc7809aed3e40c8c192@BY2PR03MB189.namprd03.prod.outlook.com> <CA+k3eCQQ9EpU5xormicTLSoSG_jNT=6v8p0SPDbCBDesUd7oWw@mail.gmail.com> <0601181f1554404395c6f04b95d7caee@BY2PR03MB189.namprd03.prod.outlook.com>
From: Brian Campbell <bcampbell@pingidentity.com>
Date: Thu, 1 Aug 2013 09:34:40 +0200
Message-ID: <CA+k3eCSjzC_+0mYL8Jh76vFzx-pHOAeomZbsLr3jn0SckG1_jQ@mail.gmail.com>
To: Anthony Nadalin <tonynad@microsoft.com>
Content-Type: multipart/alternative; boundary=e89a8f839371c5e07904e2dde17f
X-Gm-Message-State: ALoCoQmSPIvdt1qNUnFeK/OGQ1sIl06G/+lplpx+npQT6+unVC82Ryo6BBFew2z6jBp3VmBt0WwocGeyfKt2ozI0pIR4CNf4IRiE5VRs1xOWNXYoWMwN7abBDdb91cVgoxNvRvH2LPpkkyHp9HDo50UppSvXwdwIDw==
Cc: oauth mailing list <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Informal Dinner Discussion; Thursday @ 19:00
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 01 Aug 2013 07:35:15 -0000

--e89a8f839371c5e07904e2dde17f
Content-Type: text/plain; charset=windows-1252
Content-Transfer-Encoding: quoted-printable

I wasn't concerned about the exercise but rather with having to spend that
much more time with you.


On Thu, Aug 1, 2013 at 9:14 AM, Anthony Nadalin <tonynad@microsoft.com> wrote:

> It's called exercise or take the S7, this also give you a culture
> experience of getting away from the hotel and IETF crowd.
>
> *From:* Brian Campbell [mailto:bcampbell@pingidentity.com]
> *Sent:* Thursday, August 1, 2013 12:10 AM
> *To:* Anthony Nadalin
> *Cc:* Hannes Tschofenig; oauth mailing list
> *Subject:* Re: [OAUTH-WG] Informal Dinner Discussion; Thursday @ 19:00
>
> That's a 35 minute walk each way. Will MSFT be providing transportation?
>
> On Thu, Aug 1, 2013 at 8:52 AM, Anthony Nadalin <tonynad@microsoft.com>
> wrote:
>
> How about http://www.zollpackhof.de/english/restaurant/terrassen.html
>
>
>
> -----Original Message-----
> From: oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] On Behalf Of
> Hannes Tschofenig
> Sent: Wednesday, July 31, 2013 6:15 AM
> To: oauth mailing list
> Subject: [OAUTH-WG] Informal Dinner Discussion; Thursday @ 19:00
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA512
>
> Hi all,
>
> as mentioned during the OAuth WG meeting today we will meet for an
> informal discussion about the next steps in OAuth in the hotel lobby at
> 19:00 on Thursday.
> We have not yet decided where to go.
>
> Ciao
> Hannes
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG/MacGPG2 v2.0.19 (Darwin)
> Comment: GPGTools - http://gpgtools.org
>
> -----END PGP SIGNATURE-----
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth

--e89a8f839371c5e07904e2dde17f--

From tonynad@microsoft.com  Thu Aug  1 00:43:27 2013
Return-Path: <tonynad@microsoft.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1DCB221F9DA5 for <oauth@ietfa.amsl.com>; Thu,  1 Aug 2013 00:43:27 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.566
X-Spam-Level: 
X-Spam-Status: No, score=-1.566 tagged_above=-999 required=5 tests=[AWL=-1.100, BAYES_00=-2.599, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-1, UNRESOLVED_TEMPLATE=3.132]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id J7KJRNz7N3ra for <oauth@ietfa.amsl.com>; Thu,  1 Aug 2013 00:43:22 -0700 (PDT)
Received: from am1outboundpool.messaging.microsoft.com (am1ehsobe004.messaging.microsoft.com [213.199.154.207]) by ietfa.amsl.com (Postfix) with ESMTP id C2B4C21F9D21 for <oauth@ietf.org>; Thu,  1 Aug 2013 00:43:19 -0700 (PDT)
Received: from mail3-am1-R.bigfish.com (10.3.201.234) by AM1EHSOBE015.bigfish.com (10.3.207.137) with Microsoft SMTP Server id 14.1.225.22; Thu, 1 Aug 2013 07:43:18 +0000
Received: from mail3-am1 (localhost [127.0.0.1])	by mail3-am1-R.bigfish.com (Postfix) with ESMTP id BA532460156	for <oauth@ietf.org>; Thu,  1 Aug 2013 07:43:18 +0000 (UTC)
X-Forefront-Antispam-Report: CIP:131.107.125.8; KIP:(null); UIP:(null); IPV:NLI; H:TK5EX14HUBC104.redmond.corp.microsoft.com; RD:autodiscover.service.exchange.microsoft.com; EFVD:NLI
X-SpamScore: -23
X-BigFish: VS-23(zz98dI154cP9371Ic85fh542I14ffIdbb0idbf2izz1f42h208ch1ee6h1de0h1fdah2073h1202h1e76h1d1ah1d2ah1fc6h1082kzz1d7338h1de098h1033IL17326ah18c673h1de096h1954cbh1d68deh18de19h8275bh8275dh1de097hz2fh2a8h683h839hd24hf0ah1288h12a5h12bdh137ah1441h1504h1537h153bh162dh1631h1758h18e1h1946h19b5h1b0ah1bceh1d07h1d0ch1d2eh1d3fh1de9h1dfeh1dffh1e1dh17ej9a9j1155h)
Received-SPF: pass (mail3-am1: domain of microsoft.com designates 131.107.125.8 as permitted sender) client-ip=131.107.125.8; envelope-from=tonynad@microsoft.com; helo=TK5EX14HUBC104.redmond.corp.microsoft.com ; icrosoft.com ; 
X-Forefront-Antispam-Report-Untrusted: CIP:157.56.240.21; KIP:(null); UIP:(null); (null); H:BL2PRD0310HT001.namprd03.prod.outlook.com; R:internal; EFV:INT
Received: from mail3-am1 (localhost.localdomain [127.0.0.1]) by mail3-am1 (MessageSwitch) id 1375342996163123_22564; Thu,  1 Aug 2013 07:43:16 +0000 (UTC)
Received: from AM1EHSMHS008.bigfish.com (unknown [10.3.201.229])	by mail3-am1.bigfish.com (Postfix) with ESMTP id 22F524E0048	for <oauth@ietf.org>; Thu,  1 Aug 2013 07:43:16 +0000 (UTC)
Received: from TK5EX14HUBC104.redmond.corp.microsoft.com (131.107.125.8) by AM1EHSMHS008.bigfish.com (10.3.207.108) with Microsoft SMTP Server (TLS) id 14.16.227.3; Thu, 1 Aug 2013 07:43:13 +0000
Received: from va3outboundpool.messaging.microsoft.com (157.54.51.81) by mail.microsoft.com (157.54.80.25) with Microsoft SMTP Server (TLS) id 14.3.136.1; Thu, 1 Aug 2013 07:43:09 +0000
Received: from mail171-va3-R.bigfish.com (10.7.14.248) by VA3EHSOBE001.bigfish.com (10.7.40.21) with Microsoft SMTP Server id 14.1.225.22; Thu, 1 Aug 2013 07:43:08 +0000
Received: from mail171-va3 (localhost [127.0.0.1])	by mail171-va3-R.bigfish.com (Postfix) with ESMTP id 86B023000D9	for <oauth@ietf.org.FOPE.CONNECTOR.OVERRIDE>; Thu,  1 Aug 2013 07:43:08 +0000 (UTC)
X-Forefront-Antispam-Report-Untrusted: SFV:NSPM; SFS:(199002)(189002)(54524002)(53754006)(13464003)(377454003)(24454002)(74366001)(81342001)(51856001)(54356001)(83322001)(19580405001)(53806001)(16601075003)(15202345003)(74662001)(31966008)(65816001)(77982001)(81542001)(80976001)(74502001)(16406001)(79102001)(16236675002)(74316001)(19580385001)(19580395003)(80022001)(47446002)(59766001)(63696002)(76796001)(77096001)(4396001)(33646001)(19273905006)(56776001)(76576001)(56816003)(19300405004)(50986001)(47736001)(74706001)(74876001)(49866001)(46102001)(76786001)(83072001)(54316002)(47976001)(76482001)(69226001)(42262001)(3826001)(24736002)(562404015)(563064011); DIR:OUT; SFP:; SCL:1; SRVR:BY2PR03MB190; H:BY2PR03MB189.namprd03.prod.outlook.com; CLIP:2001:df8:0:16:d029:44f2:6a30:7b02; RD:InfoNoRecords; A:1; MX:1; LANG:en; 
Received: from mail171-va3 (localhost.localdomain [127.0.0.1]) by mail171-va3 (MessageSwitch) id 1375342986641255_17187; Thu,  1 Aug 2013 07:43:06 +0000 (UTC)
Received: from VA3EHSMHS036.bigfish.com (unknown [10.7.14.237])	by mail171-va3.bigfish.com (Postfix) with ESMTP id 8E28C2E0047; Thu,  1 Aug 2013 07:43:06 +0000 (UTC)
Received: from BL2PRD0310HT001.namprd03.prod.outlook.com (157.56.240.21) by VA3EHSMHS036.bigfish.com (10.7.99.46) with Microsoft SMTP Server (TLS) id 14.16.227.3; Thu, 1 Aug 2013 07:43:06 +0000
Received: from BY2PR03MB190.namprd03.prod.outlook.com (10.242.36.141) by BL2PRD0310HT001.namprd03.prod.outlook.com (10.255.97.36) with Microsoft SMTP Server (TLS) id 14.16.341.1; Thu, 1 Aug 2013 07:43:05 +0000
Received: from BY2PR03MB189.namprd03.prod.outlook.com (10.242.36.140) by BY2PR03MB190.namprd03.prod.outlook.com (10.242.36.141) with Microsoft SMTP Server (TLS) id 15.0.731.16; Thu, 1 Aug 2013 07:43:03 +0000
Received: from BY2PR03MB189.namprd03.prod.outlook.com ([169.254.6.234]) by BY2PR03MB189.namprd03.prod.outlook.com ([169.254.6.234]) with mapi id 15.00.0731.000; Thu, 1 Aug 2013 07:43:03 +0000
From: Anthony Nadalin <tonynad@microsoft.com>
To: Brian Campbell <bcampbell@pingidentity.com>
Thread-Topic: [OAUTH-WG] Informal Dinner Discussion; Thursday @ 19:00
Thread-Index: AQHOjfAaD/90g3O2k0OXOJe4doP35Jl/6b5AgAAGxgCAAACVsIAABjAAgAAB8OA=
Date: Thu, 1 Aug 2013 07:43:02 +0000
Message-ID: <b81dc930af854bb4be410780375b793b@BY2PR03MB189.namprd03.prod.outlook.com>
References: <4892E468-8076-41C7-9626-F39C21BECD15@gmx.net> <05640ecf7f464bc7809aed3e40c8c192@BY2PR03MB189.namprd03.prod.outlook.com> <CA+k3eCQQ9EpU5xormicTLSoSG_jNT=6v8p0SPDbCBDesUd7oWw@mail.gmail.com> <0601181f1554404395c6f04b95d7caee@BY2PR03MB189.namprd03.prod.outlook.com> <CA+k3eCSjzC_+0mYL8Jh76vFzx-pHOAeomZbsLr3jn0SckG1_jQ@mail.gmail.com>
In-Reply-To: <CA+k3eCSjzC_+0mYL8Jh76vFzx-pHOAeomZbsLr3jn0SckG1_jQ@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
x-originating-ip: [2001:df8:0:16:d029:44f2:6a30:7b02]
x-forefront-prvs: 0925081676
Content-Type: multipart/alternative; boundary="_000_b81dc930af854bb4be410780375b793bBY2PR03MB189namprd03pro_"
MIME-Version: 1.0
X-OrganizationHeadersPreserved: BY2PR03MB190.namprd03.prod.outlook.com
X-FOPE-CONNECTOR: Id%0$Dn%*$RO%0$TLS%0$FQDN%$TlsDn%
X-FOPE-CONNECTOR: Id%59$Dn%IETF.ORG$RO%2$TLS%6$FQDN%corpf5vips-237160.customer.frontbridge.com$TlsDn%
X-FOPE-CONNECTOR: Id%59$Dn%GMX.NET$RO%2$TLS%6$FQDN%corpf5vips-237160.customer.frontbridge.com$TlsDn%
X-FOPE-CONNECTOR: Id%59$Dn%PINGIDENTITY.COM$RO%2$TLS%6$FQDN%corpf5vips-237160.customer.frontbridge.com$TlsDn%
X-CrossPremisesHeadersPromoted: TK5EX14HUBC104.redmond.corp.microsoft.com
X-CrossPremisesHeadersFiltered: TK5EX14HUBC104.redmond.corp.microsoft.com
X-OriginatorOrg: microsoft.com
X-FOPE-CONNECTOR: Id%0$Dn%*$RO%0$TLS%0$FQDN%$TlsDn%
Cc: oauth mailing list <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Informal Dinner Discussion; Thursday @ 19:00
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 01 Aug 2013 07:43:27 -0000

--_000_b81dc930af854bb4be410780375b793bBY2PR03MB189namprd03pro_
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable

Life is full of surprises and bountiful experiences

From: Brian Campbell [mailto:bcampbell@pingidentity.com]
Sent: Thursday, August 1, 2013 12:35 AM
To: Anthony Nadalin
Cc: Hannes Tschofenig; oauth mailing list
Subject: Re: [OAUTH-WG] Informal Dinner Discussion; Thursday @ 19:00

I wasn't concerned about the exercise but rather with having to spend that much more time with you.

On Thu, Aug 1, 2013 at 9:14 AM, Anthony Nadalin <tonynad@microsoft.com> wrote:
It's called exercise or take the S7, this also give you a culture experience of getting away from the hotel and IETF crowd.

From: Brian Campbell [mailto:bcampbell@pingidentity.com]
Sent: Thursday, August 1, 2013 12:10 AM
To: Anthony Nadalin
Cc: Hannes Tschofenig; oauth mailing list
Subject: Re: [OAUTH-WG] Informal Dinner Discussion; Thursday @ 19:00

That's a 35 minute walk each way. Will MSFT be providing transportation?

On Thu, Aug 1, 2013 at 8:52 AM, Anthony Nadalin <tonynad@microsoft.com> wrote:
How about http://www.zollpackhof.de/english/restaurant/terrassen.html


-----Original Message-----
From: oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] On Behalf Of Hannes Tschofenig
Sent: Wednesday, July 31, 2013 6:15 AM
To: oauth mailing list
Subject: [OAUTH-WG] Informal Dinner Discussion; Thursday @ 19:00

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Hi all,

as mentioned during the OAuth WG meeting today we will meet for an informal discussion about the next steps in OAuth in the hotel lobby at 19:00 on Thursday.
We have not yet decided where to go.

Ciao
Hannes

-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.19 (Darwin)
Comment: GPGTools - http://gpgtools.org

-----END PGP SIGNATURE-----
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth








--_000_b81dc930af854bb4be410780375b793bBY2PR03MB189namprd03pro_
Content-Type: text/html; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable

<html xmlns:v=3D"urn:schemas-microsoft-com:vml" xmlns:o=3D"urn:schemas-micr=
osoft-com:office:office" xmlns:w=3D"urn:schemas-microsoft-com:office:word" =
xmlns:m=3D"http://schemas.microsoft.com/office/2004/12/omml" xmlns=3D"http:=
//www.w3.org/TR/REC-html40">
<head>
<meta http-equiv=3D"Content-Type" content=3D"text/html; charset=3Dus-ascii"=
>
<meta name=3D"Generator" content=3D"Microsoft Word 15 (filtered medium)">
<style><!--
/* Font Definitions */
@font-face
	{font-family:"Cambria Math";
	panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
	{font-family:Calibri;
	panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
	{margin:0in;
	margin-bottom:.0001pt;
	font-size:12.0pt;
	font-family:"Times New Roman","serif";}
a:link, span.MsoHyperlink
	{mso-style-priority:99;
	color:blue;
	text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
	{mso-style-priority:99;
	color:purple;
	text-decoration:underline;}
span.EmailStyle17
	{mso-style-type:personal-reply;
	font-family:"Calibri","sans-serif";
	color:#1F497D;}
.MsoChpDefault
	{mso-style-type:export-only;
	font-family:"Calibri","sans-serif";}
@page WordSection1
	{size:8.5in 11.0in;
	margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
	{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext=3D"edit" spidmax=3D"1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext=3D"edit">
<o:idmap v:ext=3D"edit" data=3D"1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang=3D"EN-US" link=3D"blue" vlink=3D"purple">
<div class=3D"WordSection1">
<p class=3D"MsoNormal"><span style=3D"font-size:11.0pt;font-family:&quot;Ca=
libri&quot;,&quot;sans-serif&quot;;color:#1F497D">Life is full of surprises=
 and bountiful experiences
<o:p></o:p></span></p>
<p class=3D"MsoNormal"><a name=3D"_MailEndCompose"><span style=3D"font-size=
:11.0pt;font-family:&quot;Calibri&quot;,&quot;sans-serif&quot;;color:#1F497=
D"><o:p>&nbsp;</o:p></span></a></p>
<p class=3D"MsoNormal"><b><span style=3D"font-size:11.0pt;font-family:&quot=
;Calibri&quot;,&quot;sans-serif&quot;">From:</span></b><span style=3D"font-=
size:11.0pt;font-family:&quot;Calibri&quot;,&quot;sans-serif&quot;"> Brian =
Campbell [mailto:bcampbell@pingidentity.com]
<br>
<b>Sent:</b> Thursday, August 1, 2013 12:35 AM<br>
<b>To:</b> Anthony Nadalin<br>
<b>Cc:</b> Hannes Tschofenig; oauth mailing list<br>
<b>Subject:</b> Re: [OAUTH-WG] Informal Dinner Discussion; Thursday @ 19:00=
<o:p></o:p></span></p>
<p class=3D"MsoNormal"><o:p>&nbsp;</o:p></p>
<div>
<p class=3D"MsoNormal">I wasn't concerned about the exercise but rather wit=
h having to spend that much more time with you.<o:p></o:p></p>
</div>
<div>
<p class=3D"MsoNormal" style=3D"margin-bottom:12.0pt"><o:p>&nbsp;</o:p></p>
<div>
<p class=3D"MsoNormal">On Thu, Aug 1, 2013 at 9:14 AM, Anthony Nadalin &lt;=
<a href=3D"mailto:tonynad@microsoft.com" target=3D"_blank">tonynad@microsof=
t.com</a>&gt; wrote:<o:p></o:p></p>
<blockquote style=3D"border:none;border-left:solid #CCCCCC 1.0pt;padding:0i=
n 0in 0in 6.0pt;margin-left:4.8pt;margin-right:0in">
<div>
<div>
<p class=3D"MsoNormal" style=3D"mso-margin-top-alt:auto;mso-margin-bottom-a=
lt:auto"><span style=3D"font-size:11.0pt;font-family:&quot;Calibri&quot;,&q=
uot;sans-serif&quot;;color:#1F497D">It&#8217;s called exercise or take the =
S7, this also give you a culture experience of getting away from
 the hotel and IETF crowd.</span><o:p></o:p></p>
<p class=3D"MsoNormal" style=3D"mso-margin-top-alt:auto;mso-margin-bottom-a=
lt:auto"><a name=3D"14038bb0d7c642aa__MailEndCompose"><span style=3D"font-s=
ize:11.0pt;font-family:&quot;Calibri&quot;,&quot;sans-serif&quot;;color:#1F=
497D">&nbsp;</span></a><o:p></o:p></p>
<p class=3D"MsoNormal" style=3D"mso-margin-top-alt:auto;mso-margin-bottom-a=
lt:auto"><b><span style=3D"font-size:11.0pt;font-family:&quot;Calibri&quot;=
,&quot;sans-serif&quot;">From:</span></b><span style=3D"font-size:11.0pt;fo=
nt-family:&quot;Calibri&quot;,&quot;sans-serif&quot;"> Brian Campbell [mail=
to:<a href=3D"mailto:bcampbell@pingidentity.com" target=3D"_blank">bcampbel=
l@pingidentity.com</a>]
<br>
<b>Sent:</b> Thursday, August 1, 2013 12:10 AM<br>
<b>To:</b> Anthony Nadalin<br>
<b>Cc:</b> Hannes Tschofenig; oauth mailing list<br>
<b>Subject:</b> Re: [OAUTH-WG] Informal Dinner Discussion; Thursday @ 19:00=
</span><o:p></o:p></p>
<div>
<div>
<p class=3D"MsoNormal" style=3D"mso-margin-top-alt:auto;mso-margin-bottom-a=
lt:auto">&nbsp;<o:p></o:p></p>
<div>
<p class=3D"MsoNormal" style=3D"mso-margin-top-alt:auto;margin-bottom:12.0p=
t">That's a 35 minute walk each way. Will MSFT be providing transportation?=
<o:p></o:p></p>
</div>
<div>
<p class=3D"MsoNormal" style=3D"mso-margin-top-alt:auto;margin-bottom:12.0p=
t">&nbsp;<o:p></o:p></p>
<div>
<p class=3D"MsoNormal" style=3D"mso-margin-top-alt:auto;mso-margin-bottom-a=
lt:auto">On Thu, Aug 1, 2013 at 8:52 AM, Anthony Nadalin &lt;<a href=3D"mai=
lto:tonynad@microsoft.com" target=3D"_blank">tonynad@microsoft.com</a>&gt; =
wrote:<o:p></o:p></p>
<blockquote style=3D"border:none;border-left:solid #CCCCCC 1.0pt;padding:0i=
n 0in 0in 6.0pt;margin-left:4.8pt;margin-top:5.0pt;margin-right:0in;margin-=
bottom:5.0pt">
<p class=3D"MsoNormal" style=3D"mso-margin-top-alt:auto;mso-margin-bottom-a=
lt:auto">How about
<a href=3D"http://www.zollpackhof.de/english/restaurant/terrassen.html" tar=
get=3D"_blank">
http://www.zollpackhof.de/english/restaurant/terrassen.html</a><o:p></o:p><=
/p>
<div>
<div>
<p class=3D"MsoNormal" style=3D"mso-margin-top-alt:auto;mso-margin-bottom-a=
lt:auto"><br>
<br>
-----Original Message-----<br>
From: <a href=3D"mailto:oauth-bounces@ietf.org" target=3D"_blank">oauth-bou=
nces@ietf.org</a> [mailto:<a href=3D"mailto:oauth-bounces@ietf.org" target=
=3D"_blank">oauth-bounces@ietf.org</a>] On Behalf Of Hannes Tschofenig<br>
Sent: Wednesday, July 31, 2013 6:15 AM<br>
To: oauth mailing list<br>
Subject: [OAUTH-WG] Informal Dinner Discussion; Thursday @ 19:00<br>
<br>
-----BEGIN PGP SIGNED MESSAGE-----<br>
Hash: SHA512<br>
<br>
Hi all,<br>
<br>
as mentioned during the OAuth WG meeting today we will meet for an informal=
 discussion about the next steps in OAuth in the hotel lobby at 19:00 on Th=
ursday.<br>
We have not yet decided where to go.<br>
<br>
Ciao<br>
Hannes<br>
<br>
-----BEGIN PGP SIGNATURE-----<br>
Version: GnuPG/MacGPG2 v2.0.19 (Darwin)<br>
Comment: GPGTools - <a href=3D"http://gpgtools.org" target=3D"_blank">http:=
//gpgtools.org</a><br>
<br>
-----END PGP SIGNATURE-----<br>
_______________________________________________<br>
OAuth mailing list<br>
<a href=3D"mailto:OAuth@ietf.org" target=3D"_blank">OAuth@ietf.org</a><br>
<a href=3D"https://www.ietf.org/mailman/listinfo/oauth" target=3D"_blank">h=
ttps://www.ietf.org/mailman/listinfo/oauth</a><br>
<br>
<br>
<br>
<br>
<br>
_______________________________________________<br>
OAuth mailing list<br>
<a href=3D"mailto:OAuth@ietf.org" target=3D"_blank">OAuth@ietf.org</a><br>
<a href=3D"https://www.ietf.org/mailman/listinfo/oauth" target=3D"_blank">h=
ttps://www.ietf.org/mailman/listinfo/oauth</a><o:p></o:p></p>
</div>
</div>
</blockquote>
</div>
<p class=3D"MsoNormal" style=3D"mso-margin-top-alt:auto;mso-margin-bottom-a=
lt:auto">&nbsp;<o:p></o:p></p>
</div>
</div>
</div>
</div>
</div>
</blockquote>
</div>
<p class=3D"MsoNormal"><o:p>&nbsp;</o:p></p>
</div>
</div>
</body>
</html>

--_000_b81dc930af854bb4be410780375b793bBY2PR03MB189namprd03pro_--

From torsten@lodderstedt.net  Thu Aug  1 02:21:31 2013
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 7bit
Date: Thu, 01 Aug 2013 11:21:14 +0200
From: Torsten Lodderstedt <torsten@lodderstedt.net>
To: "oauth@ietf.org WG" <oauth@ietf.org>
Message-ID: <283bcef4609ade8c26429390c1c81f9e@lodderstedt-online.de>
Subject: [OAUTH-WG] JWT/JWT Bearer Token Profile
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 01 Aug 2013 09:21:31 -0000

Hi,

why does the JWT draft not specify any claim to represent information 
about the authentication transaction itself, such as acr, amr or 
auth_time? And in turn, JWT Bearer Token Profile also does not give any 
processing rules. In my opinion, this may require additional profiling 
of the JWT Bearer Token Profile for ID token processing, if the 
receiving AS wants to apply a policy on the authentication.

regards,
Torsten.

From torsten@lodderstedt.net  Thu Aug  1 02:34:58 2013
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 7bit
Date: Thu, 01 Aug 2013 11:34:39 +0200
From: Torsten Lodderstedt <torsten@lodderstedt.net>
To: "oauth@ietf.org WG" <oauth@ietf.org>
Message-ID: <e1cdc1b2a4d1841d12938a900355121f@lodderstedt-online.de>
Subject: [OAUTH-WG] Authz Header + client_id in message body

Hi,

while setting up our OIDC interop tests, we ran into the following
problem:

The test client sends a request to the token endpoint, which contains 
the client credentials in an authorization header. Additionally, it adds 
the client_id to the message body. Our server treats this as an invalid 
request and responds with HTTP status code 400.

Now my question: The last paragraph of RFC 6749, section 3.1 
(http://tools.ietf.org/html/rfc6749#section-3.2.1) states

"A client MAY use the "client_id" request parameter to identify itself
    when sending requests to the token endpoint."

This seems to allow the client to send the client_id in addition to any 
other credential used to authenticate it.

I'm not sure what the intention is/was. How is the server supposed to 
handle such cases? Shall it compare both ids (from the header and the 
body)? Must they match exactly?

Any feedback is appreciated.

regards,
Torsten.
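
Added example, not part of the original message and not taken from any implementation on the list: one policy a token endpoint could apply to the request described above, in Python. It assumes that a body client_id equal to the one in the HTTP Basic header is accepted and a differing one is rejected with invalid_request; the registry, function names and sample credentials are constructed.

```python
import base64
import binascii
import hmac
from urllib.parse import parse_qs, quote_plus, unquote_plus

# Constructed registry of confidential clients (client_id -> client_secret).
REGISTERED_CLIENTS = {"s6BhdRkqt3": "gX1fBat3bV"}


class TokenRequestError(Exception):
    """Carries the HTTP status and the OAuth error code (RFC 6749 section 5.2)."""

    def __init__(self, status, error, description):
        super().__init__(description)
        self.status, self.error, self.description = status, error, description


def basic_header(client_id, client_secret):
    """Client side: form-urlencode each part, join with ':', then base64
    (RFC 6749 section 2.3.1)."""
    pair = f"{quote_plus(client_id)}:{quote_plus(client_secret)}"
    return "Basic " + base64.b64encode(pair.encode("utf-8")).decode("ascii")


def parse_basic(value):
    """Server side: recover (client_id, client_secret) from the header value."""
    scheme, _, blob = value.partition(" ")
    if scheme.lower() != "basic":
        raise TokenRequestError(401, "invalid_client", "unsupported scheme")
    try:
        decoded = base64.b64decode(blob.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        raise TokenRequestError(401, "invalid_client", "malformed credentials")
    user, sep, secret = decoded.partition(":")
    if not sep or not user:
        raise TokenRequestError(401, "invalid_client", "malformed credentials")
    return unquote_plus(user), unquote_plus(secret)


def single(form, name):
    """Return the parameter value, or None; a repeated parameter is malformed."""
    values = form.get(name, [])
    if len(values) > 1:
        raise TokenRequestError(400, "invalid_request", f"repeated {name}")
    return values[0] if values else None


def same(a, b):
    """Constant-time string comparison."""
    return hmac.compare_digest(a.encode("utf-8"), b.encode("utf-8"))


def identify_client(headers, body):
    """Return the authenticated client_id or raise TokenRequestError.
    `headers` is a dict keyed by the exact name "Authorization" (assumption)."""
    form = parse_qs(body, keep_blank_values=True)
    body_id = single(form, "client_id")
    body_secret = single(form, "client_secret")
    authorization = headers.get("Authorization")

    if authorization is not None:
        client_id, secret = parse_basic(authorization)
        if body_secret is not None:
            # Header credentials plus a body secret are two authentication
            # methods in one request, which RFC 6749 section 2.3 forbids.
            raise TokenRequestError(400, "invalid_request",
                                    "more than one client authentication method")
        if body_id is not None and not same(body_id, client_id):
            # Policy assumed for this example: the body value only identifies
            # the client, so it must name the client that authenticated.
            raise TokenRequestError(400, "invalid_request",
                                    "client_id in body differs from Authorization header")
    elif body_id is not None and body_secret is not None:
        client_id, secret = body_id, body_secret
    else:
        raise TokenRequestError(401, "invalid_client", "client authentication required")

    expected = REGISTERED_CLIENTS.get(client_id)
    if expected is None or not same(expected, secret):
        raise TokenRequestError(401, "invalid_client", "unknown client or bad secret")
    return client_id


def evaluate(headers, body):
    """Return (200, client_id) on success, else (status, error code)."""
    try:
        return 200, identify_client(headers, body)
    except TokenRequestError as exc:
        return exc.status, exc.error
```
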

From Michael.Jones@microsoft.com  Thu Aug  1 03:11:15 2013
From: Mike Jones <Michael.Jones@microsoft.com>
To: Torsten Lodderstedt <torsten@lodderstedt.net>, "oauth@ietf.org WG" <oauth@ietf.org>
Date: Thu, 1 Aug 2013 10:09:11 +0000
Message-ID: <4E1F6AAD24975D4BA5B16804296739436B7394E4@TK5EX14MBXC284.redmond.corp.microsoft.com>
References: <283bcef4609ade8c26429390c1c81f9e@lodderstedt-online.de>
In-Reply-To: <283bcef4609ade8c26429390c1c81f9e@lodderstedt-online.de>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Subject: Re: [OAUTH-WG] JWT/JWT Bearer Token Profile

If you want to propose that specific claims be added that are already
in widespread use, I suspect that the working group might be amenable
to that.  That being said, we've tried to be conservative and only
define claims in the JWT spec itself that there is clear prior art for
and which are therefore known to be of widespread general
applicability.

Also, there's no reason for all claims to be defined in the JWT spec
itself, since there's a JSON Web Token Claims Registry, and
implementations are free to/expected to use claims defined in the
registry that are not defined in the base spec.  In the case of the
"acr", "amr", and "auth_time" claims, those are already queued up to
be added to the registry when the OpenID Connect specs complete (see
the IANA Considerations section at
http://openid.net/specs/openid-connect-messages-1_0.html#ClaimsRegistry),
so there's not a compelling reason to also define them in the JWT
spec, as they'll be available in the registry whether we add them to
the JWT spec or not.

				-- Mike

-----Original Message-----
From: oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] On Behalf Of Torsten Lodderstedt
Sent: Thursday, August 01, 2013 2:21 AM
To: oauth@ietf.org WG
Subject: [OAUTH-WG] JWT/JWT Bearer Token Profile

Hi,

why does the JWT draft not specify any claim to represent information
about the authentication transaction itself, such as acr, amr or
auth_time? And in turn, JWT Bearer Token Profile also does not give
any processing rules. In my opinion, this may require additional
profiling of the JWT Bearer Token Profile for ID token processing, if
the receiving AS wants to apply a policy on the authentication.

regards,
Torsten.



From torsten@lodderstedt.net  Thu Aug  1 04:29:13 2013
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 7bit
Date: Thu, 01 Aug 2013 13:29:01 +0200
From: Torsten Lodderstedt <torsten@lodderstedt.net>
To: Mike Jones <Michael.Jones@microsoft.com>
In-Reply-To: <4E1F6AAD24975D4BA5B16804296739436B7394E4@TK5EX14MBXC284.redmond.corp.microsoft.com>
References: <283bcef4609ade8c26429390c1c81f9e@lodderstedt-online.de> <4E1F6AAD24975D4BA5B16804296739436B7394E4@TK5EX14MBXC284.redmond.corp.microsoft.com>
Message-ID: <d779e887279f6db8f6bd976f67bd014d@lodderstedt-online.de>
Cc: "oauth@ietf.org WG" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] JWT/JWT Bearer Token Profile

Hi Mike,

thank you for your quick answer. Using the registry works for my use 
cases.

regards,
Torsten.

On 01.08.2013 12:09, Mike Jones wrote:
> If you want to propose that specific claims be added that are already
> in widespread use, I suspect that the working group might be amenable
> to that.  That being said, we've tried to be conservative and only
> define claims in the JWT spec itself that there is clear prior art for
> and which are therefore known to be of widespread general
> applicability.
> 
> Also, there's no reason for all claims to be defined in the JWT spec
> itself, since there's a JSON Web Token Claims Registry, and
> implementations are free to/expected to use claims defined in the
> registry that are not defined in the base spec.  In the case of the
> "acr", "amr", and "auth_time" claims, those are already queued up to
> be added to the registry when the OpenID Connect specs complete (see
> the IANA Considerations section at
> http://openid.net/specs/openid-connect-messages-1_0.html#ClaimsRegistry),
> so there's not a compelling reason to also define them in the JWT
> spec, as they'll be available in the registry whether we add them to
> the JWT spec or not.
> 
> 				-- Mike
> 
> -----Original Message-----
> From: oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] On
> Behalf Of Torsten Lodderstedt
> Sent: Thursday, August 01, 2013 2:21 AM
> To: oauth@ietf.org WG
> Subject: [OAUTH-WG] JWT/JWT Bearer Token Profile
> 
> Hi,
> 
> why does the JWT draft not specify any claim to represent information
> about the authentication transaction itself, such as acr, amr or
> auth_time? And in turn, JWT Bearer Token Profile also does not give
> any processing rules. In my opinion, this may require additional
> profiling of the JWT Bearer Token Profile for ID token processing, if
> the receiving AS wants to apply a policy on the authentication.
> 
> regards,
> Torsten.
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
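
Added example, not part of the thread and not taken from the JWT or OpenID Connect specifications: a policy check in Python on the "acr", "amr" and "auth_time" claims that a receiving AS could run on an assertion whose signature, issuer, audience and expiry have already been validated. The acr and amr values, the limits and the function name are constructed for the example.

```python
import numbers

CLOCK_SKEW = 60  # seconds of tolerated clock difference (assumed value)


def authentication_violations(claims, now, allowed_acr, required_amr, max_auth_age):
    """Return a list of violation codes; an empty list means the policy passes.

    claims        -- dict of claims from an already verified JWT
    now           -- current time, seconds since the epoch
    allowed_acr   -- set of acceptable authentication context class values
    required_amr  -- set of method names that must all appear in "amr"
    max_auth_age  -- maximum allowed age of the authentication, in seconds
    """
    violations = []

    # "acr" is a single string naming the authentication context class.
    acr = claims.get("acr")
    if not isinstance(acr, str):
        violations.append("acr_missing")
    elif acr not in allowed_acr:
        violations.append("acr_rejected")

    # "amr" is a JSON array of strings naming the methods that were used.
    amr = claims.get("amr")
    if not isinstance(amr, list) or not all(isinstance(m, str) for m in amr):
        violations.append("amr_missing")
    else:
        for method in sorted(set(required_amr) - set(amr)):
            violations.append("amr_lacks:" + method)

    # "auth_time" is a number of seconds since the epoch. A missing value is
    # treated as a failure: without it the age of the login is unknown.
    auth_time = claims.get("auth_time")
    if isinstance(auth_time, bool) or not isinstance(auth_time, numbers.Real):
        violations.append("auth_time_missing")
    elif auth_time > now + CLOCK_SKEW:
        violations.append("auth_time_in_future")
    elif now - auth_time > max_auth_age:
        violations.append("auth_time_stale")

    return violations


# Constructed policy and constructed claim sets.
POLICY = {
    "allowed_acr": {"urn:example:acr:mfa"},
    "required_amr": {"pwd", "otp"},
    "max_auth_age": 600,
}
NOW = 1375350000

FRESH_MFA = {"sub": "alice", "acr": "urn:example:acr:mfa",
             "amr": ["pwd", "otp"], "auth_time": NOW - 300}
STALE_PASSWORD_ONLY = {"sub": "alice", "acr": "urn:example:acr:password",
                       "amr": ["pwd"], "auth_time": NOW - 10000}
NO_AUTH_CLAIMS = {"sub": "alice"}


def check(claims):
    """Apply the constructed POLICY at the constructed time NOW."""
    return authentication_violations(claims, NOW, **POLICY)
```
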

From tonynad@microsoft.com  Thu Aug  1 04:32:21 2013
From: Anthony Nadalin <tonynad@microsoft.com>
To: Bill Mills <wmills_92105@yahoo.com>, Prateek Mishra <prateek.mishra@oracle.com>, Nat Sakimura <sakimura@gmail.com>
Date: Thu, 1 Aug 2013 11:31:18 +0000
Message-ID: <5c5c607231e644f697c5a60b75688013@BY2PR03MB189.namprd03.prod.outlook.com>
References: <787A2184-CE90-49F4-ABB6-B8D049AE3941@oracle.com> <E2282016-1953-48A4-B0AC-7F138D29AB80@oracle.com> <BAB6DA63-5831-49D0-8CB9-13CF57F78806@ve7jtb.com> <CABzCy2C=DXtFUOZh=55xH_BwMz1Z8gb2ShUHAG7ZmATtc4E4zw@mail.gmail.com> <51F83EF7.6040201@oracle	<51F983E3.1020400@oracle.com> <1375307375.98370.YahooMailNeo@web142804.mail.bf1.yahoo.com>
In-Reply-To: <1375307375.98370.YahooMailNeo@web142804.mail.bf1.yahoo.com>
Content-Type: multipart/alternative; boundary="_000_5c5c607231e644f697c5a60b75688013BY2PR03MB189namprd03pro_"
MIME-Version: 1.0
Cc: "oauth@ietf.org WG" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Need for Extending OAuth with AuthN (was Re: Fwd:	New Version Notification for draft-hunt-oauth-v2-user-a4c-00.txt)

--_000_5c5c607231e644f697c5a60b75688013BY2PR03MB189namprd03pro_
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable

The proposal does not duplicate what OpenID does, there is clear benefit
for returning an authentication result in the token request result. This
is being proposed as an optional JSON structure.

From: oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] On Behalf Of Bill Mills
Sent: Wednesday, July 31, 2013 2:50 PM
To: Prateek Mishra; Nat Sakimura
Cc: oauth@ietf.org WG
Subject: Re: [OAUTH-WG] Need for Extending OAuth with AuthN (was Re: Fwd: New Version Notification for draft-hunt-oauth-v2-user-a4c-00.txt)

Rather than extending OAuth for something OpenID already does...  why
don't we get a simple informational example doc to show how to implement
the most basic OpenID service, which is the same functionality on a
standard that's already written?

This is sounding more and more like a documentation problem.

________________________________
From: Prateek Mishra <prateek.mishra@oracle.com>
To: Nat Sakimura <sakimura@gmail.com>
Cc: "oauth@ietf.org WG" <oauth@ietf.org>
Sent: Wednesday, July 31, 2013 2:38 PM
Subject: [OAUTH-WG] Need for Extending OAuth with AuthN (was Re: Fwd: New Version Notification for draft-hunt-oauth-v2-user-a4c-00.txt)

Nat -

thanks for the detailed response. I did review the links you sent out
but it remained unclear to me which features are MTI and which are not.
For example, there is nothing in the Basic Client Profile that suggests
that Section 2.3 is optional. I also could not find any definition for
"non-dynamic OpenID Connect Server".

I don't think there is a need to duplicate portions of the draft
specification text in a new document. One solution that was used in
SAML 2.0 was to define a conformance document which described several
different operational modes and explained how only a small set of
features needed to be implemented in certain modes.

http://docs.oasis-open.org/security/saml/v2.0/saml-conformance-2.0-os.pdf

There are probably other smarter ways to achieve the same effect.

Given this situation, I do think it's a reasonable task for the OAuth
community to consider the need for a minimal extension to OAuth that
accommodates authentication. The community should be made aware that
RFC 6749 is being misused for federated authentication, as explained in  -

http://www.independentid.com/2013/07/simple-authentication-for-oauth-2-what.html

and that there doesn't appear to be a simple solution that is currently
available. It would be great if it turned out that OpenID Connect
offered such a solution but that isn't clear to me.

Thx,
prateek


Inline:
2013/7/31 Prateek Mishra <prateek.mishra@oracle.com>
Nat -

your blog posting is helpful to those of us who are looking for a minimal extension of OAuth with
an authenticator.  Many implementors are seeking a modest extension of OAuth, not an entire new protocol
stack.   I believe that is the point of Phil Hunt's proposal to the OAuth committee.

I do have some questions for about the statements made in the blog -

A) Can you direct me to a single OpenID Connect draft specification document where steps 1 and 2 are described?

Actually, it is not a single spec, that the Standard is referencing others.
The Standard is kind of cluttered because it has 6 response types and three request types in it.
I suppose it would be much easier for the readers to split them into coherent pieces, though that means duplicate texts.

The easiest approach here is to read the Basic Client Profile. http://openid.net/specs/openid-connect-basic-1_0-28.html
Then, read OAuth 2.0 Multiple Response Type Encoding Practices http://openid.net/specs/oauth-v2-multiple-response-types-1_0-08.html .


B) If I implement steps 1 and 2, do I then have a conformant OpenID Connect implementation? Are there no
other MTI protocol exchanges in OpenID Connect?

Yes, for a non-dynamic OpenID Connect Server.

Nat


Thanks,
prateek




I have written a short blog post titled "Write an OpenID Connect server in three simple steps<http://nat.sakimura.org/2013/07/28/write-openid-connect-server-in-three-simple-steps/>".

Really, there is not much you need to on top of OAuth 2.0.

It puzzles me why you need to create a draft with only minor variances in parameter names.

e.g.,
session instead of id_token
lat instead of iat
alv instead of acr
etc.

If you change those parameter names, you will have a conformant profile of OpenID Connect.

Nat

2013/7/31 John Bradley <ve7jtb@ve7jtb.com>
Connect doesn't require a userinfo endpoint.   It is required for interoperability if you are building an open IdP.   For an enterprise type deployment discovery, registration, userinfo are all optional.

The server is required to pass the nonce which is equivalent to a request ID through to the JWT if the client sends it in the request.

Justin is correct.

John B.

On 2013-07-30, at 5:30 PM, Phil Hunt <phil.hunt@oracle.com> wrote:


Forgot reply all.

Phil

Begin forwarded message:
From: Phil Hunt <phil.hunt@oracle.com>
Date: 30 July, 2013 17:25:46 GMT+02:00
To: "Richer, Justin P." <jricher@mitre.org>
Subject: Re: [OAUTH-WG] New Version Notification for draft-hunt-oauth-v2-user-a4c-00.txt
The whole point is authn only. Many do not want or need the userinfo endpoint.

Phil

On 2013-07-30, at 17:17, "Richer, Justin P." <jricher@mitre.org> wrote:
What do you mean? You absolutely can implement a compliant OIDC server nearly as simply as this. The things that you're missing I think are necessary for basic interoperable functionality, and are things that other folks using OAuth for authentication have also implemented. Namely:

 - Signing the ID token (OIDC specifies the RS256 flavor of JWS, which is easy to do with JWT). Without a signed and verifiable ID token or equivalent, you're asking for all kinds of token injection problems.
 - Session management requests (max auth age, auth time)
 - Not fall over with other parameters that you don't support (display, prompt, etc).

See here for more information:

  http://openid.net/specs/openid-connect-messages-1_0.html#ServerMTI

Additionally, something that's really important to support is the User Info Endpoint, so you can actually get user profile information beyond just the simple "someone was here" claim -- this was the real value of Facebook Connect from an RP's perspective. Some people will probably want to use SCIM for this, too, and that's fine.

 -- Justin

On Jul 30, 2013, at 10:54 AM, Phil Hunt <phil.hunt@oracle.com> wrote:


The oidc specs do not allow this simple an implementation. The spec members have not shown interest in making changes as they say they are too far down the road.

I have tried to make my draft as close as possible to oidc but maybe it shouldn't be clarity wise. I am interested in what the group feels is clearest.

From an ietf perspective the concern is improper use of the 6749 for authn. Is this a bug or gap we need to address?

Phil

On 2013-07-30, at 16:46, "Richer, Justin P." <jricher@mitre.org> wrote:
From what I read, you've defined something that uses an OAuth 2 code flow to get an extra token which is specified as a JWT. You named it "session_token" instead of "id_token", and you've left off the User Information Endpoint -- but other than that, this is exactly the Basic Client for OpenID Connect. In other words, if you change the names on things you've got OIDC, but without the capabilities to go beyond a very basic "hey there's a user here" claim. This is the same place that OpenID 2.0 started, and it was very, very quickly extended with SREG, AX, PAPE, and others for it to be useful in the real world of distributed logins. You've also left out discovery and registration which are required for distributed deployments, but I'm guessing that those would be modular components that could be added in (like they are in OIDC).

I've heard complaints that OIDC is complicated, but it's really not. Yes, I agree that the giant stack of documents is intimidating and in my opinion it's a bit of a mess with Messages and Standard split up (but I lost that argument years ago). However, at the core, you've got an OAuth2 authorization server that spits out access tokens and id tokens. The id token is a JWT with some known claims (iss, sub, etc) and is issued alongside the access token, and its audience is the *client* and not the *protected resource*. The access token is a regular old access token and its format is undefined (so you can use it with an existing OAuth2 server setup, like we have), and it can be used at the User Info Endpoint to get profile information about the user who authenticated. It could also be used for other services if your AS/IdP protects multiple things.

So I guess what I'm missing is what's the value proposition in this spec when we have something that can do this already? And this doesn't seem to do anything different (apart from syntax changes)?

 -- Justin

On Jul 29, 2013, at 4:14 AM, Phil Hunt <phil.hunt@oracle.com> wrote:


FYI.  I have been noticing a substantial number of sites acting as OAuth Clients using OAuth to authenticate users.

I know several of us have blogged on the issue over the past year so I won't re-hash it here.  In short, many of us recommended OIDC as the correct methodology.

Nevertheless, I've spoken with a number of service providers who indicate they are not ready to make the jump to OIDC, yet they agree there is a desire to support authentication only (whereas OIDC does IDP-like services).

This draft is intended as a minimum authentication only specification.  I've tried to make it as compatible as possible with OIDC.

For now, I've just posted to keep track of the issue so we can address at the next re-chartering.

Happy to answer questions and discuss.

Phil

@independentid
www.independentid.com
phil.hunt@oracle.com




Begin forwarded message:


From: internet-drafts@ietf.org
Subject: New Version Notification for draft-hunt-oauth-v2-user-a4c-00.txt
Date: 29 July, 2013 9:49:41 AM GMT+02:00
To: Phil Hunt <phil.hunt@yahoo.com>, Phil Hunt <None@ietfa.amsl.com>, Phil Hunt <>


A new version of I-D, draft-hunt-oauth-v2-user-a4c-00.txt
has been successfully submitted by Phil Hunt and posted to the
IETF repository.

Filename: draft-hunt-oauth-v2-user-a4c
Revision: 00
Title: OAuth 2.0 User Authentication For Client
Creation date: 2013-07-29
Group: Individual Submission
Number of pages: 9
URL:             http://www.ietf.org/internet-drafts/draft-hunt-oauth-v2-user-a4c-00.txt
Status:          http://datatracker.ietf.org/doc/draft-hunt-oauth-v2-user-a4c
Htmlized:        http://tools.ietf.org/html/draft-hunt-oauth-v2-user-a4c-00


Abstract:
  This specification defines a new OAuth2 endpoint that enables user
  authentication session information to be shared with client
  applications.




Please note that it may take a couple of minutes from the time of submission
until the htmlized version and diff are available at tools.ietf.org.

The IETF Secretariat

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth





--
Nat Sakimura (=nat)
Chairman, OpenID Foundation
http://nat.sakimura.org/
@_nat_en







--
Nat Sakimura (=nat)
Chairman, OpenID Foundation
http://nat.sakimura.org/
@_nat_en
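
The client-side checks discussed in the thread above (an RS256-signed ID token whose audience is the client, the nonce passed through to the JWT, and max auth age / auth time), as an added example that is not code from the thread, from any draft, or from an OpenID Connect implementation. The function names, issuer URL, client ids and nonce are constructed for illustration; `aud`, `exp`, `nonce` and `auth_time` are the standard ID token claim names; and the pure-Python RSA stands in for a vetted JOSE library only so that the example runs offline.

```python
import base64, hashlib, hmac, json, math, secrets, time

# DER DigestInfo prefix for SHA-256 in RSASSA-PKCS1-v1_5 (RFC 8017, section 9.2).
SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")

class IdTokenError(Exception):
    """The token must not be accepted as proof that a user logged in."""

def b64u(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64u_dec(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _probable_prime(n, rounds=16):
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):  # Miller-Rabin with random bases
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def _prime(bits):
    while True:
        c = secrets.randbits(bits) | (3 << (bits - 2)) | 1  # top two bits set, odd
        if _probable_prime(c):
            return c

def demo_keypair(bits=2048, e=65537):  # constructed throwaway key, demo only
    while True:
        p, q = _prime(bits // 2), _prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and math.gcd(e, phi) == 1:
            return p * q, e, pow(e, -1, phi)  # (n, e, d)

def _emsa(signing_input, k):  # EMSA-PKCS1-v1_5 encoding of the SHA-256 digest
    t = SHA256_DIGESTINFO + hashlib.sha256(signing_input).digest()
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t

def issue_id_token(claims, n, d):
    """Server side: sign the claims as a compact RS256 JWS."""
    head = b64u(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    signing_input = head + "." + b64u(json.dumps(claims).encode())
    k = (n.bit_length() + 7) // 8
    sig = pow(int.from_bytes(_emsa(signing_input.encode(), k), "big"), d, n)
    return signing_input + "." + b64u(sig.to_bytes(k, "big"))

def verify_id_token(token, n, e, issuer, client_id, nonce, max_age=None, now=None):
    """Client side: return the claims, or raise IdTokenError."""
    now = time.time() if now is None else now
    try:
        h64, p64, s64 = token.split(".")
        header, claims = json.loads(b64u_dec(h64)), json.loads(b64u_dec(p64))
        sig = b64u_dec(s64)
    except ValueError as exc:
        raise IdTokenError("malformed token") from exc
    if not isinstance(header, dict) or not isinstance(claims, dict):
        raise IdTokenError("malformed token")
    if header.get("alg") != "RS256":  # the header never chooses the algorithm
        raise IdTokenError("unexpected alg")
    k, s = (n.bit_length() + 7) // 8, int.from_bytes(sig, "big")
    if len(sig) != k or s >= n:
        raise IdTokenError("bad signature")
    expected = _emsa(f"{h64}.{p64}".encode(), k)
    if not hmac.compare_digest(pow(s, e, n).to_bytes(k, "big"), expected):
        raise IdTokenError("bad signature")
    if claims.get("iss") != issuer:
        raise IdTokenError("wrong issuer")
    aud = claims.get("aud")  # the audience of an ID token is the client itself
    if client_id not in (aud if isinstance(aud, list) else [aud]):
        raise IdTokenError("audience is not this client")
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        raise IdTokenError("expired")
    if not nonce or claims.get("nonce") != nonce:  # this client always sends one
        raise IdTokenError("nonce mismatch")
    if max_age is not None:
        auth_time = claims.get("auth_time")
        if not isinstance(auth_time, (int, float)) or now - auth_time > max_age:
            raise IdTokenError("authentication too old")
    return claims

if __name__ == "__main__":  # constructed sample values
    n, e, d = demo_keypair()
    tok = issue_id_token({"iss": "https://idp.example", "sub": "user-123",
        "aud": "client-a", "exp": time.time() + 300, "nonce": "n-abc"}, n, d)
    print(verify_id_token(tok, n, e, "https://idp.example", "client-a", "n-abc"))
```

A token that the same issuer signed for a different client passes the signature check and is stopped only by the audience check, which is the injection case a bare access token cannot rule out.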




--_000_5c5c607231e644f697c5a60b75688013BY2PR03MB189namprd03pro_
Content-Type: text/html; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable

<html xmlns:v=3D"urn:schemas-microsoft-com:vml" xmlns:o=3D"urn:schemas-micr=
osoft-com:office:office" xmlns:w=3D"urn:schemas-microsoft-com:office:word" =
xmlns:m=3D"http://schemas.microsoft.com/office/2004/12/omml" xmlns=3D"http:=
//www.w3.org/TR/REC-html40">
<head>
<meta http-equiv=3D"Content-Type" content=3D"text/html; charset=3Dus-ascii"=
>
<meta name=3D"Generator" content=3D"Microsoft Word 15 (filtered medium)">
</head>
<body lang=3D"EN-US" link=3D"blue" vlink=3D"purple">
<div class=3D"WordSection1">
<p class=3D"MsoNormal"><span style=3D"font-size:11.0pt;font-family:&quot;Ca=
libri&quot;,&quot;sans-serif&quot;;color:#1F497D">The proposal does not dup=
licate what OpenID does, there is clear benefit for returning an authentica=
tion result in the token request result. This is being proposed
 as optional JSON structure.<o:p></o:p></span></p>
<p class=3D"MsoNormal"><a name=3D"_MailEndCompose"><span style=3D"font-size=
:11.0pt;font-family:&quot;Calibri&quot;,&quot;sans-serif&quot;;color:#1F497=
D"><o:p>&nbsp;</o:p></span></a></p>
<div>
<div style=3D"border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0in =
0in 0in">
<p class=3D"MsoNormal"><b><span style=3D"font-size:11.0pt;font-family:&quot=
;Calibri&quot;,&quot;sans-serif&quot;">From:</span></b><span style=3D"font-=
size:11.0pt;font-family:&quot;Calibri&quot;,&quot;sans-serif&quot;"> oauth-=
bounces@ietf.org [mailto:oauth-bounces@ietf.org]
<b>On Behalf Of </b>Bill Mills<br>
<b>Sent:</b> Wednesday, July 31, 2013 2:50 PM<br>
<b>To:</b> Prateek Mishra; Nat Sakimura<br>
<b>Cc:</b> oauth@ietf.org WG<br>
<b>Subject:</b> Re: [OAUTH-WG] Need for Extending OAuth with AuthN (was Re:=
 Fwd: New Version Notification for draft-hunt-oauth-v2-user-a4c-00.txt)<o:p=
></o:p></span></p>
</div>
</div>
<p class=3D"MsoNormal"><o:p>&nbsp;</o:p></p>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white"><span style=3D"font-famil=
y:&quot;Courier New&quot;;color:black">Rather than extending OAuth for some=
thing OpenID already does... &nbsp;why don't we get a simple informational =
example doc to show how to implement the most basic OpenID
 service, which is the same functionality on a standard that's already writ=
ten?<o:p></o:p></span></p>
</div>
<div>
<p class=3D"MsoNormal"><span style=3D"font-family:&quot;Courier New&quot;;c=
olor:black"><o:p>&nbsp;</o:p></span></p>
</div>
<div>
<p class=3D"MsoNormal"><span style=3D"font-family:&quot;Courier New&quot;;c=
olor:black">This is sounding more and more like a documentation problem.<o:=
p></o:p></span></p>
</div>
<div>
<p class=3D"MsoNormal" style=3D"background:white"><span style=3D"font-famil=
y:&quot;Courier New&quot;;color:black"><o:p>&nbsp;</o:p></span></p>
</div>
<div>
<div>
<div>
<div class=3D"MsoNormal" align=3D"center" style=3D"text-align:center;backgr=
ound:white">
<span style=3D"color:black">
<hr size=3D"1" width=3D"100%" align=3D"center">
</span></div>
<p class=3D"MsoNormal" style=3D"background:white"><b><span style=3D"font-si=
ze:10.0pt;font-family:&quot;Arial&quot;,&quot;sans-serif&quot;;color:black"=
>From:</span></b><span style=3D"font-size:10.0pt;font-family:&quot;Arial&qu=
ot;,&quot;sans-serif&quot;;color:black"> Prateek Mishra &lt;<a href=3D"mail=
to:prateek.mishra@oracle.com">prateek.mishra@oracle.com</a>&gt;<br>
<b>To:</b> Nat Sakimura &lt;<a href=3D"mailto:sakimura@gmail.com">sakimura@=
gmail.com</a>&gt;
<br>
<b>Cc:</b> &quot;<a href=3D"mailto:oauth@ietf.org%20WG">oauth@ietf.org WG</=
a>&quot; &lt;<a href=3D"mailto:oauth@ietf.org">oauth@ietf.org</a>&gt;
<br>
<b>Sent:</b> Wednesday, July 31, 2013 2:38 PM<br>
<b>Subject:</b> [OAUTH-WG] Need for Extending OAuth with AuthN (was Re: Fwd=
: New Version Notification for draft-hunt-oauth-v2-user-a4c-00.txt)</span><=
span style=3D"color:black"><o:p></o:p></span></p>
</div>
<div>
<p class=3D"MsoNormal" style=3D"background:white"><span style=3D"color:blac=
k"><o:p>&nbsp;</o:p></span></p>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white"><span style=3D"color:blac=
k">Nat - <br>
<br>
thanks for the detailed response. I did review the links you sent out but i=
t remained unclear to me which<br>
features are MTI and which are not. For example, there is nothing in the Ba=
sic Client Profile that suggests<br>
that Section 2.3 is optional. I also could not find any definition for &quo=
t; non-dynamic OpenID Connect Server&quot;.<br>
<br>
I don't think there is a need to duplicate portions of the draft specificat=
ion text in a new document. One solution<br>
that was used in SAML 2.0 was to define a conformance document which descri=
bed several different
<br>
operational modes and explained how only a small set of features needed to =
be implemented in certain modes.<br>
<br>
<a href=3D"http://docs.oasis-open.org/security/saml/v2.0/saml-conformance-2=
.0-os.pdf" target=3D"_blank">http://docs.oasis-open.org/security/saml/v2.0/=
saml-conformance-2.0-os.pdf</a><br>
<br>
There are probably other smarter ways to achieve the same effect.<br>
<br>
Given this situation, I do think it's a reasonable task for the OAuth commu=
nity to consider the need for
<br>
a minimal extension to OAuth that accommodates authentication. The communit=
y should be made aware that
<br>
RFC 6749 is being misused for federated authentication, as explained in&nbs=
p; -&nbsp; <br>
<br>
<a href=3D"http://www.independentid.com/2013/07/simple-authentication-for-o=
auth-2-what.html" target=3D"_blank">http://www.independentid.com/2013/07/si=
mple-authentication-for-oauth-2-what.html</a>
<br>
<br>
and that there doesn't appear to be a simple solution that is currently ava=
ilable. It would be great if it turned<br>
out that OpenID Connect offered such a solution but that isn't clear to me.=
<br>
<br>
Thx,<br>
prateek<o:p></o:p></span></p>
<div>
<p class=3D"MsoNormal" style=3D"background:white"><span style=3D"color:blac=
k"><o:p>&nbsp;</o:p></span></p>
</div>
<blockquote style=3D"margin-top:5.0pt;margin-bottom:5.0pt">
<div>
<p class=3D"MsoNormal" style=3D"background:white"><span style=3D"color:blac=
k"><o:p>&nbsp;</o:p></span></p>
<div>
<p class=3D"MsoNormal" style=3D"margin-bottom:12.0pt;background:white"><spa=
n style=3D"color:black">Inline:&nbsp;<o:p></o:p></span></p>
<div>
<p class=3D"MsoNormal" style=3D"background:white"><span style=3D"color:blac=
k">2013/7/31 Prateek Mishra &lt;<a href=3D"mailto:prateek.mishra@oracle.com=
" target=3D"_blank">prateek.mishra@oracle.com</a>&gt;<o:p></o:p></span></p>
<blockquote style=3D"border:none;border-left:solid #CCCCCC 1.0pt;padding:0i=
n 0in 0in 6.0pt;margin-left:4.8pt;margin-right:0in">
<div>
<p class=3D"MsoNormal" style=3D"background:white"><span style=3D"color:blac=
k">Nat - <br>
<br>
your blog posting is helpful to those of us who are looking for a minimal e=
xtension of OAuth with
<br>
an authenticator.&nbsp; Many implementors are seeking a modest extension of=
 OAuth, not an entire new protocol<br>
stack. &nbsp; I believe that is the point of Phil Hunt's proposal to the OA=
uth committee.<br>
<br>
I do have some questions for about the statements made in the blog - <br>
<br>
A) Can you direct me to a single OpenID Connect draft specification documen=
t where steps 1 and 2 are described?<o:p></o:p></span></p>
</div>
</blockquote>
<div>
<p class=3D"MsoNormal" style=3D"background:white"><span style=3D"color:blac=
k"><o:p>&nbsp;</o:p></span></p>
</div>
<div>
<p class=3D"MsoNormal" style=3D"background:white"><span style=3D"color:blac=
k">Actually, it is not a single spec, that the Standard is referencing othe=
rs.&nbsp;<o:p></o:p></span></p>
</div>
<div>
<p class=3D"MsoNormal" style=3D"background:white"><span style=3D"color:blac=
k">The Standard is kind of cluttered because it has 6 response types and th=
ree request types in it.&nbsp;<o:p></o:p></span></p>
</div>
<div>
<p class=3D"MsoNormal" style=3D"background:white"><span style=3D"color:blac=
k">I suppose it would be much easier for the readers to split them into coh=
erent pieces, though that means duplicate texts.&nbsp;<o:p></o:p></span></p=
>
</div>
<div>
<p class=3D"MsoNormal" style=3D"background:white"><span style=3D"color:blac=
k"><o:p>&nbsp;</o:p></span></p>
</div>
<div>
<p class=3D"MsoNormal" style=3D"background:white"><span style=3D"color:blac=
k">The easiest approach here is to read the Basic Client Profile.&nbsp;<a h=
ref=3D"http://openid.net/specs/openid-connect-basic-1_0-28.html" target=3D"=
_blank">http://openid.net/specs/openid-connect-basic-1_0-28.html</a><o:p></=
o:p></span></p>
</div>
<div>
<p class=3D"MsoNormal" style=3D"background:white"><span style=3D"color:blac=
k">Then, read&nbsp;OAuth 2.0 Multiple Response Type Encoding Practices&nbsp=
;<a href=3D"http://openid.net/specs/oauth-v2-multiple-response-types-1_0-08=
.html" target=3D"_blank">http://openid.net/specs/oauth-v2-multiple-response=
-types-1_0-08.html</a>&nbsp;.&nbsp;<o:p></o:p></span></p>
</div>
<div>
<p class=3D"MsoNormal" style=3D"background:white"><span style=3D"color:blac=
k"><o:p>&nbsp;</o:p></span></p>
</div>
<blockquote style=3D"border:none;border-left:solid #CCCCCC 1.0pt;padding:0i=
n 0in 0in 6.0pt;margin-left:4.8pt;margin-right:0in">
<div>
<p class=3D"MsoNormal" style=3D"background:white"><span style=3D"color:blac=
k"><br>
B) If I implement steps 1 and 2, do I then have a conformant OpenID Connect=
 implementation? Are there no
<br>
other MTI protocol exchanges in OpenID Connect?<o:p></o:p></span></p>
</div>
</blockquote>
<div>
<p class=3D"MsoNormal" style=3D"background:white"><span style=3D"color:blac=
k"><o:p>&nbsp;</o:p></span></p>
</div>
<div>
<p class=3D"MsoNormal" style=3D"background:white"><span style=3D"color:blac=
k">Yes, for a non-dynamic OpenID Connect Server.&nbsp;<o:p></o:p></span></p=
>
</div>
<div>
<p class=3D"MsoNormal" style=3D"background:white"><span style=3D"color:blac=
k"><o:p>&nbsp;</o:p></span></p>
</div>
<div>
<p class=3D"MsoNormal" style=3D"background:white"><span style=3D"color:blac=
k">Nat<o:p></o:p></span></p>
</div>
<div>
<p class=3D"MsoNormal" style=3D"background:white"><span style=3D"color:blac=
k">&nbsp;&nbsp;<o:p></o:p></span></p>
</div>
<blockquote style=3D"border:none;border-left:solid #CCCCCC 1.0pt;padding:0i=
n 0in 0in 6.0pt;margin-left:4.8pt;margin-right:0in">
<div>
<p class=3D"MsoNormal" style=3D"background:white"><span style=3D"color:blac=
k"><br>
Thanks,<br>
prateek <o:p></o:p></span></p>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white"><span style=3D"color:blac=
k"><br>
<br>
&nbsp; &nbsp; <o:p></o:p></span></p>
<div>
<p class=3D"MsoNormal" style=3D"background:white"><span style=3D"color:blac=
k"><o:p>&nbsp;</o:p></span></p>
</div>
<blockquote style=3D"margin-top:5.0pt;margin-bottom:5.0pt">
<div>
<p class=3D"MsoNormal" style=3D"background:white"><span style=3D"color:blac=
k">I have written a short blog post titled &quot;<a href=3D"http://nat.saki=
mura.org/2013/07/28/write-openid-connect-server-in-three-simple-steps/" tar=
get=3D"_blank">Write an OpenID Connect server in
 three simple steps</a>&quot;.&nbsp; <o:p></o:p></span></p>
<div>
<p class=3D"MsoNormal" style=3D"background:white"><span style=3D"color:blac=
k"><o:p>&nbsp;</o:p></span></p>
</div>
<div>
<p class=3D"MsoNormal" style=3D"background:white"><span style=3D"color:blac=
k">Really, there is not much you need to on top of OAuth 2.0.&nbsp;<o:p></o=
:p></span></p>
</div>
<div>
<p class=3D"MsoNormal" style=3D"background:white"><span style=3D"color:blac=
k"><o:p>&nbsp;</o:p></span></p>
</div>
<div>
<p class=3D"MsoNormal" style=3D"background:white"><span style=3D"color:blac=
k">It puzzles me why you need to create a draft with only minor variances i=
n parameter names.&nbsp;<o:p></o:p></span></p>
</div>
<div>
<p class=3D"MsoNormal" style=3D"background:white"><span style=3D"color:blac=
k"><o:p>&nbsp;</o:p></span></p>
</div>
<blockquote style=3D"margin-left:30.0pt;margin-right:0in">
<div>
<p class=3D"MsoNormal" style=3D"background:white"><span style=3D"color:blac=
k">e.g.,&nbsp;<o:p></o:p></span></p>
</div>
<div>
<p class=3D"MsoNormal" style=3D"background:white"><span style=3D"color:blac=
k">session instead of id_token<o:p></o:p></span></p>
</div>
<div>
<p class=3D"MsoNormal" style=3D"background:white"><span style=3D"color:blac=
k">lat instead of iat<o:p></o:p></span></p>
</div>
<div>
<p class=3D"MsoNormal" style=3D"background:white"><span style=3D"color:blac=
k">alv instead of acr<o:p></o:p></span></p>
</div>
<div>
<p class=3D"MsoNormal" style=3D"background:white"><span style=3D"color:blac=
k">etc.&nbsp;<o:p></o:p></span></p>
</div>
</blockquote>
<div>
<p class=3D"MsoNormal" style=3D"background:white"><span style=3D"color:blac=
k"><o:p>&nbsp;</o:p></span></p>
</div>
<div>
<p class=3D"MsoNormal" style=3D"background:white"><span style=3D"color:blac=
k">If you change those parameter names, you will have a conformant profile =
of OpenID Connect.&nbsp;<o:p></o:p></span></p>
</div>
<div>
<p class=3D"MsoNormal" style=3D"background:white"><span style=3D"color:blac=
k"><o:p>&nbsp;</o:p></span></p>
</div>
<div>
<p class=3D"MsoNormal" style=3D"background:white"><span style=3D"color:blac=
k">Nat<o:p></o:p></span></p>
</div>
</div>
<div>
<p class=3D"MsoNormal" style=3D"margin-bottom:12.0pt;background:white"><spa=
n style=3D"color:black"><o:p>&nbsp;</o:p></span></p>
<div>
<p class=3D"MsoNormal" style=3D"background:white"><span style=3D"color:blac=
k">2013/7/31 John Bradley &lt;<a href=3D"mailto:ve7jtb@ve7jtb.com" target=
=3D"_blank">ve7jtb@ve7jtb.com</a>&gt;<o:p></o:p></span></p>
<blockquote style=3D"border:none;border-left:solid #CCCCCC 1.0pt;padding:0i=
n 0in 0in 6.0pt;margin-left:4.8pt;margin-right:0in">
<div>
<p class=3D"MsoNormal" style=3D"background:white"><span style=3D"color:blac=
k">Connect doesn't require a userinfo endpoint. &nbsp; It is required for i=
nteroperability if you are building an open IdP. &nbsp; For an enterprise t=
ype deployment discovery, registration, userinfo
 are all optional. <o:p></o:p></span></p>
<div>
<p class=3D"MsoNormal" style=3D"background:white"><span style=3D"color:blac=
k"><o:p>&nbsp;</o:p></span></p>
</div>
<div>
<p class=3D"MsoNormal" style=3D"background:white"><span style=3D"color:blac=
k">The server is required to pass the nonce which is equivalent to a reques=
t ID through to the JWT if the client sends it in the request.<o:p></o:p></=
span></p>
</div>
<div>
<p class=3D"MsoNormal" style=3D"background:white"><span style=3D"color:blac=
k"><o:p>&nbsp;</o:p></span></p>
</div>
<div>
<p class=3D"MsoNormal" style=3D"background:white"><span style=3D"color:blac=
k">Justin is correct.<o:p></o:p></span></p>
</div>
<div>
<p class=3D"MsoNormal" style=3D"background:white"><span style=3D"color:blac=
k"><o:p>&nbsp;</o:p></span></p>
</div>
<div>
<p class=3D"MsoNormal" style=3D"background:white"><span style=3D"color:blac=
k">John B. <o:p>
</o:p></span></p>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white"><span style=3D"color:blac=
k"><o:p>&nbsp;</o:p></span></p>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white"><span style=3D"color:blac=
k">On 2013-07-30, at 5:30 PM, Phil Hunt &lt;<a href=3D"mailto:phil.hunt@ora=
cle.com" target=3D"_blank">phil.hunt@oracle.com</a>&gt; wrote:<o:p></o:p></=
span></p>
</div>
<p class=3D"MsoNormal" style=3D"background:white"><span style=3D"color:blac=
k"><br>
<br>
<o:p></o:p></span></p>
<blockquote style=3D"margin-top:5.0pt;margin-bottom:5.0pt">
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white"><span style=3D"color:blac=
k">Forgot reply all.<br>
<br>
Phil<o:p></o:p></span></p>
</div>
<div>
<p class=3D"MsoNormal" style=3D"margin-bottom:12.0pt;background:white"><spa=
n style=3D"color:black"><br>
Begin forwarded message:<o:p></o:p></span></p>
</div>
<blockquote style=3D"margin-top:5.0pt;margin-bottom:5.0pt">
<p class=3D"MsoNormal" style=3D"margin-bottom:12.0pt;background:white"><b><=
span style=3D"color:black">From:</span></b><span style=3D"color:black"> Phi=
l Hunt &lt;<a href=3D"mailto:phil.hunt@oracle.com" target=3D"_blank">phil.h=
unt@oracle.com</a>&gt;<br>
<b>Date:</b> 30 July, 2013 17:25:46 GMT&#43;02:00<br>
<b>To:</b> &quot;Richer, Justin P.&quot; &lt;<a href=3D"mailto:jricher@mitr=
e.org" target=3D"_blank">jricher@mitre.org</a>&gt;<br>
<b>Subject:</b> <b>Re: [OAUTH-WG] New Version Notification for draft-hunt-o=
auth-v2-user-a4c-00.txt</b><o:p></o:p></span></p>
</blockquote>
<blockquote style=3D"margin-top:5.0pt;margin-bottom:5.0pt">
<div>
<p class=3D"MsoNormal" style=3D"background:white"><span style=3D"color:blac=
k">The whole point is authn only. Many do not want or need the userinfo end=
point.&nbsp;<br>
<br>
Phil<o:p></o:p></span></p>
</div>
<div>
<p class=3D"MsoNormal" style=3D"margin-bottom:12.0pt;background:white"><spa=
n style=3D"color:black"><br>
On 2013-07-30, at 17:17, &quot;Richer, Justin P.&quot; &lt;<a href=3D"mailt=
o:jricher@mitre.org" target=3D"_blank">jricher@mitre.org</a>&gt; wrote:<o:p=
></o:p></span></p>
</div>
<blockquote style=3D"margin-top:5.0pt;margin-bottom:5.0pt">
<p class=3D"MsoNormal" style=3D"background:white"><span style=3D"color:blac=
k">What do you mean? You absolutely can implement a compliant OIDC server n=
early as simply as this. The things that you're missing I think are necessa=
ry for basic interoperable functionality,
 and are things that other folks using OAuth for authentication have also i=
mplemented. Namely:
<o:p></o:p></span></p>
<div>
<p class=3D"MsoNormal" style=3D"background:white"><span style=3D"color:blac=
k"><o:p>&nbsp;</o:p></span></p>
</div>
<div>
<p class=3D"MsoNormal" style=3D"background:white"><span style=3D"color:blac=
k">&nbsp;- Signing the ID token (OIDC specifies the RS256 flavor of JWS, wh=
ich is easy to do with JWT). Without a signed and verifiable ID token or eq=
uivalent, you're asking for all kinds of token
 injection problems.<o:p></o:p></span></p>
</div>
<div>
<p class=3D"MsoNormal" style=3D"background:white"><span style=3D"color:blac=
k">&nbsp;- Session management requests (max auth age, auth time)<o:p></o:p>=
</span></p>
</div>
<div>
<p class=3D"MsoNormal" style=3D"background:white"><span style=3D"color:blac=
k">&nbsp;- Not fall over with other parameters that you don't support (disp=
lay, prompt, etc).<o:p></o:p></span></p>
</div>
<div>
<p class=3D"MsoNormal" style=3D"background:white"><span style=3D"color:blac=
k"><o:p>&nbsp;</o:p></span></p>
</div>
<div>
<p class=3D"MsoNormal" style=3D"background:white"><span style=3D"color:blac=
k">See here for more information:<o:p></o:p></span></p>
</div>
<div>
<p class=3D"MsoNormal" style=3D"background:white"><span style=3D"color:blac=
k"><o:p>&nbsp;</o:p></span></p>
</div>
<div>
<p class=3D"MsoNormal" style=3D"background:white"><span style=3D"color:blac=
k">&nbsp; <a href=3D"http://openid.net/specs/openid-connect-messages-1_0.ht=
ml#ServerMTI" target=3D"_blank">
http://openid.net/specs/openid-connect-messages-1_0.html#ServerMTI</a><o:p>=
</o:p></span></p>
</div>
<div>
<p class=3D"MsoNormal" style=3D"background:white"><span style=3D"color:blac=
k"><o:p>&nbsp;</o:p></span></p>
</div>
<div>
<p class=3D"MsoNormal" style=3D"background:white"><span style=3D"color:blac=
k">Additionally, something that's really important to support is the User I=
nfo Endpoint, so you can actually get user profile information beyond just =
the simple &quot;someone was here&quot; claim --
 this was the real value of Facebook Connect from an RP's perspective. Some=
 people will probably want to use SCIM for this, too, and that's fine.<o:p>=
</o:p></span></p>
</div>
<div>
<p class=3D"MsoNormal" style=3D"background:white"><span style=3D"color:blac=
k"><o:p>&nbsp;</o:p></span></p>
</div>
<div>
<p class=3D"MsoNormal" style=3D"background:white"><span style=3D"color:blac=
k">&nbsp;-- Justin<o:p></o:p></span></p>
</div>
<div>
<p class=3D"MsoNormal" style=3D"background:white"><span style=3D"color:blac=
k"><o:p>&nbsp;</o:p></span></p>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white"><span style=3D"color:blac=
k">On Jul 30, 2013, at 10:54 AM, Phil Hunt &lt;<a href=3D"mailto:phil.hunt@=
oracle.com" target=3D"_blank">phil.hunt@oracle.com</a>&gt;<o:p></o:p></span=
></p>
</div>
<div>
<p class=3D"MsoNormal" style=3D"background:white"><span style=3D"color:blac=
k">&nbsp;wrote:<o:p></o:p></span></p>
</div>
<p class=3D"MsoNormal" style=3D"background:white"><span style=3D"color:blac=
k"><br>
<br>
<o:p></o:p></span></p>
<blockquote style=3D"margin-top:5.0pt;margin-bottom:5.0pt">
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white"><span style=3D"color:blac=
k">The oidc specs do not allow this simple an implementation. The spec memb=
ers have not shown interest in making changes as they say they are too far =
down the road.<o:p></o:p></span></p>
</div>
<div>
<p class=3D"MsoNormal" style=3D"background:white"><span style=3D"color:blac=
k"><o:p>&nbsp;</o:p></span></p>
</div>
<div>
<p class=3D"MsoNormal" style=3D"background:white"><span style=3D"color:blac=
k">I have tried to make my draft as close as possible to oidc but maybe it =
shouldn't be clarity wise. I am interested in what the group feels is clear=
est.&nbsp;<o:p></o:p></span></p>
</div>
<div>
<p class=3D"MsoNormal" style=3D"background:white"><span style=3D"color:blac=
k"><o:p>&nbsp;</o:p></span></p>
</div>
<div>
<p class=3D"MsoNormal" style=3D"background:white"><span style=3D"color:blac=
k">From an ietf perspective the concern is improper use of the 6749 for aut=
hn. Is this a bug or gap we need to address?<br>
<br>
Phil<o:p></o:p></span></p>
</div>
<div>
<p class=3D"MsoNormal" style=3D"margin-bottom:12.0pt;background:white"><spa=
n style=3D"color:black"><br>
On 2013-07-30, at 16:46, &quot;Richer, Justin P.&quot; &lt;<a href=3D"mailt=
o:jricher@mitre.org" target=3D"_blank">jricher@mitre.org</a>&gt; wrote:<o:p=
></o:p></span></p>
</div>
<blockquote style=3D"margin-top:5.0pt;margin-bottom:5.0pt">
<p class=3D"MsoNormal" style=3D"background:white"><span style=3D"color:blac=
k">From what I read, you've defined something that uses an OAuth 2 code flo=
w to get an extra token which is specified as a JWT. You named it &quot;ses=
sion_token&quot; instead of &quot;id_token&quot;, and you've
 left off the User Information Endpoint -- but other than that, this is exa=
ctly the Basic Client for OpenID Connect. In other words, if you change the=
 names on things you've got OIDC, but without the capabilities to go beyond=
 a very basic &quot;hey there's a user
 here&quot; claim. This is the same place that OpenID 2.0 started, and it w=
as very, very quickly extended with SREG, AX, PAPE, and others for it to be=
 useful in the real world of distributed logins. You've also left out disco=
very and registration which are required
 for distributed deployments, but I'm guessing that those would be modular =
components that could be added in (like they are in OIDC).&nbsp;
<o:p></o:p></span></p>
<div>
<p class=3D"MsoNormal" style=3D"background:white"><span style=3D"color:blac=
k"><o:p>&nbsp;</o:p></span></p>
</div>
<div>
<p class=3D"MsoNormal" style=3D"background:white"><span style=3D"color:blac=
k">I've heard complaints that OIDC is complicated, but it's really not. Yes=
, I agree that the giant stack of documents is intimidating and in my opini=
on it's a bit of a mess with Messages
 and Standard split up (but I lost that argument years ago). However, at th=
e core, you've got an OAuth2 authorization server that spits out access tok=
ens and id tokens. The id token is a JWT with some known claims (iss, sub, =
etc) and is issued alongside the
 access token, and its audience is the *client* and not the *protected reso=
urce*. The access token is a regular old access token and its format is und=
efined (so you can use it with an existing OAuth2 server setup, like we hav=
e), and it can be used at the User
 Info Endpoint to get profile information about the user who authenticated.=
 It could also be used for other services if your AS/IdP protects multiple =
things.<o:p></o:p></span></p>
</div>
<div>
<p class=3D"MsoNormal" style=3D"background:white"><span style=3D"color:blac=
k"><o:p>&nbsp;</o:p></span></p>
</div>
<div>
<p class=3D"MsoNormal" style=3D"background:white"><span style=3D"color:blac=
k">So I guess what I'm missing is what's the value proposition in this spec=
 when we have something that can do this already? And this doesn't seem to =
do anything different (apart from syntax
 changes)?<o:p></o:p></span></p>
</div>
<div>
<p class=3D"MsoNormal" style=3D"background:white"><span style=3D"color:blac=
k"><o:p>&nbsp;</o:p></span></p>
</div>
<div>
<p class=3D"MsoNormal" style=3D"background:white"><span style=3D"color:blac=
k">&nbsp;-- Justin<o:p></o:p></span></p>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white"><span style=3D"color:blac=
k"><o:p>&nbsp;</o:p></span></p>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white"><span style=3D"color:blac=
k">On Jul 29, 2013, at 4:14 AM, Phil Hunt &lt;<a href=3D"mailto:phil.hunt@o=
racle.com" target=3D"_blank">phil.hunt@oracle.com</a>&gt; wrote:<o:p></o:p>=
</span></p>
</div>
<p class=3D"MsoNormal" style=3D"background:white"><span style=3D"color:blac=
k"><br>
<br>
<o:p></o:p></span></p>
<blockquote style=3D"margin-top:5.0pt;margin-bottom:5.0pt">
<div>
<p class=3D"MsoNormal" style=3D"background:white"><span style=3D"color:blac=
k">FYI. &nbsp;I have been noticing a substantial number of sites acting as =
OAuth Clients using OAuth to authenticate users.
<o:p></o:p></span></p>
<div>
<p class=3D"MsoNormal" style=3D"background:white"><span style=3D"color:blac=
k"><o:p>&nbsp;</o:p></span></p>
</div>
<div>
<p class=3D"MsoNormal" style=3D"background:white"><span style=3D"color:blac=
k">I know several of us have blogged on the issue over the past year so I w=
on't re-hash it here. &nbsp;In short, many of us recommended OIDC as the co=
rrect methodology.<o:p></o:p></span></p>
</div>
<div>
<p class=3D"MsoNormal" style=3D"background:white"><span style=3D"color:blac=
k"><o:p>&nbsp;</o:p></span></p>
</div>
<div>
<p class=3D"MsoNormal" style=3D"background:white"><span style=3D"color:blac=
k">Nevertheless, I've spoken with a number of service providers who indic=
ate they are not ready to make the jump to OIDC, yet they agree there is a =
desire to support authentication only
 (whereas OIDC does IDP-like services).<o:p></o:p></span></p>
</div>
<div>
<p class=3D"MsoNormal" style=3D"background:white"><span style=3D"color:blac=
k"><o:p>&nbsp;</o:p></span></p>
</div>
<div>
<p class=3D"MsoNormal" style=3D"background:white"><span style=3D"color:blac=
k">This draft is intended as a minimum authentication only specification. &=
nbsp;I've tried to make it as compatible as possible with OIDC.<o:p></o:p><=
/span></p>
</div>
<div>
<p class=3D"MsoNormal" style=3D"background:white"><span style=3D"color:blac=
k"><o:p>&nbsp;</o:p></span></p>
</div>
<div>
<p class=3D"MsoNormal" style=3D"background:white"><span style=3D"color:blac=
k">For now, I've just posted to keep track of the issue so we can address a=
t the next re-chartering.<o:p></o:p></span></p>
</div>
<div>
<p class=3D"MsoNormal" style=3D"background:white"><span style=3D"color:blac=
k"><o:p>&nbsp;</o:p></span></p>
</div>
<div>
<p class=3D"MsoNormal" style=3D"background:white"><span style=3D"color:blac=
k">Happy to answer questions and discuss.&nbsp;<o:p></o:p></span></p>
</div>
<div>
<p class=3D"MsoNormal" style=3D"background:white"><span style=3D"color:blac=
k"><o:p>&nbsp;</o:p></span></p>
</div>
<div>
<div>
<div>
<div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white"><span style=3D"font-size:=
9.0pt;font-family:&quot;Helvetica&quot;,&quot;sans-serif&quot;;color:black"=
>Phil<o:p></o:p></span></p>
</div>
<div>
<p class=3D"MsoNormal" style=3D"background:white"><span style=3D"font-size:=
9.0pt;font-family:&quot;Helvetica&quot;,&quot;sans-serif&quot;;color:black"=
><o:p>&nbsp;</o:p></span></p>
</div>
<div>
<p class=3D"MsoNormal" style=3D"background:white"><span style=3D"font-size:=
9.0pt;font-family:&quot;Helvetica&quot;,&quot;sans-serif&quot;;color:black"=
>@independentid<o:p></o:p></span></p>
</div>
<div>
<p class=3D"MsoNormal" style=3D"background:white"><span style=3D"font-size:=
9.0pt;font-family:&quot;Helvetica&quot;,&quot;sans-serif&quot;;color:black"=
><a href=3D"http://www.independentid.com/" target=3D"_blank">www.independen=
tid.com</a><o:p></o:p></span></p>
</div>
</div>
<p class=3D"MsoNormal" style=3D"margin-bottom:13.5pt;background:white"><spa=
n style=3D"font-size:13.5pt;font-family:&quot;Helvetica&quot;,&quot;sans-se=
rif&quot;;color:black"><a href=3D"mailto:phil.hunt@oracle.com" target=3D"_b=
lank">phil.hunt@oracle.com</a><o:p></o:p></span></p>
</div>
<p class=3D"MsoNormal" style=3D"background:white"><span style=3D"font-size:=
13.5pt;font-family:&quot;Helvetica&quot;,&quot;sans-serif&quot;;color:black=
"><o:p>&nbsp;</o:p></span></p>
</div>
<p class=3D"MsoNormal" style=3D"background:white"><span style=3D"color:blac=
k"><br>
<br>
<o:p></o:p></span></p>
</div>
<div>
<p class=3D"MsoNormal" style=3D"background:white"><span style=3D"color:blac=
k"><o:p>&nbsp;</o:p></span></p>
<div>
<p class=3D"MsoNormal" style=3D"background:white"><span style=3D"color:blac=
k">Begin forwarded message:<o:p></o:p></span></p>
</div>
<p class=3D"MsoNormal" style=3D"background:white"><span style=3D"color:blac=
k"><br>
<br>
<o:p></o:p></span></p>
<blockquote style=3D"margin-top:5.0pt;margin-bottom:5.0pt">
<div>
<p class=3D"MsoNormal" style=3D"background:white"><b><span style=3D"font-si=
ze:13.5pt;font-family:&quot;Helvetica&quot;,&quot;sans-serif&quot;;color:bl=
ack">From:
</span></b><span style=3D"font-size:13.5pt;font-family:&quot;Helvetica&quot=
;,&quot;sans-serif&quot;;color:black"><a href=3D"mailto:internet-drafts@iet=
f.org" target=3D"_blank">internet-drafts@ietf.org</a></span><span style=3D"=
color:black"><o:p></o:p></span></p>
</div>
<div>
<p class=3D"MsoNormal" style=3D"background:white"><b><span style=3D"font-si=
ze:13.5pt;font-family:&quot;Helvetica&quot;,&quot;sans-serif&quot;;color:bl=
ack">Subject: New Version Notification for draft-hunt-oauth-v2-user-a4c-00.=
txt</span></b><span style=3D"color:black"><o:p></o:p></span></p>
</div>
<div>
<p class=3D"MsoNormal" style=3D"background:white"><b><span style=3D"font-si=
ze:13.5pt;font-family:&quot;Helvetica&quot;,&quot;sans-serif&quot;;color:bl=
ack">Date:
</span></b><span style=3D"font-size:13.5pt;font-family:&quot;Helvetica&quot=
;,&quot;sans-serif&quot;;color:black">29 July, 2013 9:49:41 AM GMT&#43;02:0=
0</span><span style=3D"color:black"><o:p></o:p></span></p>
</div>
<div>
<p class=3D"MsoNormal" style=3D"background:white"><b><span style=3D"font-si=
ze:13.5pt;font-family:&quot;Helvetica&quot;,&quot;sans-serif&quot;;color:bl=
ack">To:
</span></b><span style=3D"font-size:13.5pt;font-family:&quot;Helvetica&quot=
;,&quot;sans-serif&quot;;color:black">Phil Hunt &lt;<a href=3D"mailto:phil.=
hunt@yahoo.com" target=3D"_blank">phil.hunt@yahoo.com</a>&gt;, Phil Hunt &l=
t;<a href=3D"mailto:None@ietfa.amsl.com" target=3D"_blank">None@ietfa.amsl.=
com</a>&gt;,
 Phil Hunt &lt;&gt;</span><span style=3D"color:black"><o:p></o:p></span></p=
>
</div>
<p class=3D"MsoNormal" style=3D"background:white"><span style=3D"color:blac=
k"><o:p>&nbsp;</o:p></span></p>
<div>
<p class=3D"MsoNormal" style=3D"margin-bottom:12.0pt;background:white"><spa=
n style=3D"color:black"><br>
A new version of I-D, draft-hunt-oauth-v2-user-a4c-00.txt<br>
has been successfully submitted by Phil Hunt and posted to the<br>
IETF repository.<br>
<br>
Filename: draft-hunt-oauth-v2-user-a4c<br>
Revision: 00<br>
Title: OAuth 2.0 User Authentication For Client<br>
Creation date: 2013-07-29<br>
Group: Individual Submission<br>
Number of pages: 9<br>
URL: &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbs=
p;<a href=3D"http://www.ietf.org/internet-drafts/draft-hunt-oauth-v2-user-a=
4c-00.txt" target=3D"_blank">http://www.ietf.org/internet-drafts/draft-hunt=
-oauth-v2-user-a4c-00.txt</a><br>
Status: &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<a href=3D"ht=
tp://datatracker.ietf.org/doc/draft-hunt-oauth-v2-user-a4c" target=3D"_blan=
k">http://datatracker.ietf.org/doc/draft-hunt-oauth-v2-user-a4c</a><br>
Htmlized: &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<a href=3D"http://tools=
.ietf.org/html/draft-hunt-oauth-v2-user-a4c-00" target=3D"_blank">http://to=
ols.ietf.org/html/draft-hunt-oauth-v2-user-a4c-00</a><br>
<br>
<br>
Abstract:<br>
&nbsp;&nbsp;This specification defines a new OAuth2 endpoint that enables u=
ser<br>
&nbsp;&nbsp;authentication session information to be shared with client<br>
&nbsp;&nbsp;applications.<br>
<br>
<br>
<br>
<br>
Please note that it may take a couple of minutes from the time of submissio=
n<br>
until the htmlized version and diff are available at <a href=3D"http://tool=
s.ietf.org/" target=3D"_blank">
tools.ietf.org</a>.<br>
<br>
The IETF Secretariat<o:p></o:p></span></p>
</div>
</blockquote>
</div>
<p class=3D"MsoNormal" style=3D"background:white"><span style=3D"color:blac=
k"><o:p>&nbsp;</o:p></span></p>
</div>
</div>
<p class=3D"MsoNormal" style=3D"background:white"><span style=3D"color:blac=
k">_______________________________________________<br>
OAuth mailing list<br>
<a href=3D"mailto:OAuth@ietf.org" target=3D"_blank">OAuth@ietf.org</a><br>
<a href=3D"https://www.ietf.org/mailman/listinfo/oauth" target=3D"_blank">h=
ttps://www.ietf.org/mailman/listinfo/oauth</a><o:p></o:p></span></p>
</blockquote>
</div>
<p class=3D"MsoNormal" style=3D"background:white"><span style=3D"color:blac=
k"><o:p>&nbsp;</o:p></span></p>
</div>
</div>
</blockquote>
</div>
</blockquote>
</div>
<p class=3D"MsoNormal" style=3D"background:white"><span style=3D"color:blac=
k"><o:p>&nbsp;</o:p></span></p>
</div>
</blockquote>
</blockquote>
</div>
</blockquote>
</div>
<p class=3D"MsoNormal" style=3D"background:white"><span style=3D"color:blac=
k"><o:p>&nbsp;</o:p></span></p>
</div>
</div>
</div>
</div>
</blockquote>
</div>
<p class=3D"MsoNormal" style=3D"background:white"><span style=3D"color:blac=
k"><br>
<br clear=3D"all">
<o:p></o:p></span></p>
<div>
<p class=3D"MsoNormal" style=3D"background:white"><span style=3D"color:blac=
k"><o:p>&nbsp;</o:p></span></p>
</div>
<p class=3D"MsoNormal" style=3D"background:white"><span style=3D"color:blac=
k">-- <br>
Nat Sakimura (=3Dnat) <o:p></o:p></span></p>
<div>
<p class=3D"MsoNormal" style=3D"background:white"><span style=3D"color:blac=
k">Chairman, OpenID Foundation<br>
<a href=3D"http://nat.sakimura.org/" target=3D"_blank">http://nat.sakimura.=
org/</a><br>
@_nat_en<o:p></o:p></span></p>
</div>
</div>
<p class=3D"MsoNormal" style=3D"background:white"><span style=3D"color:blac=
k"><br>
<br>
<o:p></o:p></span></p>
</blockquote>
<p class=3D"MsoNormal" style=3D"background:white"><span style=3D"color:blac=
k"><o:p>&nbsp;</o:p></span></p>
</div>
</div>
</div>
</blockquote>
</div>
<p class=3D"MsoNormal" style=3D"background:white"><span style=3D"color:blac=
k"><br>
<br clear=3D"all">
<o:p></o:p></span></p>
<div>
<p class=3D"MsoNormal" style=3D"background:white"><span style=3D"color:blac=
k"><o:p>&nbsp;</o:p></span></p>
</div>
<p class=3D"MsoNormal" style=3D"background:white"><span style=3D"color:blac=
k">-- <br>
Nat Sakimura (=3Dnat) <o:p></o:p></span></p>
<div>
<p class=3D"MsoNormal" style=3D"background:white"><span style=3D"color:blac=
k">Chairman, OpenID Foundation<br>
<a href=3D"http://nat.sakimura.org/" target=3D"_blank">http://nat.sakimura.=
org/</a><br>
@_nat_en<o:p></o:p></span></p>
</div>
</div>
</div>
</blockquote>
<p class=3D"MsoNormal" style=3D"background:white"><span style=3D"color:blac=
k"><o:p>&nbsp;</o:p></span></p>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</body>
</html>

--_000_5c5c607231e644f697c5a60b75688013BY2PR03MB189namprd03pro_--

From ve7jtb@ve7jtb.com  Thu Aug  1 05:01:25 2013
Content-Type: multipart/signed; boundary="Apple-Mail=_37FC6A8E-28D2-49A0-811A-355071835062"; protocol="application/pkcs7-signature"; micalg=sha1
Mime-Version: 1.0 (Mac OS X Mail 6.5 \(1508\))
From: John Bradley <ve7jtb@ve7jtb.com>
In-Reply-To: <d779e887279f6db8f6bd976f67bd014d@lodderstedt-online.de>
Date: Thu, 1 Aug 2013 14:00:10 +0200
Message-Id: <9D0630BF-4BC0-44A8-90F1-3A56C6C4E64F@ve7jtb.com>
References: <283bcef4609ade8c26429390c1c81f9e@lodderstedt-online.de> <4E1F6AAD24975D4BA5B16804296739436B7394E4@TK5EX14MBXC284.redmond.corp.microsoft.com> <d779e887279f6db8f6bd976f67bd014d@lodderstedt-online.de>
To: Torsten Lodderstedt <torsten@lodderstedt.net>
X-Mailer: Apple Mail (2.1508)
Cc: "oauth@ietf.org WG" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] JWT/JWT Bearer Token Profile

--Apple-Mail=_37FC6A8E-28D2-49A0-811A-355071835062
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain;
	charset=us-ascii

That is what we are doing for connect.  If other applications like
Persona wind up using the same claims that is fine as long as the
semantics are the same.

On 2013-08-01, at 1:29 PM, Torsten Lodderstedt <torsten@lodderstedt.net> wrote:

> Hi Mike,
>
> thank you for your quick answer. Using the registry works for my use cases.
>
> regards,
> Torsten.
>
> On 01.08.2013 12:09, Mike Jones wrote:
>> If you want to propose that specific claims be added that are already
>> in widespread use, I suspect that the working group might be amenable
>> to that.  That being said, we've tried to be conservative and only
>> define claims in the JWT spec itself that there is clear prior art for
>> and which are therefore known to be of widespread general
>> applicability.
>> Also, there's no reason for all claims to be defined in the JWT spec
>> itself, since there's a JSON Web Token Claims Registry, and
>> implementations are free to/expected to use claims defined in the
>> registry that are not defined in the base spec.  In the case of the
>> "acr", "amr", and "auth_time" claims, those are already queued up to
>> be added to the registry when the OpenID Connect specs complete (see
>> the IANA Considerations section at
>> http://openid.net/specs/openid-connect-messages-1_0.html#ClaimsRegistry),
>> so there's not a compelling reason to also define them in the JWT
>> spec, as they'll be available in the registry whether we add them to
>> the JWT spec or not.
>> 				-- Mike
>> -----Original Message-----
>> From: oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] On
>> Behalf Of Torsten Lodderstedt
>> Sent: Thursday, August 01, 2013 2:21 AM
>> To: oauth@ietf.org WG
>> Subject: [OAUTH-WG] JWT/JWT Bearer Token Profile
>> Hi,
>> why does the JWT draft not specify any claim to represent information
>> about the authentication transaction itself, such as acr, amr or
>> auth_time? And in turn, JWT Bearer Token Profile also does not give
>> any processing rules. In my opinion, this may require additional
>> profiling of the JWT Bearer Token Profile for ID token processing, if
>> the receiving AS wants to apply a policy on the authentication.
>> regards,
>> Torsten.


--Apple-Mail=_37FC6A8E-28D2-49A0-811A-355071835062--

From rlb@ipv.sx  Thu Aug  1 05:11:03 2013
MIME-Version: 1.0
Date: Thu, 1 Aug 2013 14:08:18 +0200
Message-ID: <CAL02cgRusCLRxfUOYTcJyWYz9vQZa95DVkiy6ZvfMUW67NM-eg@mail.gmail.com>
From: Richard Barnes <rlb@ipv.sx>
To: "oauth@ietf.org WG" <oauth@ietf.org>
Content-Type: multipart/alternative; boundary=089e0117795b9182d304e2e1b2f9
Subject: [OAUTH-WG] Plaintext JWT bug

--089e0117795b9182d304e2e1b2f9
Content-Type: text/plain; charset=ISO-8859-1

It has come to my attention that JWT is using "alg":"none" to create
"Plaintext JWTs".  Some of us in JOSE believe that this "alg" value should
be removed, because of a risk of downgrade attacks.  In order to do that, a
suggested revision to JWT is below.  To summarize:
-- Plaintext JWTs are not JWSs.
-- They just have a header and payload (separated by a '.')
-- The header MUST NOT contain "alg", since there's no crypto going on

Thanks,
--Richard


-----BEGIN-----
6.  Plaintext JWTs

   To support use cases where the JWT content is secured by a means
   other than a signature and/or encryption contained within the JWT
   (such as a signature on a data structure containing the JWT), JWTs
   MAY also be created without a signature or encryption.  A plaintext
   JWT is the concatenation of a base64url-encoded JWT Header, a
   period ('.') character, and the base64url-encoded JWT Claims Set.

   The header of a plaintext JWT contains parameters drawn from the
   same set as the JWS header.  However, a JWT header MUST NOT contain an
   "alg" header parameter, since no cryptographic processing is being
   performed.

6.1.  Example Plaintext JWT

   The following example JWT Header declares that the encoded object is
   a Plaintext JWT:

     {"typ":"JWT"}

   Base64url encoding the octets of the UTF-8 representation of the JWT
   Header yields this Encoded JWT Header:

     eyJ0eXAiOiJKV1QifQ

   The following is an example of a JWT Claims Set:

     {"iss":"joe",
      "exp":1300819380,
      "http://example.com/is_root":true}

   Base64url encoding the octets of the UTF-8 representation of the JWT
   Claims Set yields this Encoded JWS Payload (with line breaks for
   display purposes only):

     eyJpc3MiOiJqb2UiLA0KICJleHAiOjEzMDA4MTkzODAsDQogImh0dHA6Ly9leGFt
     cGxlLmNvbS9pc19yb290Ijp0cnVlfQ

   Concatenating these parts in this order with a period ('.') character
   between the parts yields this complete JWT (with line breaks for
   display purposes only):

     eyJ0eXAiOiJKV1QifQ
     .
     eyJpc3MiOiJqb2UiLA0KICJleHAiOjEzMDA4MTkzODAsDQogImh0dHA6Ly9leGFt
     cGxlLmNvbS9pc19yb290Ijp0cnVlfQ


-----END-----

--089e0117795b9182d304e2e1b2f9--

From ve7jtb@ve7jtb.com  Thu Aug  1 05:14:03 2013
Content-Type: multipart/signed; boundary="Apple-Mail=_EB1EBA0C-A598-4926-B66B-BCCB0C116B52"; protocol="application/pkcs7-signature"; micalg=sha1
Mime-Version: 1.0 (Mac OS X Mail 6.5 \(1508\))
From: John Bradley <ve7jtb@ve7jtb.com>
In-Reply-To: <e1cdc1b2a4d1841d12938a900355121f@lodderstedt-online.de>
Date: Thu, 1 Aug 2013 14:13:03 +0200
Message-Id: <706472E2-DF7D-4963-8C07-552F3690D927@ve7jtb.com>
References: <e1cdc1b2a4d1841d12938a900355121f@lodderstedt-online.de>
To: Torsten Lodderstedt <torsten@lodderstedt.net>
X-Mailer: Apple Mail (2.1508)
Cc: "oauth@ietf.org WG" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Authz Header + client_id in message body

--Apple-Mail=_EB1EBA0C-A598-4926-B66B-BCCB0C116B52
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain;
	charset=us-ascii

Hmm allowing sending the client_id even if there is no authentication was
intended to mitigate cases where the client presenting the code or
refresh_token was not the one that requested it, and for logging.

I don't think the intention was to allow the client_id to be sent twice.

If it were my Token endpoint I would ignore the extra one and only process
the one sent as part of the authentication, if there is no authentication
then the value of the "client_id" parameter MUST match the client_id that
was used to request the token.

It is probably an open question if the request should be considered
malformed if it contains both.

Personally I would recommend that the client not do that.

Others may remember it differently.

John B.

On 2013-08-01, at 11:34 AM, Torsten Lodderstedt <torsten@lodderstedt.net> wrote:

> Hi,
>
> while setting up our OIDC interop tests, we ran into the following
> problem:
>
> The test client sends a request to the token endpoint, which contains
> the client credentials in an authorization header. Additionally, it adds
> the client_id to the message body. Our server treats this as an invalid
> request and responds with HTTP status code 400.
>
> Now my question: The last paragraph of RFC 6749, section 3.1
> (http://tools.ietf.org/html/rfc6749#section-3.2.1) states
>
> "A client MAY use the "client_id" request parameter to identify itself
>   when sending requests to the token endpoint."
>
> This seems to allow the client to send the client_id in addition to
> any other credential used to authenticate it.
>
> I'm not sure what the intention is/was. How is the server supposed to
> handle such cases? Shall it compare both ids (from the header and the
> body)? Must they match exactly?
>
> Any feedback is appreciated.
>
> regards,
> Torsten.


--Apple-Mail=_EB1EBA0C-A598-4926-B66B-BCCB0C116B52--
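
[Added example, not part of the thread and not any participant's code: a token endpoint's client identification for the case discussed above, where client_id arrives both in the Authorization header and in the body. The client table, the codes and the policy names "ignore", "reject" and "match" are assumptions made for illustration; only HTTP Basic client authentication and the authorization_code grant are modelled.]

```python
import base64
import hmac
from urllib.parse import quote_plus, unquote_plus

# Constructed sample data (not from the thread): registered clients and issued codes.
CLIENTS = {"s6BhdRkqt3": "gX1fBat3bV", "public-app": None}  # None = public client
CODES = {"code-conf-1": "s6BhdRkqt3", "code-pub-1": "public-app"}  # code -> issued to
POLICIES = ("ignore", "reject", "match")  # hypothetical names for the three options


class TokenError(Exception):
    """Carries the HTTP status and the OAuth error code for the response."""
    def __init__(self, status, error):
        super().__init__(error)
        self.status, self.error = status, error


def basic_header(client_id, secret):
    """Build the Authorization header a client sends (RFC 6749 section 2.3.1)."""
    raw = f"{quote_plus(client_id)}:{quote_plus(secret)}".encode()
    return "Basic " + base64.b64encode(raw).decode()


def parse_basic(header):
    """Return (client_id, secret) from an HTTP Basic header, or None if absent."""
    if not header:
        return None
    scheme, _, value = header.partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        decoded = base64.b64decode(value.strip(), validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        raise TokenError(400, "invalid_request")
    user, sep, secret = decoded.partition(":")
    if not sep:
        raise TokenError(400, "invalid_request")
    # Both values are form-urlencoded before being Basic-encoded.
    return unquote_plus(user), unquote_plus(secret)


def identify_client(auth_header, form, policy="ignore"):
    """Return (client_id, authenticated) or raise TokenError."""
    if policy not in POLICIES:
        raise ValueError(f"unknown policy: {policy}")
    creds = parse_basic(auth_header)
    body_id = form.get("client_id")
    if creds is not None:
        client_id, secret = creds
        expected = CLIENTS.get(client_id)
        if expected is None or not hmac.compare_digest(
                secret.encode(), expected.encode()):
            raise TokenError(401, "invalid_client")
        if body_id is not None:
            if policy == "reject":
                # Any client_id next to header credentials is malformed.
                raise TokenError(400, "invalid_request")
            if policy == "match" and body_id != client_id:
                raise TokenError(400, "invalid_request")
            # "ignore": only the authenticated identity is used.
        return client_id, True
    # No authentication: the body client_id is the only identity, and it is
    # accepted only for a registered public client.
    if body_id not in CLIENTS or CLIENTS[body_id] is not None:
        raise TokenError(401, "invalid_client")
    return body_id, False


def token_endpoint(auth_header, form, policy="ignore"):
    """Handle an authorization_code request; return (status, body)."""
    try:
        client_id, authenticated = identify_client(auth_header, form, policy)
        # Whether the identity came from the header or the body, the code
        # must have been issued to that same client.
        if CODES.get(form.get("code")) != client_id:
            raise TokenError(400, "invalid_grant")
    except TokenError as exc:
        return exc.status, {"error": exc.error}
    return 200, {"client_id": client_id, "authenticated": authenticated}


if __name__ == "__main__":
    hdr = basic_header("s6BhdRkqt3", "gX1fBat3bV")
    both = {"code": "code-conf-1", "client_id": "s6BhdRkqt3"}
    for p in POLICIES:
        print(p, token_endpoint(hdr, both, p))
    print("public, wrong code",
          token_endpoint(None, {"code": "code-conf-1", "client_id": "public-app"}))
```
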

From jricher@mitre.org  Thu Aug  1 05:15:49 2013
From: "Richer, Justin P." <jricher@mitre.org>
To: Anthony Nadalin <tonynad@microsoft.com>
Thread-Topic: [OAUTH-WG] Need for Extending OAuth with AuthN (was Re:	Fwd: New Version Notification for	draft-hunt-oauth-v2-user-a4c-00.txt)
Thread-Index: AQHOjjg6sjLzUwycnU6+35sJL4rSKJmAN+8ggABQRQA=
Date: Thu, 1 Aug 2013 12:15:24 +0000
Message-ID: <5D020B1E-531D-444E-A492-046D444D48D2@mitre.org>
References: <787A2184-CE90-49F4-ABB6-B8D049AE3941@oracle.com> <E2282016-1953-48A4-B0AC-7F138D29AB80@oracle.com> <BAB6DA63-5831-49D0-8CB9-13CF57F78806@ve7jtb.com> <CABzCy2C=DXtFUOZh=55xH_BwMz1Z8gb2ShUHAG7ZmATtc4E4zw@mail.gmail.com> <51F83EF7.6040201@oracle	<51F983E3.1020400@oracle.com> <1375307375.98370.YahooMailNeo@web142804.mail.bf1.yahoo.com> <5c5c607231e644f697c5a60b75688013@BY2PR03MB189.namprd03.prod.outlook.com>
In-Reply-To: <5c5c607231e644f697c5a60b75688013@BY2PR03MB189.namprd03.prod.outlook.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
x-originating-ip: [172.31.5.65]
Content-Type: multipart/alternative; boundary="_000_5D020B1E531D444EA492046D444D48D2mitreorg_"
MIME-Version: 1.0
Cc: "oauth@ietf.org WG" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Need for Extending OAuth with AuthN (was Re:	Fwd:	New Version Notification for	draft-hunt-oauth-v2-user-a4c-00.txt)

--_000_5D020B1E531D444EA492046D444D48D2mitreorg_
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable

Tony, you can already return the authn result from the token request (we
discussed this specifically in May as I recall). That's what the "idtoken"
and "code idtoken" responses are for in OpenID Connect. The proposed draft
is nearly a duplicate of the core functionality of OIDC.

 -- Justin

On Aug 1, 2013, at 7:31 AM, Anthony Nadalin <tonynad@microsoft.com> wrote:

The proposal does not duplicate what OpenID does, there is clear benefit
for returning an authentication result in the token request result. This is
being proposed as optional JSON structure.

From: oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] On Behalf Of Bill Mills
Sent: Wednesday, July 31, 2013 2:50 PM
To: Prateek Mishra; Nat Sakimura
Cc: oauth@ietf.org WG
Subject: Re: [OAUTH-WG] Need for Extending OAuth with AuthN (was Re: Fwd: New Version Notification for draft-hunt-oauth-v2-user-a4c-00.txt)

Rather than extending OAuth for something OpenID already does...  why don't
we get a simple informational example doc to show how to implement the most
basic OpenID service, which is the same functionality on a standard that's
already written?

This is sounding more and more like a documentation problem.

________________________________
From: Prateek Mishra <prateek.mishra@oracle.com>
To: Nat Sakimura <sakimura@gmail.com>
Cc: "oauth@ietf.org WG" <oauth@ietf.org>
Sent: Wednesday, July 31, 2013 2:38 PM
Subject: [OAUTH-WG] Need for Extending OAuth with AuthN (was Re: Fwd: New Version Notification for draft-hunt-oauth-v2-user-a4c-00.txt)

Nat -

thanks for the detailed response. I did review the links you sent out but
it remained unclear to me which features are MTI and which are not. For
example, there is nothing in the Basic Client Profile that suggests that
Section 2.3 is optional. I also could not find any definition for
"non-dynamic OpenID Connect Server".

I don't think there is a need to duplicate portions of the draft
specification text in a new document. One solution that was used in SAML
2.0 was to define a conformance document which described several different
operational modes and explained how only a small set of features needed to
be implemented in certain modes.

http://docs.oasis-open.org/security/saml/v2.0/saml-conformance-2.0-os.pdf

There are probably other smarter ways to achieve the same effect.

Given this situation, I do think it's a reasonable task for the OAuth
community to consider the need for a minimal extension to OAuth that
accommodates authentication. The community should be made aware that
RFC 6749 is being misused for federated authentication, as explained in -

http://www.independentid.com/2013/07/simple-authentication-for-oauth-2-what.html

and that there doesn't appear to be a simple solution that is currently
available. It would be great if it turned out that OpenID Connect offered
such a solution but that isn't clear to me.

Thx,
prateek


Inline:
2013/7/31 Prateek Mishra <prateek.mishra@oracle.com>
Nat -

your blog posting is helpful to those of us who are looking for a minimal
extension of OAuth with an authenticator.  Many implementors are seeking a
modest extension of OAuth, not an entire new protocol stack.   I believe
that is the point of Phil Hunt's proposal to the OAuth committee.

I do have some questions about the statements made in the blog -

A) Can you direct me to a single OpenID Connect draft specification
document where steps 1 and 2 are described?

Actually, it is not a single spec, that the Standard is referencing others.
The Standard is kind of cluttered because it has 6 response types and three
request types in it.
I suppose it would be much easier for the readers to split them into
coherent pieces, though that means duplicate texts.

The easiest approach here is to read the Basic Client Profile.
http://openid.net/specs/openid-connect-basic-1_0-28.html
Then, read OAuth 2.0 Multiple Response Type Encoding Practices
http://openid.net/specs/oauth-v2-multiple-response-types-1_0-08.html .


B) If I implement steps 1 and 2, do I then have a conformant OpenID Connect
implementation? Are there no other MTI protocol exchanges in OpenID
Connect?

Yes, for a non-dynamic OpenID Connect Server.

Nat


Thanks,
prateek




I have written a short blog post titled "Write an OpenID Connect server in
three simple steps"
<http://nat.sakimura.org/2013/07/28/write-openid-connect-server-in-three-simple-steps/>.

Really, there is not much you need to on top of OAuth 2.0.

It puzzles me why you need to create a draft with only minor variances in
parameter names.

e.g.,
session instead of id_token
lat instead of iat
alv instead of acr
etc.

If you change those parameter names, you will have a conformant profile of
OpenID Connect.

Nat

2013/7/31 John Bradley <ve7jtb@ve7jtb.com>
Connect doesn't require a userinfo endpoint.   It is required for
interoperability if you are building an open IdP.   For an enterprise type
deployment discovery, registration, userinfo are all optional.

The server is required to pass the nonce which is equivalent to a request
ID through to the JWT if the client sends it in the request.

Justin is correct.

John B.

On 2013-07-30, at 5:30 PM, Phil Hunt <phil.hunt@oracle.com> wrote:


Forgot reply all.

Phil

Begin forwarded message:
From: Phil Hunt <phil.hunt@oracle.com>
Date: 30 July, 2013 17:25:46 GMT+02:00
To: "Richer, Justin P." <jricher@mitre.org>
Subject: Re: [OAUTH-WG] New Version Notification for draft-hunt-oauth-v2-user-a4c-00.txt
The whole point is authn only. Many do not want or need the userinfo
endpoint.

Phil

On 2013-07-30, at 17:17, "Richer, Justin P." <jricher@mitre.org> wrote:
What do you mean? You absolutely can implement a compliant OIDC server
nearly as simply as this. The things that you're missing I think are
necessary for basic interoperable functionality, and are things that other
folks using OAuth for authentication have also implemented. Namely:

 - Signing the ID token (OIDC specifies the RS256 flavor of JWS, which is
   easy to do with JWT). Without a signed and verifiable ID token or
   equivalent, you're asking for all kinds of token injection problems.
 - Session management requests (max auth age, auth time)
 - Not fall over with other parameters that you don't support (display,
   prompt, etc).

See here for more information:

 http://openid.net/specs/openid-connect-messages-1_0.html#ServerMTI

Additionally, something that's really important to support is the User Info
Endpoint, so you can actually get user profile information beyond just the
simple "someone was here" claim -- this was the real value of Facebook
Connect from an RP's perspective. Some people will probably want to use
SCIM for this, too, and that's fine.

 -- Justin

On Jul 30, 2013, at 10:54 AM, Phil Hunt <phil.hunt@oracle.com> wrote:


The oidc specs do not allow this simple an implementation. The spec members
have not shown interest in making changes as they say they are too far down
the road.

I have tried to make my draft as close as possible to oidc but maybe it
shouldn't be clarity wise. I am interested in what the group feels is
clearest.

From an ietf perspective the concern is improper use of the 6749 for authn.
Is this a bug or gap we need to address?

Phil

On 2013-07-30, at 16:46, "Richer, Justin P." <jricher@mitre.org> wrote:
From what I read, you've defined something that uses an OAuth 2 code flow
to get an extra token which is specified as a JWT. You named it
"session_token" instead of "id_token", and you've left off the User
Information Endpoint -- but other than that, this is exactly the Basic
Client for OpenID Connect. In other words, if you change the names on
things you've got OIDC, but without the capabilities to go beyond a very
basic "hey there's a user here" claim. This is the same place that OpenID
2.0 started, and it was very, very quickly extended with SREG, AX, PAPE,
and others for it to be useful in the real world of distributed logins.
You've also left out discovery and registration which are required for
distributed deployments, but I'm guessing that those would be modular
components that could be added in (like they are in OIDC).

I've heard complaints that OIDC is complicated, but it's really not. Yes, I
agree that the giant stack of documents is intimidating and in my opinion
it's a bit of a mess with Messages and Standard split up (but I lost that
argument years ago). However, at the core, you've got an OAuth2
authorization server that spits out access tokens and id tokens. The id
token is a JWT with some known claims (iss, sub, etc) and is issued along
side the access token, and its audience is the *client* and not the
*protected resource*. The access token is a regular old access token and
its format is undefined (so you can use it with an existing OAuth2 server
setup, like we have), and it can be used at the User Info Endpoint to get
profile information about the user who authenticated. It could also be used
for other services if your AS/IdP protects multiple things.

So I guess what I'm missing is what's the value proposition in this spec
when we have something that can do this already? And this doesn't seem to
do anything different (apart from syntax changes)?

 -- Justin

On Jul 29, 2013, at 4:14 AM, Phil Hunt <phil.hunt@oracle.com> wrote:


FYI.  I have been noticing a substantial number of sites acting as OAuth
Clients using OAuth to authenticate users.

I know several of us have blogged on the issue over the past year so I
won't re-hash it here.  In short, many of us recommended OIDC as the
correct methodology.

Never-the-less, I've spoken with a number of service providers who indicate
they are not ready to make the jump to OIDC, yet they agree there is a
desire to support authentication only (where as OIDC does IDP-like
services).

This draft is intended as a minimum authentication only specification.
I've tried to make it as compatible as possible with OIDC.

For now, I've just posted to keep track of the issue so we can address at
the next re-chartering.

Happy to answer questions and discuss.

Phil

@independentid
www.independentid.com
phil.hunt@oracle.com




Begin forwarded message:


From: internet-drafts@ietf.org
Subject: New Version Notification for draft-hunt-oauth-v2-user-a4c-00.txt
Date: 29 July, 2013 9:49:41 AM GMT+02:00
To: Phil Hunt <phil.hunt@yahoo.com>, Phil Hunt <None@ietfa.amsl.com>, Phil Hunt <>


A new version of I-D, draft-hunt-oauth-v2-user-a4c-00.txt
has been successfully submitted by Phil Hunt and posted to the
IETF repository.

Filename: draft-hunt-oauth-v2-user-a4c
Revision: 00
Title: OAuth 2.0 User Authentication For Client
Creation date: 2013-07-29
Group: Individual Submission
Number of pages: 9
URL:             http://www.ietf.org/internet-drafts/draft-hunt-oauth-v2-user-a4c-00.txt
Status:          http://datatracker.ietf.org/doc/draft-hunt-oauth-v2-user-a4c
Htmlized:        http://tools.ietf.org/html/draft-hunt-oauth-v2-user-a4c-00


Abstract:
  This specification defines a new OAuth2 endpoint that enables user
  authentication session information to be shared with client
  applications.




Please note that it may take a couple of minutes from the time of submission
until the htmlized version and diff are available at tools.ietf.org.

The IETF Secretariat


--
Nat Sakimura (=nat)
Chairman, OpenID Foundation
http://nat.sakimura.org/
@_nat_en




--_000_5D020B1E531D444EA492046D444D48D2mitreorg_
Content-Type: text/html; charset="us-ascii"
Content-ID: <9F6203540B5E1A489F4D9BD618DB0A93@imc.mitre.org>
Content-Transfer-Encoding: quoted-printable

<html>
<head>
<meta http-equiv=3D"Content-Type" content=3D"text/html; charset=3Dus-ascii"=
>
</head>
<body style=3D"word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-lin=
e-break: after-white-space; ">
Tony, you can already return the authn result from the token request (we di=
scussed this specifically in May as I recall). That's what the &quot;idtoke=
n&quot; and &quot;code idtoken&quot; responses are for in OpenID Connect. T=
he proposed draft is nearly a duplicate of the core
 functionality of OIDC.
<div><br>
</div>
<div>&nbsp;-- Justin</div>
<div><br>
<div>
<div>On Aug 1, 2013, at 7:31 AM, Anthony Nadalin &lt;<a href=3D"mailto:tony=
nad@microsoft.com">tonynad@microsoft.com</a>&gt;</div>
<div>&nbsp;wrote:</div>
<br class=3D"Apple-interchange-newline">
<blockquote type=3D"cite">
<div lang=3D"EN-US" link=3D"blue" vlink=3D"purple" style=3D"font-family: He=
lvetica; font-size: medium; font-style: normal; font-variant: normal; font-=
weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; te=
xt-align: -webkit-auto; text-indent: 0px; text-transform: none; white-space=
: normal; widows: 2; word-spacing: 0px; -webkit-text-size-adjust: auto; -we=
bkit-text-stroke-width: 0px; ">
<div class=3D"WordSection1" style=3D"page: WordSection1; ">
<div style=3D"margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Time=
s New Roman', serif; ">
<span style=3D"font-size: 11pt; font-family: Calibri, sans-serif; color: rg=
b(31, 73, 125); ">The proposal does not duplicate what OpenID does, there i=
s clear benefit for returning an authentication result in the token request=
 result. This is being proposed as
 optional JSON structure.<o:p></o:p></span></div>
<div style=3D"margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Time=
s New Roman', serif; ">
<a name=3D"_MailEndCompose"><span style=3D"font-size: 11pt; font-family: Ca=
libri, sans-serif; color: rgb(31, 73, 125); ">&nbsp;</span></a></div>
<div>
<div style=3D"border-style: solid none none; border-top-width: 1pt; border-=
top-color: rgb(225, 225, 225); padding: 3pt 0in 0in; ">
<div style=3D"margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Time=
s New Roman', serif; ">
<b><span style=3D"font-size: 11pt; font-family: Calibri, sans-serif; ">From=
:</span></b><span style=3D"font-size: 11pt; font-family: Calibri, sans-seri=
f; "><span class=3D"Apple-converted-space">&nbsp;</span><a href=3D"mailto:o=
auth-bounces@ietf.org" style=3D"color: purple; text-decoration: underline; =
">oauth-bounces@ietf.org</a><span class=3D"Apple-converted-space">&nbsp;</s=
pan>[mailto:oauth-<a href=3D"mailto:bounces@ietf.org" style=3D"color: purpl=
e; text-decoration: underline; ">bounces@ietf.org</a>]<span class=3D"Apple-=
converted-space">&nbsp;</span><b>On
 Behalf Of<span class=3D"Apple-converted-space">&nbsp;</span></b>Bill Mills=
<br>
<b>Sent:</b><span class=3D"Apple-converted-space">&nbsp;</span>Wednesday, J=
uly 31, 2013 2:50 PM<br>
<b>To:</b><span class=3D"Apple-converted-space">&nbsp;</span>Prateek Mishra=
; Nat Sakimura<br>
<b>Cc:</b><span class=3D"Apple-converted-space">&nbsp;</span><a href=3D"mai=
lto:oauth@ietf.org" style=3D"color: purple; text-decoration: underline; ">o=
auth@ietf.org</a><span class=3D"Apple-converted-space">&nbsp;</span>WG<br>
<b>Subject:</b><span class=3D"Apple-converted-space">&nbsp;</span>Re: [OAUT=
H-WG] Need for Extending OAuth with AuthN (was Re: Fwd: New Version Notific=
ation for draft-hunt-oauth-v2-user-a4c-00.txt)<o:p></o:p></span></div>
</div>
</div>
<div style=3D"margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Time=
s New Roman', serif; ">
<o:p>&nbsp;</o:p></div>
<div>
<div>
<div style=3D"margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Time=
s New Roman', serif; background-color: white; ">
<span style=3D"font-family: 'Courier New'; ">Rather than extending OAuth fo=
r something OpenID already does... &nbsp;why don't we get a simple informat=
ional example doc to show how to implement the most basic OpenID service, w=
hich is the same functionality on a standard
 that's already written?<o:p></o:p></span></div>
</div>
<div>
<div style=3D"margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Time=
s New Roman', serif; ">
<span style=3D"font-family: 'Courier New'; ">&nbsp;</span></div>
</div>
<div>
<div style=3D"margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Time=
s New Roman', serif; ">
<span style=3D"font-family: 'Courier New'; ">This is sounding more and mor =
elike a documentation problem.<o:p></o:p></span></div>
</div>
<div>
<div style=3D"margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Time=
s New Roman', serif; background-color: white; ">
<span style=3D"font-family: 'Courier New'; ">&nbsp;</span></div>
</div>
<div>
<div>
<div class=3D"MsoNormal" align=3D"center" style=3D"margin: 0in 0in 0.0001pt=
; font-size: 12pt; font-family: 'Times New Roman', serif; text-align: cente=
r; background-color: white; background-position: initial initial; backgroun=
d-repeat: initial initial; ">
<span style=3D"">
<hr size=3D"1" width=3D"100%" align=3D"center">
</span></div>
<div style=3D"margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Time=
s New Roman', serif; background-color: white; ">
<b><span style=3D"font-size: 10pt; font-family: Arial, sans-serif; ">From:<=
/span></b><span style=3D"font-size: 10pt; font-family: Arial, sans-serif; "=
><span class=3D"Apple-converted-space">&nbsp;</span>Prateek Mishra &lt;<a h=
ref=3D"mailto:prateek.mishra@oracle.com" style=3D"color: purple; text-decor=
ation: underline; ">prateek.mishra@oracle.com</a>&gt;<br>
<b>To:</b><span class=3D"Apple-converted-space">&nbsp;</span>Nat Sakimura &=
lt;<a href=3D"mailto:sakimura@gmail.com" style=3D"color: purple; text-decor=
ation: underline; ">sakimura@gmail.com</a>&gt;<span class=3D"Apple-converte=
d-space">&nbsp;</span><br>
<b>Cc:</b><span class=3D"Apple-converted-space">&nbsp;</span>&quot;<a href=
=3D"mailto:oauth@ietf.org%20WG" style=3D"color: purple; text-decoration: un=
derline; ">oauth@ietf.org WG</a>&quot; &lt;<a href=3D"mailto:oauth@ietf.org=
" style=3D"color: purple; text-decoration: underline; ">oauth@ietf.org</a>&=
gt;<span class=3D"Apple-converted-space">&nbsp;</span><br>
<b>Sent:</b><span class=3D"Apple-converted-space">&nbsp;</span>Wednesday, J=
uly 31, 2013 2:38 PM<br>
<b>Subject:</b><span class=3D"Apple-converted-space">&nbsp;</span>[OAUTH-WG=
] Need for Extending OAuth with AuthN (was Re: Fwd: New Version Notificatio=
n for draft-hunt-oauth-v2-user-a4c-00.txt)</span><span style=3D""><o:p></o:=
p></span></div>
</div>
<div>
<div style=3D"margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Time=
s New Roman', serif; background-color: white; ">
<span style=3D"">&nbsp;</span></div>
<div>
<div style=3D"margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Time=
s New Roman', serif; background-color: white; ">
<span style=3D"">Nat -<span class=3D"Apple-converted-space">&nbsp;</span><b=
r>
<br>
thanks for the detailed response. I did review the links you sent out but i=
t remained unclear to me which<br>
features are MTI and which are not. For example, there is nothing in the Ba=
sic Client Profile that suggests<br>
that Section 2.3 is optional. I also could not find any definition for &quo=
t; non-dynamic OpenID Connect Server&quot;.<br>
<br>
I dont think there is a need to duplicate portions of the draft specificati=
on text in a new document. One solution<br>
that was used in SAML 2.0 was to define a conformance document which descri=
bed several different<span class=3D"Apple-converted-space">&nbsp;</span><br=
>
operational modes and explained how only a small set of features needed to =
be implemented in certain modes.<br>
<br>
<a href=3D"http://docs.oasis-open.org/security/saml/v2.0/saml-conformance-2=
.0-os.pdf" target=3D"_blank" style=3D"color: purple; text-decoration: under=
line; ">http://docs.oasis-open.org/security/saml/v2.0/saml-conformance-2.0-=
os.pdf</a><br>
<br>
There are probably other smarter ways to achieve the same effect.<br>
<br>
Given this situation, I do think its a reasonable task for the OAuth commun=
ity to consider the need for<span class=3D"Apple-converted-space">&nbsp;</s=
pan><br>
a minimal extension to OAuth that accommodates authentication. The communit=
y should be made aware that<span class=3D"Apple-converted-space">&nbsp;</sp=
an><br>
RFC 6749 is being misused for federated authentication, as explained in&nbs=
p; -&nbsp;<span class=3D"Apple-converted-space">&nbsp;</span><br>
<br>
<a href=3D"http://www.independentid.com/2013/07/simple-authentication-for-o=
auth-2-what.html" target=3D"_blank" style=3D"color: purple; text-decoration=
: underline; ">http://www.independentid.com/2013/07/simple-authentication-f=
or-oauth-2-what.html</a><span class=3D"Apple-converted-space">&nbsp;</span>=
<br>
<br>
and that there doesn't appear to be a simple solution that is currently ava=
ilable. It would be great if it turned<br>
out that OpenID Connect offered such a solution but that isn't clear to me.=
<br>
<br>
Thx,<br>
prateek<o:p></o:p></span></div>
<div>
<div style=3D"margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Time=
s New Roman', serif; background-color: white; ">
<span style=3D"">&nbsp;</span></div>
</div>
<blockquote style=3D"margin-top: 5pt; margin-bottom: 5pt; ">
<div style=3D"margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Time=
s New Roman', serif; background-color: white; ">
<span style=3D"">&nbsp;</span></div>
<div>
<p class=3D"MsoNormal" style=3D"margin: 0in 0in 12pt; font-size: 12pt; font=
-family: 'Times New Roman', serif; background-color: white; background-posi=
tion: initial initial; background-repeat: initial initial; ">
<span style=3D"">Inline:&nbsp;<o:p></o:p></span></p>
<div>
<div style=3D"margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Time=
s New Roman', serif; background-color: white; ">
<span style=3D"">2013/7/31 Prateek Mishra &lt;<a href=3D"mailto:prateek.mis=
hra@oracle.com" target=3D"_blank" style=3D"color: purple; text-decoration: =
underline; ">prateek.mishra@oracle.com</a>&gt;<o:p></o:p></span></div>
<blockquote style=3D"border-style: none none none solid; border-left-width:=
 1pt; border-left-color: rgb(204, 204, 204); padding: 0in 0in 0in 6pt; marg=
in-left: 4.8pt; margin-right: 0in; ">
<div style=3D"margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Time=
s New Roman', serif; background-color: white; ">
<span style=3D"">Nat -<span class=3D"Apple-converted-space">&nbsp;</span><b=
r>
<br>
your blog posting is helpful to those of us who are looking for a minimal e=
xtension of OAuth with<span class=3D"Apple-converted-space">&nbsp;</span><b=
r>
an authenticator.&nbsp; Many implementors are seeking a modest extension of=
 OAuth, not an entire new protocol<br>
stack. &nbsp; I believe that is the point of Phil Hunt's proposal to the OA=
uth committee.<br>
<br>
I do have some questions about the statements made in the blog -<span c=
lass=3D"Apple-converted-space">&nbsp;</span><br>
<br>
A) Can you direct me to a single OpenID Connect draft specification documen=
t where steps 1 and 2 are described?<o:p></o:p></span></div>
</blockquote>
<div>
<div style=3D"margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Time=
s New Roman', serif; background-color: white; ">
<span style=3D"">&nbsp;</span></div>
</div>
<div>
<div style=3D"margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Time=
s New Roman', serif; background-color: white; ">
<span style=3D"">Actually, it is not a single spec, that the Standard is re=
ferencing others.&nbsp;<o:p></o:p></span></div>
</div>
<div>
<div style=3D"margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Time=
s New Roman', serif; background-color: white; ">
<span style=3D"">The Standard is kind of cluttered because it has 6 respons=
e types and three request types in it.&nbsp;<o:p></o:p></span></div>
</div>
<div>
<div style=3D"margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Time=
s New Roman', serif; background-color: white; ">
<span style=3D"">I suppose it would be much easier for the readers to split=
 them into coherent pieces, though that means duplicate texts.&nbsp;<o:p></=
o:p></span></div>
</div>
<div>
<div style=3D"margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Time=
s New Roman', serif; background-color: white; ">
<span style=3D"">&nbsp;</span></div>
</div>
<div>
<div style=3D"margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Time=
s New Roman', serif; background-color: white; ">
<span style=3D"">The easiest approach here is to read the Basic Client Prof=
ile.&nbsp;<a href=3D"http://openid.net/specs/openid-connect-basic-1_0-28.ht=
ml" target=3D"_blank" style=3D"color: purple; text-decoration: underline; "=
>http://openid.net/specs/openid-connect-basic-1_0-28.html</a><o:p></o:p></s=
pan></div>
</div>
<div>
<div style=3D"margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Time=
s New Roman', serif; background-color: white; ">
<span style=3D"">Then, read&nbsp;OAuth 2.0 Multiple Response Type Encoding =
Practices&nbsp;<a href=3D"http://openid.net/specs/oauth-v2-multiple-respons=
e-types-1_0-08.html" target=3D"_blank" style=3D"color: purple; text-decorat=
ion: underline; ">http://openid.net/specs/oauth-v2-multiple-response-types-=
1_0-08.html</a>&nbsp;.&nbsp;<o:p></o:p></span></div>
</div>
<div>
<div style=3D"margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Time=
s New Roman', serif; background-color: white; ">
<span style=3D"">&nbsp;</span></div>
</div>
<blockquote style=3D"border-style: none none none solid; border-left-width:=
 1pt; border-left-color: rgb(204, 204, 204); padding: 0in 0in 0in 6pt; marg=
in-left: 4.8pt; margin-right: 0in; ">
<div style=3D"margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Time=
s New Roman', serif; background-color: white; ">
<span style=3D""><br>
B) If I implement steps 1 and 2, do I then have a conformant OpenID Connect=
 implementation? Are there no<span class=3D"Apple-converted-space">&nbsp;</=
span><br>
other MTI protocol exchanges in OpenID Connect?<o:p></o:p></span></div>
</blockquote>
<div>
<div style=3D"margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Time=
s New Roman', serif; background-color: white; ">
<span style=3D"">&nbsp;</span></div>
</div>
<div>
<div style=3D"margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Time=
s New Roman', serif; background-color: white; ">
<span style=3D"">Yes, for a non-dynamic OpenID Connect Server.&nbsp;<o:p></=
o:p></span></div>
</div>
<div>
<div style=3D"margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Time=
s New Roman', serif; background-color: white; ">
<span style=3D"">&nbsp;</span></div>
</div>
<div>
<div style=3D"margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Time=
s New Roman', serif; background-color: white; ">
<span style=3D"">Nat<o:p></o:p></span></div>
</div>
<div>
<div style=3D"margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Time=
s New Roman', serif; background-color: white; ">
<span style=3D"">&nbsp;&nbsp;<o:p></o:p></span></div>
</div>
<blockquote style=3D"border-style: none none none solid; border-left-width:=
 1pt; border-left-color: rgb(204, 204, 204); padding: 0in 0in 0in 6pt; marg=
in-left: 4.8pt; margin-right: 0in; ">
<div style=3D"margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Time=
s New Roman', serif; background-color: white; ">
<span style=3D""><br>
Thanks,<br>
prateek<o:p></o:p></span></div>
<div>
<div style=3D"margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Time=
s New Roman', serif; background-color: white; ">
<span style=3D""><br>
<br>
&nbsp; &nbsp;<o:p></o:p></span></div>
<div>
<div style=3D"margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Time=
s New Roman', serif; background-color: white; ">
<span style=3D"">&nbsp;</span></div>
</div>
<blockquote style=3D"margin-top: 5pt; margin-bottom: 5pt; ">
<div>
<div style=3D"margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Time=
s New Roman', serif; background-color: white; ">
<span style=3D"">I have written a short blog post titled &quot;<a href=3D"h=
ttp://nat.sakimura.org/2013/07/28/write-openid-connect-server-in-three-simp=
le-steps/" target=3D"_blank" style=3D"color: purple; text-decoration: under=
line; ">Write an OpenID Connect server in three
 simple steps</a>&quot;.&nbsp;<o:p></o:p></span></div>
<div>
<div style=3D"margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Time=
s New Roman', serif; background-color: white; ">
<span style=3D"">&nbsp;</span></div>
</div>
<div>
<div style=3D"margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Time=
s New Roman', serif; background-color: white; ">
<span style=3D"">Really, there is not much you need to do on top of OAuth =
2.0.&nbsp;<o:p></o:p></span></div>
</div>
<div>
<div style=3D"margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Time=
s New Roman', serif; background-color: white; ">
<span style=3D"">&nbsp;</span></div>
</div>
<div>
<div style=3D"margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Time=
s New Roman', serif; background-color: white; ">
<span style=3D"">It puzzles me why you need to create a draft with only min=
or variances in parameter names.&nbsp;<o:p></o:p></span></div>
</div>
<div>
<div style=3D"margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Time=
s New Roman', serif; background-color: white; ">
<span style=3D"">&nbsp;</span></div>
</div>
<blockquote style=3D"margin-left: 30pt; margin-right: 0in; ">
<div>
<div style=3D"margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Time=
s New Roman', serif; background-color: white; ">
<span style=3D"">e.g.,&nbsp;<o:p></o:p></span></div>
</div>
<div>
<div style=3D"margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Time=
s New Roman', serif; background-color: white; ">
<span style=3D"">session instead of id_token<o:p></o:p></span></div>
</div>
<div>
<div style=3D"margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Time=
s New Roman', serif; background-color: white; ">
<span style=3D"">lat instead of iat<o:p></o:p></span></div>
</div>
<div>
<div style=3D"margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Time=
s New Roman', serif; background-color: white; ">
<span style=3D"">alv instead of acr<o:p></o:p></span></div>
</div>
<div>
<div style=3D"margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Time=
s New Roman', serif; background-color: white; ">
<span style=3D"">etc.&nbsp;<o:p></o:p></span></div>
</div>
</blockquote>
<div>
<div style=3D"margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Time=
s New Roman', serif; background-color: white; ">
<span style=3D"">&nbsp;</span></div>
</div>
<div>
<div style=3D"margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Time=
s New Roman', serif; background-color: white; ">
<span style=3D"">If you change those parameter names, you will have a confo=
rmant profile of OpenID Connect.&nbsp;<o:p></o:p></span></div>
</div>
<div>
<div style=3D"margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Time=
s New Roman', serif; background-color: white; ">
<span style=3D"">&nbsp;</span></div>
</div>
<div>
<div style=3D"margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Time=
s New Roman', serif; background-color: white; ">
<span style=3D"">Nat<o:p></o:p></span></div>
</div>
</div>
<div>
<p class=3D"MsoNormal" style=3D"margin: 0in 0in 12pt; font-size: 12pt; font=
-family: 'Times New Roman', serif; background-color: white; background-posi=
tion: initial initial; background-repeat: initial initial; ">
<span style=3D"">&nbsp;</span></p>
<div>
<div style=3D"margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Time=
s New Roman', serif; background-color: white; ">
<span style=3D"">2013/7/31 John Bradley &lt;<a href=3D"mailto:ve7jtb@ve7jtb=
.com" target=3D"_blank" style=3D"color: purple; text-decoration: underline;=
 ">ve7jtb@ve7jtb.com</a>&gt;<o:p></o:p></span></div>
<blockquote style=3D"border-style: none none none solid; border-left-width:=
 1pt; border-left-color: rgb(204, 204, 204); padding: 0in 0in 0in 6pt; marg=
in-left: 4.8pt; margin-right: 0in; ">
<div>
<div style=3D"margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Time=
s New Roman', serif; background-color: white; ">
<span style=3D"">Connect doesn't require a userinfo endpoint. &nbsp; It is =
required for interoperability if you are building an open IdP. &nbsp; For a=
n enterprise type deployment discovery, registration, userinfo are all opti=
onal.<o:p></o:p></span></div>
<div>
<div style=3D"margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Time=
s New Roman', serif; background-color: white; ">
<span style=3D"">&nbsp;</span></div>
</div>
<div>
<div style=3D"margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Time=
s New Roman', serif; background-color: white; ">
<span style=3D"">The server is required to pass the nonce which is equivale=
nt to a request ID through to the JWT if the client sends it in the request=
.<o:p></o:p></span></div>
</div>
<div>
<div style=3D"margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Time=
s New Roman', serif; background-color: white; ">
<span style=3D"">&nbsp;</span></div>
</div>
<div>
<div style=3D"margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Time=
s New Roman', serif; background-color: white; ">
<span style=3D"">Justin is correct.<o:p></o:p></span></div>
</div>
<div>
<div style=3D"margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Time=
s New Roman', serif; background-color: white; ">
<span style=3D"">&nbsp;</span></div>
</div>
<div>
<div style=3D"margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Time=
s New Roman', serif; background-color: white; ">
<span style=3D"">John B.<o:p></o:p></span></div>
<div>
<div style=3D"margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Time=
s New Roman', serif; background-color: white; ">
<span style=3D"">&nbsp;</span></div>
<div>
<div>
<div style=3D"margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Time=
s New Roman', serif; background-color: white; ">
<span style=3D"">On 2013-07-30, at 5:30 PM, Phil Hunt &lt;<a href=3D"mailto=
:phil.hunt@oracle.com" target=3D"_blank" style=3D"color: purple; text-decor=
ation: underline; ">phil.hunt@oracle.com</a>&gt; wrote:<o:p></o:p></span></=
div>
</div>
<div style=3D"margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Time=
s New Roman', serif; background-color: white; ">
<span style=3D""><br>
<br>
<o:p></o:p></span></div>
<blockquote style=3D"margin-top: 5pt; margin-bottom: 5pt; ">
<div>
<div>
<div style=3D"margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Time=
s New Roman', serif; background-color: white; ">
<span style=3D"">Forgot reply all.<br>
<br>
Phil<o:p></o:p></span></div>
</div>
<div>
<p class=3D"MsoNormal" style=3D"margin: 0in 0in 12pt; font-size: 12pt; font=
-family: 'Times New Roman', serif; background-color: white; background-posi=
tion: initial initial; background-repeat: initial initial; ">
<span style=3D""><br>
Begin forwarded message:<o:p></o:p></span></p>
</div>
<blockquote style=3D"margin-top: 5pt; margin-bottom: 5pt; ">
<p class=3D"MsoNormal" style=3D"margin: 0in 0in 12pt; font-size: 12pt; font=
-family: 'Times New Roman', serif; background-color: white; background-posi=
tion: initial initial; background-repeat: initial initial; ">
<b>From:</b><span style=3D""><span class=3D"Apple-converted-space">&nbsp;</=
span>Phil Hunt &lt;<a href=3D"mailto:phil.hunt@oracle.com" target=3D"_blank=
" style=3D"color: purple; text-decoration: underline; ">phil.hunt@oracle.co=
m</a>&gt;<br>
<b>Date:</b><span class=3D"Apple-converted-space">&nbsp;</span>30 July, 201=
3 17:25:46 GMT&#43;02:00<br>
<b>To:</b><span class=3D"Apple-converted-space">&nbsp;</span>&quot;Richer, =
Justin P.&quot; &lt;<a href=3D"mailto:jricher@mitre.org" target=3D"_blank" =
style=3D"color: purple; text-decoration: underline; ">jricher@mitre.org</a>=
&gt;<br>
<b>Subject:</b><span class=3D"Apple-converted-space">&nbsp;</span><b>Re: [O=
AUTH-WG] New Version Notification for draft-hunt-oauth-v2-user-a4c-00.txt</=
b><o:p></o:p></span></p>
</blockquote>
<blockquote style=3D"margin-top: 5pt; margin-bottom: 5pt; ">
<div>
<div style=3D"margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Time=
s New Roman', serif; background-color: white; ">
<span style=3D"">The whole point is authn only. Many do not want or need th=
e userinfo endpoint.&nbsp;<br>
<br>
Phil<o:p></o:p></span></div>
</div>
<div>
<p class=3D"MsoNormal" style=3D"margin: 0in 0in 12pt; font-size: 12pt; font=
-family: 'Times New Roman', serif; background-color: white; background-posi=
tion: initial initial; background-repeat: initial initial; ">
<span style=3D""><br>
On 2013-07-30, at 17:17, &quot;Richer, Justin P.&quot; &lt;<a href=3D"mailt=
o:jricher@mitre.org" target=3D"_blank" style=3D"color: purple; text-decorat=
ion: underline; ">jricher@mitre.org</a>&gt; wrote:<o:p></o:p></span></p>
</div>
<blockquote style=3D"margin-top: 5pt; margin-bottom: 5pt; ">
<div style=3D"margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Time=
s New Roman', serif; background-color: white; ">
<span style=3D"">What do you mean? You absolutely can implement a compliant=
 OIDC server nearly as simply as this. The things that you're missing I thi=
nk are necessary for basic interoperable functionality, and are things that=
 other folks using OAuth for authentication
 have also implemented. Namely:<o:p></o:p></span></div>
<div>
<div style=3D"margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Time=
s New Roman', serif; background-color: white; ">
<span style=3D"">&nbsp;</span></div>
</div>
<div>
<div style=3D"margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Time=
s New Roman', serif; background-color: white; ">
<span style=3D"">&nbsp;- Signing the ID token (OIDC specifies the RS256 fla=
vor of JWS, which is easy to do with JWT). Without a signed and verifiable =
ID token or equivalent, you're asking for all kinds of token injection prob=
lems.<o:p></o:p></span></div>
</div>
<div>
<div style=3D"margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Time=
s New Roman', serif; background-color: white; ">
<span style=3D"">&nbsp;- Session management requests (max auth age, auth ti=
me)<o:p></o:p></span></div>
</div>
<div>
<div style=3D"margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Time=
s New Roman', serif; background-color: white; ">
<span style=3D"">&nbsp;- Not fall over with other parameters that you don't=
 support (display, prompt, etc).<o:p></o:p></span></div>
</div>
<div>
<div style=3D"margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Time=
s New Roman', serif; background-color: white; ">
<span style=3D"">&nbsp;</span></div>
</div>
<div>
<div style=3D"margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Time=
s New Roman', serif; background-color: white; ">
<span style=3D"">See here for more information:<o:p></o:p></span></div>
</div>
<div>
<div style=3D"margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Time=
s New Roman', serif; background-color: white; ">
<span style=3D"">&nbsp;</span></div>
</div>
<div>
<div style=3D"margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Time=
s New Roman', serif; background-color: white; ">
<span style=3D"">&nbsp;<a href=3D"http://openid.net/specs/openid-connect-me=
ssages-1_0.html#ServerMTI" target=3D"_blank" style=3D"color: purple; text-d=
ecoration: underline; ">http://openid.net/specs/openid-connect-messages-1_0=
.html#ServerMTI</a><o:p></o:p></span></div>
</div>
<div>
<div style=3D"margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Time=
s New Roman', serif; background-color: white; ">
<span style=3D"">&nbsp;</span></div>
</div>
<div>
<div style=3D"margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Time=
s New Roman', serif; background-color: white; ">
<span style=3D"">Additionally, something that's really important to support=
 is the User Info Endpoint, so you can actually get user profile informatio=
n beyond just the simple &quot;someone was here&quot; claim -- this was the=
 real value of Facebook Connect from an RP's
 perspective. Some people will probably want to use SCIM for this, too, and=
 that's fine.<o:p></o:p></span></div>
</div>
<div>
<div style=3D"margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Time=
s New Roman', serif; background-color: white; ">
<span style=3D"">&nbsp;</span></div>
</div>
<div>
<div style=3D"margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Time=
s New Roman', serif; background-color: white; ">
<span style=3D"">&nbsp;-- Justin<o:p></o:p></span></div>
</div>
<div>
<div style=3D"margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Time=
s New Roman', serif; background-color: white; ">
<span style=3D"">&nbsp;</span></div>
<div>
<div>
<div style=3D"margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Time=
s New Roman', serif; background-color: white; ">
<span style=3D"">On Jul 30, 2013, at 10:54 AM, Phil Hunt &lt;<a href=3D"mai=
lto:phil.hunt@oracle.com" target=3D"_blank" style=3D"color: purple; text-de=
coration: underline; ">phil.hunt@oracle.com</a>&gt;<o:p></o:p></span></div>
</div>
<div>
<div style=3D"margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Time=
s New Roman', serif; background-color: white; ">
<span style=3D"">&nbsp;wrote:<o:p></o:p></span></div>
</div>
<div style=3D"margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Time=
s New Roman', serif; background-color: white; ">
<span style=3D""><br>
<br>
<o:p></o:p></span></div>
<blockquote style=3D"margin-top: 5pt; margin-bottom: 5pt; ">
<div>
<div style=3D"margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Time=
s New Roman', serif; background-color: white; ">
<span style=3D"">The oidc specs do not allow this simple an implementation.=
 The spec members have not shown interest in making changes as they say the=
y are too far down the road.<o:p></o:p></span></div>
</div>
<div>
<div style=3D"margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Time=
s New Roman', serif; background-color: white; ">
<span style=3D"">&nbsp;</span></div>
</div>
<div>
<div style=3D"margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Time=
s New Roman', serif; background-color: white; ">
<span style=3D"">I have tried to make my draft as close as possible to oidc=
 but maybe it shouldn't be clarity wise. I am interested in what the group =
feels is clearest.&nbsp;<o:p></o:p></span></div>
</div>
<div>
<div style=3D"margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Time=
s New Roman', serif; background-color: white; ">
<span style=3D"">&nbsp;</span></div>
</div>
<div>
<div style=3D"margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Time=
s New Roman', serif; background-color: white; ">
<span style=3D"">From an ietf perspective the concern is improper use of th=
e 6749 for authn. Is this a bug or gap we need to address?<br>
<br>
Phil<o:p></o:p></span></div>
</div>
<div>
<p class=3D"MsoNormal" style=3D"margin: 0in 0in 12pt; font-size: 12pt; font=
-family: 'Times New Roman', serif; background-color: white; background-posi=
tion: initial initial; background-repeat: initial initial; ">
<span style=3D""><br>
On 2013-07-30, at 16:46, &quot;Richer, Justin P.&quot; &lt;<a href=3D"mailt=
o:jricher@mitre.org" target=3D"_blank" style=3D"color: purple; text-decorat=
ion: underline; ">jricher@mitre.org</a>&gt; wrote:<o:p></o:p></span></p>
</div>
<blockquote style=3D"margin-top: 5pt; margin-bottom: 5pt; ">
<div style=3D"margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Time=
s New Roman', serif; background-color: white; ">
<span style=3D"">From what I read, you've defined something that uses an OA=
uth 2 code flow to get an extra token which is specified as a JWT. You name=
d it &quot;session_token&quot; instead of &quot;id_token&quot;, and you've =
left off the User Information Endpoint -- but other than
 that, this is exactly the Basic Client for OpenID Connect. In other words,=
 if you change the names on things you've got OIDC, but without the capabil=
ities to go beyond a very basic &quot;hey there's a user here&quot; claim. =
This is the same place that OpenID 2.0 started,
 and it was very, very quickly extended with SREG, AX, PAPE, and others for=
 it to be useful in the real world of distributed logins. You've also left =
out discovery and registration which are required for distributed deploymen=
ts, but I'm guessing that those
 would be modular components that could be added in (like they are in OIDC)=
.&nbsp;<o:p></o:p></span></div>
<div>
<div style=3D"margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Time=
s New Roman', serif; background-color: white; ">
<span style=3D"">&nbsp;</span></div>
</div>
<div>
<div style=3D"margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Time=
s New Roman', serif; background-color: white; ">
<span style=3D"">I've heard complaints that OIDC is complicated, but it's r=
eally not. Yes, I agree that the giant stack of documents is intimidating a=
nd in my opinion it's a bit of a mess with Messages and Standard split up (=
but I lost that argument years ago).
 However, at the core, you've got an OAuth2 authorization server that spits=
 out access tokens and id tokens. The id token is a JWT with some known cla=
ims (iss, sub, etc) and is issued alongside the access token, and its audi=
ence is the *client* and not the
 *protected resource*. The access token is a regular old access token and i=
ts format is undefined (so you can use it with an existing OAuth2 server se=
tup, like we have), and it can be used at the User Info Endpoint to get pro=
file information about the user
 who authenticated. It could also be used for other services if your AS/IdP=
 protects multiple things.<o:p></o:p></span></div>
</div>
<div>
<div style=3D"margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Time=
s New Roman', serif; background-color: white; ">
<span style=3D"">&nbsp;</span></div>
</div>
<div>
<div style=3D"margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Time=
s New Roman', serif; background-color: white; ">
<span style=3D"">So I guess what I'm missing is what's the value propositio=
n in this spec when we have something that can do this already? And this do=
esn't seem to do anything different (apart from syntax changes)?<o:p></o:p>=
</span></div>
</div>
<div>
<div style=3D"margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Time=
s New Roman', serif; background-color: white; ">
<span style=3D"">&nbsp;</span></div>
</div>
<div>
<div style=3D"margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Time=
s New Roman', serif; background-color: white; ">
<span style=3D"">&nbsp;-- Justin<o:p></o:p></span></div>
</div>
<div>
<div style=3D"margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Time=
s New Roman', serif; background-color: white; ">
<span style=3D"">&nbsp;</span></div>
<div>
<div>
<div style=3D"margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Time=
s New Roman', serif; background-color: white; ">
<span style=3D"">On Jul 29, 2013, at 4:14 AM, Phil Hunt &lt;<a href=3D"mail=
to:phil.hunt@oracle.com" target=3D"_blank" style=3D"color: purple; text-dec=
oration: underline; ">phil.hunt@oracle.com</a>&gt; wrote:<o:p></o:p></span>=
</div>
</div>
<div style=3D"margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Time=
s New Roman', serif; background-color: white; ">
<span style=3D""><br>
<br>
<o:p></o:p></span></div>
<blockquote style=3D"margin-top: 5pt; margin-bottom: 5pt; ">
<div>
<div style=3D"margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Time=
s New Roman', serif; background-color: white; ">
<span style=3D"">FYI. &nbsp;I have been noticing a substantial number of si=
tes acting as OAuth Clients using OAuth to authenticate users.<o:p></o:p></=
span></div>
<div>
<div style=3D"margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Time=
s New Roman', serif; background-color: white; ">
<span style=3D"">&nbsp;</span></div>
</div>
<div>
<div style=3D"margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Time=
s New Roman', serif; background-color: white; ">
<span style=3D"">I know several of us have blogged on the issue over the pa=
st year so I won't re-hash it here. &nbsp;In short, many of us recommended =
OIDC as the correct methodology.<o:p></o:p></span></div>
</div>
<div>
<div style=3D"margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Time=
s New Roman', serif; background-color: white; ">
<span style=3D"">&nbsp;</span></div>
</div>
<div>
<div style=3D"margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Time=
s New Roman', serif; background-color: white; ">
<span style=3D"">Nevertheless, I've spoken with a number of service provi=
ders who indicate they are not ready to make the jump to OIDC, yet they agr=
ee there is a desire to support authentication only (whereas OIDC does IDP=
-like services).<o:p></o:p></span></div>
</div>
<div>
<div style=3D"margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Time=
s New Roman', serif; background-color: white; ">
<span style=3D"">&nbsp;</span></div>
</div>
<div>
<div style=3D"margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Time=
s New Roman', serif; background-color: white; ">
<span style=3D"">This draft is intended as a minimum authentication only sp=
ecification. &nbsp;I've tried to make it as compatible as possible with OID=
C.<o:p></o:p></span></div>
</div>
<div>
<div style=3D"margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Time=
s New Roman', serif; background-color: white; ">
<span style=3D"">&nbsp;</span></div>
</div>
<div>
<div style=3D"margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Time=
s New Roman', serif; background-color: white; ">
<span style=3D"">For now, I've just posted to keep track of the issue so we=
 can address at the next re-chartering.<o:p></o:p></span></div>
</div>
<div>
<div style=3D"margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Time=
s New Roman', serif; background-color: white; ">
<span style=3D"">&nbsp;</span></div>
</div>
<div>
<div style=3D"margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Time=
s New Roman', serif; background-color: white; ">
<span style=3D"">Happy to answer questions and discuss.&nbsp;<o:p></o:p></s=
pan></div>
</div>
<div>
<div style=3D"margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Time=
s New Roman', serif; background-color: white; ">
<span style=3D"">&nbsp;</span></div>
</div>
<div>
<div>
<div>
<div>
<div>
<div>
<div style=3D"margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Time=
s New Roman', serif; background-color: white; ">
<span style=3D"font-size: 9pt; font-family: Helvetica, sans-serif; ">Phil<o=
:p></o:p></span></div>
</div>
<div>
<div style=3D"margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Time=
s New Roman', serif; background-color: white; ">
<span style=3D"font-size: 9pt; font-family: Helvetica, sans-serif; ">&nbsp;=
</span></div>
</div>
<div>
<div style=3D"margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Time=
s New Roman', serif; background-color: white; ">
<span style=3D"font-size: 9pt; font-family: Helvetica, sans-serif; ">@indep=
endentid<o:p></o:p></span></div>
</div>
<div>
<div style=3D"margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Time=
s New Roman', serif; background-color: white; ">
<span style=3D"font-size: 9pt; font-family: Helvetica, sans-serif; "><a hre=
f=3D"http://www.independentid.com/" target=3D"_blank" style=3D"color: purpl=
e; text-decoration: underline; ">www.independentid.com</a><o:p></o:p></span=
></div>
</div>
</div>
<p class=3D"MsoNormal" style=3D"margin: 0in 0in 13.5pt; font-size: 12pt; fo=
nt-family: 'Times New Roman', serif; background-color: white; background-po=
sition: initial initial; background-repeat: initial initial; ">
<span style=3D"font-size: 13.5pt; font-family: Helvetica, sans-serif; "><a =
href=3D"mailto:phil.hunt@oracle.com" target=3D"_blank" style=3D"color: purp=
le; text-decoration: underline; ">phil.hunt@oracle.com</a><o:p></o:p></span=
></p>
</div>
<div style=3D"margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Time=
s New Roman', serif; background-color: white; ">
<span style=3D"font-size: 13.5pt; font-family: Helvetica, sans-serif; ">&nb=
sp;</span></div>
</div>
<div style=3D"margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Time=
s New Roman', serif; background-color: white; ">
<span style=3D""><br>
<br>
<o:p></o:p></span></div>
</div>
<div>
<div style=3D"margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Time=
s New Roman', serif; background-color: white; ">
<span style=3D"">&nbsp;</span></div>
<div>
<div style=3D"margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Time=
s New Roman', serif; background-color: white; ">
<span style=3D"">Begin forwarded message:<o:p></o:p></span></div>
</div>
<div style=3D"margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Time=
s New Roman', serif; background-color: white; ">
<span style=3D""><br>
<br>
<o:p></o:p></span></div>
<blockquote style=3D"margin-top: 5pt; margin-bottom: 5pt; ">
<div>
<div style=3D"margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Time=
s New Roman', serif; background-color: white; ">
<b><span style=3D"font-size: 13.5pt; font-family: Helvetica, sans-serif; ">=
From:</span></b><span style=3D"font-size: 13.5pt; font-family: Helvetica, s=
ans-serif; "><a href=3D"mailto:internet-drafts@ietf.org" target=3D"_blank" =
style=3D"color: purple; text-decoration: underline; ">internet-drafts@ietf.=
org</a></span><span style=3D""><o:p></o:p></span></div>
</div>
<div>
<div style=3D"margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Time=
s New Roman', serif; background-color: white; ">
<b><span style=3D"font-size: 13.5pt; font-family: Helvetica, sans-serif; ">=
Subject: New Version Notification for draft-hunt-oauth-v2-user-a4c-00.txt</=
span></b><span style=3D""><o:p></o:p></span></div>
</div>
<div>
<div style=3D"margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Time=
s New Roman', serif; background-color: white; ">
<b><span style=3D"font-size: 13.5pt; font-family: Helvetica, sans-serif; ">=
Date:</span></b><span style=3D"font-size: 13.5pt; font-family: Helvetica, s=
ans-serif; ">29 July, 2013 9:49:41 AM GMT&#43;02:00</span><span style=3D"">=
<o:p></o:p></span></div>
</div>
<div>
<div style=3D"margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Time=
s New Roman', serif; background-color: white; ">
<b><span style=3D"font-size: 13.5pt; font-family: Helvetica, sans-serif; ">=
To:</span></b><span style=3D"font-size: 13.5pt; font-family: Helvetica, san=
s-serif; ">Phil Hunt &lt;<a href=3D"mailto:phil.hunt@yahoo.com" target=3D"_=
blank" style=3D"color: purple; text-decoration: underline; ">phil.hunt@yaho=
o.com</a>&gt;,
 Phil Hunt &lt;<a href=3D"mailto:None@ietfa.amsl.com" target=3D"_blank" sty=
le=3D"color: purple; text-decoration: underline; ">None@ietfa.amsl.com</a>&=
gt;, Phil Hunt &lt;&gt;</span><span style=3D""><o:p></o:p></span></div>
</div>
<div style=3D"margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Time=
s New Roman', serif; background-color: white; ">
<span style=3D"">&nbsp;</span></div>
<div>
<p class=3D"MsoNormal" style=3D"margin: 0in 0in 12pt; font-size: 12pt; font=
-family: 'Times New Roman', serif; background-color: white; background-posi=
tion: initial initial; background-repeat: initial initial; ">
<span style=3D""><br>
A new version of I-D, draft-hunt-oauth-v2-user-a4c-00.txt<br>
has been successfully submitted by Phil Hunt and posted to the<br>
IETF repository.<br>
<br>
Filename: draft-hunt-oauth-v2-user-a4c<br>
Revision: 00<br>
Title: OAuth 2.0 User Authentication For Client<br>
Creation date: 2013-07-29<br>
Group: Individual Submission<br>
Number of pages: 9<br>
URL: &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbs=
p;<a href=3D"http://www.ietf.org/internet-drafts/draft-hunt-oauth-v2-user-a=
4c-00.txt" target=3D"_blank" style=3D"color: purple; text-decoration: under=
line; ">http://www.ietf.org/internet-drafts/draft-hunt-oauth-v2-user-a4c-00=
.txt</a><br>
Status: &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<a href=3D"ht=
tp://datatracker.ietf.org/doc/draft-hunt-oauth-v2-user-a4c" target=3D"_blan=
k" style=3D"color: purple; text-decoration: underline; ">http://datatracker=
.ietf.org/doc/draft-hunt-oauth-v2-user-a4c</a><br>
Htmlized: &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<a href=3D"http://tools=
.ietf.org/html/draft-hunt-oauth-v2-user-a4c-00" target=3D"_blank" style=3D"=
color: purple; text-decoration: underline; ">http://tools.ietf.org/html/dra=
ft-hunt-oauth-v2-user-a4c-00</a><br>
<br>
<br>
Abstract:<br>
&nbsp;&nbsp;This specification defines a new OAuth2 endpoint that enables u=
ser<br>
&nbsp;&nbsp;authentication session information to be shared with client<br>
&nbsp;&nbsp;applications.<br>
<br>
<br>
<br>
<br>
Please note that it may take a couple of minutes from the time of submissio=
n<br>
until the htmlized version and diff are available at<a href=3D"http://tools=
.ietf.org/" target=3D"_blank" style=3D"color: purple; text-decoration: unde=
rline; ">tools.ietf.org</a>.<br>
<br>
The IETF Secretariat<o:p></o:p></span></p>
</div>
</blockquote>
</div>
<div style=3D"margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Time=
s New Roman', serif; background-color: white; ">
<span style=3D"">&nbsp;</span></div>
</div>
</div>
<div style=3D"margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Time=
s New Roman', serif; background-color: white; ">
<span style=3D"">_______________________________________________<br>
OAuth mailing list<br>
<a href=3D"mailto:OAuth@ietf.org" target=3D"_blank" style=3D"color: purple;=
 text-decoration: underline; ">OAuth@ietf.org</a><br>
<a href=3D"https://www.ietf.org/mailman/listinfo/oauth" target=3D"_blank" s=
tyle=3D"color: purple; text-decoration: underline; ">https://www.ietf.org/m=
ailman/listinfo/oauth</a><o:p></o:p></span></div>
</blockquote>
</div>
<div style=3D"margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Time=
s New Roman', serif; background-color: white; ">
<span style=3D"">&nbsp;</span></div>
</div>
</blockquote>
</blockquote>
</div>
<div style=3D"margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Time=
s New Roman', serif; background-color: white; ">
<span style=3D"">&nbsp;</span></div>
</div>
</blockquote>
</blockquote>
</div>
</blockquote>
</div>
<div style=3D"margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Time=
s New Roman', serif; background-color: white; ">
<span style=3D"">&nbsp;</span></div>
</div>
</div>
</div>
</blockquote>
</div>
<div style=3D"margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Time=
s New Roman', serif; background-color: white; ">
<span style=3D""><br>
<br clear=3D"all">
<o:p></o:p></span></div>
<div>
<div style=3D"margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Time=
s New Roman', serif; background-color: white; ">
<span style=3D"">&nbsp;</span></div>
</div>
<div style=3D"margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Time=
s New Roman', serif; background-color: white; ">
<span style=3D"">--<span class=3D"Apple-converted-space">&nbsp;</span><br>
Nat Sakimura (=3Dnat)<o:p></o:p></span></div>
<div>
<div style=3D"margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Time=
s New Roman', serif; background-color: white; ">
<span style=3D"">Chairman, OpenID Foundation<br>
<a href=3D"http://nat.sakimura.org/" target=3D"_blank" style=3D"color: purp=
le; text-decoration: underline; ">http://nat.sakimura.org/</a><br>
@_nat_en<o:p></o:p></span></div>
</div>
</div>
<div style=3D"margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Time=
s New Roman', serif; background-color: white; ">
<span style=3D""><br>
<br>
<o:p></o:p></span></div>
</blockquote>
<div style=3D"margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Time=
s New Roman', serif; background-color: white; ">
<span style=3D"">&nbsp;</span></div>
</div>
</blockquote>
</div>
<div style=3D"margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Time=
s New Roman', serif; background-color: white; ">
<span style=3D""><br>
<br clear=3D"all">
<o:p></o:p></span></div>
<div>
<div style=3D"margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Time=
s New Roman', serif; background-color: white; ">
<span style=3D"">&nbsp;</span></div>
</div>
<div style=3D"margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Time=
s New Roman', serif; background-color: white; ">
<span style=3D"">--<span class=3D"Apple-converted-space">&nbsp;</span><br>
Nat Sakimura (=3Dnat)<o:p></o:p></span></div>
<div>
<div style=3D"margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Time=
s New Roman', serif; background-color: white; ">
<span style=3D"">Chairman, OpenID Foundation<br>
<a href=3D"http://nat.sakimura.org/" target=3D"_blank" style=3D"color: purp=
le; text-decoration: underline; ">http://nat.sakimura.org/</a><br>
@_nat_en<o:p></o:p></span></div>
</div>
</div>
</blockquote>
<div style=3D"margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Time=
s New Roman', serif; background-color: white; ">
<span style=3D"">&nbsp;</span></div>
</div>
</div>
</div>
</div>
</div>
_______________________________________________<br>
OAuth mailing list<br>
<a href=3D"mailto:OAuth@ietf.org" style=3D"color: purple; text-decoration: =
underline; ">OAuth@ietf.org</a><br>
<a href=3D"https://www.ietf.org/mailman/listinfo/oauth" style=3D"color: pur=
ple; text-decoration: underline; ">https://www.ietf.org/mailman/listinfo/oa=
uth</a></div>
</blockquote>
</div>
<br>
</div>
</body>
</html>

--_000_5D020B1E531D444EA492046D444D48D2mitreorg_--

From Michael.Jones@microsoft.com  Thu Aug  1 05:26:56 2013
From: Mike Jones <Michael.Jones@microsoft.com>
To: Richard Barnes <rlb@ipv.sx>, "oauth@ietf.org WG" <oauth@ietf.org>
Thread-Topic: [OAUTH-WG] Plaintext JWT bug
Thread-Index: AQHOjrFBukeaH+7+vU+VIhCHaU+nW5mART4g
Date: Thu, 1 Aug 2013 12:20:15 +0000
Message-ID: <4E1F6AAD24975D4BA5B16804296739436B739BAB@TK5EX14MBXC284.redmond.corp.microsoft.com>
References: <CAL02cgRusCLRxfUOYTcJyWYz9vQZa95DVkiy6ZvfMUW67NM-eg@mail.gmail.com>
In-Reply-To: <CAL02cgRusCLRxfUOYTcJyWYz9vQZa95DVkiy6ZvfMUW67NM-eg@mail.gmail.com>
Content-Type: multipart/alternative; boundary="_000_4E1F6AAD24975D4BA5B16804296739436B739BABTK5EX14MBXC284r_"
MIME-Version: 1.0
Subject: Re: [OAUTH-WG] Plaintext JWT bug

--_000_4E1F6AAD24975D4BA5B16804296739436B739BABTK5EX14MBXC284r_
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable

This is useful because it means that you can pass both unsigned and
signed content using the same syntax, with no special parsing required.
This is used in practice, for instance, to enable both unsigned and
signed request objects, signed and unsigned ID Tokens, etc.

This is already in widespread use.

I'm kind of surprised that this is coming up now.  This has been in JWT
since March 2011 and in the JOSE specs since the working group versions,
so it's not exactly a surprise.  (The biggest change was that we moved
it from JWT to JWS in March 2012, at Jim Schaad's suggestion, because it
is generally useful outside of just JWTs.)  Yes, an alternative syntax
could have been used, but using the "alg":"none" value to express this
works fine in practice.  I don't perceive a compelling reason to change
it at this point.

                                                            -- Mike

From: oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] On Behalf Of Richard Barnes
Sent: Thursday, August 01, 2013 5:08 AM
To: oauth@ietf.org WG
Subject: [OAUTH-WG] Plaintext JWT bug

It has come to my attention that JWT is using "alg":"none" to create
"Plaintext JWTs".  Some of us in JOSE believe that this "alg" value
should be removed, because of a risk of downgrade attacks.  In order to
do that, a suggested revision to JWT is below.  To summarize:
-- Plaintext JWTs are not JWSs.
-- They just have a header and payload (separated by a '.')
-- The header MUST NOT contain "alg", since there's no crypto going on

Thanks,
--Richard


-----BEGIN-----
6.  Plaintext JWTs

   To support use cases where the JWT content is secured by a means
   other than a signature and/or encryption contained within the JWT
   (such as a signature on a data structure containing the JWT), JWTs
   MAY also be created without a signature or encryption.  A plaintext
   JWT is the concatenation of a base64url-encoded JWT Header, a
   period ('.') character, and the base64url-encoded JWT Claims Set.

   The header of a plaintext JWT contains parameters drawn from the
   same set as the JWS header.  However, a JWT header MUST NOT contain an
   "alg" header parameter, since no cryptographic processing is being
   performed.

6.1.  Example Plaintext JWT

   The following example JWT Header declares that the encoded object is
   a Plaintext JWT:

     {"typ":"JWT"}

   Base64url encoding the octets of the UTF-8 representation of the JWT
   Header yields this Encoded JWT Header:

     eyJ0eXAiOiJKV1QifQ

   The following is an example of a JWT Claims Set:

     {"iss":"joe",
      "exp":1300819380,
      "http://example.com/is_root":true}

   Base64url encoding the octets of the UTF-8 representation of the JWT
   Claims Set yields this Encoded JWS Payload (with line breaks for
   display purposes only):

     eyJpc3MiOiJqb2UiLA0KICJleHAiOjEzMDA4MTkzODAsDQogImh0dHA6Ly9leGFt
     cGxlLmNvbS9pc19yb290Ijp0cnVlfQ

   Concatenating these parts in this order with a period ('.') character
   between the parts yields this complete JWT (with line breaks for
   display purposes only):

     eyJ0eXAiOiJKV1QifQ
     .
     eyJpc3MiOiJqb2UiLA0KICJleHAiOjEzMDA4MTkzODAsDQogImh0dHA6Ly9leGFt
     cGxlLmNvbS9pc19yb290Ijp0cnVlfQ


-----END-----


--_000_4E1F6AAD24975D4BA5B16804296739436B739BABTK5EX14MBXC284r_--
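
The downgrade concern discussed in this thread, as an added example that is not part of the original messages or of any JOSE implementation: a verifier that lets the token's own "alg" header decide how it is checked, beside one that pins the algorithm, plus a parser for the two-segment form in the suggested revision. The key, the function names and the HS256 choice are assumptions made for the illustration; PAGE_EXAMPLE is the example token from the quoted draft text.

```python
import base64
import hashlib
import hmac
import json

KEY = b"constructed-demo-key"  # constructed sample key, not from the thread

# Example Plaintext JWT from the suggested revision (two segments, no "alg").
PAGE_EXAMPLE = (
    "eyJ0eXAiOiJKV1QifQ"
    "."
    "eyJpc3MiOiJqb2UiLA0KICJleHAiOjEzMDA4MTkzODAsDQogImh0dHA6Ly9leGFt"
    "cGxlLmNvbS9pc19yb290Ijp0cnVlfQ"
)


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    # Restore the padding that base64url encoding strips.
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _segment(obj: dict) -> str:
    return b64url_encode(json.dumps(obj, separators=(",", ":")).encode("utf-8"))


def _mac(signing_input: str, key: bytes) -> bytes:
    return hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()


def issue_hs256(claims: dict, key: bytes) -> str:
    signing_input = _segment({"typ": "JWT", "alg": "HS256"}) + "." + _segment(claims)
    return signing_input + "." + b64url_encode(_mac(signing_input, key))


def issue_alg_none(claims: dict) -> str:
    """Unsigned token in the "alg":"none" form: three segments, empty signature."""
    return _segment({"typ": "JWT", "alg": "none"}) + "." + _segment(claims) + "."


def verify_trusting_header(token: str, key: bytes) -> dict:
    """Weak form: the token's header selects whether any check happens."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    alg = json.loads(b64url_decode(header_b64)).get("alg")
    if alg == "none" and sig_b64 == "":
        return json.loads(b64url_decode(payload_b64))  # accepted with no key use
    if alg == "HS256" and hmac.compare_digest(
        _mac(header_b64 + "." + payload_b64, key), b64url_decode(sig_b64)
    ):
        return json.loads(b64url_decode(payload_b64))
    raise ValueError("token rejected")


def verify_hs256_only(token: str, key: bytes) -> dict:
    """Pinned form: the relying party, not the token, decides the algorithm."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected a three-segment JWS")
    header_b64, payload_b64, sig_b64 = parts
    if json.loads(b64url_decode(header_b64)).get("alg") != "HS256":
        raise ValueError("algorithm not acceptable to this verifier")
    expected = _mac(header_b64 + "." + payload_b64, key)
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    return json.loads(b64url_decode(payload_b64))


def parse_plaintext_jwt(token: str) -> dict:
    """Two-segment form from the suggested revision; "alg" must be absent."""
    parts = token.split(".")
    if len(parts) != 2:
        raise ValueError("a plaintext JWT has exactly two segments")
    if "alg" in json.loads(b64url_decode(parts[0])):
        raise ValueError('plaintext JWT header MUST NOT contain "alg"')
    return json.loads(b64url_decode(parts[1]))


def rejected(fn, *args) -> bool:
    """True when fn(*args) refuses the token (all failures here are ValueError)."""
    try:
        fn(*args)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    signed = issue_hs256({"iss": "joe", "http://example.com/is_root": False}, KEY)
    unsigned = issue_alg_none({"iss": "joe", "http://example.com/is_root": True})
    print("header-trusting verifier accepts unsigned:",
          not rejected(verify_trusting_header, unsigned, KEY))
    print("pinned verifier accepts unsigned:",
          not rejected(verify_hs256_only, unsigned, KEY))
    print("pinned verifier accepts signed:",
          not rejected(verify_hs256_only, signed, KEY))
    print("two-segment example claims:", parse_plaintext_jwt(PAGE_EXAMPLE))
```

With the two-segment syntax an unsigned token cannot be handed to a signature verifier at all, which is the separation the suggested revision aims for; with "alg":"none" the same separation depends on every verifier pinning its accepted algorithms.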

From rlb@ipv.sx  Thu Aug  1 05:28:46 2013
MIME-Version: 1.0
In-Reply-To: <4E1F6AAD24975D4BA5B16804296739436B739BAB@TK5EX14MBXC284.redmond.corp.microsoft.com>
References: <CAL02cgRusCLRxfUOYTcJyWYz9vQZa95DVkiy6ZvfMUW67NM-eg@mail.gmail.com> <4E1F6AAD24975D4BA5B16804296739436B739BAB@TK5EX14MBXC284.redmond.corp.microsoft.com>
Date: Thu, 1 Aug 2013 14:23:55 +0200
Message-ID: <CAL02cgT5sbiFCdm7iGvhGcPg_+ro4E-tVdtGnfOLcF-S+z40dg@mail.gmail.com>
From: Richard Barnes <rlb@ipv.sx>
To: Mike Jones <Michael.Jones@microsoft.com>
Content-Type: multipart/alternative; boundary=089e0115e9fa7349f004e2e1ead8
Cc: "oauth@ietf.org WG" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Plaintext JWT bug
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 01 Aug 2013 12:28:46 -0000

--089e0115e9fa7349f004e2e1ead8
Content-Type: text/plain; charset=ISO-8859-1

You don't view downgrade attacks as a compelling reason?

I look forward to your attempt to get this through SECDIR review.


On Thu, Aug 1, 2013 at 2:20 PM, Mike Jones <Michael.Jones@microsoft.com> wrote:

>  This is useful because it means that you can pass both unsigned and
> signed content using the same syntax, with no special parsing required.
> This is used in practice, for instance, to enable both unsigned and signed
> request objects, signed and unsigned ID Tokens, etc.
>
> This is already in widespread use.
>
> I'm kind of surprised that this is coming up now.  This has been in JWT
> since March 2011 and in the JOSE specs since the working group versions, so
> it's not exactly a surprise.  (The biggest change was that we moved it from
> JWT to JWS in March 2012, at Jim Schaad's suggestion, because it is
> generally useful outside of just JWTs.)  Yes, an alternative syntax could
> have been used, but using the "alg":"none" value to express this works fine
> in practice.  I don't perceive a compelling reason to change it at this
> point.
>
>                                                             -- Mike
>
> *From:* oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] *On Behalf
> Of *Richard Barnes
> *Sent:* Thursday, August 01, 2013 5:08 AM
> *To:* oauth@ietf.org WG
> *Subject:* [OAUTH-WG] Plaintext JWT bug
>
> It has come to my attention that JWT is using "alg":"none" to create
> "Plaintext JWTs".  Some of us in JOSE believe that this "alg" value should
> be removed, because of a risk of downgrade attacks.  In order to do that, a
> suggested revision to JWT is below.  To summarize:
>
> -- Plaintext JWTs are not JWSs.
> -- They just have a header and payload (separated by a '.')
> -- The header MUST NOT contain "alg", since there's no crypto going on
>
> Thanks,
> --Richard
>
> -----BEGIN-----
>
> 6.  Plaintext JWTs
>
>    To support use cases where the JWT content is secured by a means
>    other than a signature and/or encryption contained within the JWT
>    (such as a signature on a data structure containing the JWT), JWTs
>    MAY also be created without a signature or encryption.  A plaintext
>    JWT is the concatenation of a base64url-encoded JWT Header, a
>    period ('.') character, and the base64url-encoded JWT Claims Set.
>
>    The header of a plaintext JWT contains parameters drawn from the
>    set as the JWS header.  However, a JWT header MUST NOT contain an
>    "alg" header parameter, since no cryptographic processing is being
>    performed.
>
> 6.1.  Example Plaintext JWT
>
>    The following example JWT Header declares that the encoded object is
>    a Plaintext JWT:
>
>      {"typ":"JWT"}
>
>    Base64url encoding the octets of the UTF-8 representation of the JWT
>    Header yields this Encoded JWT Header:
>
>      eyJ0eXAiOiJKV1QifQ
>
>    The following is an example of a JWT Claims Set:
>
>      {"iss":"joe",
>       "exp":1300819380,
>       "http://example.com/is_root":true}
>
>    Base64url encoding the octets of the UTF-8 representation of the JWT
>    Claims Set yields this Encoded JWS Payload (with line breaks for
>    display purposes only):
>
>      eyJpc3MiOiJqb2UiLA0KICJleHAiOjEzMDA4MTkzODAsDQogImh0dHA6Ly9leGFt
>      cGxlLmNvbS9pc19yb290Ijp0cnVlfQ
>
>    Concatenating these parts in this order with a period ('.') character
>    between the parts yields this complete JWT (with line breaks for
>    display purposes only):
>
>      eyJ0eXAiOiJKV1QifQ
>      .
>      eyJpc3MiOiJqb2UiLA0KICJleHAiOjEzMDA4MTkzODAsDQogImh0dHA6Ly9leGFt
>      cGxlLmNvbS9pc19yb290Ijp0cnVlfQ
>
> -----END-----

--089e0115e9fa7349f004e2e1ead8--
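
Added example, not part of the original message or of any JWT/JOSE draft: a Python sketch of the downgrade risk raised in the message above, set beside a verifier that pins its algorithm and a parser for the two-part plaintext format of the proposed Section 6. The key, claims and all function names are constructed for illustration; only the plaintext token string is taken from the quoted draft text.

```python
import base64
import hashlib
import hmac
import json

KEY = b"constructed-demo-key"  # constructed sample key, not from the thread
# Example Plaintext JWT from the proposed Section 6.1 (its header carries no alg).
PAGE_PLAINTEXT_JWT = (
    "eyJ0eXAiOiJKV1QifQ"
    "."
    "eyJpc3MiOiJqb2UiLA0KICJleHAiOjEzMDA4MTkzODAsDQogImh0dHA6Ly9leGFt"
    "cGxlLmNvbS9pc19yb290Ijp0cnVlfQ"
)


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def encode_json(obj: dict) -> str:
    return b64url_encode(json.dumps(obj, separators=(",", ":")).encode("utf-8"))


def hs256(signing_input: str, key: bytes) -> bytes:
    return hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()


def sign_hs256(claims: dict, key: bytes) -> str:
    signing_input = encode_json({"alg": "HS256", "typ": "JWT"}) + "." + encode_json(claims)
    return signing_input + "." + b64url_encode(hs256(signing_input, key))


def alg_none_test_vector(claims: dict) -> str:
    """Unsigned token in the alg=none syntax: same three-part shape, empty signature."""
    return encode_json({"alg": "none"}) + "." + encode_json(claims) + "."


def verify_trusting_header(token: str, key: bytes) -> dict:
    """Weak form: the token's own header decides whether any signature is checked."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    alg = json.loads(b64url_decode(header_b64)).get("alg")
    if alg == "none":
        return json.loads(b64url_decode(payload_b64))  # accepted with no integrity check
    if alg == "HS256" and hmac.compare_digest(
        hs256(f"{header_b64}.{payload_b64}", key), b64url_decode(sig_b64)
    ):
        return json.loads(b64url_decode(payload_b64))
    raise ValueError("signature verification failed")


def verify_pinned(token: str, key: bytes) -> dict:
    """Hardened form: the relying party pins HS256; the header cannot pick a weaker mode."""
    parts = token.split(".")
    if len(parts) != 3 or not parts[2]:
        raise ValueError("expected three parts with a non-empty signature")
    header_b64, payload_b64, sig_b64 = parts
    alg = json.loads(b64url_decode(header_b64)).get("alg")
    if alg != "HS256":
        raise ValueError(f"algorithm {alg!r} is not permitted here")
    if not hmac.compare_digest(hs256(f"{header_b64}.{payload_b64}", key), b64url_decode(sig_b64)):
        raise ValueError("signature verification failed")
    return json.loads(b64url_decode(payload_b64))


def parse_plaintext_jwt(token: str) -> dict:
    """Proposed Section 6 format: exactly two parts, and no alg parameter in the header."""
    parts = token.split(".")
    if len(parts) != 2:
        raise ValueError("a plaintext JWT has exactly two parts")
    header = json.loads(b64url_decode(parts[0]))
    if "alg" in header:
        raise ValueError("plaintext JWT header must not contain alg")
    return json.loads(b64url_decode(parts[1]))


def is_rejected(func, *args) -> bool:
    """True when func(*args) refuses the token with a ValueError."""
    try:
        func(*args)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    signed = sign_hs256({"iss": "joe", "sub": "alice"}, KEY)
    unsigned = alg_none_test_vector({"iss": "joe", "sub": "admin"})
    print("pinned accepts signed token:     ", verify_pinned(signed, KEY))
    print("header-trusting accepts unsigned:", verify_trusting_header(unsigned, KEY))
    print("pinned rejects unsigned:         ", is_rejected(verify_pinned, unsigned, KEY))
    print("pinned rejects two-part form:    ", is_rejected(verify_pinned, PAGE_PLAINTEXT_JWT, KEY))
    print("plaintext parser, page example:  ", parse_plaintext_jwt(PAGE_PLAINTEXT_JWT))
```

Because the proposed plaintext form has two parts and no "alg", a code path that expects a signed token can reject it on shape alone, while the "alg":"none" form is indistinguishable in shape from a signed token until the header is read.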

From tonynad@microsoft.com  Thu Aug  1 05:30:26 2013
Return-Path: <tonynad@microsoft.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1AA3921F9C59 for <oauth@ietfa.amsl.com>; Thu,  1 Aug 2013 05:30:25 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.881
X-Spam-Level: 
X-Spam-Status: No, score=-0.881 tagged_above=-999 required=5 tests=[AWL=-1.014, BAYES_00=-2.599, HTML_MESSAGE=0.001, J_CHICKENPOX_24=0.6, RCVD_IN_DNSWL_LOW=-1, UNRESOLVED_TEMPLATE=3.132]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id H-4IiRJb2WPm for <oauth@ietfa.amsl.com>; Thu,  1 Aug 2013 05:30:09 -0700 (PDT)
Received: from am1outboundpool.messaging.microsoft.com (am1ehsobe003.messaging.microsoft.com [213.199.154.206]) by ietfa.amsl.com (Postfix) with ESMTP id CC12B21F9950 for <oauth@ietf.org>; Thu,  1 Aug 2013 05:24:38 -0700 (PDT)
Received: from mail108-am1-R.bigfish.com (10.3.201.234) by AM1EHSOBE023.bigfish.com (10.3.207.145) with Microsoft SMTP Server id 14.1.225.22; Thu, 1 Aug 2013 12:24:25 +0000
Received: from mail108-am1 (localhost [127.0.0.1])	by mail108-am1-R.bigfish.com (Postfix) with ESMTP id E1895100366	for <oauth@ietf.org>; Thu,  1 Aug 2013 12:24:24 +0000 (UTC)
X-Forefront-Antispam-Report: CIP:131.107.125.8; KIP:(null); UIP:(null); IPV:NLI; H:TK5EX14HUBC102.redmond.corp.microsoft.com; RD:autodiscover.service.exchange.microsoft.com; EFVD:NLI
X-SpamScore: -24
X-BigFish: VS-24(zf7Izbb2dI98dI9371I936eIc85fh1b0bI4015I1447Idb82hzz1f42h208ch1ee6h1de0h1fdah2073h1202h1e76h1d1ah1d2ah1fc6h1082kzz8275ch16d858h1d7338h1de098h1033IL177df4h17326ah18c673h1de096h18602eh5eeeK8275bh8275dh1de097hz2fh2a8h683h839hd24hf0ah1288h12a5h12bdh137ah1441h1504h1537h153bh162dh1631h1758h18e1h1946h19b5h1b0ah1bceh1d07h1d0ch1d2eh1d3fh1de9h1dfeh1dffh1e1dh17ej9a9j1155h)
Received-SPF: pass (mail108-am1: domain of microsoft.com designates 131.107.125.8 as permitted sender) client-ip=131.107.125.8; envelope-from=tonynad@microsoft.com; helo=TK5EX14HUBC102.redmond.corp.microsoft.com ; icrosoft.com ; 
X-Forefront-Antispam-Report-Untrusted: CIP:157.56.240.21; KIP:(null); UIP:(null); (null); H:BL2PRD0310HT002.namprd03.prod.outlook.com; R:internal; EFV:INT
Received: from mail108-am1 (localhost.localdomain [127.0.0.1]) by mail108-am1 (MessageSwitch) id 1375359834100958_31881; Thu,  1 Aug 2013 12:23:54 +0000 (UTC)
Received: from AM1EHSMHS016.bigfish.com (unknown [10.3.201.248])	by mail108-am1.bigfish.com (Postfix) with ESMTP id 0A44F3C0048	for <oauth@ietf.org>; Thu,  1 Aug 2013 12:23:54 +0000 (UTC)
Received: from TK5EX14HUBC102.redmond.corp.microsoft.com (131.107.125.8) by AM1EHSMHS016.bigfish.com (10.3.207.154) with Microsoft SMTP Server (TLS) id 14.16.227.3; Thu, 1 Aug 2013 12:23:53 +0000
Received: from ch1outboundpool.messaging.microsoft.com (157.54.51.114) by mail.microsoft.com (157.54.7.154) with Microsoft SMTP Server (TLS) id 14.3.136.1; Thu, 1 Aug 2013 12:23:06 +0000
Received: from mail89-ch1-R.bigfish.com (10.43.68.240) by CH1EHSOBE010.bigfish.com (10.43.70.60) with Microsoft SMTP Server id 14.1.225.22; Thu, 1 Aug 2013 12:22:53 +0000
Received: from mail89-ch1 (localhost [127.0.0.1])	by mail89-ch1-R.bigfish.com (Postfix) with ESMTP id 3F2EF4200B0	for <oauth@ietf.org.FOPE.CONNECTOR.OVERRIDE>; Thu,  1 Aug 2013 12:22:53 +0000 (UTC)
X-Forefront-Antispam-Report-Untrusted: SFV:NSPM; SFS:(2473001)(199002)(189002)(377424004)(243025003)(51914003)(377454003)(164054003)(479174003)(69234005)(24454002)(46102001)(16236675002)(56816003)(54316002)(77982001)(81342001)(74502001)(80022001)(51856001)(76796001)(15395725003)(14971765001)(65816001)(4396001)(74662001)(31966008)(47446002)(77096001)(76786001)(79102001)(33646001)(19580395003)(19300405004)(74366001)(19580405001)(74316001)(83322001)(47736001)(49866001)(19580385001)(76482001)(59766001)(50986001)(69226001)(561944002)(63696002)(74876001)(76576001)(83072001)(54356001)(47976001)(15202345003)(16406001)(53806001)(80976001)(81542001)(74706001)(56776001)(42262001)(3826001)(24736002); DIR:OUT; SFP:; SCL:1; SRVR:BY2PR03MB189; H:BY2PR03MB189.namprd03.prod.outlook.com; CLIP:2001:df8:0:16:2936:7b62:ca0d:28aa; RD:InfoNoRecords; A:1; MX:1; LANG:en; 
Received: from mail89-ch1 (localhost.localdomain [127.0.0.1]) by mail89-ch1 (MessageSwitch) id 137535977065885_24962; Thu,  1 Aug 2013 12:22:50 +0000 (UTC)
Received: from CH1EHSMHS041.bigfish.com (snatpool1.int.messaging.microsoft.com [10.43.68.240])	by mail89-ch1.bigfish.com (Postfix) with ESMTP id 079D86023C; Thu,  1 Aug 2013 12:22:50 +0000 (UTC)
Received: from BL2PRD0310HT002.namprd03.prod.outlook.com (157.56.240.21) by CH1EHSMHS041.bigfish.com (10.43.69.250) with Microsoft SMTP Server (TLS) id 14.16.227.3; Thu, 1 Aug 2013 12:22:49 +0000
Received: from BY2PR03MB189.namprd03.prod.outlook.com (10.242.36.140) by BL2PRD0310HT002.namprd03.prod.outlook.com (10.255.97.37) with Microsoft SMTP Server (TLS) id 14.16.341.1; Thu, 1 Aug 2013 12:22:49 +0000
Received: from BY2PR03MB189.namprd03.prod.outlook.com (10.242.36.140) by BY2PR03MB189.namprd03.prod.outlook.com (10.242.36.140) with Microsoft SMTP Server (TLS) id 15.0.731.16; Thu, 1 Aug 2013 12:22:46 +0000
Received: from BY2PR03MB189.namprd03.prod.outlook.com ([169.254.6.234]) by BY2PR03MB189.namprd03.prod.outlook.com ([169.254.6.234]) with mapi id 15.00.0731.000; Thu, 1 Aug 2013 12:22:46 +0000
From: Anthony Nadalin <tonynad@microsoft.com>
To: "Richer, Justin P." <jricher@mitre.org>
Thread-Topic: [OAUTH-WG] Need for Extending OAuth with AuthN (was Re:	Fwd: New Version Notification for	draft-hunt-oauth-v2-user-a4c-00.txt)
Thread-Index: AQHOjrDys5K6io1CckKJgpg5/urE9pmARZog
Date: Thu, 1 Aug 2013 12:22:46 +0000
Message-ID: <e68801da9fa547c69fee43b9cd7b22b8@BY2PR03MB189.namprd03.prod.outlook.com>
References: <787A2184-CE90-49F4-ABB6-B8D049AE3941@oracle.com> <E2282016-1953-48A4-B0AC-7F138D29AB80@oracle.com> <BAB6DA63-5831-49D0-8CB9-13CF57F78806@ve7jtb.com> <CABzCy2C=DXtFUOZh=55xH_BwMz1Z8gb2ShUHAG7ZmATtc4E4zw@mail.gmail.com> <51F83EF7.6040201@oracle	<51F983E3.1020400@oracle.com> <1375307375.98370.YahooMailNeo@web142804.mail.bf1.yahoo.com> <5c5c607231e644f697c5a60b75688013@BY2PR03MB189.namprd03.prod.outlook.com> <5D020B1E-531D-444E-A492-046D444D48D2@mitre.org>
In-Reply-To: <5D020B1E-531D-444E-A492-046D444D48D2@mitre.org>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
x-originating-ip: [2001:df8:0:16:2936:7b62:ca0d:28aa]
x-forefront-prvs: 0925081676
Content-Type: multipart/alternative; boundary="_000_e68801da9fa547c69fee43b9cd7b22b8BY2PR03MB189namprd03pro_"
MIME-Version: 1.0
X-OrganizationHeadersPreserved: BY2PR03MB189.namprd03.prod.outlook.com
X-FOPE-CONNECTOR: Id%0$Dn%*$RO%0$TLS%0$FQDN%$TlsDn%
X-FOPE-CONNECTOR: Id%59$Dn%GMAIL.COM$RO%2$TLS%6$FQDN%corpf5vips-237160.customer.frontbridge.com$TlsDn%
X-FOPE-CONNECTOR: Id%59$Dn%IETF.ORG$RO%2$TLS%6$FQDN%corpf5vips-237160.customer.frontbridge.com$TlsDn%
X-FOPE-CONNECTOR: Id%59$Dn%ORACLE.COM$RO%2$TLS%6$FQDN%corpf5vips-237160.customer.frontbridge.com$TlsDn%
X-FOPE-CONNECTOR: Id%59$Dn%MITRE.ORG$RO%2$TLS%6$FQDN%corpf5vips-237160.customer.frontbridge.com$TlsDn%
X-FOPE-CONNECTOR: Id%59$Dn%YAHOO.COM$RO%2$TLS%6$FQDN%corpf5vips-237160.customer.frontbridge.com$TlsDn%
X-CrossPremisesHeadersPromoted: TK5EX14HUBC102.redmond.corp.microsoft.com
X-CrossPremisesHeadersFiltered: TK5EX14HUBC102.redmond.corp.microsoft.com
X-OriginatorOrg: microsoft.com
X-FOPE-CONNECTOR: Id%0$Dn%*$RO%0$TLS%0$FQDN%$TlsDn%
Cc: "oauth@ietf.org WG" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Need for Extending OAuth with AuthN (was Re:	Fwd:	New Version Notification for	draft-hunt-oauth-v2-user-a4c-00.txt)
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 01 Aug 2013 12:30:26 -0000

--_000_e68801da9fa547c69fee43b9cd7b22b8BY2PR03MB189namprd03pro_
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable

You can't do this, first openid uses a token and second it's signed, third there is no specification to just return an authentication JSON structure

From: Richer, Justin P. [mailto:jricher@mitre.org]
Sent: Thursday, August 1, 2013 5:15 AM
To: Anthony Nadalin
Cc: Bill Mills; Prateek Mishra; Nat Sakimura; oauth@ietf.org WG
Subject: Re: [OAUTH-WG] Need for Extending OAuth with AuthN (was Re: Fwd: New Version Notification for draft-hunt-oauth-v2-user-a4c-00.txt)

Tony, you can already return the authn result from the token request (we discussed this specifically in May as I recall). That's what the "idtoken" and "code idtoken" responses are for in OpenID Connect. The proposed draft is nearly a duplicate of the core functionality of OIDC.

 -- Justin

On Aug 1, 2013, at 7:31 AM, Anthony Nadalin <tonynad@microsoft.com> wrote:


The proposal does not duplicate what OpenID does, there is clear benefit for returning an authentication result in the token request result. This is being proposed as optional JSON structure.

From: oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] On Behalf Of Bill Mills
Sent: Wednesday, July 31, 2013 2:50 PM
To: Prateek Mishra; Nat Sakimura
Cc: oauth@ietf.org WG
Subject: Re: [OAUTH-WG] Need for Extending OAuth with AuthN (was Re: Fwd: New Version Notification for draft-hunt-oauth-v2-user-a4c-00.txt)

Rather than extending OAuth for something OpenID already does...  why don't we get a simple informational example doc to show how to implement the most basic OpenID service, which is the same functionality on a standard that's already written?

This is sounding more and more like a documentation problem.

________________________________
From: Prateek Mishra <prateek.mishra@oracle.com>
To: Nat Sakimura <sakimura@gmail.com>
Cc: "oauth@ietf.org WG" <oauth@ietf.org>
Sent: Wednesday, July 31, 2013 2:38 PM
Subject: [OAUTH-WG] Need for Extending OAuth with AuthN (was Re: Fwd: New Version Notification for draft-hunt-oauth-v2-user-a4c-00.txt)

Nat -

thanks for the detailed response. I did review the links you sent out but it remained unclear to me which
features are MTI and which are not. For example, there is nothing in the Basic Client Profile that suggests
that Section 2.3 is optional. I also could not find any definition for "non-dynamic OpenID Connect Server".

I don't think there is a need to duplicate portions of the draft specification text in a new document. One solution
that was used in SAML 2.0 was to define a conformance document which described several different
operational modes and explained how only a small set of features needed to be implemented in certain modes.

http://docs.oasis-open.org/security/saml/v2.0/saml-conformance-2.0-os.pdf

There are probably other smarter ways to achieve the same effect.

Given this situation, I do think it's a reasonable task for the OAuth community to consider the need for
a minimal extension to OAuth that accommodates authentication. The community should be made aware that
RFC 6749 is being misused for federated authentication, as explained in  -

http://www.independentid.com/2013/07/simple-authentication-for-oauth-2-what.html

and that there doesn't appear to be a simple solution that is currently available. It would be great if it turned
out that OpenID Connect offered such a solution but that isn't clear to me.

Thx,
prateek


Inline:
2013/7/31 Prateek Mishra <prateek.mishra@oracle.com>
Nat -

your blog posting is helpful to those of us who are looking for a minimal extension of OAuth with
an authenticator.  Many implementors are seeking a modest extension of OAuth, not an entire new protocol
stack.   I believe that is the point of Phil Hunt's proposal to the OAuth committee.

I do have some questions for about the statements made in the blog -

A) Can you direct me to a single OpenID Connect draft specification document where steps 1 and 2 are described?

Actually, it is not a single spec, that the Standard is referencing others.
The Standard is kind of cluttered because it has 6 response types and three request types in it.
I suppose it would be much easier for the readers to split them into coherent pieces, though that means duplicate texts.

The easiest approach here is to read the Basic Client Profile. http://openid.net/specs/openid-connect-basic-1_0-28.html
Then, read OAuth 2.0 Multiple Response Type Encoding Practices http://openid.net/specs/oauth-v2-multiple-response-types-1_0-08.html .


B) If I implement steps 1 and 2, do I then have a conformant OpenID Connect implementation? Are there no
other MTI protocol exchanges in OpenID Connect?

Yes, for a non-dynamic OpenID Connect Server.

Nat


Thanks,
prateek




I have written a short blog post titled "Write an OpenID Connect server in three simple steps <http://nat.sakimura.org/2013/07/28/write-openid-connect-server-in-three-simple-steps/>".

Really, there is not much you need to on top of OAuth 2.0.

It puzzles me why you need to create a draft with only minor variances in parameter names.

e.g.,
session instead of id_token
lat instead of iat
alv instead of acr
etc.

If you change those parameter names, you will have a conformant profile of OpenID Connect.

Nat

2013/7/31 John Bradley <ve7jtb@ve7jtb.com>
Connect doesn't require a userinfo endpoint.   It is required for interoperability if you are building an open IdP.   For an enterprise type deployment discovery, registration, userinfo are all optional.

The server is required to pass the nonce which is equivalent to a request ID through to the JWT if the client sends it in the request.

Justin is correct.

John B.

On 2013-07-30, at 5:30 PM, Phil Hunt <phil.hunt@oracle.com> wrote:



Forgot reply all.

Phil

Begin forwarded message:
From: Phil Hunt <phil.hunt@oracle.com>
Date: 30 July, 2013 17:25:46 GMT+02:00
To: "Richer, Justin P." <jricher@mitre.org>
Subject: Re: [OAUTH-WG] New Version Notification for draft-hunt-oauth-v2-user-a4c-00.txt
The whole point is authn only. Many do not want or need the userinfo endpoint.

Phil

On 2013-07-30, at 17:17, "Richer, Justin P." <jricher@mitre.org> wrote:
What do you mean? You absolutely can implement a compliant OIDC server nearly as simply as this. The things that you're missing I think are necessary for basic interoperable functionality, and are things that other folks using OAuth for authentication have also implemented. Namely:

 - Signing the ID token (OIDC specifies the RS256 flavor of JWS, which is easy to do with JWT). Without a signed and verifiable ID token or equivalent, you're asking for all kinds of token injection problems.
 - Session management requests (max auth age, auth time)
 - Not fall over with other parameters that you don't support (display, prompt, etc).

See here for more information:

 http://openid.net/specs/openid-connect-messages-1_0.html#ServerMTI

Additionally, something that's really important to support is the User Info Endpoint, so you can actually get user profile information beyond just the simple "someone was here" claim -- this was the real value of Facebook Connect from an RP's perspective. Some people will probably want to use SCIM for this, too, and that's fine.

 -- Justin

On Jul 30, 2013, at 10:54 AM, Phil Hunt <phil.hunt@oracle.com> wrote:



The oidc specs do not allow this simple an implementation. The spec members have not shown interest in making changes as they say they are too far down the road.

I have tried to make my draft as close as possible to oidc but maybe it shouldn't be clarity wise. I am interested in what the group feels is clearest.

>From an ietf perspective the concern is improper use of the 6749 for authn. Is this a bug or gap we need to address?

Phil

On 2013-07-30, at 16:46, "Richer, Justin P." <jricher@mitre.org> wrote:
>From what I read, you've defined something that uses an OAuth 2 code flow to get an extra token which is specified as a JWT. You named it "session_token" instead of "id_token", and you've left off the User Information Endpoint -- but other than that, this is exactly the Basic Client for OpenID Connect. In other words, if you change the names on things you've got OIDC, but without the capabilities to go beyond a very basic "hey there's a user here" claim. This is the same place that OpenID 2.0 started, and it was very, very quickly extended with SREG, AX, PAPE, and others for it to be useful in the real world of distributed logins. You've also left out discovery and registration which are required for distributed deployments, but I'm guessing that those would be modular components that could be added in (like they are in OIDC).

I've heard complaints that OIDC is complicated, but it's really not. Yes, I agree that the giant stack of documents is intimidating and in my opinion it's a bit of a mess with Messages and Standard split up (but I lost that argument years ago). However, at the core, you've got an OAuth2 authorization server that spits out access tokens and id tokens. The id token is a JWT with some known claims (iss, sub, etc) and is issued along side the access token, and its audience is the *client* and not the *protected resource*. The access token is a regular old access token and its format is undefined (so you can use it with an existing OAuth2 server setup, like we have), and it can be used at the User Info Endpoint to get profile information about the user who authenticated. It could also be used for other services if your AS/IdP protects multiple things.

So I guess what I'm missing is what's the value proposition in this spec when we have something that can do this already? And this doesn't seem to do anything different (apart from syntax changes)?

 -- Justin

On Jul 29, 2013, at 4:14 AM, Phil Hunt <phil.hunt@oracle.com> wrote:



FYI.  I have been noticing a substantial number of sites acting as OAuth Clients using OAuth to authenticate users.

I know several of us have blogged on the issue over the past year so I won't re-hash it here.  In short, many of us recommended OIDC as the correct methodology.

Nevertheless, I've spoken with a number of service providers who indicate they are not ready to make the jump to OIDC, yet they agree there is a desire to support authentication only (whereas OIDC does IDP-like services).

This draft is intended as a minimum authentication only specification.  I've tried to make it as compatible as possible with OIDC.

For now, I've just posted to keep track of the issue so we can address at the next re-chartering.

Happy to answer questions and discuss.

Phil

@independentid
www.independentid.com
phil.hunt@oracle.com





Begin forwarded message:



From: internet-drafts@ietf.org
Subject: New Version Notification for draft-hunt-oauth-v2-user-a4c-00.txt
Date: 29 July, 2013 9:49:41 AM GMT+02:00
To: Phil Hunt <phil.hunt@yahoo.com>, Phil Hunt <None@ietfa.amsl.com>, Phil Hunt <>


A new version of I-D, draft-hunt-oauth-v2-user-a4c-00.txt
has been successfully submitted by Phil Hunt and posted to the
IETF repository.

Filename: draft-hunt-oauth-v2-user-a4c
Revision: 00
Title: OAuth 2.0 User Authentication For Client
Creation date: 2013-07-29
Group: Individual Submission
Number of pages: 9
URL:             http://www.ietf.org/internet-drafts/draft-hunt-oauth-v2-user-a4c-00.txt
Status:          http://datatracker.ietf.org/doc/draft-hunt-oauth-v2-user-a4c
Htmlized:        http://tools.ietf.org/html/draft-hunt-oauth-v2-user-a4c-00


Abstract:
  This specification defines a new OAuth2 endpoint that enables user
  authentication session information to be shared with client
  applications.




Please note that it may take a couple of minutes from the time of submission until the htmlized version and diff are available at tools.ietf.org.

The IETF Secretariat

_______________________________________________
OAuth mailing list
OAuth@ietf.org<mailto:OAuth@ietf.org>
https://www.ietf.org/mailman/listinfo/oauth




--
Nat Sakimura (=nat)
Chairman, OpenID Foundation
http://nat.sakimura.org/
@_nat_en




_______________________________________________
OAuth mailing list
OAuth@ietf.org<mailto:OAuth@ietf.org>
https://www.ietf.org/mailman/listinfo/oauth
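
The client-side ID token checks that Justin's and John's messages in this thread call for (a signed token, an audience that is the client, the nonce echoed back, the authentication time), as an added example that is not part of any message on the list or of the OpenID Connect specs. It uses HS256 from the Python standard library in place of the RS256 mentioned in the thread; the issuer URL, client ids, key and claim values are constructed, and `make_id_token` and `validate_id_token` are hypothetical names.

```python
import base64
import hashlib
import hmac
import json
import time


class IdTokenError(Exception):
    """Raised when an ID token must not be accepted as proof of login."""


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_id_token(claims: dict, key: bytes) -> str:
    """Constructed stand-in for the authorization server's signer (HS256)."""
    head = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    mac = hmac.new(key, f"{head}.{body}".encode("ascii"), hashlib.sha256).digest()
    return f"{head}.{body}.{_b64url(mac)}"


def validate_id_token(token, key, issuer, client_id, nonce, max_age=None, now=None):
    """Return the claims only if the token proves a login to *this* client."""
    now = time.time() if now is None else now
    try:
        head, body, sig = token.split(".")
        header = json.loads(_b64url_decode(head))
        claims = json.loads(_b64url_decode(body))
        expected = hmac.new(key, f"{head}.{body}".encode("ascii"), hashlib.sha256).digest()
        given = _b64url_decode(sig)
    except (ValueError, AttributeError):
        raise IdTokenError("malformed token") from None
    if not isinstance(header, dict) or not isinstance(claims, dict):
        raise IdTokenError("malformed token")
    # Pin the algorithm: the token must not choose how it gets verified.
    if header.get("alg") != "HS256":
        raise IdTokenError("unexpected alg")
    # No claim is trusted before the signature has been checked.
    if not hmac.compare_digest(given, expected):
        raise IdTokenError("bad signature")
    if claims.get("iss") != issuer:
        raise IdTokenError("wrong issuer")
    # The audience is the client, not a protected resource. A token minted for
    # another client says nothing about who is logging in here.
    aud = claims.get("aud")
    if client_id not in (aud if isinstance(aud, list) else [aud]):
        raise IdTokenError("token was issued to a different client")
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        raise IdTokenError("expired")
    # The nonce ties the token to the request this client actually sent.
    token_nonce = claims.get("nonce")
    if not isinstance(token_nonce, str) or not hmac.compare_digest(
            token_nonce.encode(), nonce.encode()):
        raise IdTokenError("nonce mismatch")
    # "max auth age": reject logins older than the client asked for.
    if max_age is not None:
        auth_time = claims.get("auth_time")
        if not isinstance(auth_time, (int, float)) or now - auth_time > max_age:
            raise IdTokenError("authentication too old")
    return claims


def demo():
    """Run constructed tokens through the validator; map case name to outcome."""
    key = b"constructed-demo-secret"  # assumption: shared by the AS and client-a
    good = {"iss": "https://idp.example", "sub": "user-123", "aud": "client-a",
            "exp": 2000, "iat": 1000, "auth_time": 1000, "nonce": "n-1"}
    cases = {
        "valid": make_id_token(good, key),
        "other_client": make_id_token({**good, "aud": "client-b"}, key),
        "replayed": make_id_token({**good, "nonce": "n-0"}, key),
        "forged": make_id_token(good, b"some-other-key"),
        "unsigned": make_id_token(good, key).rsplit(".", 1)[0] + ".",
    }
    outcome = {}
    for name, token in cases.items():
        try:
            outcome[name] = validate_id_token(
                token, key, "https://idp.example", "client-a", "n-1",
                max_age=600, now=1500)["sub"]
        except IdTokenError as err:
            outcome[name] = str(err)
    return outcome


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:13} -> {result}")
```

A bare access token passes none of these checks, which is why receiving one does not by itself tell the client who is at the keyboard.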


--_000_e68801da9fa547c69fee43b9cd7b22b8BY2PR03MB189namprd03pro_
Content-Type: text/html; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable

<html xmlns:v=3D"urn:schemas-microsoft-com:vml" xmlns:o=3D"urn:schemas-micr=
osoft-com:office:office" xmlns:w=3D"urn:schemas-microsoft-com:office:word" =
xmlns:m=3D"http://schemas.microsoft.com/office/2004/12/omml" xmlns=3D"http:=
//www.w3.org/TR/REC-html40">
<head>
<meta http-equiv=3D"Content-Type" content=3D"text/html; charset=3Dus-ascii"=
>
<meta name=3D"Generator" content=3D"Microsoft Word 15 (filtered medium)">
</head>
<body lang=3D"EN-US" link=3D"blue" vlink=3D"purple">
<div class=3D"WordSection1">
<p class=3D"MsoNormal"><span style=3D"font-size:11.0pt;font-family:&quot;Ca=
libri&quot;,&quot;sans-serif&quot;;color:#1F497D">You can&#8217;t do this, =
first openid uses a token and second it&#8217;s signed, third there is no s=
pecification to just return an authentication JSON structure<o:p></o:p></sp=
an></p>
<p class=3D"MsoNormal"><a name=3D"_MailEndCompose"><span style=3D"font-size=
:11.0pt;font-family:&quot;Calibri&quot;,&quot;sans-serif&quot;;color:#1F497=
D"><o:p>&nbsp;</o:p></span></a></p>
<div>
<div style=3D"border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0in =
0in 0in">
<p class=3D"MsoNormal"><b><span style=3D"font-size:11.0pt;font-family:&quot=
;Calibri&quot;,&quot;sans-serif&quot;">From:</span></b><span style=3D"font-=
size:11.0pt;font-family:&quot;Calibri&quot;,&quot;sans-serif&quot;"> Richer=
, Justin P. [mailto:jricher@mitre.org]
<br>
<b>Sent:</b> Thursday, August 1, 2013 5:15 AM<br>
<b>To:</b> Anthony Nadalin<br>
<b>Cc:</b> Bill Mills; Prateek Mishra; Nat Sakimura; oauth@ietf.org WG<br>
<b>Subject:</b> Re: [OAUTH-WG] Need for Extending OAuth with AuthN (was Re:=
 Fwd: New Version Notification for draft-hunt-oauth-v2-user-a4c-00.txt)<o:p=
></o:p></span></p>
</div>
</div>
<p class=3D"MsoNormal"><o:p>&nbsp;</o:p></p>
<p class=3D"MsoNormal">Tony, you can already return the authn result from t=
he token request (we discussed this specifically in May as I recall). That'=
s what the &quot;idtoken&quot; and &quot;code idtoken&quot; responses are f=
or in OpenID Connect. The proposed draft is nearly a duplicate
 of the core functionality of OIDC. <o:p></o:p></p>
<div>
<p class=3D"MsoNormal"><o:p>&nbsp;</o:p></p>
</div>
<div>
<p class=3D"MsoNormal">&nbsp;-- Justin<o:p></o:p></p>
</div>
<div>
<p class=3D"MsoNormal"><o:p>&nbsp;</o:p></p>
<div>
<div>
<p class=3D"MsoNormal">On Aug 1, 2013, at 7:31 AM, Anthony Nadalin &lt;<a h=
ref=3D"mailto:tonynad@microsoft.com">tonynad@microsoft.com</a>&gt;<o:p></o:=
p></p>
</div>
<div>
<p class=3D"MsoNormal">&nbsp;wrote:<o:p></o:p></p>
</div>
<p class=3D"MsoNormal"><br>
<br>
<o:p></o:p></p>
<blockquote style=3D"margin-top:5.0pt;margin-bottom:5.0pt">
<div>
<div>
<p class=3D"MsoNormal"><span style=3D"font-size:11.0pt;font-family:&quot;Ca=
libri&quot;,&quot;sans-serif&quot;;color:#1F497D">The proposal does not dup=
licate what OpenID does, there is clear benefit for returning an authentica=
tion result in the token request result. This is being proposed
 as optional JSON structure.</span><o:p></o:p></p>
</div>
<div>
<p class=3D"MsoNormal"><span style=3D"font-size:11.0pt;font-family:&quot;Ca=
libri&quot;,&quot;sans-serif&quot;;color:#1F497D">&nbsp;</span><o:p></o:p><=
/p>
</div>
<div>
<div style=3D"border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0in =
0in 0in">
<div>
<p class=3D"MsoNormal"><b><span style=3D"font-size:11.0pt;font-family:&quot=
;Calibri&quot;,&quot;sans-serif&quot;">From:</span></b><span class=3D"apple=
-converted-space"><span style=3D"font-size:11.0pt;font-family:&quot;Calibri=
&quot;,&quot;sans-serif&quot;">&nbsp;</span></span><span style=3D"font-size=
:11.0pt;font-family:&quot;Calibri&quot;,&quot;sans-serif&quot;"><a href=3D"=
mailto:oauth-bounces@ietf.org"><span style=3D"color:purple">oauth-bounces@i=
etf.org</span></a><span class=3D"apple-converted-space">&nbsp;</span>[mailt=
o:oauth-<a href=3D"mailto:bounces@ietf.org"><span style=3D"color:purple">bo=
unces@ietf.org</span></a>]<span class=3D"apple-converted-space">&nbsp;</spa=
n><b>On
 Behalf Of<span class=3D"apple-converted-space">&nbsp;</span></b>Bill Mills=
<br>
<b>Sent:</b><span class=3D"apple-converted-space">&nbsp;</span>Wednesday, J=
uly 31, 2013 2:50 PM<br>
<b>To:</b><span class=3D"apple-converted-space">&nbsp;</span>Prateek Mishra=
; Nat Sakimura<br>
<b>Cc:</b><span class=3D"apple-converted-space">&nbsp;</span><a href=3D"mai=
lto:oauth@ietf.org"><span style=3D"color:purple">oauth@ietf.org</span></a><=
span class=3D"apple-converted-space">&nbsp;</span>WG<br>
<b>Subject:</b><span class=3D"apple-converted-space">&nbsp;</span>Re: [OAUT=
H-WG] Need for Extending OAuth with AuthN (was Re: Fwd: New Version Notific=
ation for draft-hunt-oauth-v2-user-a4c-00.txt)</span><o:p></o:p></p>
</div>
</div>
</div>
<div>
<p class=3D"MsoNormal">&nbsp;<o:p></o:p></p>
</div>
<div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white"><span style=3D"font-famil=
y:&quot;Courier New&quot;">Rather than extending OAuth for something OpenID=
 already does... &nbsp;why don't we get a simple informational example doc =
to show how to implement the most basic OpenID service,
 which is the same functionality on a standard that's already written?</spa=
n><o:p></o:p></p>
</div>
</div>
<div>
<div>
<p class=3D"MsoNormal"><span style=3D"font-family:&quot;Courier New&quot;">=
&nbsp;</span><o:p></o:p></p>
</div>
</div>
<div>
<div>
<p class=3D"MsoNormal"><span style=3D"font-family:&quot;Courier New&quot;">=
This is sounding more and more like a documentation problem.</span><o:p></o=
:p></p>
</div>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white"><span style=3D"font-famil=
y:&quot;Courier New&quot;">&nbsp;</span><o:p></o:p></p>
</div>
</div>
<div>
<div>
<div class=3D"MsoNormal" align=3D"center" style=3D"text-align:center;backgr=
ound:white">
<hr size=3D"1" width=3D"100%" align=3D"center">
</div>
<div>
<p class=3D"MsoNormal" style=3D"background:white"><b><span style=3D"font-si=
ze:10.0pt;font-family:&quot;Arial&quot;,&quot;sans-serif&quot;">From:</span=
></b><span class=3D"apple-converted-space"><span style=3D"font-size:10.0pt;=
font-family:&quot;Arial&quot;,&quot;sans-serif&quot;">&nbsp;</span></span><=
span style=3D"font-size:10.0pt;font-family:&quot;Arial&quot;,&quot;sans-ser=
if&quot;">Prateek
 Mishra &lt;<a href=3D"mailto:prateek.mishra@oracle.com"><span style=3D"col=
or:purple">prateek.mishra@oracle.com</span></a>&gt;<br>
<b>To:</b><span class=3D"apple-converted-space">&nbsp;</span>Nat Sakimura &=
lt;<a href=3D"mailto:sakimura@gmail.com"><span style=3D"color:purple">sakim=
ura@gmail.com</span></a>&gt;<span class=3D"apple-converted-space">&nbsp;</s=
pan><br>
<b>Cc:</b><span class=3D"apple-converted-space">&nbsp;</span>&quot;<a href=
=3D"mailto:oauth@ietf.org%20WG"><span style=3D"color:purple">oauth@ietf.org=
 WG</span></a>&quot; &lt;<a href=3D"mailto:oauth@ietf.org"><span style=3D"c=
olor:purple">oauth@ietf.org</span></a>&gt;<span class=3D"apple-converted-sp=
ace">&nbsp;</span><br>
<b>Sent:</b><span class=3D"apple-converted-space">&nbsp;</span>Wednesday, J=
uly 31, 2013 2:38 PM<br>
<b>Subject:</b><span class=3D"apple-converted-space">&nbsp;</span>[OAUTH-WG=
] Need for Extending OAuth with AuthN (was Re: Fwd: New Version Notificatio=
n for draft-hunt-oauth-v2-user-a4c-00.txt)</span><o:p></o:p></p>
</div>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">&nbsp;<o:p></o:p></p>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">Nat -<span class=3D"apple=
-converted-space">&nbsp;</span><br>
<br>
thanks for the detailed response. I did review the links you sent out but i=
t remained unclear to me which<br>
features are MTI and which are not. For example, there is nothing in the Ba=
sic Client Profile that suggests<br>
that Section 2.3 is optional. I also could not find any definition for &quo=
t; non-dynamic OpenID Connect Server&quot;.<br>
<br>
I don't think there is a need to duplicate portions of the draft specificati=
on text in a new document. One solution<br>
that was used in SAML 2.0 was to define a conformance document which descri=
bed several different<span class=3D"apple-converted-space">&nbsp;</span><br=
>
operational modes and explained how only a small set of features needed to =
be implemented in certain modes.<br>
<br>
<a href=3D"http://docs.oasis-open.org/security/saml/v2.0/saml-conformance-2=
.0-os.pdf" target=3D"_blank"><span style=3D"color:purple">http://docs.oasis=
-open.org/security/saml/v2.0/saml-conformance-2.0-os.pdf</span></a><br>
<br>
There are probably other smarter ways to achieve the same effect.<br>
<br>
Given this situation, I do think it's a reasonable task for the OAuth commun=
ity to consider the need for<span class=3D"apple-converted-space">&nbsp;</s=
pan><br>
a minimal extension to OAuth that accommodates authentication. The communit=
y should be made aware that<span class=3D"apple-converted-space">&nbsp;</sp=
an><br>
RFC 6749 is being misused for federated authentication, as explained in&nbs=
p; -&nbsp;<span class=3D"apple-converted-space">&nbsp;</span><br>
<br>
<a href=3D"http://www.independentid.com/2013/07/simple-authentication-for-o=
auth-2-what.html" target=3D"_blank"><span style=3D"color:purple">http://www=
.independentid.com/2013/07/simple-authentication-for-oauth-2-what.html</spa=
n></a><span class=3D"apple-converted-space">&nbsp;</span><br>
<br>
and that there doesn't appear to be a simple solution that is currently ava=
ilable. It would be great if it turned<br>
out that OpenID Connect offered such a solution but that isn't clear to me.=
<br>
<br>
Thx,<br>
prateek<o:p></o:p></p>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">&nbsp;<o:p></o:p></p>
</div>
</div>
<blockquote style=3D"margin-top:5.0pt;margin-bottom:5.0pt">
<div>
<p class=3D"MsoNormal" style=3D"background:white">&nbsp;<o:p></o:p></p>
</div>
<div>
<p class=3D"MsoNormal" style=3D"margin-bottom:12.0pt;background:white;backg=
round-position:initial initial;background-repeat:initial initial">
Inline:&nbsp;<o:p></o:p></p>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">2013/7/31 Prateek Mishra =
&lt;<a href=3D"mailto:prateek.mishra@oracle.com" target=3D"_blank"><span st=
yle=3D"color:purple">prateek.mishra@oracle.com</span></a>&gt;<o:p></o:p></p=
>
</div>
<blockquote style=3D"border:none;border-left:solid #CCCCCC 1.0pt;padding:0i=
n 0in 0in 6.0pt;margin-left:4.8pt;margin-top:5.0pt;margin-right:0in;margin-=
bottom:5.0pt">
<div>
<p class=3D"MsoNormal" style=3D"background:white">Nat -<span class=3D"apple=
-converted-space">&nbsp;</span><br>
<br>
your blog posting is helpful to those of us who are looking for a minimal e=
xtension of OAuth with<span class=3D"apple-converted-space">&nbsp;</span><b=
r>
an authenticator.&nbsp; Many implementors are seeking a modest extension of=
 OAuth, not an entire new protocol<br>
stack. &nbsp; I believe that is the point of Phil Hunt's proposal to the OA=
uth committee.<br>
<br>
I do have some questions for about the statements made in the blog -<span c=
lass=3D"apple-converted-space">&nbsp;</span><br>
<br>
A) Can you direct me to a single OpenID Connect draft specification documen=
t where steps 1 and 2 are described?<o:p></o:p></p>
</div>
</blockquote>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">&nbsp;<o:p></o:p></p>
</div>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">Actually, it is not a sin=
gle spec, that the Standard is referencing others.&nbsp;<o:p></o:p></p>
</div>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">The Standard is kind of c=
luttered because it has 6 response types and three request types in it.&nbs=
p;<o:p></o:p></p>
</div>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">I suppose it would be muc=
h easier for the readers to split them into coherent pieces, though that me=
ans duplicate texts.&nbsp;<o:p></o:p></p>
</div>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">&nbsp;<o:p></o:p></p>
</div>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">The easiest approach here=
 is to read the Basic Client Profile.&nbsp;<a href=3D"http://openid.net/spe=
cs/openid-connect-basic-1_0-28.html" target=3D"_blank"><span style=3D"color=
:purple">http://openid.net/specs/openid-connect-basic-1_0-28.html</span></a=
><o:p></o:p></p>
</div>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">Then, read&nbsp;OAuth 2.0=
 Multiple Response Type Encoding Practices&nbsp;<a href=3D"http://openid.ne=
t/specs/oauth-v2-multiple-response-types-1_0-08.html" target=3D"_blank"><sp=
an style=3D"color:purple">http://openid.net/specs/oauth-v2-multiple-respons=
e-types-1_0-08.html</span></a>&nbsp;.&nbsp;<o:p></o:p></p>
</div>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">&nbsp;<o:p></o:p></p>
</div>
</div>
<blockquote style=3D"border:none;border-left:solid #CCCCCC 1.0pt;padding:0i=
n 0in 0in 6.0pt;margin-left:4.8pt;margin-top:5.0pt;margin-right:0in;margin-=
bottom:5.0pt">
<div>
<p class=3D"MsoNormal" style=3D"background:white"><br>
B) If I implement steps 1 and 2, do I then have a conformant OpenID Connect=
 implementation? Are there no<span class=3D"apple-converted-space">&nbsp;</=
span><br>
other MTI protocol exchanges in OpenID Connect?<o:p></o:p></p>
</div>
</blockquote>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">&nbsp;<o:p></o:p></p>
</div>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">Yes, for a non-dynamic Op=
enID Connect Server.&nbsp;<o:p></o:p></p>
</div>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">&nbsp;<o:p></o:p></p>
</div>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">Nat<o:p></o:p></p>
</div>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">&nbsp;&nbsp;<o:p></o:p></=
p>
</div>
</div>
<blockquote style=3D"border:none;border-left:solid #CCCCCC 1.0pt;padding:0i=
n 0in 0in 6.0pt;margin-left:4.8pt;margin-top:5.0pt;margin-right:0in;margin-=
bottom:5.0pt">
<div>
<p class=3D"MsoNormal" style=3D"background:white"><br>
Thanks,<br>
prateek<o:p></o:p></p>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white"><br>
<br>
&nbsp; &nbsp;<o:p></o:p></p>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">&nbsp;<o:p></o:p></p>
</div>
</div>
<blockquote style=3D"margin-top:5.0pt;margin-bottom:5.0pt">
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">I have written a short bl=
og post titled &quot;<a href=3D"http://nat.sakimura.org/2013/07/28/write-op=
enid-connect-server-in-three-simple-steps/" target=3D"_blank"><span style=
=3D"color:purple">Write an OpenID Connect server
 in three simple steps</span></a>&quot;.&nbsp;<o:p></o:p></p>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">&nbsp;<o:p></o:p></p>
</div>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">Really, there is not much=
 you need to do on top of OAuth 2.0.&nbsp;<o:p></o:p></p>
</div>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">&nbsp;<o:p></o:p></p>
</div>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">It puzzles me why you nee=
d to create a draft with only minor variances in parameter names.&nbsp;<o:p=
></o:p></p>
</div>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">&nbsp;<o:p></o:p></p>
</div>
</div>
<blockquote style=3D"margin-left:30.0pt;margin-top:5.0pt;margin-right:0in;m=
argin-bottom:5.0pt">
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">e.g.,&nbsp;<o:p></o:p></p=
>
</div>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">session instead of id_tok=
en<o:p></o:p></p>
</div>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">lat instead of iat<o:p></=
o:p></p>
</div>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">alv instead of acr<o:p></=
o:p></p>
</div>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">etc.&nbsp;<o:p></o:p></p>
</div>
</div>
</blockquote>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">&nbsp;<o:p></o:p></p>
</div>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">If you change those param=
eter names, you will have a conformant profile of OpenID Connect.&nbsp;<o:p=
></o:p></p>
</div>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">&nbsp;<o:p></o:p></p>
</div>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">Nat<o:p></o:p></p>
</div>
</div>
</div>
<div>
<p class=3D"MsoNormal" style=3D"margin-bottom:12.0pt;background:white;backg=
round-position:initial initial;background-repeat:initial initial">
&nbsp;<o:p></o:p></p>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">2013/7/31 John Bradley &l=
t;<a href=3D"mailto:ve7jtb@ve7jtb.com" target=3D"_blank"><span style=3D"col=
or:purple">ve7jtb@ve7jtb.com</span></a>&gt;<o:p></o:p></p>
</div>
<blockquote style=3D"border:none;border-left:solid #CCCCCC 1.0pt;padding:0i=
n 0in 0in 6.0pt;margin-left:4.8pt;margin-top:5.0pt;margin-right:0in;margin-=
bottom:5.0pt">
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">Connect doesn't require a=
 userinfo endpoint. &nbsp; It is required for interoperability if you are b=
uilding an open IdP. &nbsp; For an enterprise type deployment discovery, re=
gistration, userinfo are all optional.<o:p></o:p></p>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">&nbsp;<o:p></o:p></p>
</div>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">The server is required to=
 pass the nonce which is equivalent to a request ID through to the JWT if t=
he client sends it in the request.<o:p></o:p></p>
</div>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">&nbsp;<o:p></o:p></p>
</div>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">Justin is correct.<o:p></=
o:p></p>
</div>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">&nbsp;<o:p></o:p></p>
</div>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">John B.<o:p></o:p></p>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">&nbsp;<o:p></o:p></p>
</div>
<div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">On 2013-07-30, at 5:30 PM=
, Phil Hunt &lt;<a href=3D"mailto:phil.hunt@oracle.com" target=3D"_blank"><=
span style=3D"color:purple">phil.hunt@oracle.com</span></a>&gt; wrote:<o:p>=
</o:p></p>
</div>
</div>
<div>
<p class=3D"MsoNormal" style=3D"background:white"><br>
<br>
<br>
<o:p></o:p></p>
</div>
<blockquote style=3D"margin-top:5.0pt;margin-bottom:5.0pt">
<div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">Forgot reply all.<br>
<br>
Phil<o:p></o:p></p>
</div>
</div>
<div>
<p class=3D"MsoNormal" style=3D"margin-bottom:12.0pt;background:white;backg=
round-position:initial initial;background-repeat:initial initial">
<br>
Begin forwarded message:<o:p></o:p></p>
</div>
<blockquote style=3D"margin-top:5.0pt;margin-bottom:5.0pt">
<p class=3D"MsoNormal" style=3D"margin-bottom:12.0pt;background:white;backg=
round-position:initial initial;background-repeat:initial initial">
<b>From:</b><span class=3D"apple-converted-space">&nbsp;</span>Phil Hunt &l=
t;<a href=3D"mailto:phil.hunt@oracle.com" target=3D"_blank"><span style=3D"=
color:purple">phil.hunt@oracle.com</span></a>&gt;<br>
<b>Date:</b><span class=3D"apple-converted-space">&nbsp;</span>30 July, 201=
3 17:25:46 GMT&#43;02:00<br>
<b>To:</b><span class=3D"apple-converted-space">&nbsp;</span>&quot;Richer, =
Justin P.&quot; &lt;<a href=3D"mailto:jricher@mitre.org" target=3D"_blank">=
<span style=3D"color:purple">jricher@mitre.org</span></a>&gt;<br>
<b>Subject:</b><span class=3D"apple-converted-space">&nbsp;</span><b>Re: [O=
AUTH-WG] New Version Notification for draft-hunt-oauth-v2-user-a4c-00.txt</=
b><o:p></o:p></p>
</blockquote>
<blockquote style=3D"margin-top:5.0pt;margin-bottom:5.0pt">
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">The whole point is authn =
only. Many do not want or need the userinfo endpoint.&nbsp;<br>
<br>
Phil<o:p></o:p></p>
</div>
</div>
<div>
<p class=3D"MsoNormal" style=3D"margin-bottom:12.0pt;background:white;backg=
round-position:initial initial;background-repeat:initial initial">
<br>
On 2013-07-30, at 17:17, &quot;Richer, Justin P.&quot; &lt;<a href=3D"mailt=
o:jricher@mitre.org" target=3D"_blank"><span style=3D"color:purple">jricher=
@mitre.org</span></a>&gt; wrote:<o:p></o:p></p>
</div>
<blockquote style=3D"margin-top:5.0pt;margin-bottom:5.0pt">
<div>
<p class=3D"MsoNormal" style=3D"background:white">What do you mean? You abs=
olutely can implement a compliant OIDC server nearly as simply as this. The=
 things that you're missing I think are necessary for basic interoperable f=
unctionality, and are things that other
 folks using OAuth for authentication have also implemented. Namely:<o:p></=
o:p></p>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">&nbsp;<o:p></o:p></p>
</div>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">&nbsp;- Signing the ID to=
ken (OIDC specifies the RS256 flavor of JWS, which is easy to do with JWT).=
 Without a signed and verifiable ID token or equivalent, you're asking for =
all kinds of token injection problems.<o:p></o:p></p>
</div>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">&nbsp;- Session managemen=
t requests (max auth age, auth time)<o:p></o:p></p>
</div>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">&nbsp;- Not fall over wit=
h other parameters that you don't support (display, prompt, etc).<o:p></o:p=
></p>
</div>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">&nbsp;<o:p></o:p></p>
</div>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">See here for more informa=
tion:<o:p></o:p></p>
</div>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">&nbsp;<o:p></o:p></p>
</div>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">&nbsp;<a href=3D"http://o=
penid.net/specs/openid-connect-messages-1_0.html#ServerMTI" target=3D"_blan=
k"><span style=3D"color:purple">http://openid.net/specs/openid-connect-mess=
ages-1_0.html#ServerMTI</span></a><o:p></o:p></p>
</div>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">&nbsp;<o:p></o:p></p>
</div>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">Additionally, something t=
hat's really important to support is the User Info Endpoint, so you can act=
ually get user profile information beyond just the simple &quot;someone was=
 here&quot; claim -- this was the real value of
 Facebook Connect from an RP's perspective. Some people will probably want =
to use SCIM for this, too, and that's fine.<o:p></o:p></p>
</div>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">&nbsp;<o:p></o:p></p>
</div>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">&nbsp;-- Justin<o:p></o:p=
></p>
</div>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">&nbsp;<o:p></o:p></p>
</div>
<div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">On Jul 30, 2013, at 10:54=
 AM, Phil Hunt &lt;<a href=3D"mailto:phil.hunt@oracle.com" target=3D"_blank=
"><span style=3D"color:purple">phil.hunt@oracle.com</span></a>&gt;<o:p></o:=
p></p>
</div>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">&nbsp;wrote:<o:p></o:p></=
p>
</div>
</div>
<div>
<p class=3D"MsoNormal" style=3D"background:white"><br>
<br>
<br>
<o:p></o:p></p>
</div>
<blockquote style=3D"margin-top:5.0pt;margin-bottom:5.0pt">
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">The oidc specs do not all=
ow this simple an implementation. The spec members have not shown interest =
in making changes as they say they are too far down the road.<o:p></o:p></p=
>
</div>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">&nbsp;<o:p></o:p></p>
</div>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">I have tried to make my d=
raft as close as possible to oidc but maybe it shouldn't be clarity wise. I=
 am interested in what the group feels is clearest.&nbsp;<o:p></o:p></p>
</div>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">&nbsp;<o:p></o:p></p>
</div>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">From an ietf perspective =
the concern is improper use of the 6749 for authn. Is this a bug or gap we =
need to address?<br>
<br>
Phil<o:p></o:p></p>
</div>
</div>
<div>
<p class=3D"MsoNormal" style=3D"margin-bottom:12.0pt;background:white;backg=
round-position:initial initial;background-repeat:initial initial">
<br>
On 2013-07-30, at 16:46, &quot;Richer, Justin P.&quot; &lt;<a href=3D"mailt=
o:jricher@mitre.org" target=3D"_blank"><span style=3D"color:purple">jricher=
@mitre.org</span></a>&gt; wrote:<o:p></o:p></p>
</div>
<blockquote style=3D"margin-top:5.0pt;margin-bottom:5.0pt">
<div>
<p class=3D"MsoNormal" style=3D"background:white">From what I read, you've =
defined something that uses an OAuth 2 code flow to get an extra token whic=
h is specified as a JWT. You named it &quot;session_token&quot; instead of =
&quot;id_token&quot;, and you've left off the User Information
 Endpoint -- but other than that, this is exactly the Basic Client for Open=
ID Connect. In other words, if you change the names on things you've got OI=
DC, but without the capabilities to go beyond a very basic &quot;hey there'=
s a user here&quot; claim. This is the same
 place that OpenID 2.0 started, and it was very, very quickly extended with=
 SREG, AX, PAPE, and others for it to be useful in the real world of distri=
buted logins. You've also left out discovery and registration which are req=
uired for distributed deployments,
 but I'm guessing that those would be modular components that could be adde=
d in (like they are in OIDC).&nbsp;<o:p></o:p></p>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">&nbsp;<o:p></o:p></p>
</div>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">I've heard complaints tha=
t OIDC is complicated, but it's really not. Yes, I agree that the giant sta=
ck of documents is intimidating and in my opinion it's a bit of a mess with=
 Messages and Standard split up (but
 I lost that argument years ago). However, at the core, you've got an OAuth=
2 authorization server that spits out access tokens and id tokens. The id t=
oken is a JWT with some known claims (iss, sub, etc) and is issued along si=
de the access token, and its audience
 is the *client* and not the *protected resource*. The access token is a re=
gular old access token and its format is undefined (so you can use it with =
an existing OAuth2 server setup, like we have), and it can be used at the U=
ser Info Endpoint to get profile
 information about the user who authenticated. It could also be used for ot=
her services if your AS/IdP protects multiple things.<o:p></o:p></p>
</div>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">&nbsp;<o:p></o:p></p>
</div>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">So I guess what I'm missi=
ng is what's the value proposition in this spec when we have something that=
 can do this already? And this doesn't seem to do anything different (apart=
 from syntax changes)?<o:p></o:p></p>
</div>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">&nbsp;<o:p></o:p></p>
</div>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">&nbsp;-- Justin<o:p></o:p=
></p>
</div>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">&nbsp;<o:p></o:p></p>
</div>
<div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">On Jul 29, 2013, at 4:14 =
AM, Phil Hunt &lt;<a href=3D"mailto:phil.hunt@oracle.com" target=3D"_blank"=
><span style=3D"color:purple">phil.hunt@oracle.com</span></a>&gt; wrote:<o:=
p></o:p></p>
</div>
</div>
<div>
<p class=3D"MsoNormal" style=3D"background:white"><br>
<br>
<br>
<o:p></o:p></p>
</div>
<blockquote style=3D"margin-top:5.0pt;margin-bottom:5.0pt">
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">FYI. &nbsp;I have been no=
ticing a substantial number of sites acting as OAuth Clients using OAuth to=
 authenticate users.<o:p></o:p></p>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">&nbsp;<o:p></o:p></p>
</div>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">I know several of us have=
 blogged on the issue over the past year so I won't re-hash it here. &nbsp;=
In short, many of us recommended OIDC as the correct methodology.<o:p></o:p=
></p>
</div>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">&nbsp;<o:p></o:p></p>
</div>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">Never-the-less, I've spok=
en with a number of service providers who indicate they are not ready to ma=
ke the jump to OIDC, yet they agree there is a desire to support authentica=
tion only (where as OIDC does IDP-like
 services).<o:p></o:p></p>
</div>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">&nbsp;<o:p></o:p></p>
</div>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">This draft is intended as=
 a minimum authentication only specification. &nbsp;I've tried to make it a=
s compatible as possible with OIDC.<o:p></o:p></p>
</div>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">&nbsp;<o:p></o:p></p>
</div>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">For now, I've just posted=
 to keep track of the issue so we can address at the next re-chartering.<o:=
p></o:p></p>
</div>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">&nbsp;<o:p></o:p></p>
</div>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">Happy to answer questions=
 and discuss.&nbsp;<o:p></o:p></p>
</div>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">&nbsp;<o:p></o:p></p>
</div>
</div>
<div>
<div>
<div>
<div>
<div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white"><span style=3D"font-size:=
9.0pt;font-family:&quot;Helvetica&quot;,&quot;sans-serif&quot;">Phil</span>=
<o:p></o:p></p>
</div>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white"><span style=3D"font-size:=
9.0pt;font-family:&quot;Helvetica&quot;,&quot;sans-serif&quot;">&nbsp;</spa=
n><o:p></o:p></p>
</div>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white"><span style=3D"font-size:=
9.0pt;font-family:&quot;Helvetica&quot;,&quot;sans-serif&quot;">@independen=
tid</span><o:p></o:p></p>
</div>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white"><span style=3D"font-size:=
9.0pt;font-family:&quot;Helvetica&quot;,&quot;sans-serif&quot;"><a href=3D"=
http://www.independentid.com/" target=3D"_blank"><span style=3D"color:purpl=
e">www.independentid.com</span></a></span><o:p></o:p></p>
</div>
</div>
</div>
<p class=3D"MsoNormal" style=3D"margin-bottom:13.5pt;background:white;backg=
round-position:initial initial;background-repeat:initial initial">
<span style=3D"font-size:13.5pt;font-family:&quot;Helvetica&quot;,&quot;san=
s-serif&quot;"><a href=3D"mailto:phil.hunt@oracle.com" target=3D"_blank"><s=
pan style=3D"color:purple">phil.hunt@oracle.com</span></a></span><o:p></o:p=
></p>
</div>
<div>
<p class=3D"MsoNormal" style=3D"background:white"><span style=3D"font-size:=
13.5pt;font-family:&quot;Helvetica&quot;,&quot;sans-serif&quot;">&nbsp;</sp=
an><o:p></o:p></p>
</div>
</div>
<div>
<p class=3D"MsoNormal" style=3D"background:white"><br>
<br>
<br>
<o:p></o:p></p>
</div>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">&nbsp;<o:p></o:p></p>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">Begin forwarded message:<=
o:p></o:p></p>
</div>
</div>
<div>
<p class=3D"MsoNormal" style=3D"background:white"><br>
<br>
<br>
<o:p></o:p></p>
</div>
<blockquote style=3D"margin-top:5.0pt;margin-bottom:5.0pt">
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white"><b><span style=3D"font-si=
ze:13.5pt;font-family:&quot;Helvetica&quot;,&quot;sans-serif&quot;">From:</=
span></b><span style=3D"font-size:13.5pt;font-family:&quot;Helvetica&quot;,=
&quot;sans-serif&quot;"><a href=3D"mailto:internet-drafts@ietf.org" target=
=3D"_blank"><span style=3D"color:purple">internet-drafts@ietf.org</span></a=
></span><o:p></o:p></p>
</div>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white"><b><span style=3D"font-si=
ze:13.5pt;font-family:&quot;Helvetica&quot;,&quot;sans-serif&quot;">Subject=
: New Version Notification for draft-hunt-oauth-v2-user-a4c-00.txt</span></=
b><o:p></o:p></p>
</div>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white"><b><span style=3D"font-si=
ze:13.5pt;font-family:&quot;Helvetica&quot;,&quot;sans-serif&quot;">Date:</=
span></b><span style=3D"font-size:13.5pt;font-family:&quot;Helvetica&quot;,=
&quot;sans-serif&quot;">29 July, 2013 9:49:41 AM GMT&#43;02:00</span><o:p><=
/o:p></p>
</div>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white"><b><span style=3D"font-si=
ze:13.5pt;font-family:&quot;Helvetica&quot;,&quot;sans-serif&quot;">To:</sp=
an></b><span style=3D"font-size:13.5pt;font-family:&quot;Helvetica&quot;,&q=
uot;sans-serif&quot;">Phil Hunt &lt;<a href=3D"mailto:phil.hunt@yahoo.com" =
target=3D"_blank"><span style=3D"color:purple">phil.hunt@yahoo.com</span></=
a>&gt;,
 Phil Hunt &lt;<a href=3D"mailto:None@ietfa.amsl.com" target=3D"_blank"><sp=
an style=3D"color:purple">None@ietfa.amsl.com</span></a>&gt;, Phil Hunt &lt=
;&gt;</span><o:p></o:p></p>
</div>
</div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">&nbsp;<o:p></o:p></p>
</div>
<div>
<p class=3D"MsoNormal" style=3D"margin-bottom:12.0pt;background:white;backg=
round-position:initial initial;background-repeat:initial initial">
<br>
A new version of I-D, draft-hunt-oauth-v2-user-a4c-00.txt<br>
has been successfully submitted by Phil Hunt and posted to the<br>
IETF repository.<br>
<br>
Filename: draft-hunt-oauth-v2-user-a4c<br>
Revision: 00<br>
Title: OAuth 2.0 User Authentication For Client<br>
Creation date: 2013-07-29<br>
Group: Individual Submission<br>
Number of pages: 9<br>
URL: &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbs=
p;<a href=3D"http://www.ietf.org/internet-drafts/draft-hunt-oauth-v2-user-a=
4c-00.txt" target=3D"_blank"><span style=3D"color:purple">http://www.ietf.o=
rg/internet-drafts/draft-hunt-oauth-v2-user-a4c-00.txt</span></a><br>
Status: &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<a href=3D"ht=
tp://datatracker.ietf.org/doc/draft-hunt-oauth-v2-user-a4c" target=3D"_blan=
k"><span style=3D"color:purple">http://datatracker.ietf.org/doc/draft-hunt-=
oauth-v2-user-a4c</span></a><br>
Htmlized: &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<a href=3D"http://tools=
.ietf.org/html/draft-hunt-oauth-v2-user-a4c-00" target=3D"_blank"><span sty=
le=3D"color:purple">http://tools.ietf.org/html/draft-hunt-oauth-v2-user-a4c=
-00</span></a><br>
<br>
<br>
Abstract:<br>
&nbsp;&nbsp;This specification defines a new OAuth2 endpoint that enables u=
ser<br>
&nbsp;&nbsp;authentication session information to be shared with client<br>
&nbsp;&nbsp;applications.<br>
<br>
<br>
<br>
<br>
Please note that it may take a couple of minutes from the time of submissio=
n<br>
until the htmlized version and diff are available at<a href=3D"http://tools=
.ietf.org/" target=3D"_blank"><span style=3D"color:purple">tools.ietf.org</=
span></a>.<br>
<br>
The IETF Secretariat<o:p></o:p></p>
</div>
</blockquote>
</div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">&nbsp;<o:p></o:p></p>
</div>
</div>
</div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">_________________________=
______________________<br>
OAuth mailing list<br>
<a href=3D"mailto:OAuth@ietf.org" target=3D"_blank"><span style=3D"color:pu=
rple">OAuth@ietf.org</span></a><br>
<a href=3D"https://www.ietf.org/mailman/listinfo/oauth" target=3D"_blank"><=
span style=3D"color:purple">https://www.ietf.org/mailman/listinfo/oauth</sp=
an></a><o:p></o:p></p>
</div>
</blockquote>
</div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">&nbsp;<o:p></o:p></p>
</div>
</div>
</blockquote>
</blockquote>
</div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">&nbsp;<o:p></o:p></p>
</div>
</div>
</blockquote>
</blockquote>
</div>
<div>
</div>
</blockquote>
</div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">&nbsp;<o:p></o:p></p>
</div>
</div>
</div>
</div>
</blockquote>
</div>
<div>
<p class=3D"MsoNormal" style=3D"background:white"><br>
<br clear=3D"all">
<o:p></o:p></p>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">&nbsp;<o:p></o:p></p>
</div>
</div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">--<span class=3D"apple-co=
nverted-space">&nbsp;</span><br>
Nat Sakimura (=3Dnat)<o:p></o:p></p>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">Chairman, OpenID Foundati=
on<br>
<a href=3D"http://nat.sakimura.org/" target=3D"_blank"><span style=3D"color=
:purple">http://nat.sakimura.org/</span></a><br>
@_nat_en<o:p></o:p></p>
</div>
</div>
</div>
<div>
<p class=3D"MsoNormal" style=3D"background:white"><br>
<br>
<br>
<o:p></o:p></p>
</div>
</blockquote>
<div>
<p class=3D"MsoNormal" style=3D"background:white">&nbsp;<o:p></o:p></p>
</div>
</div>
</blockquote>
</div>
<div>
<p class=3D"MsoNormal" style=3D"background:white"><br>
<br clear=3D"all">
<o:p></o:p></p>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">&nbsp;<o:p></o:p></p>
</div>
</div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">--<span class=3D"apple-co=
nverted-space">&nbsp;</span><br>
Nat Sakimura (=3Dnat)<o:p></o:p></p>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">Chairman, OpenID Foundati=
on<br>
<a href=3D"http://nat.sakimura.org/" target=3D"_blank"><span style=3D"color=
:purple">http://nat.sakimura.org/</span></a><br>
@_nat_en<o:p></o:p></p>
</div>
</div>
</div>
</blockquote>
<div>
<p class=3D"MsoNormal" style=3D"background:white">&nbsp;<o:p></o:p></p>
</div>
</div>
</div>
</div>
</div>
</div>
</blockquote>
</div>
<p class=3D"MsoNormal"><o:p>&nbsp;</o:p></p>
</div>
</div>
</body>
</html>

--_000_e68801da9fa547c69fee43b9cd7b22b8BY2PR03MB189namprd03pro_--

From Michael.Jones@microsoft.com  Thu Aug  1 05:32:50 2013
Return-Path: <Michael.Jones@microsoft.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
From: Mike Jones <Michael.Jones@microsoft.com>
To: Richard Barnes <rlb@ipv.sx>
Thread-Topic: [OAUTH-WG] Plaintext JWT bug
Thread-Index: AQHOjrFBukeaH+7+vU+VIhCHaU+nW5mART4ggAABWoCAAAAkoA==
Date: Thu, 1 Aug 2013 12:26:11 +0000
Message-ID: <4E1F6AAD24975D4BA5B16804296739436B739C6F@TK5EX14MBXC284.redmond.corp.microsoft.com>
References: <CAL02cgRusCLRxfUOYTcJyWYz9vQZa95DVkiy6ZvfMUW67NM-eg@mail.gmail.com> <4E1F6AAD24975D4BA5B16804296739436B739BAB@TK5EX14MBXC284.redmond.corp.microsoft.com> <CAL02cgT5sbiFCdm7iGvhGcPg_+ro4E-tVdtGnfOLcF-S+z40dg@mail.gmail.com>
In-Reply-To: <CAL02cgT5sbiFCdm7iGvhGcPg_+ro4E-tVdtGnfOLcF-S+z40dg@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
x-originating-ip: [157.54.51.36]
Content-Type: multipart/alternative; boundary="_000_4E1F6AAD24975D4BA5B16804296739436B739C6FTK5EX14MBXC284r_"
MIME-Version: 1.0
X-OriginatorOrg: microsoft.com
X-FOPE-CONNECTOR: Id%0$Dn%*$RO%0$TLS%0$FQDN%$TlsDn%
Cc: "oauth@ietf.org WG" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Plaintext JWT bug
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 01 Aug 2013 12:32:51 -0000

--_000_4E1F6AAD24975D4BA5B16804296739436B739C6FTK5EX14MBXC284r_
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable

You prevent downgrade attacks by having your application reject algorithms that don't meet their security requirements.  Unless your application explicitly chooses to accept "alg":"none", the same code that would reject "alg":"rot13" would reject "alg":"none".

If your application isn't rejecting unacceptable algorithms, that's an application bug - not a spec bug.

                                                            -- Mike

From: Richard Barnes [mailto:rlb@ipv.sx]
Sent: Thursday, August 01, 2013 5:24 AM
To: Mike Jones
Cc: oauth@ietf.org WG
Subject: Re: [OAUTH-WG] Plaintext JWT bug

You don't view downgrade attacks as a compelling reason?

I look forward to your attempt to get this through SECDIR review.

On Thu, Aug 1, 2013 at 2:20 PM, Mike Jones <Michael.Jones@microsoft.com> wrote:

This is useful because it means that you can pass both unsigned and signed content using the same syntax, with no special parsing required.  This is used in practice, for instance, to enable both unsigned and signed request objects, signed and unsigned ID Tokens, etc.

This is already in widespread use.

I'm kind of surprised that this is coming up now.  This has been in JWT since March 2011 and in the JOSE specs since the working group versions, so it's not exactly a surprise.  (The biggest change was that we moved it from JWT to JWS in March 2012, at Jim Schaad's suggestion, because it is generally useful outside of just JWTs.)  Yes, an alternative syntax could have been used, but using the "alg":"none" value to express this works fine in practice.  I don't perceive a compelling reason to change it at this point.

                                                            -- Mike

From: oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] On Behalf Of Richard Barnes
Sent: Thursday, August 01, 2013 5:08 AM
To: oauth@ietf.org WG
Subject: [OAUTH-WG] Plaintext JWT bug

It has come to my attention that JWT is using "alg":"none" to create "Plaintext JWTs".  Some of us in JOSE believe that this "alg" value should be removed, because of a risk of downgrade attacks.  In order to do that, a suggested revision to JWT is below.  To summarize:
-- Plaintext JWTs are not JWSs.
-- They just have a header and payload (separated by a '.')
-- The header MUST NOT contain "alg", since there's no crypto going on

Thanks,
--Richard


-----BEGIN-----
6.  Plaintext JWTs

   To support use cases where the JWT content is secured by a means
   other than a signature and/or encryption contained within the JWT
   (such as a signature on a data structure containing the JWT), JWTs
   MAY also be created without a signature or encryption.  A plaintext
   JWT is the concatenation of a base64url-encoded JWT Header, a
   period ('.') character, and the base64url-encoded JWT Claims Set.

   The header of a plaintext JWT contains parameters drawn from the
   set as the JWS header.  However, a JWT header MUST NOT contain an
   "alg" header parameter, since no cryptographic processing is being
   performed.

6.1.  Example Plaintext JWT

   The following example JWT Header declares that the encoded object is
   a Plaintext JWT:

     {"typ":"JWT"}

   Base64url encoding the octets of the UTF-8 representation of the JWT
   Header yields this Encoded JWT Header:

     eyJ0eXAiOiJKV1QifQ

   The following is an example of a JWT Claims Set:

     {"iss":"joe",
      "exp":1300819380,
      "http://example.com/is_root":true}

   Base64url encoding the octets of the UTF-8 representation of the JWT
   Claims Set yields this Encoded JWS Payload (with line breaks for
   display purposes only):

     eyJpc3MiOiJqb2UiLA0KICJleHAiOjEzMDA4MTkzODAsDQogImh0dHA6Ly9leGFt
     cGxlLmNvbS9pc19yb290Ijp0cnVlfQ

   Concatenating these parts in this order with a period ('.') character
   between the parts yields this complete JWT (with line breaks for
   display purposes only):

     eyJ0eXAiOiJKV1QifQ
     .
     eyJpc3MiOiJqb2UiLA0KICJleHAiOjEzMDA4MTkzODAsDQogImh0dHA6Ly9leGFt
     cGxlLmNvbS9pc19yb290Ijp0cnVlfQ


-----END-----
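
The application-side allow-list check discussed in this thread, as an added example that is not part of the original messages or of any JOSE library: a minimal compact-JWS verifier in Python (standard library only) whose policy check rejects "alg":"none" and "alg":"rot13" through the same code path, accepts unsecured tokens only on explicit opt-in, and treats the two-part form from the suggested revision as a different syntax. The key, claims and helper names are constructed for illustration.

```python
import base64
import hashlib
import hmac
import json

# Application policy (assumed for this example): only HS256 is acceptable.
# "none" is simply absent, exactly like any unknown value such as "rot13".
ALLOWED_ALGS = frozenset({"HS256"})


class RejectedToken(Exception):
    """Raised when a token fails the format, policy or signature check."""


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _segments(header: dict, claims: dict) -> str:
    """Encoded header and claims joined by a period (the signing input)."""
    return ".".join(
        b64url_encode(json.dumps(part, separators=(",", ":")).encode("utf-8"))
        for part in (header, claims)
    )


def sign_hs256(claims: dict, key: bytes) -> str:
    signing_input = _segments({"alg": "HS256", "typ": "JWT"}, claims)
    mac = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(mac)


def unsecured(claims: dict, alg: str) -> str:
    """Token with an empty signature part, the shape "alg":"none" produces."""
    return _segments({"alg": alg, "typ": "JWT"}, claims) + "."


def verify(token: str, key: bytes, allowed_algs=ALLOWED_ALGS) -> dict:
    parts = token.split(".")
    if len(parts) != 3:
        raise RejectedToken("expected three dot-separated parts")
    try:
        header = json.loads(b64url_decode(parts[0]))
        claims = json.loads(b64url_decode(parts[1]))
        signature = b64url_decode(parts[2])
    except ValueError as exc:  # bad base64, bad UTF-8 or bad JSON
        raise RejectedToken("malformed token") from exc
    if not isinstance(header, dict):
        raise RejectedToken("header is not a JSON object")
    alg = header.get("alg")
    # Policy first: the caller's allow-list decides, never the token's header.
    if not isinstance(alg, str) or alg not in allowed_algs:
        raise RejectedToken(f"algorithm not accepted: {alg!r}")
    if alg == "none":
        # Reachable only when the caller explicitly listed "none".
        if parts[2] != "":
            raise RejectedToken("unsecured token must have an empty signature")
    elif alg == "HS256":
        signing_input = (parts[0] + "." + parts[1]).encode("ascii")
        expected = hmac.new(key, signing_input, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, signature):
            raise RejectedToken("signature mismatch")
    else:
        raise RejectedToken(f"no verifier implemented for {alg!r}")
    return claims  # "exp" and other claim checks are out of scope here


def outcome(token: str, key: bytes, allowed_algs=ALLOWED_ALGS) -> str:
    """Return "accepted" or "rejected: <reason>" instead of raising."""
    try:
        verify(token, key, allowed_algs)
        return "accepted"
    except RejectedToken as exc:
        return f"rejected: {exc}"


if __name__ == "__main__":
    KEY = b"constructed-demo-key"                 # constructed sample key
    CLAIMS = {"iss": "joe", "exp": 1300819380}    # subset of the thread's claims
    samples = [
        ("signed HS256", sign_hs256(CLAIMS, KEY), ALLOWED_ALGS),
        ('"alg":"none"', unsecured(CLAIMS, "none"), ALLOWED_ALGS),
        ('"alg":"rot13"', unsecured(CLAIMS, "rot13"), ALLOWED_ALGS),
        ('"none", opted in', unsecured(CLAIMS, "none"), {"HS256", "none"}),
    ]
    for label, token, allowed in samples:
        print(f"{label:18} {outcome(token, KEY, allowed)}")
```
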



--_000_4E1F6AAD24975D4BA5B16804296739436B739C6FTK5EX14MBXC284r_
Content-Type: text/html; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable

<html xmlns:v=3D"urn:schemas-microsoft-com:vml" xmlns:o=3D"urn:schemas-micr=
osoft-com:office:office" xmlns:w=3D"urn:schemas-microsoft-com:office:word" =
xmlns:m=3D"http://schemas.microsoft.com/office/2004/12/omml" xmlns=3D"http:=
//www.w3.org/TR/REC-html40">
<head>
<meta http-equiv=3D"Content-Type" content=3D"text/html; charset=3Dus-ascii"=
>
<meta name=3D"Generator" content=3D"Microsoft Word 14 (filtered medium)">
</head>
<body lang=3D"EN-US" link=3D"blue" vlink=3D"purple">
<div class=3D"WordSection1">
<p class=3D"MsoNormal"><span style=3D"font-size:11.0pt;font-family:&quot;Ca=
libri&quot;,&quot;sans-serif&quot;;color:#1F497D">You prevent downgrade att=
acks by having your application reject algorithms that don&#8217;t meet the=
ir security requirements.&nbsp; Unless your application explicitly
 chooses to accept &#8220;alg&#8221;:&#8221;none&#8221;, the same code that=
 would reject &#8220;alg&#8221;:&#8221;rot13&#8221; would reject &#8220;alg=
&#8221;:&#8221;none&#8221;.<o:p></o:p></span></p>
<p class=3D"MsoNormal"><span style=3D"font-size:11.0pt;font-family:&quot;Ca=
libri&quot;,&quot;sans-serif&quot;;color:#1F497D"><o:p>&nbsp;</o:p></span><=
/p>
<p class=3D"MsoNormal"><span style=3D"font-size:11.0pt;font-family:&quot;Ca=
libri&quot;,&quot;sans-serif&quot;;color:#1F497D">If your application isn&#=
8217;t rejecting unacceptable algorithms, that&#8217;s an application bug &=
#8211; not a spec bug.<o:p></o:p></span></p>
<p class=3D"MsoNormal"><span style=3D"font-size:11.0pt;font-family:&quot;Ca=
libri&quot;,&quot;sans-serif&quot;;color:#1F497D"><o:p>&nbsp;</o:p></span><=
/p>
<p class=3D"MsoNormal"><span style=3D"font-size:11.0pt;font-family:&quot;Ca=
libri&quot;,&quot;sans-serif&quot;;color:#1F497D">-- Mike<o:p></o:p></span></p>
<p class=3D"MsoNormal"><span style=3D"font-size:11.0pt;font-family:&quot;Ca=
libri&quot;,&quot;sans-serif&quot;;color:#1F497D"><o:p>&nbsp;</o:p></span><=
/p>
<p class=3D"MsoNormal"><b><span style=3D"font-size:10.0pt;font-family:&quot=
;Tahoma&quot;,&quot;sans-serif&quot;">From:</span></b><span style=3D"font-s=
ize:10.0pt;font-family:&quot;Tahoma&quot;,&quot;sans-serif&quot;"> Richard =
Barnes [mailto:rlb@ipv.sx]
<br>
<b>Sent:</b> Thursday, August 01, 2013 5:24 AM<br>
<b>To:</b> Mike Jones<br>
<b>Cc:</b> oauth@ietf.org WG<br>
<b>Subject:</b> Re: [OAUTH-WG] Plaintext JWT bug<o:p></o:p></span></p>
<p class=3D"MsoNormal"><o:p>&nbsp;</o:p></p>
<div>
<p class=3D"MsoNormal"><span style=3D"font-size:10.0pt;font-family:&quot;Ar=
ial&quot;,&quot;sans-serif&quot;">You don't view downgrade attacks as a com=
pelling reason?</span><o:p></o:p></p>
<div>
<p class=3D"MsoNormal"><span style=3D"font-size:10.0pt;font-family:&quot;Ar=
ial&quot;,&quot;sans-serif&quot;"><o:p>&nbsp;</o:p></span></p>
</div>
<div>
<p class=3D"MsoNormal"><span style=3D"font-size:10.0pt;font-family:&quot;Ar=
ial&quot;,&quot;sans-serif&quot;">I look forward to your attempt to get thi=
s through SECDIR review.<o:p></o:p></span></p>
</div>
</div>
<div>
<p class=3D"MsoNormal" style=3D"margin-bottom:12.0pt"><o:p>&nbsp;</o:p></p>
<div>
<p class=3D"MsoNormal">On Thu, Aug 1, 2013 at 2:20 PM, Mike Jones &lt;<a hr=
ef=3D"mailto:Michael.Jones@microsoft.com" target=3D"_blank">Michael.Jones@m=
icrosoft.com</a>&gt; wrote:<o:p></o:p></p>
<div>
<div>
<p>This is useful because it means that you can pass both unsigned and sign=
ed content using the same syntax, with no special parsing required.&nbsp; T=
his is used in practice, for instance, to enable both unsigned and signed r=
equest objects, signed and unsigned ID
 Tokens, etc.<o:p></o:p></p>
<p>&nbsp;<o:p></o:p></p>
<p>This is already in widespread use.<o:p></o:p></p>
<p>&nbsp;<o:p></o:p></p>
<p>I'm kind of surprised that this is coming up now.&nbsp; This has been in=
 JWT since March 2011 and in the JOSE specs since the working group version=
s, so it's not exactly a surprise.&nbsp; (The biggest change was that we mo=
ved it from JWT to JWS in March 2012, at Jim
 Schaad's suggestion, because it is generally useful outside of just JWTs.)=
&nbsp; Yes, an alternative syntax could have been used, but using the &quot=
;alg&quot;:&quot;none&quot; value to express this works fine in practice.&n=
bsp; I don't perceive a compelling reason to change it at this
 point.<o:p></o:p></p>
<p>&nbsp;<o:p></o:p></p>
<p>-- Mike<o:p></o:p></p>
<p class=3D"MsoNormal" style=3D"mso-margin-top-alt:auto;mso-margin-bottom-a=
lt:auto"><span style=3D"font-size:11.0pt;font-family:&quot;Calibri&quot;,&q=
uot;sans-serif&quot;;color:#1F497D">&nbsp;</span><o:p></o:p></p>
<p class=3D"MsoNormal" style=3D"mso-margin-top-alt:auto;mso-margin-bottom-a=
lt:auto"><b><span style=3D"font-size:10.0pt;font-family:&quot;Tahoma&quot;,=
&quot;sans-serif&quot;">From:</span></b><span style=3D"font-size:10.0pt;fon=
t-family:&quot;Tahoma&quot;,&quot;sans-serif&quot;">
<a href=3D"mailto:oauth-bounces@ietf.org" target=3D"_blank">oauth-bounces@i=
etf.org</a> [mailto:<a href=3D"mailto:oauth-bounces@ietf.org" target=3D"_bl=
ank">oauth-bounces@ietf.org</a>]
<b>On Behalf Of </b>Richard Barnes<br>
<b>Sent:</b> Thursday, August 01, 2013 5:08 AM<br>
<b>To:</b> <a href=3D"mailto:oauth@ietf.org" target=3D"_blank">oauth@ietf.o=
rg</a> WG<br>
<b>Subject:</b> [OAUTH-WG] Plaintext JWT bug</span><o:p></o:p></p>
<div>
<div>
<p class=3D"MsoNormal" style=3D"mso-margin-top-alt:auto;mso-margin-bottom-a=
lt:auto">&nbsp;<o:p></o:p></p>
<div>
<p class=3D"MsoNormal" style=3D"mso-margin-top-alt:auto;mso-margin-bottom-a=
lt:auto">It has come to my attention that JWT is using &quot;alg&quot;:&quo=
t;none&quot; to create &quot;Plaintext JWTs&quot;. &nbsp;Some of us in JOSE=
 believe that this &quot;alg&quot; value should be removed, because of a ri=
sk of
 downgrade attacks. &nbsp;In order to do that, a suggested revision to JWT =
is below. &nbsp;To summarize:<o:p></o:p></p>
<div>
<p class=3D"MsoNormal" style=3D"mso-margin-top-alt:auto;mso-margin-bottom-a=
lt:auto">-- Plaintext JWTs are not JWSs. &nbsp;<o:p></o:p></p>
</div>
<div>
<p class=3D"MsoNormal" style=3D"mso-margin-top-alt:auto;mso-margin-bottom-a=
lt:auto">-- They just have a header and payload (separated by a '.')<o:p></=
o:p></p>
</div>
<div>
<p class=3D"MsoNormal" style=3D"mso-margin-top-alt:auto;mso-margin-bottom-a=
lt:auto">-- The header MUST NOT contain &quot;alg&quot;, since there's no c=
rypto going on<o:p></o:p></p>
</div>
<div>
<p class=3D"MsoNormal" style=3D"mso-margin-top-alt:auto;mso-margin-bottom-a=
lt:auto">&nbsp;<o:p></o:p></p>
</div>
<div>
<p class=3D"MsoNormal" style=3D"mso-margin-top-alt:auto;mso-margin-bottom-a=
lt:auto">Thanks,<o:p></o:p></p>
</div>
<div>
<p class=3D"MsoNormal" style=3D"mso-margin-top-alt:auto;mso-margin-bottom-a=
lt:auto">--Richard<o:p></o:p></p>
</div>
<div>
<p class=3D"MsoNormal" style=3D"mso-margin-top-alt:auto;mso-margin-bottom-a=
lt:auto">&nbsp;<o:p></o:p></p>
</div>
<div>
<p class=3D"MsoNormal" style=3D"mso-margin-top-alt:auto;mso-margin-bottom-a=
lt:auto">&nbsp;<o:p></o:p></p>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"mso-margin-top-alt:auto;mso-margin-bottom-a=
lt:auto">-----BEGIN-----<o:p></o:p></p>
</div>
<div>
<p class=3D"MsoNormal" style=3D"mso-margin-top-alt:auto;mso-margin-bottom-a=
lt:auto">6. &nbsp;Plaintext JWTs<o:p></o:p></p>
</div>
<div>
<p class=3D"MsoNormal" style=3D"mso-margin-top-alt:auto;mso-margin-bottom-a=
lt:auto">&nbsp;<o:p></o:p></p>
</div>
<div>
<p class=3D"MsoNormal" style=3D"mso-margin-top-alt:auto;mso-margin-bottom-a=
lt:auto">&nbsp; &nbsp;To support use cases where the JWT content is secured=
 by a means<o:p></o:p></p>
</div>
<div>
<p class=3D"MsoNormal" style=3D"mso-margin-top-alt:auto;mso-margin-bottom-a=
lt:auto">&nbsp; &nbsp;other than a signature and/or encryption contained wi=
thin the JWT<o:p></o:p></p>
</div>
<div>
<p class=3D"MsoNormal" style=3D"mso-margin-top-alt:auto;mso-margin-bottom-a=
lt:auto">&nbsp; &nbsp;(such as a signature on a data structure containing t=
he JWT), JWTs<o:p></o:p></p>
</div>
<div>
<p class=3D"MsoNormal" style=3D"mso-margin-top-alt:auto;mso-margin-bottom-a=
lt:auto">&nbsp; &nbsp;MAY also be created without a signature or encryption=
. &nbsp;A plaintext<o:p></o:p></p>
</div>
<div>
<p class=3D"MsoNormal" style=3D"mso-margin-top-alt:auto;mso-margin-bottom-a=
lt:auto">&nbsp; &nbsp;JWT is the concatenation of a base64url-encoded JWT H=
eader, a&nbsp;<o:p></o:p></p>
</div>
<div>
<p class=3D"MsoNormal" style=3D"mso-margin-top-alt:auto;mso-margin-bottom-a=
lt:auto">&nbsp; &nbsp;period ('.') character, and the base64url-encoded JWT=
 Claims Set.<o:p></o:p></p>
</div>
<div>
<p class=3D"MsoNormal" style=3D"mso-margin-top-alt:auto;mso-margin-bottom-a=
lt:auto">&nbsp;<o:p></o:p></p>
</div>
<div>
<p class=3D"MsoNormal" style=3D"mso-margin-top-alt:auto;mso-margin-bottom-a=
lt:auto">&nbsp; &nbsp;The header of a plaintext JWT contains parameters dra=
wn from the&nbsp;<o:p></o:p></p>
</div>
<div>
<p class=3D"MsoNormal" style=3D"mso-margin-top-alt:auto;mso-margin-bottom-a=
lt:auto">&nbsp; &nbsp;set as the JWS header. &nbsp;However, a JWT header MU=
ST NOT contain an<o:p></o:p></p>
</div>
<div>
<p class=3D"MsoNormal" style=3D"mso-margin-top-alt:auto;mso-margin-bottom-a=
lt:auto">&nbsp; &nbsp;&quot;alg&quot; header parameter, since no cryptograp=
hic processing is being<o:p></o:p></p>
</div>
<div>
<p class=3D"MsoNormal" style=3D"mso-margin-top-alt:auto;mso-margin-bottom-a=
lt:auto">&nbsp; &nbsp;performed.<o:p></o:p></p>
</div>
<div>
<p class=3D"MsoNormal" style=3D"mso-margin-top-alt:auto;mso-margin-bottom-a=
lt:auto">&nbsp;<o:p></o:p></p>
</div>
<div>
<p class=3D"MsoNormal" style=3D"mso-margin-top-alt:auto;mso-margin-bottom-a=
lt:auto">6.1. &nbsp;Example Plaintext JWT<o:p></o:p></p>
</div>
<div>
<p class=3D"MsoNormal" style=3D"mso-margin-top-alt:auto;mso-margin-bottom-a=
lt:auto">&nbsp;<o:p></o:p></p>
</div>
<div>
<p class=3D"MsoNormal" style=3D"mso-margin-top-alt:auto;mso-margin-bottom-a=
lt:auto">&nbsp; &nbsp;The following example JWT Header declares that the en=
coded object is<o:p></o:p></p>
</div>
<div>
<p class=3D"MsoNormal" style=3D"mso-margin-top-alt:auto;mso-margin-bottom-a=
lt:auto">&nbsp; &nbsp;a Plaintext JWT:<o:p></o:p></p>
</div>
<div>
<p class=3D"MsoNormal" style=3D"mso-margin-top-alt:auto;mso-margin-bottom-a=
lt:auto">&nbsp;<o:p></o:p></p>
</div>
<div>
<p class=3D"MsoNormal" style=3D"mso-margin-top-alt:auto;mso-margin-bottom-a=
lt:auto">&nbsp; &nbsp; &nbsp;{&quot;typ&quot;:&quot;JWT&quot;}<o:p></o:p></=
p>
</div>
<div>
<p class=3D"MsoNormal" style=3D"mso-margin-top-alt:auto;mso-margin-bottom-a=
lt:auto">&nbsp;<o:p></o:p></p>
</div>
<div>
<p class=3D"MsoNormal" style=3D"mso-margin-top-alt:auto;mso-margin-bottom-a=
lt:auto">&nbsp; &nbsp;Base64url encoding the octets of the UTF-8 representa=
tion of the JWT<o:p></o:p></p>
</div>
<div>
<p class=3D"MsoNormal" style=3D"mso-margin-top-alt:auto;mso-margin-bottom-a=
lt:auto">&nbsp; &nbsp;Header yields this Encoded JWT Header:<o:p></o:p></p>
</div>
<div>
<p class=3D"MsoNormal" style=3D"mso-margin-top-alt:auto;mso-margin-bottom-a=
lt:auto">&nbsp;<o:p></o:p></p>
</div>
<div>
<p class=3D"MsoNormal" style=3D"mso-margin-top-alt:auto;mso-margin-bottom-a=
lt:auto">&nbsp; &nbsp; &nbsp;eyJ0eXAiOiJKV1QifQ<o:p></o:p></p>
</div>
<div>
<p class=3D"MsoNormal" style=3D"mso-margin-top-alt:auto;mso-margin-bottom-a=
lt:auto">&nbsp;<o:p></o:p></p>
</div>
<div>
<p class=3D"MsoNormal" style=3D"mso-margin-top-alt:auto;mso-margin-bottom-a=
lt:auto">&nbsp; &nbsp;The following is an example of a JWT Claims Set:<o:p>=
</o:p></p>
</div>
<div>
<p class=3D"MsoNormal" style=3D"mso-margin-top-alt:auto;mso-margin-bottom-a=
lt:auto">&nbsp;<o:p></o:p></p>
</div>
<div>
<p class=3D"MsoNormal" style=3D"mso-margin-top-alt:auto;mso-margin-bottom-a=
lt:auto">&nbsp; &nbsp; &nbsp;{&quot;iss&quot;:&quot;joe&quot;,<o:p></o:p></=
p>
</div>
<div>
<p class=3D"MsoNormal" style=3D"mso-margin-top-alt:auto;mso-margin-bottom-a=
lt:auto">&nbsp; &nbsp; &nbsp; &quot;exp&quot;:1300819380,<o:p></o:p></p>
</div>
<div>
<p class=3D"MsoNormal" style=3D"mso-margin-top-alt:auto;mso-margin-bottom-a=
lt:auto">&nbsp; &nbsp; &nbsp; &quot;<a href=3D"http://example.com/is_root" =
target=3D"_blank">http://example.com/is_root</a>&quot;:true}<o:p></o:p></p>
</div>
<div>
<p class=3D"MsoNormal" style=3D"mso-margin-top-alt:auto;mso-margin-bottom-a=
lt:auto">&nbsp;<o:p></o:p></p>
</div>
<div>
<p class=3D"MsoNormal" style=3D"mso-margin-top-alt:auto;mso-margin-bottom-a=
lt:auto">&nbsp; &nbsp;Base64url encoding the octets of the UTF-8 representa=
tion of the JWT<o:p></o:p></p>
</div>
<div>
<p class=3D"MsoNormal" style=3D"mso-margin-top-alt:auto;mso-margin-bottom-a=
lt:auto">&nbsp; &nbsp;Claims Set yields this Encoded JWS Payload (with line=
 breaks for<o:p></o:p></p>
</div>
<div>
<p class=3D"MsoNormal" style=3D"mso-margin-top-alt:auto;mso-margin-bottom-a=
lt:auto">&nbsp; &nbsp;display purposes only):<o:p></o:p></p>
</div>
<div>
<p class=3D"MsoNormal" style=3D"mso-margin-top-alt:auto;mso-margin-bottom-a=
lt:auto">&nbsp;<o:p></o:p></p>
</div>
<div>
<p class=3D"MsoNormal" style=3D"mso-margin-top-alt:auto;mso-margin-bottom-a=
lt:auto">&nbsp; &nbsp; &nbsp;eyJpc3MiOiJqb2UiLA0KICJleHAiOjEzMDA4MTkzODAsDQ=
ogImh0dHA6Ly9leGFt<o:p></o:p></p>
</div>
<div>
<p class=3D"MsoNormal" style=3D"mso-margin-top-alt:auto;mso-margin-bottom-a=
lt:auto">&nbsp; &nbsp; &nbsp;cGxlLmNvbS9pc19yb290Ijp0cnVlfQ<o:p></o:p></p>
</div>
<div>
<p class=3D"MsoNormal" style=3D"mso-margin-top-alt:auto;mso-margin-bottom-a=
lt:auto">&nbsp;<o:p></o:p></p>
</div>
<div>
<p class=3D"MsoNormal" style=3D"mso-margin-top-alt:auto;mso-margin-bottom-a=
lt:auto">&nbsp; &nbsp;Concatenating these parts in this order with a period=
 ('.') character<o:p></o:p></p>
</div>
<div>
<p class=3D"MsoNormal" style=3D"mso-margin-top-alt:auto;mso-margin-bottom-a=
lt:auto">&nbsp; &nbsp;between the parts yields this complete JWT (with line=
 breaks for<o:p></o:p></p>
</div>
<div>
<p class=3D"MsoNormal" style=3D"mso-margin-top-alt:auto;mso-margin-bottom-a=
lt:auto">&nbsp; &nbsp;display purposes only):<o:p></o:p></p>
</div>
<div>
<p class=3D"MsoNormal" style=3D"mso-margin-top-alt:auto;mso-margin-bottom-a=
lt:auto">&nbsp;<o:p></o:p></p>
</div>
<div>
<p class=3D"MsoNormal" style=3D"mso-margin-top-alt:auto;mso-margin-bottom-a=
lt:auto">&nbsp; &nbsp; &nbsp;eyJ0eXAiOiJKV1QifQ<o:p></o:p></p>
</div>
<div>
<p class=3D"MsoNormal" style=3D"mso-margin-top-alt:auto;mso-margin-bottom-a=
lt:auto">&nbsp; &nbsp; &nbsp;.<o:p></o:p></p>
</div>
<div>
<p class=3D"MsoNormal" style=3D"mso-margin-top-alt:auto;mso-margin-bottom-a=
lt:auto">&nbsp; &nbsp; &nbsp;eyJpc3MiOiJqb2UiLA0KICJleHAiOjEzMDA4MTkzODAsDQ=
ogImh0dHA6Ly9leGFt<o:p></o:p></p>
</div>
<div>
<p class=3D"MsoNormal" style=3D"mso-margin-top-alt:auto;mso-margin-bottom-a=
lt:auto">&nbsp; &nbsp; &nbsp;cGxlLmNvbS9pc19yb290Ijp0cnVlfQ<o:p></o:p></p>
</div>
<div>
<p class=3D"MsoNormal" style=3D"mso-margin-top-alt:auto;mso-margin-bottom-a=
lt:auto">&nbsp; &nbsp; &nbsp;<o:p></o:p></p>
</div>
<div>
<p class=3D"MsoNormal" style=3D"mso-margin-top-alt:auto;mso-margin-bottom-a=
lt:auto">&nbsp;<o:p></o:p></p>
</div>
<div>
<p class=3D"MsoNormal" style=3D"mso-margin-top-alt:auto;mso-margin-bottom-a=
lt:auto">-----END-----<o:p></o:p></p>
</div>
</div>
<div>
<p class=3D"MsoNormal" style=3D"mso-margin-top-alt:auto;mso-margin-bottom-a=
lt:auto">&nbsp;<o:p></o:p></p>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
<p class=3D"MsoNormal"><o:p>&nbsp;</o:p></p>
</div>
</div>
</body>
</html>

--_000_4E1F6AAD24975D4BA5B16804296739436B739C6FTK5EX14MBXC284r_--

From rlb@ipv.sx  Thu Aug  1 05:39:39 2013
MIME-Version: 1.0
In-Reply-To: <4E1F6AAD24975D4BA5B16804296739436B739C6F@TK5EX14MBXC284.redmond.corp.microsoft.com>
References: <CAL02cgRusCLRxfUOYTcJyWYz9vQZa95DVkiy6ZvfMUW67NM-eg@mail.gmail.com> <4E1F6AAD24975D4BA5B16804296739436B739BAB@TK5EX14MBXC284.redmond.corp.microsoft.com> <CAL02cgT5sbiFCdm7iGvhGcPg_+ro4E-tVdtGnfOLcF-S+z40dg@mail.gmail.com> <4E1F6AAD24975D4BA5B16804296739436B739C6F@TK5EX14MBXC284.redmond.corp.microsoft.com>
Date: Thu, 1 Aug 2013 14:35:58 +0200
Message-ID: <CAL02cgRBpqMpBF5=r-Bga_wzeDUA6ZwDNkoKkLWa6SUkjtYjzQ@mail.gmail.com>
From: Richard Barnes <rlb@ipv.sx>
To: Mike Jones <Michael.Jones@microsoft.com>
Content-Type: multipart/alternative; boundary=089e01184b2e8a4db304e2e215c6
Cc: "oauth@ietf.org WG" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Plaintext JWT bug
List-Id: OAUTH WG <oauth.ietf.org>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>

--089e01184b2e8a4db304e2e215c6
Content-Type: text/plain; charset=windows-1252
Content-Transfer-Encoding: quoted-printable

This thread is about the proposed change to JWT.  Further discussion of the
risks of "alg":"none" will be on the JOSE list.

--Richard




On Thu, Aug 1, 2013 at 2:26 PM, Mike Jones <Michael.Jones@microsoft.com> wrote:

> You prevent downgrade attacks by having your application reject
> algorithms that don't meet their security requirements.  Unless your
> application explicitly chooses to accept "alg":"none", the same code that
> would reject "alg":"rot13" would reject "alg":"none".
>
> If your application isn't rejecting unacceptable algorithms, that's an
> application bug – not a spec bug.
>
>                                                             -- Mike
>
> *From:* Richard Barnes [mailto:rlb@ipv.sx]
> *Sent:* Thursday, August 01, 2013 5:24 AM
> *To:* Mike Jones
> *Cc:* oauth@ietf.org WG
> *Subject:* Re: [OAUTH-WG] Plaintext JWT bug
>
> You don't view downgrade attacks as a compelling reason?
>
> I look forward to your attempt to get this through SECDIR review.
>
> On Thu, Aug 1, 2013 at 2:20 PM, Mike Jones <Michael.Jones@microsoft.com>
> wrote:
>
> This is useful because it means that you can pass both unsigned and signed
> content using the same syntax, with no special parsing required.  This is
> used in practice, for instance, to enable both unsigned and signed request
> objects, signed and unsigned ID Tokens, etc.
>
> This is already in widespread use.
>
> I'm kind of surprised that this is coming up now.  This has been in JWT
> since March 2011 and in the JOSE specs since the working group versions, so
> it's not exactly a surprise.  (The biggest change was that we moved it from
> JWT to JWS in March 2012, at Jim Schaad's suggestion, because it is
> generally useful outside of just JWTs.)  Yes, an alternative syntax could
> have been used, but using the "alg":"none" value to express this works fine
> in practice.  I don't perceive a compelling reason to change it at this
> point.
>
>                                                             -- Mike
>
> *From:* oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] *On Behalf
> Of *Richard Barnes
> *Sent:* Thursday, August 01, 2013 5:08 AM
> *To:* oauth@ietf.org WG
> *Subject:* [OAUTH-WG] Plaintext JWT bug
>
> It has come to my attention that JWT is using "alg":"none" to create
> "Plaintext JWTs".  Some of us in JOSE believe that this "alg" value should
> be removed, because of a risk of downgrade attacks.  In order to do that, a
> suggested revision to JWT is below.  To summarize:
>
> -- Plaintext JWTs are not JWSs.
> -- They just have a header and payload (separated by a '.')
> -- The header MUST NOT contain "alg", since there's no crypto going on
>
> Thanks,
> --Richard
>
> -----BEGIN-----
>
> 6.  Plaintext JWTs
>
>    To support use cases where the JWT content is secured by a means
>    other than a signature and/or encryption contained within the JWT
>    (such as a signature on a data structure containing the JWT), JWTs
>    MAY also be created without a signature or encryption.  A plaintext
>    JWT is the concatenation of a base64url-encoded JWT Header, a
>    period ('.') character, and the base64url-encoded JWT Claims Set.
>
>    The header of a plaintext JWT contains parameters drawn from the
>    set as the JWS header.  However, a JWT header MUST NOT contain an
>    "alg" header parameter, since no cryptographic processing is being
>    performed.
>
> 6.1.  Example Plaintext JWT
>
>    The following example JWT Header declares that the encoded object is
>    a Plaintext JWT:
>
>      {"typ":"JWT"}
>
>    Base64url encoding the octets of the UTF-8 representation of the JWT
>    Header yields this Encoded JWT Header:
>
>      eyJ0eXAiOiJKV1QifQ
>
>    The following is an example of a JWT Claims Set:
>
>      {"iss":"joe",
>       "exp":1300819380,
>       "http://example.com/is_root":true}
>
>    Base64url encoding the octets of the UTF-8 representation of the JWT
>    Claims Set yields this Encoded JWS Payload (with line breaks for
>    display purposes only):
>
>      eyJpc3MiOiJqb2UiLA0KICJleHAiOjEzMDA4MTkzODAsDQogImh0dHA6Ly9leGFt
>      cGxlLmNvbS9pc19yb290Ijp0cnVlfQ
>
>    Concatenating these parts in this order with a period ('.') character
>    between the parts yields this complete JWT (with line breaks for
>    display purposes only):
>
>      eyJ0eXAiOiJKV1QifQ
>      .
>      eyJpc3MiOiJqb2UiLA0KICJleHAiOjEzMDA4MTkzODAsDQogImh0dHA6Ly9leGFt
>      cGxlLmNvbS9pc19yb290Ijp0cnVlfQ
>
> -----END-----

--089e01184b2e8a4db304e2e215c6--
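
Added example, not part of either message and not code from the JWT or JOSE drafts: a verifier in which one allow-list check rejects "alg":"none" and "alg":"rot13" alike (the point in Mike Jones's quoted reply), next to a parser for the two-segment form in the proposed Section 6 text. All function names, DEMO_KEY and the signed sample are constructed for illustration; only PAGE_PLAINTEXT_JWT is taken from the thread.

```python
import base64
import hashlib
import hmac
import json

# DEMO_KEY is constructed; PAGE_PLAINTEXT_JWT is the token in the proposed text.
DEMO_KEY = b"constructed-demo-key"
PAGE_PLAINTEXT_JWT = (
    "eyJ0eXAiOiJKV1QifQ"
    "."
    "eyJpc3MiOiJqb2UiLA0KICJleHAiOjEzMDA4MTkzODAsDQogImh0dHA6Ly9leGFt"
    "cGxlLmNvbS9pc19yb290Ijp0cnVlfQ"
)


class TokenRejected(Exception):
    """Raised when a token fails a structural or policy check."""


def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(segment):
    # Segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def json_object(segment):
    try:
        value = json.loads(b64url_decode(segment))
    except ValueError as exc:  # bad base64, bad UTF-8 or bad JSON
        raise TokenRejected("segment is not base64url-encoded JSON") from exc
    if not isinstance(value, dict):
        raise TokenRejected("segment is not a JSON object")
    return value


def sign_hs256(claims, key):
    """Build a compact HS256 JWS (used here only to make test input)."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    mac = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(mac)}"


def relabel(token, alg):
    """Test input: same payload, header relabelled to `alg`, no signature."""
    header = b64url_encode(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    return f"{header}.{token.split('.')[1]}."


def verify_jws(token, key, allowed_algs):
    """Verify a compact JWS against the application's algorithm allow-list."""
    parts = token.split(".")
    if len(parts) != 3:
        raise TokenRejected("compact JWS needs three segments")
    header_b64, payload_b64, sig_b64 = parts
    alg = json_object(header_b64).get("alg")
    # One policy check covers "none", "rot13" and anything else not opted into.
    if not isinstance(alg, str) or alg not in allowed_algs:
        raise TokenRejected(f"algorithm {alg!r} is not accepted here")
    if alg == "HS256":
        try:
            signing_input = f"{header_b64}.{payload_b64}".encode("ascii")
            signature = b64url_decode(sig_b64)
        except ValueError as exc:
            raise TokenRejected("malformed segment") from exc
        expected = hmac.new(key, signing_input, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, signature):
            raise TokenRejected("signature mismatch")
    elif alg == "none":
        # Reached only when the caller listed "none" explicitly.
        if sig_b64 != "":
            raise TokenRejected("unsecured JWS must carry an empty signature")
    else:
        # Never fall through to "accepted" for an algorithm with no verifier.
        raise TokenRejected(f"algorithm {alg!r} is allowed but not implemented")
    return json_object(payload_b64)


def parse_plaintext_jwt(token):
    """Parse the two-segment form from the proposed Section 6 text."""
    parts = token.split(".")
    if len(parts) != 2:
        raise TokenRejected("plaintext JWT is header '.' claims, nothing else")
    if "alg" in json_object(parts[0]):
        raise TokenRejected('plaintext JWT header MUST NOT contain "alg"')
    return json_object(parts[1])


def is_rejected(check, *args):
    try:
        check(*args)
    except TokenRejected:
        return True
    return False
```

With the two-segment form, a token that carries no signature cannot be handed to verify_jws at all, because the segment count differs; with "alg":"none", the outcome depends entirely on what the caller puts in allowed_algs.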

From sakimura@gmail.com  Thu Aug  1 06:40:43 2013
References: <787A2184-CE90-49F4-ABB6-B8D049AE3941@oracle.com> <E2282016-1953-48A4-B0AC-7F138D29AB80@oracle.com> <BAB6DA63-5831-49D0-8CB9-13CF57F78806@ve7jtb.com> <CABzCy2C=DXtFUOZh=55xH_BwMz1Z8gb2ShUHAG7ZmATtc4E4zw@mail.gmail.com> <51F83EF7.6040201@oracle	<51F983E3.1020400@oracle.com> <1375307375.98370.YahooMailNeo@web142804.mail.bf1.yahoo.com> <5c5c607231e644f697c5a60b75688013@BY2PR03MB189.namprd03.prod.outlook.com> <5D020B1E-531D-444E-A492-046D444D48D2@mitre.org> <e68801da9fa547c69fee43b9cd7b22b8@BY2PR03MB189.namprd03.prod.outlook.com>
From: Nat Sakimura <sakimura@gmail.com>
Mime-Version: 1.0 (1.0)
In-Reply-To: <e68801da9fa547c69fee43b9cd7b22b8@BY2PR03MB189.namprd03.prod.outlook.com>
Date: Thu, 1 Aug 2013 15:40:34 +0200
Message-ID: <2117136733141454493@unknownmsgid>
To: Anthony Nadalin <tonynad@microsoft.com>
Content-Type: multipart/alternative; boundary=001a11c3bb0cb1dc0204e2e2fcfe
Cc: "oauth@ietf.org WG" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Need for Extending OAuth with AuthN (was Re: Fwd: New Version Notification for draft-hunt-oauth-v2-user-a4c-00.txt)

--001a11c3bb0cb1dc0204e2e2fcfe
Content-Type: text/plain; charset=windows-1252
Content-Transfer-Encoding: quoted-printable

Yes, it is a Token.
No, it does not have to be signed.

As to be a token or not to be a token question, it has been discussed in
the WG before, and if I remember correctly,  Microsoft argued for token
saying that it is just base64 decoding and I lost there.

Nat

On Aug 1, 2013, at 14:24, Anthony Nadalin <tonynad@microsoft.com> wrote:

  You can't do this, first openid uses a token and second it's signed,
third there is no specification to just return an authentication JSON
structure



*From:* Richer, Justin P. [mailto:jricher@mitre.org <jricher@mitre.org>]
*Sent:* Thursday, August 1, 2013 5:15 AM
*To:* Anthony Nadalin
*Cc:* Bill Mills; Prateek Mishra; Nat Sakimura; oauth@ietf.org WG
*Subject:* Re: [OAUTH-WG] Need for Extending OAuth with AuthN (was Re: Fwd:
New Version Notification for draft-hunt-oauth-v2-user-a4c-00.txt)



Tony, you can already return the authn result from the token request (we
discussed this specifically in May as I recall). That's what the "idtoken"
and "code idtoken" responses are for in OpenID Connect. The proposed draft
is nearly a duplicate of the core functionality of OIDC.



 -- Justin



On Aug 1, 2013, at 7:31 AM, Anthony Nadalin <tonynad@microsoft.com> wrote:



  The proposal does not duplicate what OpenID does, there is clear benefit
for returning an authentication result in the token request result. This is
being proposed as optional JSON structure.



*From:* oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] *On Behalf Of* Bill Mills
*Sent:* Wednesday, July 31, 2013 2:50 PM
*To:* Prateek Mishra; Nat Sakimura
*Cc:* oauth@ietf.org WG
*Subject:* Re: [OAUTH-WG] Need for Extending OAuth with AuthN (was Re: Fwd:
New Version Notification for draft-hunt-oauth-v2-user-a4c-00.txt)



Rather than extending OAuth for something OpenID already does...  why don't
we get a simple informational example doc to show how to implement the most
basic OpenID service, which is the same functionality on a standard that's
already written?



This is sounding more and more like a documentation problem.


   ------------------------------

*From:* Prateek Mishra <prateek.mishra@oracle.com>
*To:* Nat Sakimura <sakimura@gmail.com>
*Cc:* "oauth@ietf.org WG" <oauth@ietf.org>
*Sent:* Wednesday, July 31, 2013 2:38 PM
*Subject:* [OAUTH-WG] Need for Extending OAuth with AuthN (was Re: Fwd: New
Version Notification for draft-hunt-oauth-v2-user-a4c-00.txt)



Nat -

thanks for the detailed response. I did review the links you sent out but
it remained unclear to me which
features are MTI and which are not. For example, there is nothing in the
Basic Client Profile that suggests
that Section 2.3 is optional. I also could not find any definition for "
non-dynamic OpenID Connect Server".

I don't think there is a need to duplicate portions of the draft
specification text in a new document. One solution
that was used in SAML 2.0 was to define a conformance document which
described several different
operational modes and explained how only a small set of features needed to
be implemented in certain modes.

http://docs.oasis-open.org/security/saml/v2.0/saml-conformance-2.0-os.pdf

There are probably other smarter ways to achieve the same effect.

Given this situation, I do think it's a reasonable task for the OAuth
community to consider the need for
a minimal extension to OAuth that accommodates authentication. The
community should be made aware that
RFC 6749 is being misused for federated authentication, as explained in  -

http://www.independentid.com/2013/07/simple-authentication-for-oauth-2-what.html


and that there doesn't appear to be a simple solution that is currently
available. It would be great if it turned
out that OpenID Connect offered such a solution but that isn't clear to me.

Thx,
prateek





Inline:

2013/7/31 Prateek Mishra <prateek.mishra@oracle.com>

 Nat -

your blog posting is helpful to those of us who are looking for a minimal
extension of OAuth with
an authenticator.  Many implementors are seeking a modest extension of
OAuth, not an entire new protocol
stack.   I believe that is the point of Phil Hunt's proposal to the OAuth
committee.

I do have some questions about the statements made in the blog -

A) Can you direct me to a single OpenID Connect draft specification
document where steps 1 and 2 are described?



Actually, it is not a single spec, that the Standard is referencing others.

The Standard is kind of cluttered because it has 6 response types and three
request types in it.

I suppose it would be much easier for the readers to split them into
coherent pieces, though that means duplicate texts.



The easiest approach here is to read the Basic Client Profile.
http://openid.net/specs/openid-connect-basic-1_0-28.html

Then, read OAuth 2.0 Multiple Response Type Encoding Practices
http://openid.net/specs/oauth-v2-multiple-response-types-1_0-08.html .




B) If I implement steps 1 and 2, do I then have a conformant OpenID Connect
implementation? Are there no
other MTI protocol exchanges in OpenID Connect?



Yes, for a non-dynamic OpenID Connect Server.



Nat




Thanks,
prateek







 I have written a short blog post titled "Write an OpenID Connect server in
three simple steps"
<http://nat.sakimura.org/2013/07/28/write-openid-connect-server-in-three-simple-steps/>.



Really, there is not much you need to do on top of OAuth 2.0.



It puzzles me why you need to create a draft with only minor variances in
parameter names.



 e.g.,

session instead of id_token

lat instead of iat

alv instead of acr

etc.



If you change those parameter names, you will have a conformant profile of
OpenID Connect.



Nat



2013/7/31 John Bradley <ve7jtb@ve7jtb.com>

 Connect doesn't require a userinfo endpoint. It is required for
interoperability if you are building an open IdP. For an enterprise type
deployment discovery, registration, userinfo are all optional.



The server is required to pass the nonce which is equivalent to a request
ID through to the JWT if the client sends it in the request.



Justin is correct.



John B.



On 2013-07-30, at 5:30 PM, Phil Hunt <phil.hunt@oracle.com> wrote:




   Forgot reply all.

Phil


Begin forwarded message:

 *From:* Phil Hunt <phil.hunt@oracle.com>
*Date:* 30 July, 2013 17:25:46 GMT+02:00
*To:* "Richer, Justin P." <jricher@mitre.org>
*Subject:* *Re: [OAUTH-WG] New Version Notification for
draft-hunt-oauth-v2-user-a4c-00.txt*

  The whole point is authn only. Many do not want or need the userinfo
endpoint.

Phil


On 2013-07-30, at 17:17, "Richer, Justin P." <jricher@mitre.org> wrote:

 What do you mean? You absolutely can implement a compliant OIDC server
nearly as simply as this. The things that you're missing I think are
necessary for basic interoperable functionality, and are things that other
folks using OAuth for authentication have also implemented. Namely:



 - Signing the ID token (OIDC specifies the RS256 flavor of JWS, which is
easy to do with JWT). Without a signed and verifiable ID token or
equivalent, you're asking for all kinds of token injection problems.

 - Session management requests (max auth age, auth time)

 - Not fall over with other parameters that you don't support (display,
prompt, etc).



See here for more information:



 http://openid.net/specs/openid-connect-messages-1_0.html#ServerMTI



Additionally, something that's really important to support is the User Info
Endpoint, so you can actually get user profile information beyond just the
simple "someone was here" claim -- this was the real value of Facebook
Connect from an RP's perspective. Some people will probably want to use
SCIM for this, too, and that's fine.



 -- Justin



On Jul 30, 2013, at 10:54 AM, Phil Hunt <phil.hunt@oracle.com> wrote:




   The oidc specs do not allow this simple an implementation. The spec
members have not shown interest in making changes as they say they are too
far down the road.



I have tried to make my draft as close as possible to oidc but maybe it
shouldn't be clarity wise. I am interested in what the group feels is
clearest.



From an IETF perspective the concern is improper use of the 6749 for authn.
Is this a bug or gap we need to address?

Phil


On 2013-07-30, at 16:46, "Richer, Justin P." <jricher@mitre.org> wrote:

 From what I read, you've defined something that uses an OAuth 2 code flow
to get an extra token which is specified as a JWT. You named it
"session_token" instead of "id_token", and you've left off the User
Information Endpoint -- but other than that, this is exactly the Basic
Client for OpenID Connect. In other words, if you change the names on
things you've got OIDC, but without the capabilities to go beyond a very
basic "hey there's a user here" claim. This is the same place that OpenID
2.0 started, and it was very, very quickly extended with SREG, AX, PAPE,
and others for it to be useful in the real world of distributed logins.
You've also left out discovery and registration which are required for
distributed deployments, but I'm guessing that those would be modular
components that could be added in (like they are in OIDC).



I've heard complaints that OIDC is complicated, but it's really not. Yes, I
agree that the giant stack of documents is intimidating and in my opinion
it's a bit of a mess with Messages and Standard split up (but I lost that
argument years ago). However, at the core, you've got an OAuth2
authorization server that spits out access tokens and id tokens. The id
token is a JWT with some known claims (iss, sub, etc) and is issued along
side the access token, and its audience is the *client* and not the
*protected resource*. The access token is a regular old access token and
its format is undefined (so you can use it with an existing OAuth2 server
setup, like we have), and it can be used at the User Info Endpoint to get
profile information about the user who authenticated. It could also be used
for other services if your AS/IdP protects multiple things.



So I guess what I'm missing is what's the value proposition in this spec
when we have something that can do this already? And this doesn't seem to
do anything different (apart from syntax changes)?



 -- Justin



On Jul 29, 2013, at 4:14 AM, Phil Hunt <phil.hunt@oracle.com> wrote:




   FYI.  I have been noticing a substantial number of sites acting as OAuth
Clients using OAuth to authenticate users.



I know several of us have blogged on the issue over the past year so I
won't re-hash it here.  In short, many of us recommended OIDC as the
correct methodology.



Nevertheless, I've spoken with a number of service providers who indicate
they are not ready to make the jump to OIDC, yet they agree there is a
desire to support authentication only (whereas OIDC does IDP-like
services).



This draft is intended as a minimum authentication only specification.
 I've tried to make it as compatible as possible with OIDC.



For now, I've just posted to keep track of the issue so we can address at
the next re-chartering.



Happy to answer questions and discuss.



Phil



@independentid

www.independentid.com

phil.hunt@oracle.com








Begin forwarded message:




*From:* internet-drafts@ietf.org

*Subject: New Version Notification for draft-hunt-oauth-v2-user-a4c-00.txt*

*Date:* 29 July, 2013 9:49:41 AM GMT+02:00

*To:* Phil Hunt <phil.hunt@yahoo.com>, Phil Hunt <None@ietfa.amsl.com>, Phil
Hunt <>




A new version of I-D, draft-hunt-oauth-v2-user-a4c-00.txt
has been successfully submitted by Phil Hunt and posted to the
IETF repository.

Filename: draft-hunt-oauth-v2-user-a4c
Revision: 00
Title: OAuth 2.0 User Authentication For Client
Creation date: 2013-07-29
Group: Individual Submission
Number of pages: 9
URL:
http://www.ietf.org/internet-drafts/draft-hunt-oauth-v2-user-a4c-00.txt
Status:
http://datatracker.ietf.org/doc/draft-hunt-oauth-v2-user-a4c
Htmlized:        http://tools.ietf.org/html/draft-hunt-oauth-v2-user-a4c-00


Abstract:
  This specification defines a new OAuth2 endpoint that enables user
  authentication session information to be shared with client
  applications.




Please note that it may take a couple of minutes from the time of submission
until the htmlized version and diff are available at tools.ietf.org.

The IETF Secretariat



_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth










-- 
Nat Sakimura (=nat)

Chairman, OpenID Foundation
http://nat.sakimura.org/
@_nat_en




  _______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
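
The checks argued for in the thread above (an RS256-signed ID token whose audience is the client, and the nonce carried through to the JWT), as an added example that is not from any message in this thread or from the OpenID Connect specifications. It uses plain-Python RSA so that it runs without third-party packages; the issuer, client id, nonce, key and all function names are constructed or hypothetical, and real deployments would use a maintained JOSE library and properly generated keys.

```python
import base64, hashlib, hmac, json, random, time

# Constructed values for this example; none of them appear in the thread.
ISSUER, CLIENT_ID = "https://idp.example.com", "client-abc"
# DER DigestInfo prefix for SHA-256 in RSASSA-PKCS1-v1_5 (RFC 8017, section 9.2).
SHA256_PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")

class IdTokenError(Exception):
    """Raised when an ID token fails any validation step."""

def b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def is_probable_prime(n, rng, rounds=24):
    """Miller-Rabin test, used only to build the throwaway demo key."""
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def make_test_keypair(bits=1024, seed=2013):
    """Deterministic demo key from a seeded PRNG. Never generate real keys this way."""
    rng = random.Random(seed)
    def prime():
        while True:
            c = rng.getrandbits(bits // 2) | (1 << (bits // 2 - 1)) | 1
            if c % 65537 != 1 and is_probable_prime(c, rng):
                return c
    p, q = prime(), prime()
    return (p * q, 65537), pow(65537, -1, (p - 1) * (q - 1))

def encode_em(signing_input, k):
    """EMSA-PKCS1-v1_5 encoding of SHA-256(signing_input), k bytes long."""
    t = SHA256_PREFIX + hashlib.sha256(signing_input).digest()
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t

def sign_id_token(claims, n, d):
    """Issuer side: serialize the claims as a JWT and sign it with RS256."""
    head = b64url(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    signing_input = head + "." + b64url(json.dumps(claims).encode())
    k = (n.bit_length() + 7) // 8
    sig = pow(int.from_bytes(encode_em(signing_input.encode(), k), "big"), d, n)
    return signing_input + "." + b64url(sig.to_bytes(k, "big"))

def validate_id_token(token, public_key, issuer, client_id, nonce, now=None):
    """Client side: return the claims only if every check passes."""
    n, e = public_key
    try:
        h64, p64, s64 = token.split(".")
        header, claims = json.loads(b64url_decode(h64)), json.loads(b64url_decode(p64))
        sig = b64url_decode(s64)
    except ValueError as exc:
        raise IdTokenError("malformed token") from exc
    if not isinstance(header, dict) or not isinstance(claims, dict):
        raise IdTokenError("malformed token")
    # Pin the algorithm: never let the token choose "none" or another alg.
    if header.get("alg") != "RS256":
        raise IdTokenError("unexpected alg")
    k = (n.bit_length() + 7) // 8
    s = int.from_bytes(sig, "big")
    # Re-encode the expected block and compare, rather than parsing the padding.
    if len(sig) != k or s >= n or not hmac.compare_digest(
            pow(s, e, n).to_bytes(k, "big"), encode_em(f"{h64}.{p64}".encode(), k)):
        raise IdTokenError("bad signature")
    if claims.get("iss") != issuer:
        raise IdTokenError("wrong issuer")
    aud = claims.get("aud")
    if client_id not in (aud if isinstance(aud, list) else [aud]):
        raise IdTokenError("token was not issued to this client")
    if nonce is None or claims.get("nonce") != nonce:
        raise IdTokenError("nonce mismatch")
    exp = claims.get("exp")
    now = time.time() if now is None else now
    if not isinstance(exp, (int, float)) or now >= exp:
        raise IdTokenError("expired or missing exp")
    return claims

if __name__ == "__main__":
    pub, d = make_test_keypair()
    tok = sign_id_token({"iss": ISSUER, "sub": "user-1234", "aud": CLIENT_ID,
                         "nonce": "n-0S6_WzA2Mj", "exp": 1375000300}, pub[0], d)
    print(validate_id_token(tok, pub, ISSUER, CLIENT_ID, "n-0S6_WzA2Mj", now=1375000000))
```

The audience check is what stops a token that was validly issued to a different client from being accepted here, and the pinned `alg` is what stops an unsigned token from being accepted at all.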

--001a11c3bb0cb1dc0204e2e2fcfe
Content-Type: text/html; charset=windows-1252
Content-Transfer-Encoding: quoted-printable

<html><head><meta http-equiv=3D"content-type" content=3D"text/html; charset=
=3Dutf-8"></head><body dir=3D"auto"><div>Yes, it is a Token.=A0</div><div>N=
o, it does not have to be signed.=A0</div><div><br></div><div>As to be a to=
ken or not to be a token question, it has been discussed in the WG before, =
and if I remember correctly, =A0Microsoft argued for token saying that it i=
s just base64 decoding and I lost there. =A0<br>
<br></div><div>Nat</div><div><br>On Aug 1, 2013, at 14:24, Anthony Nadalin =
&lt;<a href=3D"mailto:tonynad@microsoft.com">tonynad@microsoft.com</a>&gt; =
wrote:<br><br></div><blockquote type=3D"cite"><div>

<meta http-equiv=3D"Content-Type" content=3D"text/html; charset=3Dus-ascii"=
>
<meta name=3D"Generator" content=3D"Microsoft Word 15 (filtered medium)">


<div class=3D"WordSection1">
<p class=3D"MsoNormal"><span style=3D"font-size:11.0pt;font-family:&quot;Ca=
libri&quot;,&quot;sans-serif&quot;;color:#1f497d">You can=92t do this, firs=
t openid uses a token and second it=92s signed, third there is no specifica=
tion to just return an authentication JSON structure</span></p>

<p class=3D"MsoNormal"><a name=3D"_MailEndCompose"><span style=3D"font-size=
:11.0pt;font-family:&quot;Calibri&quot;,&quot;sans-serif&quot;;color:#1f497=
d">=A0</span></a></p>
<div>
<div style=3D"border:none;border-top:solid #e1e1e1 1.0pt;padding:3.0pt 0in =
0in 0in">
<p class=3D"MsoNormal"><b><span style=3D"font-size:11.0pt;font-family:&quot=
;Calibri&quot;,&quot;sans-serif&quot;">From:</span></b><span style=3D"font-=
size:11.0pt;font-family:&quot;Calibri&quot;,&quot;sans-serif&quot;"> Richer=
, Justin P. [<a href=3D"mailto:jricher@mitre.org">mailto:jricher@mitre.org<=
/a>]
<br>
<b>Sent:</b> Thursday, August 1, 2013 5:15 AM<br>
<b>To:</b> Anthony Nadalin<br>
<b>Cc:</b> Bill Mills; Prateek Mishra; Nat Sakimura; <a href=3D"mailto:oaut=
h@ietf.org">oauth@ietf.org</a> WG<br>
<b>Subject:</b> Re: [OAUTH-WG] Need for Extending OAuth with AuthN (was Re:=
 Fwd: New Version Notification for draft-hunt-oauth-v2-user-a4c-00.txt)</sp=
an></p>
</div>
</div>
<p class=3D"MsoNormal">=A0</p>
<p class=3D"MsoNormal">Tony, you can already return the authn result from t=
he token request (we discussed this specifically in May as I recall). That&=
#39;s what the &quot;idtoken&quot; and &quot;code idtoken&quot; responses a=
re for in OpenID Connect. The proposed draft is nearly a duplicate
 of the core functionality of OIDC. </p>
<div>
<p class=3D"MsoNormal">=A0</p>
</div>
<div>
<p class=3D"MsoNormal">=A0-- Justin</p>
</div>
<div>
<p class=3D"MsoNormal">=A0</p>
<div>
<div>
<p class=3D"MsoNormal">On Aug 1, 2013, at 7:31 AM, Anthony Nadalin &lt;<a h=
ref=3D"mailto:tonynad@microsoft.com">tonynad@microsoft.com</a>&gt;</p>
</div>
<div>
<p class=3D"MsoNormal">=A0wrote:</p>
</div>
<p class=3D"MsoNormal"><br>
<br>
</p>
<blockquote style=3D"margin-top:5.0pt;margin-bottom:5.0pt">
<div>
<div>
<p class=3D"MsoNormal"><span style=3D"font-size:11.0pt;font-family:&quot;Ca=
libri&quot;,&quot;sans-serif&quot;;color:#1f497d">The proposal does not dup=
licate what OpenID does, there is clear benefit for returning an authentica=
tion result in the token request result. This is being proposed
 as optional JSON structure.</span></p>
</div>
<div>
<p class=3D"MsoNormal"><span style=3D"font-size:11.0pt;font-family:&quot;Ca=
libri&quot;,&quot;sans-serif&quot;;color:#1f497d">=A0</span></p>
</div>
<div>
<div style=3D"border:none;border-top:solid #e1e1e1 1.0pt;padding:3.0pt 0in =
0in 0in">
<div>
<p class=3D"MsoNormal"><b><span style=3D"font-size:11.0pt;font-family:&quot=
;Calibri&quot;,&quot;sans-serif&quot;">From:</span></b><span class=3D"apple=
-converted-space"><span style=3D"font-size:11.0pt;font-family:&quot;Calibri=
&quot;,&quot;sans-serif&quot;">=A0</span></span><span style=3D"font-size:11=
.0pt;font-family:&quot;Calibri&quot;,&quot;sans-serif&quot;"><a href=3D"mai=
lto:oauth-bounces@ietf.org"><span style=3D"color:purple">oauth-bounces@ietf=
.org</span></a><span class=3D"apple-converted-space">=A0</span>[mailto:<a h=
ref=3D"mailto:oauth-">oauth-</a><a href=3D"mailto:bounces@ietf.org"><span s=
tyle=3D"color:purple">bounces@ietf.org</span></a>]<span class=3D"apple-conv=
erted-space">=A0</span><b>On
 Behalf Of<span class=3D"apple-converted-space">=A0</span></b>Bill Mills<br=
>
<b>Sent:</b><span class=3D"apple-converted-space">=A0</span>Wednesday, July=
 31, 2013 2:50 PM<br>
<b>To:</b><span class=3D"apple-converted-space">=A0</span>Prateek Mishra; N=
at Sakimura<br>
<b>Cc:</b><span class=3D"apple-converted-space">=A0</span><a href=3D"mailto=
:oauth@ietf.org"><span style=3D"color:purple">oauth@ietf.org</span></a><spa=
n class=3D"apple-converted-space">=A0</span>WG<br>
<b>Subject:</b><span class=3D"apple-converted-space">=A0</span>Re: [OAUTH-W=
G] Need for Extending OAuth with AuthN (was Re: Fwd: New Version Notificati=
on for draft-hunt-oauth-v2-user-a4c-00.txt)</span></p>
</div>
</div>
</div>
<div>
<p class=3D"MsoNormal">=A0</p>
</div>
<div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white"><span style=3D"font-famil=
y:&quot;Courier New&quot;">Rather than extending OAuth for something OpenID=
 already does... =A0why don&#39;t we get a simple informational example doc=
 to show how to implement the most basic OpenID service,
 which is the same functionality on a standard that&#39;s already written?<=
/span></p>
</div>
</div>
<div>
<div>
<p class=3D"MsoNormal"><span style=3D"font-family:&quot;Courier New&quot;">=
=A0</span></p>
</div>
</div>
<div>
<div>
<p class=3D"MsoNormal"><span style=3D"font-family:&quot;Courier New&quot;">=
This is sounding more and more like a documentation problem.</span></p>
</div>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white"><span style=3D"font-famil=
y:&quot;Courier New&quot;">=A0</span></p>
</div>
</div>
<div>
<div>
<div class=3D"MsoNormal" align=3D"center" style=3D"text-align:center;backgr=
ound:white">
<hr size=3D"1" width=3D"100%" align=3D"center">
</div>
<div>
<p class=3D"MsoNormal" style=3D"background:white"><b><span style=3D"font-si=
ze:10.0pt;font-family:&quot;Arial&quot;,&quot;sans-serif&quot;">From:</span=
></b><span class=3D"apple-converted-space"><span style=3D"font-size:10.0pt;=
font-family:&quot;Arial&quot;,&quot;sans-serif&quot;">=A0</span></span><spa=
n style=3D"font-size:10.0pt;font-family:&quot;Arial&quot;,&quot;sans-serif&=
quot;">Prateek
 Mishra &lt;<a href=3D"mailto:prateek.mishra@oracle.com"><span style=3D"col=
or:purple">prateek.mishra@oracle.com</span></a>&gt;<br>
<b>To:</b><span class=3D"apple-converted-space">=A0</span>Nat Sakimura &lt;=
<a href=3D"mailto:sakimura@gmail.com"><span style=3D"color:purple">sakimura=
@gmail.com</span></a>&gt;<span class=3D"apple-converted-space">=A0</span><b=
r>
<b>Cc:</b><span class=3D"apple-converted-space">=A0</span>&quot;<a href=3D"=
mailto:oauth@ietf.org%20WG"><span style=3D"color:purple">oauth@ietf.org WG<=
/span></a>&quot; &lt;<a href=3D"mailto:oauth@ietf.org"><span style=3D"color=
:purple">oauth@ietf.org</span></a>&gt;<span class=3D"apple-converted-space"=
>=A0</span><br>

<b>Sent:</b><span class=3D"apple-converted-space">=A0</span>Wednesday, July=
 31, 2013 2:38 PM<br>
<b>Subject:</b><span class=3D"apple-converted-space">=A0</span>[OAUTH-WG] N=
eed for Extending OAuth with AuthN (was Re: Fwd: New Version Notification f=
or draft-hunt-oauth-v2-user-a4c-00.txt)</span></p>
</div>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">=A0</p>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">Nat -<span class=3D"apple=
-converted-space">=A0</span><br>
<br>
thanks for the detailed response. I did review the links you sent out but i=
t remained unclear to me which<br>
features are MTI and which are not. For example, there is nothing in the Ba=
sic Client Profile that suggests<br>
that Section 2.3 is optional. I also could not find any definition for &quo=
t; non-dynamic OpenID Connect Server&quot;.<br>
<br>
I don&#39;t think there is a need to duplicate portions of the draft specificati=
on text in a new document. One solution<br>
that was used in SAML 2.0 was to define a conformance document which descri=
bed several different<span class=3D"apple-converted-space">=A0</span><br>
operational modes and explained how only a small set of features needed to =
be implemented in certain modes.<br>
<br>
<a href=3D"http://docs.oasis-open.org/security/saml/v2.0/saml-conformance-2=
.0-os.pdf" target=3D"_blank"><span style=3D"color:purple">http://docs.oasis=
-open.org/security/saml/v2.0/saml-conformance-2.0-os.pdf</span></a><br>
<br>
There are probably other smarter ways to achieve the same effect.<br>
<br>
Given this situation, I do think it&#39;s a reasonable task for the OAuth commun=
ity to consider the need for<span class=3D"apple-converted-space">=A0</span=
><br>
a minimal extension to OAuth that accommodates authentication. The communit=
y should be made aware that<span class=3D"apple-converted-space">=A0</span>=
<br>
RFC 6749 is being misused for federated authentication, as explained in=A0 =
-=A0<span class=3D"apple-converted-space">=A0</span><br>
<br>
<a href=3D"http://www.independentid.com/2013/07/simple-authentication-for-o=
auth-2-what.html" target=3D"_blank"><span style=3D"color:purple">http://www=
.independentid.com/2013/07/simple-authentication-for-oauth-2-what.html</spa=
n></a><span class=3D"apple-converted-space">=A0</span><br>

<br>
and that there doesn&#39;t appear to be a simple solution that is currently=
 available. It would be great if it turned<br>
out that OpenID Connect offered such a solution but that isn&#39;t clear to=
 me.<br>
<br>
Thx,<br>
prateek</p>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">=A0</p>
</div>
</div>
<blockquote style=3D"margin-top:5.0pt;margin-bottom:5.0pt">
<div>
<p class=3D"MsoNormal" style=3D"background:white">=A0</p>
</div>
<div>
<p class=3D"MsoNormal" style=3D"margin-bottom:12.0pt;background:white;backg=
round-repeat:initial initial">
Inline:=A0</p>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">2013/7/31 Prateek Mishra =
&lt;<a href=3D"mailto:prateek.mishra@oracle.com" target=3D"_blank"><span st=
yle=3D"color:purple">prateek.mishra@oracle.com</span></a>&gt;</p>
</div>
<blockquote style=3D"border:none;border-left:solid #cccccc 1.0pt;padding:0i=
n 0in 0in 6.0pt;margin-left:4.8pt;margin-top:5.0pt;margin-right:0in;margin-=
bottom:5.0pt">
<div>
<p class=3D"MsoNormal" style=3D"background:white">Nat -<span class=3D"apple=
-converted-space">=A0</span><br>
<br>
your blog posting is helpful to those of us who are looking for a minimal e=
xtension of OAuth with<span class=3D"apple-converted-space">=A0</span><br>
an authenticator.=A0 Many implementors are seeking a modest extension of OA=
uth, not an entire new protocol<br>
stack. =A0 I believe that is the point of Phil Hunt&#39;s proposal to the O=
Auth committee.<br>
<br>
I do have some questions about the statements made in the blog -<span c=
lass=3D"apple-converted-space">=A0</span><br>
<br>
A) Can you direct me to a single OpenID Connect draft specification documen=
t where steps 1 and 2 are described?</p>
</div>
</blockquote>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">=A0</p>
</div>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">Actually, it is not a sin=
gle spec, that the Standard is referencing others.=A0</p>
</div>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">The Standard is kind of c=
luttered because it has 6 response types and three request types in it.=A0<=
/p>
</div>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">I suppose it would be muc=
h easier for the readers to split them into coherent pieces, though that me=
ans duplicate texts.=A0</p>
</div>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">=A0</p>
</div>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">The easiest approach here=
 is to read the Basic Client Profile.=A0<a href=3D"http://openid.net/specs/=
openid-connect-basic-1_0-28.html" target=3D"_blank"><span style=3D"color:pu=
rple">http://openid.net/specs/openid-connect-basic-1_0-28.html</span></a></=
p>

</div>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">Then, read=A0OAuth 2.0 Mu=
ltiple Response Type Encoding Practices=A0<a href=3D"http://openid.net/spec=
s/oauth-v2-multiple-response-types-1_0-08.html" target=3D"_blank"><span sty=
le=3D"color:purple">http://openid.net/specs/oauth-v2-multiple-response-type=
s-1_0-08.html</span></a>=A0.=A0</p>

</div>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">=A0</p>
</div>
</div>
<blockquote style=3D"border:none;border-left:solid #cccccc 1.0pt;padding:0i=
n 0in 0in 6.0pt;margin-left:4.8pt;margin-top:5.0pt;margin-right:0in;margin-=
bottom:5.0pt">
<div>
<p class=3D"MsoNormal" style=3D"background:white"><br>
B) If I implement steps 1 and 2, do I then have a conformant OpenID Connect=
 implementation? Are there no<span class=3D"apple-converted-space">=A0</spa=
n><br>
other MTI protocol exchanges in OpenID Connect?</p>
</div>
</blockquote>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">=A0</p>
</div>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">Yes, for a non-dynamic Op=
enID Connect Server.=A0</p>
</div>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">=A0</p>
</div>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">Nat</p>
</div>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">=A0=A0</p>
</div>
</div>
<blockquote style=3D"border:none;border-left:solid #cccccc 1.0pt;padding:0i=
n 0in 0in 6.0pt;margin-left:4.8pt;margin-top:5.0pt;margin-right:0in;margin-=
bottom:5.0pt">
<div>
<p class=3D"MsoNormal" style=3D"background:white"><br>
Thanks,<br>
prateek</p>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white"><br>
<br>
=A0 =A0</p>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">=A0</p>
</div>
</div>
<blockquote style=3D"margin-top:5.0pt;margin-bottom:5.0pt">
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">I have written a short bl=
og post titled &quot;<a href=3D"http://nat.sakimura.org/2013/07/28/write-op=
enid-connect-server-in-three-simple-steps/" target=3D"_blank"><span style=
=3D"color:purple">Write an OpenID Connect server
 in three simple steps</span></a>&quot;.=A0</p>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">=A0</p>
</div>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">Really, there is not much=
 you need to do on top of OAuth 2.0.=A0</p>
</div>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">=A0</p>
</div>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">It puzzles me why you nee=
d to create a draft with only minor variances in parameter names.=A0</p>
</div>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">=A0</p>
</div>
</div>
<blockquote style=3D"margin-left:30.0pt;margin-top:5.0pt;margin-right:0in;m=
argin-bottom:5.0pt">
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">e.g.,=A0</p>
</div>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">session instead of id_tok=
en</p>
</div>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">lat instead of iat</p>
</div>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">alv instead of acr</p>
</div>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">etc.=A0</p>
</div>
</div>
</blockquote>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">=A0</p>
</div>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">If you change those param=
eter names, you will have a conformant profile of OpenID Connect.=A0</p>
</div>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">=A0</p>
</div>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">Nat</p>
</div>
</div>
</div>
<div>
<p class=3D"MsoNormal" style=3D"margin-bottom:12.0pt;background:white;backg=
round-repeat:initial initial">
=A0</p>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">2013/7/31 John Bradley &l=
t;<a href=3D"mailto:ve7jtb@ve7jtb.com" target=3D"_blank"><span style=3D"col=
or:purple">ve7jtb@ve7jtb.com</span></a>&gt;</p>
</div>
<blockquote style=3D"border:none;border-left:solid #cccccc 1.0pt;padding:0i=
n 0in 0in 6.0pt;margin-left:4.8pt;margin-top:5.0pt;margin-right:0in;margin-=
bottom:5.0pt">
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">Connect doesn&#39;t requi=
re a userinfo endpoint. =A0 It is required for interoperability if you are =
building an open IdP. =A0 For an enterprise type deployment discovery, regi=
stration, userinfo are all optional.</p>

</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">=A0</p>
</div>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">The server is required to=
 pass the nonce which is equivalent to a request ID through to the JWT if t=
he client sends it in the request.</p>
</div>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">=A0</p>
</div>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">Justin is correct.</p>
</div>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">=A0</p>
</div>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">John B.</p>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">=A0</p>
</div>
<div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">On 2013-07-30, at 5:30 PM=
, Phil Hunt &lt;<a href=3D"mailto:phil.hunt@oracle.com" target=3D"_blank"><=
span style=3D"color:purple">phil.hunt@oracle.com</span></a>&gt; wrote:</p>
</div>
</div>
<div>
<p class=3D"MsoNormal" style=3D"background:white"><br>
<br>
<br>
</p>
</div>
<blockquote style=3D"margin-top:5.0pt;margin-bottom:5.0pt">
<div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">Forgot reply all.<br>
<br>
Phil</p>
</div>
</div>
<div>
<p class=3D"MsoNormal" style=3D"margin-bottom:12.0pt;background:white;backg=
round-repeat:initial initial">
<br>
Begin forwarded message:</p>
</div>
<blockquote style=3D"margin-top:5.0pt;margin-bottom:5.0pt">
<p class=3D"MsoNormal" style=3D"margin-bottom:12.0pt;background:white;backg=
round-repeat:initial initial">
<b>From:</b><span class=3D"apple-converted-space">=A0</span>Phil Hunt &lt;<=
a href=3D"mailto:phil.hunt@oracle.com" target=3D"_blank"><span style=3D"col=
or:purple">phil.hunt@oracle.com</span></a>&gt;<br>
<b>Date:</b><span class=3D"apple-converted-space">=A0</span>30 July, 2013 1=
7:25:46 GMT+02:00<br>
<b>To:</b><span class=3D"apple-converted-space">=A0</span>&quot;Richer, Jus=
tin P.&quot; &lt;<a href=3D"mailto:jricher@mitre.org" target=3D"_blank"><sp=
an style=3D"color:purple">jricher@mitre.org</span></a>&gt;<br>
<b>Subject:</b><span class=3D"apple-converted-space">=A0</span><b>Re: [OAUT=
H-WG] New Version Notification for draft-hunt-oauth-v2-user-a4c-00.txt</b><=
/p>
</blockquote>
<blockquote style=3D"margin-top:5.0pt;margin-bottom:5.0pt">
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">The whole point is authn =
only. Many do not want or need the userinfo endpoint.=A0<br>
<br>
Phil</p>
</div>
</div>
<div>
<p class=3D"MsoNormal" style=3D"margin-bottom:12.0pt;background:white;backg=
round-repeat:initial initial">
<br>
On 2013-07-30, at 17:17, &quot;Richer, Justin P.&quot; &lt;<a href=3D"mailt=
o:jricher@mitre.org" target=3D"_blank"><span style=3D"color:purple">jricher=
@mitre.org</span></a>&gt; wrote:</p>
</div>
<blockquote style=3D"margin-top:5.0pt;margin-bottom:5.0pt">
<div>
<p class=3D"MsoNormal" style=3D"background:white">What do you mean? You abs=
olutely can implement a compliant OIDC server nearly as simply as this. The=
 things that you&#39;re missing I think are necessary for basic interoperab=
le functionality, and are things that other
 folks using OAuth for authentication have also implemented. Namely:</p>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">=A0</p>
</div>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">=A0- Signing the ID token=
 (OIDC specifies the RS256 flavor of JWS, which is easy to do with JWT). Wi=
thout a signed and verifiable ID token or equivalent, you&#39;re asking for=
 all kinds of token injection problems.</p>

</div>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">=A0- Session management r=
equests (max auth age, auth time)</p>
</div>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">=A0- Not fall over with o=
ther parameters that you don&#39;t support (display, prompt, etc).</p>
</div>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">=A0</p>
</div>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">See here for more informa=
tion:</p>
</div>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">=A0</p>
</div>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">=A0<a href=3D"http://open=
id.net/specs/openid-connect-messages-1_0.html#ServerMTI" target=3D"_blank">=
<span style=3D"color:purple">http://openid.net/specs/openid-connect-message=
s-1_0.html#ServerMTI</span></a></p>

</div>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">=A0</p>
</div>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">Additionally, something t=
hat&#39;s really important to support is the User Info Endpoint, so you can=
 actually get user profile information beyond just the simple &quot;someone=
 was here&quot; claim -- this was the real value of
 Facebook Connect from an RP&#39;s perspective. Some people will probably w=
ant to use SCIM for this, too, and that&#39;s fine.</p>
</div>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">=A0</p>
</div>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">=A0-- Justin</p>
</div>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">=A0</p>
</div>
<div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">On Jul 30, 2013, at 10:54=
 AM, Phil Hunt &lt;<a href=3D"mailto:phil.hunt@oracle.com" target=3D"_blank=
"><span style=3D"color:purple">phil.hunt@oracle.com</span></a>&gt;</p>
</div>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">=A0wrote:</p>
</div>
</div>
<div>
<p class=3D"MsoNormal" style=3D"background:white"><br>
<br>
<br>
</p>
</div>
<blockquote style=3D"margin-top:5.0pt;margin-bottom:5.0pt">
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">The oidc specs do not all=
ow this simple an implementation. The spec members have not shown interest =
in making changes as they say they are too far down the road.</p>
</div>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">=A0</p>
</div>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">I have tried to make my d=
raft as close as possible to oidc but maybe it shouldn&#39;t be clarity wis=
e. I am interested in what the group feels is clearest.=A0</p>
</div>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">=A0</p>
</div>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">From an ietf perspective =
the concern is improper use of the 6749 for authn. Is this a bug or gap we =
need to address?<br>
<br>
Phil</p>
</div>
</div>
<div>
<p class=3D"MsoNormal" style=3D"margin-bottom:12.0pt;background:white;backg=
round-repeat:initial initial">
<br>
On 2013-07-30, at 16:46, &quot;Richer, Justin P.&quot; &lt;<a href=3D"mailt=
o:jricher@mitre.org" target=3D"_blank"><span style=3D"color:purple">jricher=
@mitre.org</span></a>&gt; wrote:</p>
</div>
<blockquote style=3D"margin-top:5.0pt;margin-bottom:5.0pt">
<div>
<p class=3D"MsoNormal" style=3D"background:white">From what I read, you&#39=
;ve defined something that uses an OAuth 2 code flow to get an extra token =
which is specified as a JWT. You named it &quot;session_token&quot; instead=
 of &quot;id_token&quot;, and you&#39;ve left off the User Information
 Endpoint -- but other than that, this is exactly the Basic Client for Open=
ID Connect. In other words, if you change the names on things you&#39;ve go=
t OIDC, but without the capabilities to go beyond a very basic &quot;hey th=
ere&#39;s a user here&quot; claim. This is the same
 place that OpenID 2.0 started, and it was very, very quickly extended with=
 SREG, AX, PAPE, and others for it to be useful in the real world of distri=
buted logins. You&#39;ve also left out discovery and registration which are=
 required for distributed deployments,
 but I&#39;m guessing that those would be modular components that could be =
added in (like they are in OIDC).=A0</p>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">=A0</p>
</div>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">I&#39;ve heard complaints=
 that OIDC is complicated, but it&#39;s really not. Yes, I agree that the g=
iant stack of documents is intimidating and in my opinion it&#39;s a bit of=
 a mess with Messages and Standard split up (but
 I lost that argument years ago). However, at the core, you&#39;ve got an O=
Auth2 authorization server that spits out access tokens and id tokens. The =
id token is a JWT with some known claims (iss, sub, etc) and is issued alon=
g side the access token, and its audience
 is the *client* and not the *protected resource*. The access token is a re=
gular old access token and its format is undefined (so you can use it with =
an existing OAuth2 server setup, like we have), and it can be used at the U=
ser Info Endpoint to get profile
 information about the user who authenticated. It could also be used for ot=
her services if your AS/IdP protects multiple things.</p>
</div>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">=A0</p>
</div>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">So I guess what I&#39;m m=
issing is what&#39;s the value proposition in this spec when we have someth=
ing that can do this already? And this doesn&#39;t seem to do anything diff=
erent (apart from syntax changes)?</p>

</div>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">=A0</p>
</div>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">=A0-- Justin</p>
</div>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">=A0</p>
</div>
<div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">On Jul 29, 2013, at 4:14 =
AM, Phil Hunt &lt;<a href=3D"mailto:phil.hunt@oracle.com" target=3D"_blank"=
><span style=3D"color:purple">phil.hunt@oracle.com</span></a>&gt; wrote:</p=
>
</div>
</div>
<div>
<p class=3D"MsoNormal" style=3D"background:white"><br>
<br>
<br>
</p>
</div>
<blockquote style=3D"margin-top:5.0pt;margin-bottom:5.0pt">
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">FYI. =A0I have been notic=
ing a substantial number of sites acting as OAuth Clients using OAuth to au=
thenticate users.</p>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">=A0</p>
</div>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">I know several of us have=
 blogged on the issue over the past year so I won&#39;t re-hash it here. =
=A0In short, many of us recommended OIDC as the correct methodology.</p>
</div>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">=A0</p>
</div>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">Never-the-less, I&#39;ve =
spoken with a number of service providers who indicate they are not ready t=
o make the jump to OIDC, yet they agree there is a desire to support authen=
tication only (where as OIDC does IDP-like
 services).</p>
</div>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">=A0</p>
</div>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">This draft is intended as=
 a minimum authentication only specification. =A0I&#39;ve tried to make it =
as compatible as possible with OIDC.</p>
</div>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">=A0</p>
</div>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">For now, I&#39;ve just po=
sted to keep track of the issue so we can address at the next re-chartering=
.</p>
</div>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">=A0</p>
</div>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">Happy to answer questions=
 and discuss.=A0</p>
</div>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">=A0</p>
</div>
</div>
<div>
<div>
<div>
<div>
<div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white"><span style=3D"font-size:=
9.0pt;font-family:&quot;Helvetica&quot;,&quot;sans-serif&quot;">Phil</span>=
</p>
</div>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white"><span style=3D"font-size:=
9.0pt;font-family:&quot;Helvetica&quot;,&quot;sans-serif&quot;">=A0</span><=
/p>
</div>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white"><span style=3D"font-size:=
9.0pt;font-family:&quot;Helvetica&quot;,&quot;sans-serif&quot;">@independen=
tid</span></p>
</div>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white"><span style=3D"font-size:=
9.0pt;font-family:&quot;Helvetica&quot;,&quot;sans-serif&quot;"><a href=3D"=
http://www.independentid.com/" target=3D"_blank"><span style=3D"color:purpl=
e">www.independentid.com</span></a></span></p>

</div>
</div>
</div>
<p class=3D"MsoNormal" style=3D"margin-bottom:13.5pt;background:white;backg=
round-repeat:initial initial">
<span style=3D"font-size:13.5pt;font-family:&quot;Helvetica&quot;,&quot;san=
s-serif&quot;"><a href=3D"mailto:phil.hunt@oracle.com" target=3D"_blank"><s=
pan style=3D"color:purple">phil.hunt@oracle.com</span></a></span></p>
</div>
<div>
<p class=3D"MsoNormal" style=3D"background:white"><span style=3D"font-size:=
13.5pt;font-family:&quot;Helvetica&quot;,&quot;sans-serif&quot;">=A0</span>=
</p>
</div>
</div>
<div>
<p class=3D"MsoNormal" style=3D"background:white"><br>
<br>
<br>
</p>
</div>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">=A0</p>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">Begin forwarded message:<=
/p>
</div>
</div>
<div>
<p class=3D"MsoNormal" style=3D"background:white"><br>
<br>
<br>
</p>
</div>
<blockquote style=3D"margin-top:5.0pt;margin-bottom:5.0pt">
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white"><b><span style=3D"font-si=
ze:13.5pt;font-family:&quot;Helvetica&quot;,&quot;sans-serif&quot;">From:</=
span></b><span style=3D"font-size:13.5pt;font-family:&quot;Helvetica&quot;,=
&quot;sans-serif&quot;"><a href=3D"mailto:internet-drafts@ietf.org" target=
=3D"_blank"><span style=3D"color:purple">internet-drafts@ietf.org</span></a=
></span></p>

</div>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white"><b><span style=3D"font-si=
ze:13.5pt;font-family:&quot;Helvetica&quot;,&quot;sans-serif&quot;">Subject=
: New Version Notification for draft-hunt-oauth-v2-user-a4c-00.txt</span></=
b></p>

</div>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white"><b><span style=3D"font-si=
ze:13.5pt;font-family:&quot;Helvetica&quot;,&quot;sans-serif&quot;">Date:</=
span></b><span style=3D"font-size:13.5pt;font-family:&quot;Helvetica&quot;,=
&quot;sans-serif&quot;">29 July, 2013 9:49:41 AM GMT+02:00</span></p>

</div>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white"><b><span style=3D"font-si=
ze:13.5pt;font-family:&quot;Helvetica&quot;,&quot;sans-serif&quot;">To:</sp=
an></b><span style=3D"font-size:13.5pt;font-family:&quot;Helvetica&quot;,&q=
uot;sans-serif&quot;">Phil Hunt &lt;<a href=3D"mailto:phil.hunt@yahoo.com" =
target=3D"_blank"><span style=3D"color:purple">phil.hunt@yahoo.com</span></=
a>&gt;,
 Phil Hunt &lt;<a href=3D"mailto:None@ietfa.amsl.com" target=3D"_blank"><sp=
an style=3D"color:purple">None@ietfa.amsl.com</span></a>&gt;, Phil Hunt &lt=
;&gt;</span></p>
</div>
</div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">=A0</p>
</div>
<div>
<p class=3D"MsoNormal" style=3D"margin-bottom:12.0pt;background:white;backg=
round-repeat:initial initial">
<br>
A new version of I-D, draft-hunt-oauth-v2-user-a4c-00.txt<br>
has been successfully submitted by Phil Hunt and posted to the<br>
IETF repository.<br>
<br>
Filename: draft-hunt-oauth-v2-user-a4c<br>
Revision: 00<br>
Title: OAuth 2.0 User Authentication For Client<br>
Creation date: 2013-07-29<br>
Group: Individual Submission<br>
Number of pages: 9<br>
URL: =A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0<a href=3D"http://www.ietf.org/int=
ernet-drafts/draft-hunt-oauth-v2-user-a4c-00.txt" target=3D"_blank"><span s=
tyle=3D"color:purple">http://www.ietf.org/internet-drafts/draft-hunt-oauth-=
v2-user-a4c-00.txt</span></a><br>

Status: =A0=A0=A0=A0=A0=A0=A0=A0=A0<a href=3D"http://datatracker.ietf.org/d=
oc/draft-hunt-oauth-v2-user-a4c" target=3D"_blank"><span style=3D"color:pur=
ple">http://datatracker.ietf.org/doc/draft-hunt-oauth-v2-user-a4c</span></a=
><br>
Htmlized: =A0=A0=A0=A0=A0=A0=A0<a href=3D"http://tools.ietf.org/html/draft-=
hunt-oauth-v2-user-a4c-00" target=3D"_blank"><span style=3D"color:purple">h=
ttp://tools.ietf.org/html/draft-hunt-oauth-v2-user-a4c-00</span></a><br>
<br>
<br>
Abstract:<br>
=A0=A0This specification defines a new OAuth2 endpoint that enables user<br=
>
=A0=A0authentication session information to be shared with client<br>
=A0=A0applications.<br>
<br>
<br>
<br>
<br>
Please note that it may take a couple of minutes from the time of submissio=
n<br>
until the htmlized version and diff are available at<a href=3D"http://tools=
.ietf.org/" target=3D"_blank"><span style=3D"color:purple">tools.ietf.org</=
span></a>.<br>
<br>
The IETF Secretariat</p>
</div>
</blockquote>
</div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">=A0</p>
</div>
</div>
</div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">_________________________=
______________________<br>
OAuth mailing list<br>
<a href=3D"mailto:OAuth@ietf.org" target=3D"_blank"><span style=3D"color:pu=
rple">OAuth@ietf.org</span></a><br>
<a href=3D"https://www.ietf.org/mailman/listinfo/oauth" target=3D"_blank"><=
span style=3D"color:purple">https://www.ietf.org/mailman/listinfo/oauth</sp=
an></a></p>
</div>
</blockquote>
</div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">=A0</p>
</div>
</div>
</blockquote>
</blockquote>
</div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">=A0</p>
</div>
</div>
</blockquote>
</blockquote>
</div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">_________________________=
______________________<br>
OAuth mailing list<br>
<a href=3D"mailto:OAuth@ietf.org" target=3D"_blank"><span style=3D"color:pu=
rple">OAuth@ietf.org</span></a><br>
<a href=3D"https://www.ietf.org/mailman/listinfo/oauth" target=3D"_blank"><=
span style=3D"color:purple">https://www.ietf.org/mailman/listinfo/oauth</sp=
an></a></p>
</div>
</blockquote>
</div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">=A0</p>
</div>
</div>
</div>
</div>
<p class=3D"MsoNormal" style=3D"margin-bottom:12.0pt;background:white;backg=
round-repeat:initial initial">
<br>
_______________________________________________<br>
OAuth mailing list<br>
<a href=3D"mailto:OAuth@ietf.org" target=3D"_blank"><span style=3D"color:pu=
rple">OAuth@ietf.org</span></a><br>
<a href=3D"https://www.ietf.org/mailman/listinfo/oauth" target=3D"_blank"><=
span style=3D"color:purple">https://www.ietf.org/mailman/listinfo/oauth</sp=
an></a></p>
</blockquote>
</div>
<div>
<p class=3D"MsoNormal" style=3D"background:white"><br>
<br clear=3D"all">
</p>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">=A0</p>
</div>
</div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">--<span class=3D"apple-co=
nverted-space">=A0</span><br>
Nat Sakimura (=3Dnat)</p>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">Chairman, OpenID Foundati=
on<br>
<a href=3D"http://nat.sakimura.org/" target=3D"_blank"><span style=3D"color=
:purple">http://nat.sakimura.org/</span></a><br>
@_nat_en</p>
</div>
</div>
</div>
<div>
<p class=3D"MsoNormal" style=3D"background:white"><br>
<br>
<br>
</p>
</div>
<pre style=3D"background:white;background-repeat:initial initial">_________=
______________________________________</pre>
<pre style=3D"background:white;background-repeat:initial initial">OAuth mai=
ling list</pre>
<pre style=3D"background:white;background-repeat:initial initial"><a href=
=3D"mailto:OAuth@ietf.org" target=3D"_blank"><span style=3D"color:purple">O=
Auth@ietf.org</span></a></pre>
<pre style=3D"background:white;background-repeat:initial initial"><a href=
=3D"https://www.ietf.org/mailman/listinfo/oauth" target=3D"_blank"><span st=
yle=3D"color:purple">https://www.ietf.org/mailman/listinfo/oauth</span></a>=
</pre>

</blockquote>
<div>
<p class=3D"MsoNormal" style=3D"background:white">=A0</p>
</div>
</div>
</blockquote>
</div>
<div>
<p class=3D"MsoNormal" style=3D"background:white"><br>
<br clear=3D"all">
</p>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">=A0</p>
</div>
</div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">--<span class=3D"apple-co=
nverted-space">=A0</span><br>
Nat Sakimura (=3Dnat)</p>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">Chairman, OpenID Foundati=
on<br>
<a href=3D"http://nat.sakimura.org/" target=3D"_blank"><span style=3D"color=
:purple">http://nat.sakimura.org/</span></a><br>
@_nat_en</p>
</div>
</div>
</div>
</blockquote>
<div>
<p class=3D"MsoNormal" style=3D"background:white">=A0</p>
</div>
</div>
<p class=3D"MsoNormal" style=3D"margin-bottom:12.0pt;background:white;backg=
round-repeat:initial initial">
<br>
_______________________________________________<br>
OAuth mailing list<br>
<a href=3D"mailto:OAuth@ietf.org"><span style=3D"color:purple">OAuth@ietf.o=
rg</span></a><br>
<a href=3D"https://www.ietf.org/mailman/listinfo/oauth" target=3D"_blank"><=
span style=3D"color:purple">https://www.ietf.org/mailman/listinfo/oauth</sp=
an></a><br>
<br>
<br>
</p>
</div>
</div>
</div>
<p class=3D"MsoNormal"><span style=3D"font-size:13.5pt;font-family:&quot;He=
lvetica&quot;,&quot;sans-serif&quot;">_____________________________________=
__________<br>
OAuth mailing list<br>
<a href=3D"mailto:OAuth@ietf.org"><span style=3D"color:purple">OAuth@ietf.o=
rg</span></a><br>
<a href=3D"https://www.ietf.org/mailman/listinfo/oauth"><span style=3D"colo=
r:purple">https://www.ietf.org/mailman/listinfo/oauth</span></a></span></p>
</div>
</blockquote>
</div>
<p class=3D"MsoNormal">=A0</p>
</div>
</div>


</div></blockquote></body></html>

--001a11c3bb0cb1dc0204e2e2fcfe--

From bcampbell@pingidentity.com  Thu Aug  1 06:58:04 2013
MIME-Version: 1.0
In-Reply-To: <706472E2-DF7D-4963-8C07-552F3690D927@ve7jtb.com>
References: <e1cdc1b2a4d1841d12938a900355121f@lodderstedt-online.de> <706472E2-DF7D-4963-8C07-552F3690D927@ve7jtb.com>
From: Brian Campbell <bcampbell@pingidentity.com>
Date: Thu, 1 Aug 2013 15:57:14 +0200
Message-ID: <CA+k3eCR+0MCLC5F5ZtAt28vcn0mCfM9kHOHcc2nO4BQY3vt73A@mail.gmail.com>
To: John Bradley <ve7jtb@ve7jtb.com>
Content-Type: multipart/alternative; boundary=047d7b1117c1f7b3e504e2e339a7
Cc: "oauth@ietf.org WG" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Authz Header + client_id in message body
List-Id: OAUTH WG <oauth.ietf.org>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>

--047d7b1117c1f7b3e504e2e339a7
Content-Type: text/plain; charset=ISO-8859-1

I thought I remembered that text from RFC 6749, section 3.1 as saying that
a *public* client MAY use the "client_id" request parameter to identify
itself...

Apparently that's not what it says. But I believe that was the intent - that
a client with no means of authentication could identify itself by sending
only the "client_id" request parameter to the token endpoint.

Sec 2.3 (http://tools.ietf.org/html/rfc6749#section-2.3) says, "The client
MUST NOT use more than one authentication method in each  request."

And 5.2 (http://tools.ietf.org/html/rfc6749#section-5.2) has

         "invalid_request
               The request is missing a required parameter, includes an
               unsupported parameter value (other than grant type),
               repeats a parameter,* includes multiple credentials,*
               utilizes more than one mechanism for authenticating the
               client, or is otherwise malformed."

There is some room for ambiguity in all that but, based on the above, I'd
say that the way your server is behaving is correct Torsten.



On Thu, Aug 1, 2013 at 2:13 PM, John Bradley <ve7jtb@ve7jtb.com> wrote:

> Hmm allowing sending the client_id even if there is no authentication was
> intended to mitigate cases where the client presenting the code or
> refresh_token was not the one that requested it, and for logging.
>
> I don't think the intention was to allow the client_id to be sent twice.
>
> If it were my Token endpoint I would ignore the extra one and only
> process the one sent as part of the authentication,  if there is no
> authentication then the value of the "client_id" parameter MUST match the
> client_id that was used to request the token.
>
> It is probably an open question if the request should be considered
> malformed if it contains both.
>
> Personally I would recommend that the client not do that.
>
> Others may remember it differently.
>
> John B.
>
> On 2013-08-01, at 11:34 AM, Torsten Lodderstedt <torsten@lodderstedt.net>
> wrote:
>
> > Hi,
> >
> > while setting up our OIDC interop tests, we run into the following
> > problem:
> >
> > The test client sends a request to the token endpoint, which contains
> > the client credentials in an authorization header. Additionally, it adds
> > the client_id to the message body. Our server treats this as an invalid
> > request and responds with HTTP status code 400.
> >
> > Now my question: The last paragraph of RFC 6749, section 3.1
> > (http://tools.ietf.org/html/rfc6749#section-3.2.1) states
> >
> > "A client MAY use the "client_id" request parameter to identify itself
> >   when sending requests to the token endpoint."
> >
> > This seems to allow the client to send the client_id in addition to any
> > other credential used to authenticate it.
> >
> > I'm not sure what the intention is/was. How is the server supposed to
> > handle such cases? Shall it compare both ids (from the header and the
> > body)? Must they match exactly?
> >
> > Any feedback is appreciated.
> >
> > regards,
> > Torsten.
> > _______________________________________________
> > OAuth mailing list
> > OAuth@ietf.org
> > https://www.ietf.org/mailman/listinfo/oauth
>
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>
>
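
Added example, not part of the original thread or any participant's code: a token endpoint client-authentication check in Python covering the three handlings discussed above for a client_id sent in the body alongside an Authorization header (reject as invalid_request, ignore the body value, or require it to match), plus the binding of a code to the client that requested it. The client registry, secrets, sample requests, function names and the `policy` parameter are constructed for illustration.

```python
import base64
import hmac
from urllib.parse import parse_qs, unquote_plus

# Constructed registry (assumption): confidential clients carry a secret,
# public clients are registered with None.
CLIENTS = {"web-client": "constructed-secret", "native-app": None}

# Constructed sample request pieces.
BASIC = "Basic " + base64.b64encode(b"web-client:constructed-secret").decode()
BODY = "grant_type=authorization_code&code=constructed-code&client_id=web-client"


class TokenRequestError(Exception):
    """Carries an RFC 6749 section 5.2 error code and the HTTP status."""

    def __init__(self, error, status, detail):
        super().__init__(detail)
        self.error, self.status = error, status


def _single(form, name):
    values = form.get(name, [])
    if len(values) > 1:  # section 5.2: "repeats a parameter"
        raise TokenRequestError("invalid_request", 400, "repeated " + name)
    return values[0] if values else None


def _parse_basic(header):
    scheme, _, blob = header.partition(" ")
    try:
        if scheme.lower() != "basic":
            raise ValueError("unsupported scheme")
        decoded = base64.b64decode(blob.strip(), validate=True).decode("utf-8")
        user, sep, password = decoded.partition(":")
        if not sep:
            raise ValueError("missing colon")
    except ValueError:
        raise TokenRequestError("invalid_client", 401, "bad Authorization header") from None
    # Section 2.3.1: id and secret are form-urlencoded before Basic encoding.
    return unquote_plus(user), unquote_plus(password)


def _check_secret(client_id, secret):
    expected = CLIENTS.get(client_id)
    if expected is None or not hmac.compare_digest(expected.encode(), secret.encode()):
        raise TokenRequestError("invalid_client", 401, "client authentication failed")


def authenticate_client(authorization, body, policy="reject"):
    """Return (client_id, authenticated). policy is 'reject', 'ignore' or 'match'."""
    form = parse_qs(body, keep_blank_values=True)
    body_id = _single(form, "client_id")
    body_secret = _single(form, "client_secret")

    if authorization is not None:
        header_id, header_secret = _parse_basic(authorization)
        if body_secret is not None:
            # Section 2.3: no more than one authentication method per request.
            raise TokenRequestError("invalid_request", 400, "two authentication methods")
        if body_id is not None:
            if policy == "reject":  # the behaviour of the server in the thread
                raise TokenRequestError("invalid_request", 400, "client_id sent twice")
            if policy == "match" and body_id != header_id:
                raise TokenRequestError("invalid_request", 400, "client_id mismatch")
            # 'ignore': only the authenticated identity is processed.
        _check_secret(header_id, header_secret)
        return header_id, True

    if body_id is None:
        raise TokenRequestError("invalid_client", 401, "no client identification")
    if body_secret is not None:  # credentials in the body (section 2.3.1)
        _check_secret(body_id, body_secret)
        return body_id, True
    # Only a registered public client may identify itself with client_id alone.
    if body_id not in CLIENTS or CLIENTS[body_id] is not None:
        raise TokenRequestError("invalid_client", 401, "client must authenticate")
    return body_id, False


def check_grant_binding(client_id, issued_to):
    # The code or refresh token must be redeemed by the client it was issued to.
    if client_id != issued_to:
        raise TokenRequestError("invalid_grant", 400, "issued to another client")


def token_endpoint_decision(authorization, body, issued_to, policy="reject"):
    """Return (HTTP status, client_id on success or error code on failure)."""
    try:
        client_id, _authenticated = authenticate_client(authorization, body, policy)
        check_grant_binding(client_id, issued_to)
    except TokenRequestError as exc:
        return exc.status, exc.error
    return 200, client_id
```
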

--047d7b1117c1f7b3e504e2e339a7
Content-Type: text/html; charset=ISO-8859-1
Content-Transfer-Encoding: quoted-printable

<div dir=3D"ltr"><div><div><div>I thought I remembered that text from RFC 6=
749, section 3.1 as saying that a *public* client MAY use the &quot;client_=
id&quot; request parameter to identify itself...<br><br></div>Apparently th=
at&#39;s not what it says. But I believe that was the intent - that a clien=
t with no means of authentication could identify itself by sending only the=
 &quot;client_id&quot; request parameter to the token endpoint. <br>

<br>Sec 2.3 (<a href=3D"http://tools.ietf.org/html/rfc6749#section-2.3">htt=
p://tools.ietf.org/html/rfc6749#section-2.3</a>) says, &quot;The client MUS=
T NOT use more than one authentication method in each=A0 request.&quot;<br>

<br></div>And 5.2 (<a href=3D"http://tools.ietf.org/html/rfc6749#section-5.=
2">http://tools.ietf.org/html/rfc6749#section-5.2</a>) has<br><br>=A0=A0=A0=
=A0=A0=A0=A0=A0 &quot;invalid_request<br>=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=
=A0=A0=A0 The request is missing a required parameter, includes an<br>

=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0 unsupported parameter value (oth=
er than grant type),<br>=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0 repeats =
a parameter,<b> includes multiple credentials,</b><br>=A0=A0=A0=A0=A0=A0=A0=
=A0=A0=A0=A0=A0=A0=A0 utilizes more than one mechanism for authenticating t=
he<br>

=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0 client, or is otherwise malforme=
d.&quot;<br><br></div>There is some room for ambiguity in all that but, bas=
ed on the above, I&#39;d say that the way your server is behaving is correc=
t Torsten. <br><div><div>

<br></div></div></div><div class=3D"gmail_extra"><br><br><div class=3D"gmai=
l_quote">On Thu, Aug 1, 2013 at 2:13 PM, John Bradley <span dir=3D"ltr">&lt=
;<a href=3D"mailto:ve7jtb@ve7jtb.com" target=3D"_blank">ve7jtb@ve7jtb.com</=
a>&gt;</span> wrote:<br>

<blockquote class=3D"gmail_quote" style=3D"margin:0 0 0 .8ex;border-left:1p=
x #ccc solid;padding-left:1ex">Hmm allowing sending the client_id even if t=
here is no authentication was intended to mitigate cases where the client p=
resenting the code or refresh_token was not the one that requested it, and =
for logging.<br>


<br>
I don&#39;t think the intention was to allow the client_id to be sent twice=
.<br>
<br>
If it were my Token endpoint I would ignore the extra one and only processe=
s the one sent as part of the authentication, =A0if there is no authenticat=
ion then the value of the &quot;client_id&quot; parameter MUST match the cl=
ient_id that was used to request the token.<br>


<br>
It is probably a open question if the request should be considered malforme=
d if it contains both.<br>
<br>
Personally I would recommend that the client not do that.<br>
<br>
Others may remember it differently.<br>
<br>
John B.<br>
<div class=3D"HOEnZb"><div class=3D"h5"><br>
On 2013-08-01, at 11:34 AM, Torsten Lodderstedt &lt;<a href=3D"mailto:torst=
en@lodderstedt.net">torsten@lodderstedt.net</a>&gt; wrote:<br>
<br>
&gt; Hi,<br>
&gt;<br>
&gt; while setting up our OIDC interop tests, we run into the following pro=
blem:<br>
&gt;<br>
&gt; The test client sends a request to the token endpoint, which contains =
the client credentials in an authorization header. Additionally, it adds th=
e client_id to the message body. Our server treats this as an invalid reque=
st and responds with HTTP status code 400.<br>


&gt;<br>
&gt; Now my question: The last paragraph of RFC 6749, section 3.1 (<a href=
=3D"http://tools.ietf.org/html/rfc6749#section-3.2.1" target=3D"_blank">htt=
p://tools.ietf.org/html/rfc6749#section-3.2.1</a>) states<br>
&gt;<br>
&gt; &quot;A client MAY use the &quot;client_id&quot; request parameter to =
identify itself<br>
&gt; =A0 when sending requests to the token endpoint.&quot;<br>
&gt;<br>
&gt; This seems to allow the client to send the client_id in addition to an=
y other credential used to authenticate it.<br>
&gt;<br>
&gt; I&#39;m not sure what the intension is/was. How is the server supposed=
 to handle such cases? Shall it compare both ids (from the header and the b=
ody)? Must they match exactly?<br>
&gt;<br>
&gt; Any feedback is appreciated.<br>
&gt;<br>
&gt; regards,<br>
&gt; Torsten.<br>
&gt; _______________________________________________<br>
&gt; OAuth mailing list<br>
&gt; <a href=3D"mailto:OAuth@ietf.org">OAuth@ietf.org</a><br>
&gt; <a href=3D"https://www.ietf.org/mailman/listinfo/oauth" target=3D"_bla=
nk">https://www.ietf.org/mailman/listinfo/oauth</a><br>
<br>
</div></div><br>_______________________________________________<br>
OAuth mailing list<br>
<a href=3D"mailto:OAuth@ietf.org">OAuth@ietf.org</a><br>
<a href=3D"https://www.ietf.org/mailman/listinfo/oauth" target=3D"_blank">h=
ttps://www.ietf.org/mailman/listinfo/oauth</a><br>
<br></blockquote></div><br></div>

--047d7b1117c1f7b3e504e2e339a7--
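
The token-endpoint handling debated in this thread, as an added example (not code from any poster, nor from RFC 6749): a client check that rejects a request using more than one authentication mechanism, with the two positions on a duplicate client_id (reject it as invalid_request, or ignore the body value) behind a switch. The client ids, secret, codes and the `duplicate_id` switch are constructed for the illustration.

```python
import base64
import hmac
from urllib.parse import parse_qs, quote_plus, unquote_plus

# Constructed registrations: one confidential client, one public client (no secret).
CLIENTS = {"web-app": "s3cret-constructed", "native-app": None}
# Constructed record of the client each authorization code was issued to.
CODES = {"code-123": "web-app", "code-456": "native-app"}


class TokenError(Exception):
    def __init__(self, status, error):
        super().__init__(error)
        self.status, self.error = status, error


def basic_header(client_id, secret):
    """Build the Authorization header a confidential client would send."""
    pair = f"{quote_plus(client_id)}:{quote_plus(secret)}".encode()
    return {"Authorization": "Basic " + base64.b64encode(pair).decode()}


def _basic_credentials(headers):
    """Return (client_id, secret) from HTTP Basic, or None when no header is sent."""
    value = headers.get("Authorization")
    if value is None:
        return None
    scheme, _, blob = value.partition(" ")
    if scheme.lower() != "basic":
        raise TokenError(401, "invalid_client")  # unsupported authentication method
    try:
        decoded = base64.b64decode(blob.strip(), validate=True).decode("utf-8")
    except ValueError:  # malformed base64 or UTF-8
        raise TokenError(400, "invalid_request") from None
    client_id, sep, secret = decoded.partition(":")
    if not sep:
        raise TokenError(400, "invalid_request")
    return unquote_plus(client_id), unquote_plus(secret)


def _single(form, name):
    """Return a body parameter's only value; a repeated parameter is invalid_request."""
    values = form.get(name, [])
    if len(values) > 1:
        raise TokenError(400, "invalid_request")
    return values[0] if values else None


def identify_client(headers, body, duplicate_id="reject"):
    """Return the client_id the request is bound to, or raise TokenError.

    duplicate_id="reject": header credentials plus a body client_id is invalid_request.
    duplicate_id="ignore": only the authenticated (header) identity is processed.
    """
    form = parse_qs(body, keep_blank_values=True)
    basic = _basic_credentials(headers)
    body_id = _single(form, "client_id")
    body_secret = _single(form, "client_secret")

    if basic is not None:
        if body_secret is not None:
            # Two authentication mechanisms in one request: always rejected.
            raise TokenError(400, "invalid_request")
        if body_id is not None and duplicate_id == "reject":
            raise TokenError(400, "invalid_request")
        client_id, secret = basic  # in "ignore" mode the body client_id is not consulted
    elif body_id is not None:
        client_id, secret = body_id, body_secret  # body credentials or bare client_id
    else:
        raise TokenError(401, "invalid_client")  # no client identification at all

    if client_id not in CLIENTS:
        raise TokenError(401, "invalid_client")
    expected = CLIENTS[client_id]
    if expected is None:
        if secret is not None:  # a public client has no secret to present
            raise TokenError(401, "invalid_client")
    elif secret is None or not hmac.compare_digest(secret.encode(), expected.encode()):
        raise TokenError(401, "invalid_client")

    # Bind the grant to the identified client: a code issued to another client
    # is refused even when the caller is otherwise valid.
    code = _single(form, "code")
    if code is not None and CODES.get(code) != client_id:
        raise TokenError(400, "invalid_grant")
    return client_id


def handle(headers, body, duplicate_id="reject"):
    """Return (HTTP status, client_id or OAuth error code) for one request."""
    try:
        return 200, identify_client(headers, body, duplicate_id)
    except TokenError as exc:
        return exc.status, exc.error


if __name__ == "__main__":
    auth = basic_header("web-app", "s3cret-constructed")
    dup = "grant_type=authorization_code&code=code-123&client_id=web-app"
    print(handle(auth, dup, "reject"), handle(auth, dup, "ignore"))
```
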

From moransar@cisco.com  Tue Jul 30 05:06:16 2013
From: "Morteza Ansari (moransar)" <moransar@cisco.com>
To: Nat Sakimura <sakimura@gmail.com>, oauth <oauth@ietf.org>
Thread-Topic: [OAUTH-WG] Fwd: New Version Notification for draft-sakimura-oauth-tcse-00.txt
Thread-Index: AQHOjR0szKw5Xncs6kOvJy5Xlryqlg==
Date: Tue, 30 Jul 2013 12:06:08 +0000
Message-ID: <CA3B67220D628A4780D6FEB31F18A3E32AB6F0AE@xmb-rcd-x08.cisco.com>
In-Reply-To: <CABzCy2CC3Oi2J7GZJVBa07=xtjMXvy9ah_h_ZwwZQXDd4qtSzw@mail.gmail.com>
Content-Type: multipart/alternative; boundary="_000_CA3B67220D628A4780D6FEB31F18A3E32AB6F0AExmbrcdx08ciscoc_"
MIME-Version: 1.0
X-Mailman-Approved-At: Thu, 01 Aug 2013 06:58:38 -0700
Subject: Re: [OAUTH-WG] Fwd: New Version Notification for draft-sakimura-oauth-tcse-00.txt

--_000_CA3B67220D628A4780D6FEB31F18A3E32AB6F0AExmbrcdx08ciscoc_
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable

This solves a real and common problem with public client implementations. I certainly would like to see it move forward.  Thanks for publishing it Nat.


Cheers,
Morteza

From: Nat Sakimura <sakimura@gmail.com>
Date: Tuesday, July 30, 2013 11:58 AM
To: oauth <oauth@ietf.org>
Subject: [OAUTH-WG] Fwd: New Version Notification for draft-sakimura-oauth-tcse-00.txt

As some of you know, passing the authorization code securely to a native app on the iOS platform is next to impossible. A malicious application may register the same custom scheme as the victim application and hope to obtain the code, whose success rate is rather high.

We have discussed it during the OpenID Connect Meeting at IETF 87 on Sunday, and over a lengthy thread on the OpenID AB/Connect work group list. I have captured the discussion in the form of an I-D. It is pretty short and hopefully easy to read.

IMHO, although it came up as an issue in OpenID Connect, this is quite a useful extension to OAuth 2.0 in general.

Best,

Nat Sakimura

---------- Forwarded message ----------
From: <internet-drafts@ietf.org>
Date: 2013/7/30
Subject: New Version Notification for draft-sakimura-oauth-tcse-00.txt
To: Nat Sakimura <sakimura@gmail.com>, John Bradley <jbradley@pingidentity.com>, Naveen Agarwal <naa@google.com>



A new version of I-D, draft-sakimura-oauth-tcse-00.txt
has been successfully submitted by Nat Sakimura and posted to the
IETF repository.

Filename:        draft-sakimura-oauth-tcse
Revision:        00
Title:           OAuth Transient Client Secret Extension for Public Clients
Creation date:   2013-07-29
Group:           Individual Submission
Number of pages: 7
URL:             http://www.ietf.org/internet-drafts/draft-sakimura-oauth-tcse-00.txt
Status:          http://datatracker.ietf.org/doc/draft-sakimura-oauth-tcse
Htmlized:        http://tools.ietf.org/html/draft-sakimura-oauth-tcse-00


Abstract:
   The OAuth 2.0 public client utilizing code flow is susceptible to the
   code interception attack.  This specification describe a mechanism
   that acts as a control against this threat.





Please note that it may take a couple of minutes from the time of submission
until the htmlized version and diff are available at tools.ietf.org.

The IETF Secretariat




--
Nat Sakimura (=nat)
Chairman, OpenID Foundation
http://nat.sakimura.org/
@_nat_en


--_000_CA3B67220D628A4780D6FEB31F18A3E32AB6F0AExmbrcdx08ciscoc_--

From jricher@mitre.org  Thu Aug  1 07:15:05 2013
From: "Richer, Justin P." <jricher@mitre.org>
To: Nat Sakimura <sakimura@gmail.com>
Thread-Topic: [OAUTH-WG] Need for Extending OAuth with AuthN (was Re: Fwd: New Version Notification for draft-hunt-oauth-v2-user-a4c-00.txt)
Thread-Index: AQHOjry18EhqomHPmUqyr9S6Nk6qQZmAqJCA
Date: Thu, 1 Aug 2013 14:14:54 +0000
Message-ID: <8E6F38BA-E6BF-40E5-818A-45F506BB181D@mitre.org>
References: <787A2184-CE90-49F4-ABB6-B8D049AE3941@oracle.com> <E2282016-1953-48A4-B0AC-7F138D29AB80@oracle.com> <BAB6DA63-5831-49D0-8CB9-13CF57F78806@ve7jtb.com> <CABzCy2C=DXtFUOZh=55xH_BwMz1Z8gb2ShUHAG7ZmATtc4E4zw@mail.gmail.com> <51F83EF7.6040201@oracle	<51F983E3.1020400@oracle.com> <1375307375.98370.YahooMailNeo@web142804.mail.bf1.yahoo.com> <5c5c607231e644f697c5a60b75688013@BY2PR03MB189.namprd03.prod.outlook.com> <5D020B1E-531D-444E-A492-046D444D48D2@mitre.org> <e68801da9fa547c69fee43b9cd7b22b8@BY2PR03MB189.namprd03.prod.outlook.com> <2117136733141454493@unknownmsgid>
In-Reply-To: <2117136733141454493@unknownmsgid>
Content-Type: multipart/alternative; boundary="_000_8E6F38BAE6BF40E5818A45F506BB181Dmitreorg_"
MIME-Version: 1.0
Cc: "oauth@ietf.org WG" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Need for Extending OAuth with AuthN (was Re: Fwd: New Version Notification for draft-hunt-oauth-v2-user-a4c-00.txt)

--_000_8E6F38BAE6BF40E5818A45F506BB181Dmitreorg_
Content-Type: text/plain; charset="Windows-1252"
Content-Transfer-Encoding: quoted-printable

Also, it's (optionally) a token in the proposed document we're discussing (§2.4.1), which means there are two ways to parse the same information. OIDC uses JWTs for everything, signed and unsigned. This means that OIDC is actually simpler from an implementation perspective, wouldn't you say? Instead of having two parsers, you have one to cover both cases.

(And given your tendency to throw signed assertions at every problem, I would have thought that you'd prefer this anyway.)

 -- Justin

On Aug 1, 2013, at 9:40 AM, Nat Sakimura <sakimura@gmail.com> wrote:

Yes, it is a Token.
No, it does not have to be signed.

As to be a token or not to be a token question, it has been discussed in the WG before, and if I remember correctly,  Microsoft argued for token saying that it is just base64 decoding and I lost there.

Nat

On Aug 1, 2013, at 14:24, Anthony Nadalin <tonynad@microsoft.com> wrote:

You can’t do this, first openid uses a token and second it’s signed, third there is no specification to just return an authentication JSON structure

From: Richer, Justin P. [mailto:jricher@mitre.org]
Sent: Thursday, August 1, 2013 5:15 AM
To: Anthony Nadalin
Cc: Bill Mills; Prateek Mishra; Nat Sakimura; oauth@ietf.org WG
Subject: Re: [OAUTH-WG] Need for Extending OAuth with AuthN (was Re: Fwd: New Version Notification for draft-hunt-oauth-v2-user-a4c-00.txt)

Tony, you can already return the authn result from the token request (we discussed this specifically in May as I recall). That's what the "idtoken" and "code idtoken" responses are for in OpenID Connect. The proposed draft is nearly a duplicate of the core functionality of OIDC.

 -- Justin

On Aug 1, 2013, at 7:31 AM, Anthony Nadalin <tonynad@microsoft.com> wrote:


The proposal does not duplicate what OpenID does, there is clear benefit for returning an authentication result in the token request result. This is being proposed as optional JSON structure.

From: oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] On Behalf Of Bill Mills
Sent: Wednesday, July 31, 2013 2:50 PM
To: Prateek Mishra; Nat Sakimura
Cc: oauth@ietf.org WG
Subject: Re: [OAUTH-WG] Need for Extending OAuth with AuthN (was Re: Fwd: New Version Notification for draft-hunt-oauth-v2-user-a4c-00.txt)

Rather than extending OAuth for something OpenID already does...  why don't we get a simple informational example doc to show how to implement the most basic OpenID service, which is the same functionality on a standard that's already written?

This is sounding more and more like a documentation problem.

________________________________
From: Prateek Mishra <prateek.mishra@oracle.com>
To: Nat Sakimura <sakimura@gmail.com>
Cc: "oauth@ietf.org WG" <oauth@ietf.org>
Sent: Wednesday, July 31, 2013 2:38 PM
Subject: [OAUTH-WG] Need for Extending OAuth with AuthN (was Re: Fwd: New Version Notification for draft-hunt-oauth-v2-user-a4c-00.txt)

Nat -

thanks for the detailed response. I did review the links you sent out but it remained unclear to me which features are MTI and which are not. For example, there is nothing in the Basic Client Profile that suggests that Section 2.3 is optional. I also could not find any definition for "non-dynamic OpenID Connect Server".

I don't think there is a need to duplicate portions of the draft specification text in a new document. One solution that was used in SAML 2.0 was to define a conformance document which described several different operational modes and explained how only a small set of features needed to be implemented in certain modes.

http://docs.oasis-open.org/security/saml/v2.0/saml-conformance-2.0-os.pdf

There are probably other smarter ways to achieve the same effect.

Given this situation, I do think it's a reasonable task for the OAuth community to consider the need for a minimal extension to OAuth that accommodates authentication. The community should be made aware that RFC 6749 is being misused for federated authentication, as explained in  -

http://www.independentid.com/2013/07/simple-authentication-for-oauth-2-what.html

and that there doesn't appear to be a simple solution that is currently available. It would be great if it turned out that OpenID Connect offered such a solution but that isn't clear to me.

Thx,
prateek


Inline:
2013/7/31 Prateek Mishra <prateek.mishra@oracle.com>
Nat -

your blog posting is helpful to those of us who are looking for a minimal extension of OAuth with an authenticator.  Many implementors are seeking a modest extension of OAuth, not an entire new protocol stack.   I believe that is the point of Phil Hunt's proposal to the OAuth committee.

I do have some questions about the statements made in the blog -

A) Can you direct me to a single OpenID Connect draft specification document where steps 1 and 2 are described?

Actually, it is not a single spec, that the Standard is referencing others.
The Standard is kind of cluttered because it has 6 response types and three request types in it.
I suppose it would be much easier for the readers to split them into coherent pieces, though that means duplicate texts.

The easiest approach here is to read the Basic Client Profile. http://openid.net/specs/openid-connect-basic-1_0-28.html
Then, read OAuth 2.0 Multiple Response Type Encoding Practices http://openid.net/specs/oauth-v2-multiple-response-types-1_0-08.html .


B) If I implement steps 1 and 2, do I then have a conformant OpenID Connect implementation? Are there no other MTI protocol exchanges in OpenID Connect?

Yes, for a non-dynamic OpenID Connect Server.

Nat


Thanks,
prateek




I have written a short blog post titled "Write an OpenID Connect server in three simple steps<http://nat.sakimura.org/2013/07/28/write-openid-connect-server-in-three-simple-steps/>".

Really, there is not much you need to do on top of OAuth 2.0.

It puzzles me why you need to create a draft with only minor variances in parameter names.

e.g.,
session instead of id_token
lat instead of iat
alv instead of acr
etc.

If you change those parameter names, you will have a conformant profile of OpenID Connect.

Nat

2013/7/31 John Bradley <ve7jtb@ve7jtb.com>
Connect doesn't require a userinfo endpoint.   It is required for interoperability if you are building an open IdP.   For an enterprise type deployment discovery, registration, userinfo are all optional.

The server is required to pass the nonce which is equivalent to a request ID through to the JWT if the client sends it in the request.

Justin is correct.

John B.

On 2013-07-30, at 5:30 PM, Phil Hunt <phil.hunt@oracle.com> wrote:



Forgot reply all.

Phil

Begin forwarded message:
From: Phil Hunt <phil.hunt@oracle.com>
Date: 30 July, 2013 17:25:46 GMT+02:00
To: "Richer, Justin P." <jricher@mitre.org>
Subject: Re: [OAUTH-WG] New Version Notification for draft-hunt-oauth-v2-user-a4c-00.txt
The whole point is authn only. Many do not want or need the userinfo endpoint.

Phil

On 2013-07-30, at 17:17, "Richer, Justin P." <jricher@mitre.org> wrote:
What do you mean? You absolutely can implement a compliant OIDC server nearly as simply as this. The things that you're missing I think are necessary for basic interoperable functionality, and are things that other folks using OAuth for authentication have also implemented. Namely:

 - Signing the ID token (OIDC specifies the RS256 flavor of JWS, which is easy to do with JWT). Without a signed and verifiable ID token or equivalent, you're asking for all kinds of token injection problems.
 - Session management requests (max auth age, auth time)
 - Not fall over with other parameters that you don't support (display, prompt, etc).

See here for more information:

 http://openid.net/specs/openid-connect-messages-1_0.html#ServerMTI

Additionally, something that's really important to support is the User Info Endpoint, so you can actually get user profile information beyond just the simple "someone was here" claim -- this was the real value of Facebook Connect from an RP's perspective. Some people will probably want to use SCIM for this, too, and that's fine.

 -- Justin

On Jul 30, 2013, at 10:54 AM, Phil Hunt <phil.hunt@oracle.com> wrote:



The oidc specs do not allow this simple an implementation. The spec members have not shown interest in making changes as they say they are too far down the road.

I have tried to make my draft as close as possible to oidc but maybe it shouldn't be clarity wise. I am interested in what the group feels is clearest.

From an ietf perspective the concern is improper use of the 6749 for authn. Is this a bug or gap we need to address?

Phil

On 2013-07-30, at 16:46, "Richer, Justin P." <jricher@mitre.org> wrote:
From what I read, you've defined something that uses an OAuth 2 code flow to get an extra token which is specified as a JWT. You named it "session_token" instead of "id_token", and you've left off the User Information Endpoint -- but other than that, this is exactly the Basic Client for OpenID Connect. In other words, if you change the names on things you've got OIDC, but without the capabilities to go beyond a very basic "hey there's a user here" claim. This is the same place that OpenID 2.0 started, and it was very, very quickly extended with SREG, AX, PAPE, and others for it to be useful in the real world of distributed logins. You've also left out discovery and registration which are required for distributed deployments, but I'm guessing that those would be modular components that could be added in (like they are in OIDC).

I've heard complaints that OIDC is complicated, but it's really not. Yes, I agree that the giant stack of documents is intimidating and in my opinion it's a bit of a mess with Messages and Standard split up (but I lost that argument years ago). However, at the core, you've got an OAuth2 authorization server that spits out access tokens and id tokens. The id token is a JWT with some known claims (iss, sub, etc) and is issued along side the access token, and its audience is the *client* and not the *protected resource*. The access token is a regular old access token and its format is undefined (so you can use it with an existing OAuth2 server setup, like we have), and it can be used at the User Info Endpoint to get profile information about the user who authenticated. It could also be used for other services if your AS/IdP protects multiple things.

So I guess what I'm missing is what's the value proposition in this spec when we have something that can do this already? And this doesn't seem to do anything different (apart from syntax changes)?

 -- Justin

On Jul 29, 2013, at 4:14 AM, Phil Hunt <phil.hunt@oracle.com> wrote:



FYI.  I have been noticing a substantial number of sites acting as OAuth Clients using OAuth to authenticate users.

I know several of us have blogged on the issue over the past year so I won't re-hash it here.  In short, many of us recommended OIDC as the correct methodology.

Nevertheless, I've spoken with a number of service providers who indicate they are not ready to make the jump to OIDC, yet they agree there is a desire to support authentication only (whereas OIDC does IDP-like services).

This draft is intended as a minimum authentication only specification.  I've tried to make it as compatible as possible with OIDC.

For now, I've just posted to keep track of the issue so we can address at the next re-chartering.

Happy to answer questions and discuss.

Phil

@independentid
www.independentid.com
phil.hunt@oracle.com





Begin forwarded message:



From: internet-drafts@ietf.org
Subject: New Version Notification for draft-hunt-oauth-v2-user-a4c-00.txt
Date: 29 July, 2013 9:49:41 AM GMT+02:00
To: Phil Hunt <phil.hunt@yahoo.com>, Phil Hunt <None@ietfa.amsl.com>, Phil Hunt <>


A new version of I-D, draft-hunt-oauth-v2-user-a4c-00.txt
has been successfully submitted by Phil Hunt and posted to the
IETF repository.

Filename: draft-hunt-oauth-v2-user-a4c
Revision: 00
Title: OAuth 2.0 User Authentication For Client
Creation date: 2013-07-29
Group: Individual Submission
Number of pages: 9
URL:             http://www.ietf.org/internet-drafts/draft-hunt-oauth-v2-user-a4c-00.txt
Status:          http://datatracker.ietf.org/doc/draft-hunt-oauth-v2-user-a4c
Htmlized:        http://tools.ietf.org/html/draft-hunt-oauth-v2-user-a4c-00


Abstract:
  This specification defines a new OAuth2 endpoint that enables user
  authentication session information to be shared with client
  applications.




Please note that it may take a couple of minutes from the time of submission
until the htmlized version and diff are available at tools.ietf.org<http://tools.ietf.org/>.

The IETF Secretariat

_______________________________________________
OAuth mailing list
OAuth@ietf.org<mailto:OAuth@ietf.org>
https://www.ietf.org/mailman/listinfo/oauth





--
Nat Sakimura (=nat)
Chairman, OpenID Foundation
http://nat.sakimura.org/
@_nat_en







--_000_8E6F38BAE6BF40E5818A45F506BB181Dmitreorg_
Content-Type: text/html; charset="Windows-1252"
Content-ID: <E1E271759516114EB0D27EC433FC7EE1@imc.mitre.org>
Content-Transfer-Encoding: quoted-printable

<html>
<head>
<meta http-equiv=3D"Content-Type" content=3D"text/html; charset=3DWindows-1=
252">
</head>
<body style=3D"word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-lin=
e-break: after-white-space; ">
Also, it's (optionally) a token in the proposed document we're discussing (=
=A72.4.1), which means there are two ways to parse the same information. OI=
DC uses JWTs for everything, signed and unsigned. This means that OIDC is a=
ctually simpler from an implementation
 perspective, wouldn't you say? Instead of having two parsers, you have one=
 to cover both cases.&nbsp;
<div><br>
</div>
<div>(And given your tendency to throw signed assertions at every problem, =
I would have thought that you'd prefer this anyway.)
<div><br>
</div>
<div>&nbsp;-- Justin</div>
<div><br>
<div>
<div>On Aug 1, 2013, at 9:40 AM, Nat Sakimura &lt;<a href=3D"mailto:sakimur=
a@gmail.com">sakimura@gmail.com</a>&gt;</div>
<div>&nbsp;wrote:</div>
<br class=3D"Apple-interchange-newline">
<blockquote type=3D"cite">
<div dir=3D"auto">
<div>Yes, it is a Token.&nbsp;</div>
<div>No, it does not have to be signed.&nbsp;</div>
<div><br>
</div>
<div>As to be a token or not to be a token question, it has been discussed =
in the WG before, and if I remember correctly, &nbsp;Microsoft argued for t=
oken saying that it is just base64 decoding and I lost there. &nbsp;<br>
<br>
</div>
<div>Nat</div>
<div><br>
On Aug 1, 2013, at 14:24, Anthony Nadalin &lt;<a href=3D"mailto:tonynad@mic=
rosoft.com">tonynad@microsoft.com</a>&gt; wrote:<br>
<br>
</div>
<blockquote type=3D"cite">
<div class=3D"WordSection1">
<p class=3D"MsoNormal"><span style=3D"font-size:11.0pt;font-family:&quot;Ca=
libri&quot;,&quot;sans-serif&quot;;color:#1f497d">You can=92t do this, firs=
t openid uses a token and second it=92s signed, third there is no specifica=
tion to just return an authentication JSON structure</span></p>
<p class=3D"MsoNormal"><a name=3D"_MailEndCompose"><span style=3D"font-size=
:11.0pt;font-family:&quot;Calibri&quot;,&quot;sans-serif&quot;;color:#1f497=
d">&nbsp;</span></a></p>
<div>
<div style=3D"border:none;border-top:solid #e1e1e1 1.0pt;padding:3.0pt 0in =
0in 0in">
<p class=3D"MsoNormal"><b><span style=3D"font-size:11.0pt;font-family:&quot=
;Calibri&quot;,&quot;sans-serif&quot;">From:</span></b><span style=3D"font-=
size:11.0pt;font-family:&quot;Calibri&quot;,&quot;sans-serif&quot;"> Richer=
, Justin P. [<a href=3D"mailto:jricher@mitre.org">mailto:jricher@mitre.org<=
/a>]
<br>
<b>Sent:</b> Thursday, August 1, 2013 5:15 AM<br>
<b>To:</b> Anthony Nadalin<br>
<b>Cc:</b> Bill Mills; Prateek Mishra; Nat Sakimura; <a href=3D"mailto:oaut=
h@ietf.org">
oauth@ietf.org</a> WG<br>
<b>Subject:</b> Re: [OAUTH-WG] Need for Extending OAuth with AuthN (was Re:=
 Fwd: New Version Notification for draft-hunt-oauth-v2-user-a4c-00.txt)</sp=
an></p>
</div>
</div>
<div>&nbsp;<br class=3D"webkit-block-placeholder">
</div>
<p class=3D"MsoNormal">Tony, you can already return the authn result from t=
he token request (we discussed this specifically in May as I recall). That'=
s what the &quot;idtoken&quot; and &quot;code idtoken&quot; responses are f=
or in OpenID Connect. The proposed draft is nearly a duplicate
 of the core functionality of OIDC. </p>
<div>
<div>&nbsp;<br class=3D"webkit-block-placeholder">
</div>
</div>
<div>
<p class=3D"MsoNormal">&nbsp;-- Justin</p>
</div>
<div>
<div>&nbsp;<br class=3D"webkit-block-placeholder">
</div>
<div>
<div>
<p class=3D"MsoNormal">On Aug 1, 2013, at 7:31 AM, Anthony Nadalin &lt;<a h=
ref=3D"mailto:tonynad@microsoft.com">tonynad@microsoft.com</a>&gt;</p>
</div>
<div>
<p class=3D"MsoNormal">&nbsp;wrote:</p>
</div>
<p class=3D"MsoNormal"><br>
<br>
</p>
<blockquote style=3D"margin-top:5.0pt;margin-bottom:5.0pt">
<div>
<div>
<p class=3D"MsoNormal"><span style=3D"font-size:11.0pt;font-family:&quot;Ca=
libri&quot;,&quot;sans-serif&quot;;color:#1f497d">The proposal does not dup=
licate what OpenID does, there is clear benefit for returning an authentica=
tion result in the token request result. This is being proposed
 as optional JSON structure.</span></p>
</div>
<div>
<div><span style=3D"font-size:11.0pt;font-family:&quot;Calibri&quot;,&quot;=
sans-serif&quot;;color:#1f497d">&nbsp;</span><br class=3D"webkit-block-plac=
eholder">
</div>
</div>
<div>
<div style=3D"border:none;border-top:solid #e1e1e1 1.0pt;padding:3.0pt 0in =
0in 0in">
<div>
<p class=3D"MsoNormal"><b><span style=3D"font-size:11.0pt;font-family:&quot=
;Calibri&quot;,&quot;sans-serif&quot;">From:</span></b><span class=3D"apple=
-converted-space"><span style=3D"font-size:11.0pt;font-family:&quot;Calibri=
&quot;,&quot;sans-serif&quot;">&nbsp;</span></span><span style=3D"font-size=
:11.0pt;font-family:&quot;Calibri&quot;,&quot;sans-serif&quot;"><a href=3D"=
mailto:oauth-bounces@ietf.org"><span style=3D"color:purple">oauth-bounces@i=
etf.org</span></a><span class=3D"apple-converted-space">&nbsp;</span>[mailt=
o:<a href=3D"mailto:oauth-">oauth-</a><a href=3D"mailto:bounces@ietf.org"><=
span style=3D"color:purple">bounces@ietf.org</span></a>]<span class=3D"appl=
e-converted-space">&nbsp;</span><b>On
 Behalf Of<span class=3D"apple-converted-space">&nbsp;</span></b>Bill Mills=
<br>
<b>Sent:</b><span class=3D"apple-converted-space">&nbsp;</span>Wednesday, J=
uly 31, 2013 2:50 PM<br>
<b>To:</b><span class=3D"apple-converted-space">&nbsp;</span>Prateek Mishra=
; Nat Sakimura<br>
<b>Cc:</b><span class=3D"apple-converted-space">&nbsp;</span><a href=3D"mai=
lto:oauth@ietf.org"><span style=3D"color:purple">oauth@ietf.org</span></a><=
span class=3D"apple-converted-space">&nbsp;</span>WG<br>
<b>Subject:</b><span class=3D"apple-converted-space">&nbsp;</span>Re: [OAUT=
H-WG] Need for Extending OAuth with AuthN (was Re: Fwd: New Version Notific=
ation for draft-hunt-oauth-v2-user-a4c-00.txt)</span></p>
</div>
</div>
</div>
<div>
<div>&nbsp;<br class=3D"webkit-block-placeholder">
</div>
</div>
<div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white"><span style=3D"font-famil=
y:&quot;Courier New&quot;">Rather than extending OAuth for something OpenID=
 already does... &nbsp;why don't we get a simple informational example doc =
to show how to implement the most basic OpenID service,
 which is the same functionality on a standard that's already written?</spa=
n></p>
</div>
</div>
<div>
<div>
<div><span style=3D"font-family:&quot;Courier New&quot;">&nbsp;</span><br c=
lass=3D"webkit-block-placeholder">
</div>
</div>
</div>
<div>
<div>
<p class=3D"MsoNormal"><span style=3D"font-family:&quot;Courier New&quot;">=
This is sounding more and more like a documentation problem.</span></p>
</div>
</div>
<div>
<div>
<div style=3D"background-color: white; background-position: initial initial=
; background-repeat: initial initial; ">
<span style=3D"font-family:&quot;Courier New&quot;">&nbsp;</span><br class=
=3D"webkit-block-placeholder">
</div>
</div>
</div>
<div>
<div>
<div class=3D"MsoNormal" align=3D"center" style=3D"text-align:center;backgr=
ound:white">
<hr size=3D"1" width=3D"100%" align=3D"center">
</div>
<div>
<p class=3D"MsoNormal" style=3D"background:white"><b><span style=3D"font-si=
ze:10.0pt;font-family:&quot;Arial&quot;,&quot;sans-serif&quot;">From:</span=
></b><span class=3D"apple-converted-space"><span style=3D"font-size:10.0pt;=
font-family:&quot;Arial&quot;,&quot;sans-serif&quot;">&nbsp;</span></span><=
span style=3D"font-size:10.0pt;font-family:&quot;Arial&quot;,&quot;sans-ser=
if&quot;">Prateek
 Mishra &lt;<a href=3D"mailto:prateek.mishra@oracle.com"><span style=3D"col=
or:purple">prateek.mishra@oracle.com</span></a>&gt;<br>
<b>To:</b><span class=3D"apple-converted-space">&nbsp;</span>Nat Sakimura &=
lt;<a href=3D"mailto:sakimura@gmail.com"><span style=3D"color:purple">sakim=
ura@gmail.com</span></a>&gt;<span class=3D"apple-converted-space">&nbsp;</s=
pan><br>
<b>Cc:</b><span class=3D"apple-converted-space">&nbsp;</span>&quot;<a href=
=3D"mailto:oauth@ietf.org%20WG"><span style=3D"color:purple">oauth@ietf.org=
 WG</span></a>&quot; &lt;<a href=3D"mailto:oauth@ietf.org"><span style=3D"c=
olor:purple">oauth@ietf.org</span></a>&gt;<span class=3D"apple-converted-sp=
ace">&nbsp;</span><br>
<b>Sent:</b><span class=3D"apple-converted-space">&nbsp;</span>Wednesday, J=
uly 31, 2013 2:38 PM<br>
<b>Subject:</b><span class=3D"apple-converted-space">&nbsp;</span>[OAUTH-WG=
] Need for Extending OAuth with AuthN (was Re: Fwd: New Version Notificatio=
n for draft-hunt-oauth-v2-user-a4c-00.txt)</span></p>
</div>
</div>
<div>
<div>
<div style=3D"background-color: white; background-position: initial initial=
; background-repeat: initial initial; ">
&nbsp;<br class=3D"webkit-block-placeholder">
</div>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">Nat -<span class=3D"apple=
-converted-space">&nbsp;</span><br>
<br>
thanks for the detailed response. I did review the links you sent out but i=
t remained unclear to me which<br>
features are MTI and which are not. For example, there is nothing in the Ba=
sic Client Profile that suggests<br>
that Section 2.3 is optional. I also could not find any definition for &quo=
t; non-dynamic OpenID Connect Server&quot;.<br>
<br>
I don't think there is a need to duplicate portions of the draft specificat=
ion text in a new document. One solution<br>
that was used in SAML 2.0 was to define a conformance document which descri=
bed several different<span class=3D"apple-converted-space">&nbsp;</span><br=
>
operational modes and explained how only a small set of features needed to =
be implemented in certain modes.<br>
<br>
<a href=3D"http://docs.oasis-open.org/security/saml/v2.0/saml-conformance-2=
.0-os.pdf" target=3D"_blank"><span style=3D"color:purple">http://docs.oasis=
-open.org/security/saml/v2.0/saml-conformance-2.0-os.pdf</span></a><br>
<br>
There are probably other smarter ways to achieve the same effect.<br>
<br>
Given this situation, I do think it's a reasonable task for the OAuth commu=
nity to consider the need for<span class=3D"apple-converted-space">&nbsp;</=
span><br>
a minimal extension to OAuth that accommodates authentication. The communit=
y should be made aware that<span class=3D"apple-converted-space">&nbsp;</sp=
an><br>
RFC 6749 is being misused for federated authentication, as explained in&nbs=
p; -&nbsp;<span class=3D"apple-converted-space">&nbsp;</span><br>
<br>
<a href=3D"http://www.independentid.com/2013/07/simple-authentication-for-o=
auth-2-what.html" target=3D"_blank"><span style=3D"color:purple">http://www=
.independentid.com/2013/07/simple-authentication-for-oauth-2-what.html</spa=
n></a><span class=3D"apple-converted-space">&nbsp;</span><br>
<br>
and that there doesn't appear to be a simple solution that is currently ava=
ilable. It would be great if it turned<br>
out that OpenID Connect offered such a solution but that isn't clear to me.=
<br>
<br>
Thx,<br>
prateek</p>
</div>
<div>
<div>
<div style=3D"background-color: white; background-position: initial initial=
; background-repeat: initial initial; ">
&nbsp;<br class=3D"webkit-block-placeholder">
</div>
</div>
</div>
<blockquote style=3D"margin-top:5.0pt;margin-bottom:5.0pt">
<div>
<div style=3D"background-color: white; background-position: initial initial=
; background-repeat: initial initial; ">
&nbsp;<br class=3D"webkit-block-placeholder">
</div>
</div>
<div>
<p class=3D"MsoNormal" style=3D"margin-bottom:12.0pt;background:white;backg=
round-repeat:initial initial">
Inline:&nbsp;</p>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">2013/7/31 Prateek Mishra =
&lt;<a href=3D"mailto:prateek.mishra@oracle.com" target=3D"_blank"><span st=
yle=3D"color:purple">prateek.mishra@oracle.com</span></a>&gt;</p>
</div>
<blockquote style=3D"border:none;border-left:solid #cccccc 1.0pt;padding:0i=
n 0in 0in 6.0pt;margin-left:4.8pt;margin-top:5.0pt;margin-right:0in;margin-=
bottom:5.0pt">
<div>
<p class=3D"MsoNormal" style=3D"background:white">Nat -<span class=3D"apple=
-converted-space">&nbsp;</span><br>
<br>
your blog posting is helpful to those of us who are looking for a minimal e=
xtension of OAuth with<span class=3D"apple-converted-space">&nbsp;</span><b=
r>
an authenticator.&nbsp; Many implementors are seeking a modest extension of=
 OAuth, not an entire new protocol<br>
stack. &nbsp; I believe that is the point of Phil Hunt's proposal to the OA=
uth committee.<br>
<br>
I do have some questions about the statements made in the blog -<span c=
lass=3D"apple-converted-space">&nbsp;</span><br>
<br>
A) Can you direct me to a single OpenID Connect draft specification documen=
t where steps 1 and 2 are described?</p>
</div>
</blockquote>
<div>
<div>
<div style=3D"background-color: white; background-position: initial initial=
; background-repeat: initial initial; ">
&nbsp;<br class=3D"webkit-block-placeholder">
</div>
</div>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">Actually, it is not a sin=
gle spec, that the Standard is referencing others.&nbsp;</p>
</div>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">The Standard is kind of c=
luttered because it has 6 response types and three request types in it.&nbs=
p;</p>
</div>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">I suppose it would be muc=
h easier for the readers to split them into coherent pieces, though that me=
ans duplicate texts.&nbsp;</p>
</div>
</div>
<div>
<div>
<div style=3D"background-color: white; background-position: initial initial=
; background-repeat: initial initial; ">
&nbsp;<br class=3D"webkit-block-placeholder">
</div>
</div>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">The easiest approach here=
 is to read the Basic Client Profile.&nbsp;<a href=3D"http://openid.net/spe=
cs/openid-connect-basic-1_0-28.html" target=3D"_blank"><span style=3D"color=
:purple">http://openid.net/specs/openid-connect-basic-1_0-28.html</span></a=
></p>
</div>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">Then, read&nbsp;OAuth 2.0=
 Multiple Response Type Encoding Practices&nbsp;<a href=3D"http://openid.ne=
t/specs/oauth-v2-multiple-response-types-1_0-08.html" target=3D"_blank"><sp=
an style=3D"color:purple">http://openid.net/specs/oauth-v2-multiple-respons=
e-types-1_0-08.html</span></a>&nbsp;.&nbsp;</p>
</div>
</div>
<div>
<div>
<div style=3D"background-color: white; background-position: initial initial=
; background-repeat: initial initial; ">
&nbsp;<br class=3D"webkit-block-placeholder">
</div>
</div>
</div>
<blockquote style=3D"border:none;border-left:solid #cccccc 1.0pt;padding:0i=
n 0in 0in 6.0pt;margin-left:4.8pt;margin-top:5.0pt;margin-right:0in;margin-=
bottom:5.0pt">
<div>
<p class=3D"MsoNormal" style=3D"background:white"><br>
B) If I implement steps 1 and 2, do I then have a conformant OpenID Connect=
 implementation? Are there no<span class=3D"apple-converted-space">&nbsp;</=
span><br>
other MTI protocol exchanges in OpenID Connect?</p>
</div>
</blockquote>
<div>
<div>
<div style=3D"background-color: white; background-position: initial initial=
; background-repeat: initial initial; ">
&nbsp;<br class=3D"webkit-block-placeholder">
</div>
</div>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">Yes, for a non-dynamic Op=
enID Connect Server.&nbsp;</p>
</div>
</div>
<div>
<div>
<div style=3D"background-color: white; background-position: initial initial=
; background-repeat: initial initial; ">
&nbsp;<br class=3D"webkit-block-placeholder">
</div>
</div>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">Nat</p>
</div>
</div>
<div>
<div>
<div style=3D"background-color: white; background-position: initial initial=
; background-repeat: initial initial; ">
&nbsp;&nbsp;<br class=3D"webkit-block-placeholder">
</div>
</div>
</div>
<blockquote style=3D"border:none;border-left:solid #cccccc 1.0pt;padding:0i=
n 0in 0in 6.0pt;margin-left:4.8pt;margin-top:5.0pt;margin-right:0in;margin-=
bottom:5.0pt">
<div>
<p class=3D"MsoNormal" style=3D"background:white"><br>
Thanks,<br>
prateek</p>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white"><br>
<br>
&nbsp; &nbsp;</p>
</div>
<div>
<div>
<div style=3D"background-color: white; background-position: initial initial=
; background-repeat: initial initial; ">
&nbsp;<br class=3D"webkit-block-placeholder">
</div>
</div>
</div>
<blockquote style=3D"margin-top:5.0pt;margin-bottom:5.0pt">
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">I have written a short bl=
og post titled &quot;<a href=3D"http://nat.sakimura.org/2013/07/28/write-op=
enid-connect-server-in-three-simple-steps/" target=3D"_blank"><span style=
=3D"color:purple">Write an OpenID Connect server
 in three simple steps</span></a>&quot;.&nbsp;</p>
</div>
<div>
<div>
<div style=3D"background-color: white; background-position: initial initial=
; background-repeat: initial initial; ">
&nbsp;<br class=3D"webkit-block-placeholder">
</div>
</div>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">Really, there is not much=
 you need to do on top of OAuth 2.0.&nbsp;</p>
</div>
</div>
<div>
<div>
<div style=3D"background-color: white; background-position: initial initial=
; background-repeat: initial initial; ">
&nbsp;<br class=3D"webkit-block-placeholder">
</div>
</div>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">It puzzles me why you nee=
d to create a draft with only minor variances in parameter names.&nbsp;</p>
</div>
</div>
<div>
<div>
<div style=3D"background-color: white; background-position: initial initial=
; background-repeat: initial initial; ">
&nbsp;<br class=3D"webkit-block-placeholder">
</div>
</div>
</div>
<blockquote style=3D"margin-left:30.0pt;margin-top:5.0pt;margin-right:0in;m=
argin-bottom:5.0pt">
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">e.g.,&nbsp;</p>
</div>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">session instead of id_tok=
en</p>
</div>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">lat instead of iat</p>
</div>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">alv instead of acr</p>
</div>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">etc.&nbsp;</p>
</div>
</div>
</blockquote>
<div>
<div>
<div style=3D"background-color: white; background-position: initial initial=
; background-repeat: initial initial; ">
&nbsp;<br class=3D"webkit-block-placeholder">
</div>
</div>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">If you change those param=
eter names, you will have a conformant profile of OpenID Connect.&nbsp;</p>
</div>
</div>
<div>
<div>
<div style=3D"background-color: white; background-position: initial initial=
; background-repeat: initial initial; ">
&nbsp;<br class=3D"webkit-block-placeholder">
</div>
</div>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">Nat</p>
</div>
</div>
</div>
<div>
<div style=3D"margin-bottom: 12pt; background-color: white; background-posi=
tion: initial initial; background-repeat: initial initial; ">
&nbsp;<br class=3D"webkit-block-placeholder">
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">2013/7/31 John Bradley &l=
t;<a href=3D"mailto:ve7jtb@ve7jtb.com" target=3D"_blank"><span style=3D"col=
or:purple">ve7jtb@ve7jtb.com</span></a>&gt;</p>
</div>
<blockquote style=3D"border:none;border-left:solid #cccccc 1.0pt;padding:0i=
n 0in 0in 6.0pt;margin-left:4.8pt;margin-top:5.0pt;margin-right:0in;margin-=
bottom:5.0pt">
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">Connect doesn't require a=
 userinfo endpoint. &nbsp; It is required for interoperability if you are b=
uilding an open IdP. &nbsp; For an enterprise type deployment discovery, re=
gistration, userinfo are all optional.</p>
</div>
<div>
<div>
<div style=3D"background-color: white; background-position: initial initial=
; background-repeat: initial initial; ">
&nbsp;<br class=3D"webkit-block-placeholder">
</div>
</div>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">The server is required to=
 pass the nonce which is equivalent to a request ID through to the JWT if t=
he client sends it in the request.</p>
</div>
</div>
<div>
<div>
<div style=3D"background-color: white; background-position: initial initial=
; background-repeat: initial initial; ">
&nbsp;<br class=3D"webkit-block-placeholder">
</div>
</div>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">Justin is correct.</p>
</div>
</div>
<div>
<div>
<div style=3D"background-color: white; background-position: initial initial=
; background-repeat: initial initial; ">
&nbsp;<br class=3D"webkit-block-placeholder">
</div>
</div>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">John B.</p>
</div>
<div>
<div>
<div style=3D"background-color: white; background-position: initial initial=
; background-repeat: initial initial; ">
&nbsp;<br class=3D"webkit-block-placeholder">
</div>
</div>
<div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">On 2013-07-30, at 5:30 PM=
, Phil Hunt &lt;<a href=3D"mailto:phil.hunt@oracle.com" target=3D"_blank"><=
span style=3D"color:purple">phil.hunt@oracle.com</span></a>&gt; wrote:</p>
</div>
</div>
<div>
<p class=3D"MsoNormal" style=3D"background:white"><br>
<br>
<br>
</p>
</div>
<blockquote style=3D"margin-top:5.0pt;margin-bottom:5.0pt">
<div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">Forgot reply all.<br>
<br>
Phil</p>
</div>
</div>
<div>
<p class=3D"MsoNormal" style=3D"margin-bottom:12.0pt;background:white;backg=
round-repeat:initial initial">
<br>
Begin forwarded message:</p>
</div>
<blockquote style=3D"margin-top:5.0pt;margin-bottom:5.0pt">
<p class=3D"MsoNormal" style=3D"margin-bottom:12.0pt;background:white;backg=
round-repeat:initial initial">
<b>From:</b><span class=3D"apple-converted-space">&nbsp;</span>Phil Hunt &l=
t;<a href=3D"mailto:phil.hunt@oracle.com" target=3D"_blank"><span style=3D"=
color:purple">phil.hunt@oracle.com</span></a>&gt;<br>
<b>Date:</b><span class=3D"apple-converted-space">&nbsp;</span>30 July, 201=
3 17:25:46 GMT&#43;02:00<br>
<b>To:</b><span class=3D"apple-converted-space">&nbsp;</span>&quot;Richer, =
Justin P.&quot; &lt;<a href=3D"mailto:jricher@mitre.org" target=3D"_blank">=
<span style=3D"color:purple">jricher@mitre.org</span></a>&gt;<br>
<b>Subject:</b><span class=3D"apple-converted-space">&nbsp;</span><b>Re: [O=
AUTH-WG] New Version Notification for draft-hunt-oauth-v2-user-a4c-00.txt</=
b></p>
</blockquote>
<blockquote style=3D"margin-top:5.0pt;margin-bottom:5.0pt">
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">The whole point is authn =
only. Many do not want or need the userinfo endpoint.&nbsp;<br>
<br>
Phil</p>
</div>
</div>
<div>
<p class=3D"MsoNormal" style=3D"margin-bottom:12.0pt;background:white;backg=
round-repeat:initial initial">
<br>
On 2013-07-30, at 17:17, &quot;Richer, Justin P.&quot; &lt;<a href=3D"mailt=
o:jricher@mitre.org" target=3D"_blank"><span style=3D"color:purple">jricher=
@mitre.org</span></a>&gt; wrote:</p>
</div>
<blockquote style=3D"margin-top:5.0pt;margin-bottom:5.0pt">
<div>
<p class=3D"MsoNormal" style=3D"background:white">What do you mean? You abs=
olutely can implement a compliant OIDC server nearly as simply as this. The=
 things that you're missing I think are necessary for basic interoperable f=
unctionality, and are things that other
 folks using OAuth for authentication have also implemented. Namely:</p>
</div>
<div>
<div>
<div style=3D"background-color: white; background-position: initial initial=
; background-repeat: initial initial; ">
&nbsp;<br class=3D"webkit-block-placeholder">
</div>
</div>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">&nbsp;- Signing the ID to=
ken (OIDC specifies the RS256 flavor of JWS, which is easy to do with JWT).=
 Without a signed and verifiable ID token or equivalent, you're asking for =
all kinds of token injection problems.</p>
</div>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">&nbsp;- Session managemen=
t requests (max auth age, auth time)</p>
</div>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">&nbsp;- Not fall over wit=
h other parameters that you don't support (display, prompt, etc).</p>
</div>
</div>
<div>
<div>
<div style=3D"background-color: white; background-position: initial initial=
; background-repeat: initial initial; ">
&nbsp;<br class=3D"webkit-block-placeholder">
</div>
</div>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">See here for more informa=
tion:</p>
</div>
</div>
<div>
<div>
<div style=3D"background-color: white; background-position: initial initial=
; background-repeat: initial initial; ">
&nbsp;<br class=3D"webkit-block-placeholder">
</div>
</div>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">&nbsp;<a href=3D"http://o=
penid.net/specs/openid-connect-messages-1_0.html#ServerMTI" target=3D"_blan=
k"><span style=3D"color:purple">http://openid.net/specs/openid-connect-mess=
ages-1_0.html#ServerMTI</span></a></p>
</div>
</div>
<div>
<div>
<div style=3D"background-color: white; background-position: initial initial=
; background-repeat: initial initial; ">
&nbsp;<br class=3D"webkit-block-placeholder">
</div>
</div>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">Additionally, something t=
hat's really important to support is the User Info Endpoint, so you can act=
ually get user profile information beyond just the simple &quot;someone was=
 here&quot; claim -- this was the real value of
 Facebook Connect from an RP's perspective. Some people will probably want =
to use SCIM for this, too, and that's fine.</p>
</div>
</div>
<div>
<div>
<div style=3D"background-color: white; background-position: initial initial=
; background-repeat: initial initial; ">
&nbsp;<br class=3D"webkit-block-placeholder">
</div>
</div>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">&nbsp;-- Justin</p>
</div>
</div>
<div>
<div>
<div style=3D"background-color: white; background-position: initial initial=
; background-repeat: initial initial; ">
&nbsp;<br class=3D"webkit-block-placeholder">
</div>
</div>
<div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">On Jul 30, 2013, at 10:54=
 AM, Phil Hunt &lt;<a href=3D"mailto:phil.hunt@oracle.com" target=3D"_blank=
"><span style=3D"color:purple">phil.hunt@oracle.com</span></a>&gt;</p>
</div>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">&nbsp;wrote:</p>
</div>
</div>
<div>
<p class=3D"MsoNormal" style=3D"background:white"><br>
<br>
<br>
</p>
</div>
<blockquote style=3D"margin-top:5.0pt;margin-bottom:5.0pt">
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">The oidc specs do not all=
ow this simple an implementation. The spec members have not shown interest =
in making changes as they say they are too far down the road.</p>
</div>
</div>
<div>
<div>
<div style=3D"background-color: white; background-position: initial initial=
; background-repeat: initial initial; ">
&nbsp;<br class=3D"webkit-block-placeholder">
</div>
</div>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">I have tried to make my d=
raft as close as possible to oidc but maybe it shouldn't be clarity wise. I=
 am interested in what the group feels is clearest.&nbsp;</p>
</div>
</div>
<div>
<div>
<div style=3D"background-color: white; background-position: initial initial=
; background-repeat: initial initial; ">
&nbsp;<br class=3D"webkit-block-placeholder">
</div>
</div>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">From an ietf perspective =
the concern is improper use of the 6749 for authn. Is this a bug or gap we =
need to address?<br>
<br>
Phil</p>
</div>
</div>
<div>
<p class=3D"MsoNormal" style=3D"margin-bottom:12.0pt;background:white;backg=
round-repeat:initial initial">
<br>
On 2013-07-30, at 16:46, &quot;Richer, Justin P.&quot; &lt;<a href=3D"mailt=
o:jricher@mitre.org" target=3D"_blank"><span style=3D"color:purple">jricher=
@mitre.org</span></a>&gt; wrote:</p>
</div>
<blockquote style=3D"margin-top:5.0pt;margin-bottom:5.0pt">
<div>
<p class=3D"MsoNormal" style=3D"background:white">From what I read, you've =
defined something that uses an OAuth 2 code flow to get an extra token whic=
h is specified as a JWT. You named it &quot;session_token&quot; instead of =
&quot;id_token&quot;, and you've left off the User Information
 Endpoint -- but other than that, this is exactly the Basic Client for Open=
ID Connect. In other words, if you change the names on things you've got OI=
DC, but without the capabilities to go beyond a very basic &quot;hey there'=
s a user here&quot; claim. This is the same
 place that OpenID 2.0 started, and it was very, very quickly extended with=
 SREG, AX, PAPE, and others for it to be useful in the real world of distri=
buted logins. You've also left out discovery and registration which are req=
uired for distributed deployments,
 but I'm guessing that those would be modular components that could be adde=
d in (like they are in OIDC).&nbsp;</p>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">I've heard complaints tha=
t OIDC is complicated, but it's really not. Yes, I agree that the giant sta=
ck of documents is intimidating and in my opinion it's a bit of a mess with=
 Messages and Standard split up (but
 I lost that argument years ago). However, at the core, you've got an OAuth=
2 authorization server that spits out access tokens and id tokens. The id t=
oken is a JWT with some known claims (iss, sub, etc) and is issued alongsid=
e the access token, and its audience
 is the *client* and not the *protected resource*. The access token is a re=
gular old access token and its format is undefined (so you can use it with =
an existing OAuth2 server setup, like we have), and it can be used at the U=
ser Info Endpoint to get profile
 information about the user who authenticated. It could also be used for ot=
her services if your AS/IdP protects multiple things.</p>
</div>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">So I guess what I'm missi=
ng is what's the value proposition in this spec when we have something that=
 can do this already? And this doesn't seem to do anything different (apart=
 from syntax changes)?</p>
</div>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">&nbsp;-- Justin</p>
</div>
</div>
<div>
<div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">On Jul 29, 2013, at 4:14 =
AM, Phil Hunt &lt;<a href=3D"mailto:phil.hunt@oracle.com" target=3D"_blank"=
><span style=3D"color:purple">phil.hunt@oracle.com</span></a>&gt; wrote:</p=
>
</div>
</div>
<blockquote style=3D"margin-top:5.0pt;margin-bottom:5.0pt">
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">FYI. &nbsp;I have been no=
ticing a substantial number of sites acting as OAuth Clients using OAuth to=
 authenticate users.</p>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">I know several of us have=
 blogged on the issue over the past year so I won't re-hash it here. &nbsp;=
In short, many of us recommended OIDC as the correct methodology.</p>
</div>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">Nevertheless, I've spoken=
 with a number of service providers who indicate they are not ready to make=
 the jump to OIDC, yet they agree there is a desire to support authenticati=
on only (whereas OIDC does IDP-like
 services).</p>
</div>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">This draft is intended as=
 a minimum authentication only specification. &nbsp;I've tried to make it a=
s compatible as possible with OIDC.</p>
</div>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">For now, I've just posted=
 to keep track of the issue so we can address at the next re-chartering.</p=
>
</div>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">Happy to answer questions=
 and discuss.&nbsp;</p>
</div>
</div>
<div>
<div>
<div>
<div>
<div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white"><span style=3D"font-size:=
9.0pt;font-family:&quot;Helvetica&quot;,&quot;sans-serif&quot;">Phil</span>=
</p>
</div>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white"><span style=3D"font-size:=
9.0pt;font-family:&quot;Helvetica&quot;,&quot;sans-serif&quot;">@independen=
tid</span></p>
</div>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white"><span style=3D"font-size:=
9.0pt;font-family:&quot;Helvetica&quot;,&quot;sans-serif&quot;"><a href=3D"=
http://www.independentid.com/" target=3D"_blank"><span style=3D"color:purpl=
e">www.independentid.com</span></a></span></p>
</div>
</div>
</div>
<p class=3D"MsoNormal" style=3D"margin-bottom:13.5pt;background:white;backg=
round-repeat:initial initial">
<span style=3D"font-size:13.5pt;font-family:&quot;Helvetica&quot;,&quot;san=
s-serif&quot;"><a href=3D"mailto:phil.hunt@oracle.com" target=3D"_blank"><s=
pan style=3D"color:purple">phil.hunt@oracle.com</span></a></span></p>
</div>
</div>
</div>
<div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">Begin forwarded message:<=
/p>
</div>
</div>
<blockquote style=3D"margin-top:5.0pt;margin-bottom:5.0pt">
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white"><b><span style=3D"font-si=
ze:13.5pt;font-family:&quot;Helvetica&quot;,&quot;sans-serif&quot;">From:</=
span></b><span style=3D"font-size:13.5pt;font-family:&quot;Helvetica&quot;,=
&quot;sans-serif&quot;"><a href=3D"mailto:internet-drafts@ietf.org" target=
=3D"_blank"><span style=3D"color:purple">internet-drafts@ietf.org</span></a=
></span></p>
</div>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white"><b><span style=3D"font-si=
ze:13.5pt;font-family:&quot;Helvetica&quot;,&quot;sans-serif&quot;">Subject=
: New Version Notification for draft-hunt-oauth-v2-user-a4c-00.txt</span></=
b></p>
</div>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white"><b><span style=3D"font-si=
ze:13.5pt;font-family:&quot;Helvetica&quot;,&quot;sans-serif&quot;">Date:</=
span></b><span style=3D"font-size:13.5pt;font-family:&quot;Helvetica&quot;,=
&quot;sans-serif&quot;">29 July, 2013 9:49:41 AM GMT&#43;02:00</span></p>
</div>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white"><b><span style=3D"font-si=
ze:13.5pt;font-family:&quot;Helvetica&quot;,&quot;sans-serif&quot;">To:</sp=
an></b><span style=3D"font-size:13.5pt;font-family:&quot;Helvetica&quot;,&q=
uot;sans-serif&quot;">Phil Hunt &lt;<a href=3D"mailto:phil.hunt@yahoo.com" =
target=3D"_blank"><span style=3D"color:purple">phil.hunt@yahoo.com</span></=
a>&gt;,
 Phil Hunt &lt;<a href=3D"mailto:None@ietfa.amsl.com" target=3D"_blank"><sp=
an style=3D"color:purple">None@ietfa.amsl.com</span></a>&gt;, Phil Hunt &lt=
;&gt;</span></p>
</div>
</div>
<div>
<p class=3D"MsoNormal" style=3D"margin-bottom:12.0pt;background:white;backg=
round-repeat:initial initial">
<br>
A new version of I-D, draft-hunt-oauth-v2-user-a4c-00.txt<br>
has been successfully submitted by Phil Hunt and posted to the<br>
IETF repository.<br>
<br>
Filename: draft-hunt-oauth-v2-user-a4c<br>
Revision: 00<br>
Title: OAuth 2.0 User Authentication For Client<br>
Creation date: 2013-07-29<br>
Group: Individual Submission<br>
Number of pages: 9<br>
URL: &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbs=
p;<a href=3D"http://www.ietf.org/internet-drafts/draft-hunt-oauth-v2-user-a=
4c-00.txt" target=3D"_blank"><span style=3D"color:purple">http://www.ietf.o=
rg/internet-drafts/draft-hunt-oauth-v2-user-a4c-00.txt</span></a><br>
Status: &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<a href=3D"ht=
tp://datatracker.ietf.org/doc/draft-hunt-oauth-v2-user-a4c" target=3D"_blan=
k"><span style=3D"color:purple">http://datatracker.ietf.org/doc/draft-hunt-=
oauth-v2-user-a4c</span></a><br>
Htmlized: &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<a href=3D"http://tools=
.ietf.org/html/draft-hunt-oauth-v2-user-a4c-00" target=3D"_blank"><span sty=
le=3D"color:purple">http://tools.ietf.org/html/draft-hunt-oauth-v2-user-a4c=
-00</span></a><br>
<br>
<br>
Abstract:<br>
&nbsp;&nbsp;This specification defines a new OAuth2 endpoint that enables u=
ser<br>
&nbsp;&nbsp;authentication session information to be shared with client<br>
&nbsp;&nbsp;applications.<br>
<br>
<br>
<br>
<br>
Please note that it may take a couple of minutes from the time of submissio=
n<br>
until the htmlized version and diff are available at <a href=3D"http://tools=
.ietf.org/" target=3D"_blank"><span style=3D"color:purple">tools.ietf.org</=
span></a>.<br>
<br>
The IETF Secretariat</p>
</div>
</blockquote>
</div>
</div>
</div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">_________________________=
______________________<br>
OAuth mailing list<br>
<a href=3D"mailto:OAuth@ietf.org" target=3D"_blank"><span style=3D"color:pu=
rple">OAuth@ietf.org</span></a><br>
<a href=3D"https://www.ietf.org/mailman/listinfo/oauth" target=3D"_blank"><=
span style=3D"color:purple">https://www.ietf.org/mailman/listinfo/oauth</sp=
an></a></p>
</div>
</blockquote>
</div>
</div>
</blockquote>
</blockquote>
</div>
</div>
</blockquote>
</blockquote>
</div>
</blockquote>
</div>
</div>
</div>
</div>
</blockquote>
</div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">--<span class=3D"apple-co=
nverted-space">&nbsp;</span><br>
Nat Sakimura (=3Dnat)</p>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">Chairman, OpenID Foundati=
on<br>
<a href=3D"http://nat.sakimura.org/" target=3D"_blank"><span style=3D"color=
:purple">http://nat.sakimura.org/</span></a><br>
@_nat_en</p>
</div>
</div>
</div>
</blockquote>
</div>
</blockquote>
</div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">--<span class=3D"apple-co=
nverted-space">&nbsp;</span><br>
Nat Sakimura (=3Dnat)</p>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">Chairman, OpenID Foundati=
on<br>
<a href=3D"http://nat.sakimura.org/" target=3D"_blank"><span style=3D"color=
:purple">http://nat.sakimura.org/</span></a><br>
@_nat_en</p>
</div>
</div>
</div>
</blockquote>
</div>
</div>
</div>
</div>
</div>
</blockquote>
</div>
</div>
</div>
</blockquote>
</div>
</blockquote>
</div>
<br>
</div>
</div>
</body>
</html>

--_000_8E6F38BAE6BF40E5818A45F506BB181Dmitreorg_--
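
Added example, not part of any message in this thread and not taken from an OpenID Connect implementation: the description quoted above of an ID token as a JWT with known claims (iss, sub) whose audience is the client, written as the check a client runs before treating the token as a login. It goes beyond the quoted text by also checking exp and nonce and by handling signed and unsigned tokens in one parser; HS256 is used only to keep the block short, and the issuer, client ids, key and claim values are constructed.

```python
import base64
import hashlib
import hmac
import json

class IdTokenError(Exception):
    """The token must not be used to log a user in."""

def b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def make_token(claims, key=None):
    """Build a constructed sample token: HS256 when a key is given, else unsigned."""
    header = {"alg": "HS256" if key else "none", "typ": "JWT"}
    signing_input = ".".join(
        b64url_encode(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, claims))
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest() if key else b""
    return signing_input + "." + b64url_encode(sig)

def parse_jwt(token, key=None, allow_unsigned=False):
    """One parser for signed and unsigned compact JWTs; returns the claims."""
    parts = token.split(".")
    if len(parts) != 3:
        raise IdTokenError("not a three-part compact JWT")
    try:
        header = json.loads(b64url_decode(parts[0]))
        claims = json.loads(b64url_decode(parts[1]))
        signature = b64url_decode(parts[2])
    except ValueError as exc:  # bad base64, bad UTF-8 or bad JSON
        raise IdTokenError("malformed token") from exc
    if not isinstance(header, dict) or not isinstance(claims, dict):
        raise IdTokenError("header and claims must be JSON objects")
    alg = header.get("alg")
    if alg == "HS256" and key is not None:
        mac = hmac.new(key, (parts[0] + "." + parts[1]).encode(), hashlib.sha256)
        if not hmac.compare_digest(mac.digest(), signature):
            raise IdTokenError("signature mismatch")
    elif alg == "none" and allow_unsigned and parts[2] == "":
        pass  # unsigned is accepted only when the caller opted in
    else:
        raise IdTokenError("alg %r not acceptable here" % (alg,))
    return claims

def validate_id_token(claims, issuer, client_id, nonce, now):
    """Claim checks that make the token a login assertion for this client."""
    if claims.get("iss") != issuer:
        raise IdTokenError("unexpected issuer")
    aud = claims.get("aud")
    if client_id not in (aud if isinstance(aud, list) else [aud]):
        raise IdTokenError("token audience is not this client")
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or now >= exp:
        raise IdTokenError("token expired or exp missing")
    if nonce is not None and claims.get("nonce") != nonce:
        raise IdTokenError("nonce does not match the authorization request")
    sub = claims.get("sub")
    if not isinstance(sub, str) or not sub:
        raise IdTokenError("missing sub")
    return sub

# Constructed sample values, not taken from the thread.
ISSUER = "https://as.example.com"
CLIENT_ID = "client-a"
KEY = b"constructed-demo-secret"
NOW = 1375341057
BASE = {"iss": ISSUER, "sub": "user-123", "aud": CLIENT_ID,
        "exp": NOW + 300, "nonce": "n-0S6"}

def outcome(token, key=None, allow_unsigned=False):
    """Return the authenticated subject, or the reason the token was refused."""
    try:
        claims = parse_jwt(token, key=key, allow_unsigned=allow_unsigned)
        return validate_id_token(claims, ISSUER, CLIENT_ID, "n-0S6", NOW)
    except IdTokenError as exc:
        return "rejected: %s" % exc

def demo():
    return {
        "signed": outcome(make_token(BASE, KEY), key=KEY),
        "wrong_audience": outcome(make_token(dict(BASE, aud="client-b"), KEY), key=KEY),
        "unsigned_default": outcome(make_token(BASE), key=KEY),
        "unsigned_opt_in": outcome(make_token(BASE), allow_unsigned=True),
        "nonce_mismatch": outcome(make_token(dict(BASE, nonce="stale"), KEY), key=KEY),
    }

if __name__ == "__main__":
    for name, result in demo().items():
        print(name, "->", result)
```

Unsigned tokens are refused unless the caller opts in, which is only reasonable when the token came directly from the token endpoint over TLS.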

From tonynad@microsoft.com  Thu Aug  1 07:26:41 2013
Return-Path: <tonynad@microsoft.com>
From: Anthony Nadalin <tonynad@microsoft.com>
To: "Richer, Justin P." <jricher@mitre.org>, Nat Sakimura <sakimura@gmail.com>
Date: Thu, 1 Aug 2013 14:24:44 +0000
Message-ID: <f4b99e49fbdd4e22b19391cdb720b15d@BY2PR03MB189.namprd03.prod.outlook.com>
References: <787A2184-CE90-49F4-ABB6-B8D049AE3941@oracle.com> <E2282016-1953-48A4-B0AC-7F138D29AB80@oracle.com> <BAB6DA63-5831-49D0-8CB9-13CF57F78806@ve7jtb.com> <CABzCy2C=DXtFUOZh=55xH_BwMz1Z8gb2ShUHAG7ZmATtc4E4zw@mail.gmail.com> <51F83EF7.6040201@oracle	<51F983E3.1020400@oracle.com> <1375307375.98370.YahooMailNeo@web142804.mail.bf1.yahoo.com> <5c5c607231e644f697c5a60b75688013@BY2PR03MB189.namprd03.prod.outlook.com> <5D020B1E-531D-444E-A492-046D444D48D2@mitre.org> <e68801da9fa547c69fee43b9cd7b22b8@BY2PR03MB189.namprd03.prod.outlook.com> <2117136733141454493@unknownmsgid> <8E6F38BA-E6BF-40E5-818A-45F506BB181D@mitre.org>
In-Reply-To: <8E6F38BA-E6BF-40E5-818A-45F506BB181D@mitre.org>
Content-Type: multipart/alternative; boundary="_000_f4b99e49fbdd4e22b19391cdb720b15dBY2PR03MB189namprd03pro_"
MIME-Version: 1.0
Cc: "oauth@ietf.org WG" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Need for Extending OAuth with AuthN (was Re: Fwd: New Version Notification for draft-hunt-oauth-v2-user-a4c-00.txt)

--_000_f4b99e49fbdd4e22b19391cdb720b15dBY2PR03MB189namprd03pro_
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable

I believe it beneficial to have a common format and common values, and 1 way to handle the format and values. I believe that having this in oauth is beneficial, I believe that it would also be beneficial for OpenID if this were in oauth. There are cases for signed and unsigned formats.

From: Richer, Justin P. [mailto:jricher@mitre.org]
Sent: Thursday, August 1, 2013 7:15 AM
To: Nat Sakimura
Cc: Anthony Nadalin; Bill Mills; Prateek Mishra; oauth@ietf.org WG
Subject: Re: [OAUTH-WG] Need for Extending OAuth with AuthN (was Re: Fwd: New Version Notification for draft-hunt-oauth-v2-user-a4c-00.txt)

Also, it's (optionally) a token in the proposed document we're discussing (§2.4.1), which means there are two ways to parse the same information. OIDC uses JWTs for everything, signed and unsigned. This means that OIDC is actually simpler from an implementation perspective, wouldn't you say? Instead of having two parsers, you have one to cover both cases.

(And given your tendency to throw signed assertions at every problem, I would have thought that you'd prefer this anyway.)

 -- Justin

On Aug 1, 2013, at 9:40 AM, Nat Sakimura <sakimura@gmail.com> wrote:


Yes, it is a Token.
No, it does not have to be signed.

As to be a token or not to be a token question, it has been discussed in the WG before, and if I remember correctly,  Microsoft argued for token saying that it is just base64 decoding and I lost there.
Nat

On Aug 1, 2013, at 14:24, Anthony Nadalin <tonynad@microsoft.com> wrote:
You can't do this, first openid uses a token and second it's signed, third there is no specification to just return an authentication JSON structure

From: Richer, Justin P. [mailto:jricher@mitre.org]
Sent: Thursday, August 1, 2013 5:15 AM
To: Anthony Nadalin
Cc: Bill Mills; Prateek Mishra; Nat Sakimura; oauth@ietf.org WG
Subject: Re: [OAUTH-WG] Need for Extending OAuth with AuthN (was Re: Fwd: New Version Notification for draft-hunt-oauth-v2-user-a4c-00.txt)

Tony, you can already return the authn result from the token request (we discussed this specifically in May as I recall). That's what the "idtoken" and "code idtoken" responses are for in OpenID Connect. The proposed draft is nearly a duplicate of the core functionality of OIDC.

 -- Justin

On Aug 1, 2013, at 7:31 AM, Anthony Nadalin <tonynad@microsoft.com> wrote:

The proposal does not duplicate what OpenID does, there is clear benefit for returning an authentication result in the token request result. This is being proposed as optional JSON structure.

From: oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] On Behalf Of Bill Mills
Sent: Wednesday, July 31, 2013 2:50 PM
To: Prateek Mishra; Nat Sakimura
Cc: oauth@ietf.org WG
Subject: Re: [OAUTH-WG] Need for Extending OAuth with AuthN (was Re: Fwd: New Version Notification for draft-hunt-oauth-v2-user-a4c-00.txt)

Rather than extending OAuth for something OpenID already does...  why don't we get a simple informational example doc to show how to implement the most basic OpenID service, which is the same functionality on a standard that's already written?

This is sounding more and more like a documentation problem.

________________________________
From: Prateek Mishra <prateek.mishra@oracle.com>
To: Nat Sakimura <sakimura@gmail.com>
Cc: "oauth@ietf.org WG" <oauth@ietf.org>
Sent: Wednesday, July 31, 2013 2:38 PM
Subject: [OAUTH-WG] Need for Extending OAuth with AuthN (was Re: Fwd: New Version Notification for draft-hunt-oauth-v2-user-a4c-00.txt)

Nat -

thanks for the detailed response. I did review the links you sent out but it remained unclear to me which
features are MTI and which are not. For example, there is nothing in the Basic Client Profile that suggests
that Section 2.3 is optional. I also could not find any definition for "non-dynamic OpenID Connect Server".

I don't think there is a need to duplicate portions of the draft specification text in a new document. One solution
that was used in SAML 2.0 was to define a conformance document which described several different
operational modes and explained how only a small set of features needed to be implemented in certain modes.

http://docs.oasis-open.org/security/saml/v2.0/saml-conformance-2.0-os.pdf

There are probably other smarter ways to achieve the same effect.

Given this situation, I do think it's a reasonable task for the OAuth community to consider the need for
a minimal extension to OAuth that accommodates authentication. The community should be made aware that
RFC 6749 is being misused for federated authentication, as explained in  -

http://www.independentid.com/2013/07/simple-authentication-for-oauth-2-what.html

and that there doesn't appear to be a simple solution that is currently available. It would be great if it turned
out that OpenID Connect offered such a solution but that isn't clear to me.

Thx,
prateek


Inline:
2013/7/31 Prateek Mishra <prateek.mishra@oracle.com>
Nat -

your blog posting is helpful to those of us who are looking for a minimal extension of OAuth with
an authenticator.  Many implementors are seeking a modest extension of OAuth, not an entire new protocol
stack.   I believe that is the point of Phil Hunt's proposal to the OAuth committee.

I do have some questions about the statements made in the blog -

A) Can you direct me to a single OpenID Connect draft specification document where steps 1 and 2 are described?

Actually, it is not a single spec, that the Standard is referencing others.
The Standard is kind of cluttered because it has 6 response types and three request types in it.
I suppose it would be much easier for the readers to split them into coherent pieces, though that means duplicate texts.

The easiest approach here is to read the Basic Client Profile. http://openid.net/specs/openid-connect-basic-1_0-28.html
Then, read OAuth 2.0 Multiple Response Type Encoding Practices http://openid.net/specs/oauth-v2-multiple-response-types-1_0-08.html .


B) If I implement steps 1 and 2, do I then have a conformant OpenID Connect implementation? Are there no
other MTI protocol exchanges in OpenID Connect?

Yes, for a non-dynamic OpenID Connect Server.

Nat


Thanks,
prateek




I have written a short blog post titled "Write an OpenID Connect server in three simple steps<http://nat.sakimura.org/2013/07/28/write-openid-connect-server-in-three-simple-steps/>".

Really, there is not much you need to do on top of OAuth 2.0.

It puzzles me why you need to create a draft with only minor variances in parameter names.

e.g.,
session instead of id_token
lat instead of iat
alv instead of acr
etc.

If you change those parameter names, you will have a conformant profile of OpenID Connect.

Nat

2013/7/31 John Bradley <ve7jtb@ve7jtb.com>
Connect doesn't require a userinfo endpoint.   It is required for interoperability if you are building an open IdP.   For an enterprise type deployment discovery, registration, userinfo are all optional.

The server is required to pass the nonce which is equivalent to a request ID through to the JWT if the client sends it in the request.

Justin is correct.

John B.

On 2013-07-30, at 5:30 PM, Phil Hunt <phil.hunt@oracle.com> wrote:


Forgot reply all.

Phil

Begin forwarded message:
From: Phil Hunt <phil.hunt@oracle.com>
Date: 30 July, 2013 17:25:46 GMT+02:00
To: "Richer, Justin P." <jricher@mitre.org>
Subject: Re: [OAUTH-WG] New Version Notification for draft-hunt-oauth-v2-user-a4c-00.txt

The whole point is authn only. Many do not want or need the userinfo endpoint.

Phil

On 2013-07-30, at 17:17, "Richer, Justin P." <jricher@mitre.org> wrote:
What do you mean? You absolutely can implement a compliant OIDC server nearly as simply as this. The things that you're missing I think are necessary for basic interoperable functionality, and are things that other folks using OAuth for authentication have also implemented. Namely:

 - Signing the ID token (OIDC specifies the RS256 flavor of JWS, which is easy to do with JWT). Without a signed and verifiable ID token or equivalent, you're asking for all kinds of token injection problems.
 - Session management requests (max auth age, auth time)
 - Not fall over with other parameters that you don't support (display, prompt, etc).

See here for more information:

 http://openid.net/specs/openid-connect-messages-1_0.html#ServerMTI

Additionally, something that's really important to support is the User Info Endpoint, so you can actually get user profile information beyond just the simple "someone was here" claim -- this was the real value of Facebook Connect from an RP's perspective. Some people will probably want to use SCIM for this, too, and that's fine.

 -- Justin

On Jul 30, 2013, at 10:54 AM, Phil Hunt <phil.hunt@oracle.com> wrote:

The oidc specs do not allow this simple an implementation. The spec members have not shown interest in making changes as they say they are too far down the road.

I have tried to make my draft as close as possible to oidc but maybe it shouldn't be clarity wise. I am interested in what the group feels is clearest.

From an ietf perspective the concern is improper use of the 6749 for authn. Is this a bug or gap we need to address?

Phil

On 2013-07-30, at 16:46, "Richer, Justin P." <jricher@mitre.org> wrote:
From what I read, you've defined something that uses an OAuth 2 code flow to get an extra token which is specified as a JWT. You named it "session_token" instead of "id_token", and you've left off the User Information Endpoint -- but other than that, this is exactly the Basic Client for OpenID Connect. In other words, if you change the names on things you've got OIDC, but without the capabilities to go beyond a very basic "hey there's a user here" claim. This is the same place that OpenID 2.0 started, and it was very, very quickly extended with SREG, AX, PAPE, and others for it to be useful in the real world of distributed logins. You've also left out discovery and registration which are required for distributed deployments, but I'm guessing that those would be modular components that could be added in (like they are in OIDC).

I've heard complaints that OIDC is complicated, but it's really not. Yes, I agree that the giant stack of documents is intimidating and in my opinion it's a bit of a mess with Messages and Standard split up (but I lost that argument years ago). However, at the core, you've got an OAuth2 authorization server that spits out access tokens and id tokens. The id token is a JWT with some known claims (iss, sub, etc) and is issued alongside the access token, and its audience is the *client* and not the *protected resource*. The access token is a regular old access token and its format is undefined (so you can use it with an existing OAuth2 server setup, like we have), and it can be used at the User Info Endpoint to get profile information about the user who authenticated. It could also be used for other services if your AS/IdP protects multiple things.

So I guess what I'm missing is what's the value proposition in this spec when we have something that can do this already? And this doesn't seem to do anything different (apart from syntax changes)?

 -- Justin

On Jul 29, 2013, at 4:14 AM, Phil Hunt <phil.hunt@oracle.com> wrote:


FYI.  I have been noticing a substantial number of sites acting as OAuth Clients using OAuth to authenticate users.

I know several of us have blogged on the issue over the past year so I won't re-hash it here.  In short, many of us recommended OIDC as the correct methodology.

Nevertheless, I've spoken with a number of service providers who indicate they are not ready to make the jump to OIDC, yet they agree there is a desire to support authentication only (whereas OIDC does IDP-like services).

This draft is intended as a minimum authentication only specification.  I've tried to make it as compatible as possible with OIDC.

For now, I've just posted to keep track of the issue so we can address at the next re-chartering.

Happy to answer questions and discuss.

Phil

@independentid
www.independentid.com
phil.hunt@oracle.com




Begin forwarded message:


From: internet-drafts@ietf.org
Subject: New Version Notification for draft-hunt-oauth-v2-user-a4c-00.txt
Date: 29 July, 2013 9:49:41 AM GMT+02:00
To: Phil Hunt <phil.hunt@yahoo.com>, Phil Hunt <None@ietfa.amsl.com>, Phil Hunt <>


A new version of I-D, draft-hunt-oauth-v2-user-a4c-00.txt
has been successfully submitted by Phil Hunt and posted to the
IETF repository.

Filename: draft-hunt-oauth-v2-user-a4c
Revision: 00
Title: OAuth 2.0 User Authentication For Client
Creation date: 2013-07-29
Group: Individual Submission
Number of pages: 9
URL:             http://www.ietf.org/internet-drafts/draft-hunt-oauth-v2-user-a4c-00.txt
Status:          http://datatracker.ietf.org/doc/draft-hunt-oauth-v2-user-a4c
Htmlized:        http://tools.ietf.org/html/draft-hunt-oauth-v2-user-a4c-00


Abstract:
  This specification defines a new OAuth2 endpoint that enables user
  authentication session information to be shared with client
  applications.




Please note that it may take a couple of minutes from the time of submission
until the htmlized version and diff are available at tools.ietf.org.

The IETF Secretariat

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth





--
Nat Sakimura (=nat)
Chairman, OpenID Foundation
http://nat.sakimura.org/
@_nat_en
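
The ID token checks discussed in this thread (RS256 signature, iss, aud naming the client, the nonce passed through from the request, exp, and max age against auth_time), as an added example that is not part of any message here or of any participant's code. The issuer URL, client id, nonce, claim values and the toy RSA key built from two Mersenne primes are all constructed, and requiring a nonce on every request is an assumption of this example.

```python
import base64, hashlib, hmac, json, time

# Constructed toy key: the modulus is the product of two Mersenne primes, which keeps
# the block deterministic and stdlib-only. It is not a usable production key.
P, Q, E = 2**521 - 1, 2**607 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))          # private exponent (Python 3.8+)
K = (N.bit_length() + 7) // 8              # modulus length in bytes
# DER DigestInfo prefix for SHA-256 (RFC 8017, section 9.2)
SHA256_PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")

class IdTokenError(Exception):
    """Raised when an ID token must not be accepted."""

def b64u(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64u_dec(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def emsa_pkcs1_v15(message):
    """EMSA-PKCS1-v1_5 encoding of SHA-256(message), as used by RS256."""
    t = SHA256_PREFIX + hashlib.sha256(message).digest()
    return b"\x00\x01" + b"\xff" * (K - len(t) - 3) + b"\x00" + t

def issue_id_token(claims, alg="RS256"):
    """IdP side (constructed): serialize the claims and sign them."""
    header = b64u(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    payload = b64u(json.dumps(claims).encode())
    if alg == "none":
        return f"{header}.{payload}."
    em = int.from_bytes(emsa_pkcs1_v15(f"{header}.{payload}".encode()), "big")
    return f"{header}.{payload}.{b64u(pow(em, D, N).to_bytes(K, 'big'))}"

def validate_id_token(token, *, issuer, client_id, nonce, now=None, max_age=None):
    """Client side: accept the token only if every check passes; return its claims."""
    try:
        h64, p64, s64 = token.split(".")
        header, claims = json.loads(b64u_dec(h64)), json.loads(b64u_dec(p64))
        sig = b64u_dec(s64)
    except ValueError as exc:
        raise IdTokenError("malformed token") from exc
    if not isinstance(header, dict) or not isinstance(claims, dict):
        raise IdTokenError("malformed token")
    # Pin the algorithm so an unsigned or differently signed token stops here.
    if header.get("alg") != "RS256":
        raise IdTokenError("unexpected alg")
    if len(sig) != K:
        raise IdTokenError("bad signature")
    recovered = pow(int.from_bytes(sig, "big"), E, N).to_bytes(K, "big")
    if not hmac.compare_digest(recovered, emsa_pkcs1_v15(f"{h64}.{p64}".encode())):
        raise IdTokenError("bad signature")
    now = time.time() if now is None else now
    if claims.get("iss") != issuer:
        raise IdTokenError("wrong issuer")
    aud = claims.get("aud")
    audiences = [aud] if isinstance(aud, str) else aud if isinstance(aud, list) else []
    if client_id not in audiences:      # the audience is the client, not a resource
        raise IdTokenError("token was not issued to this client")
    if nonce is None or claims.get("nonce") != nonce:   # ties token to our request
        raise IdTokenError("nonce mismatch")
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        raise IdTokenError("expired")
    if max_age is not None:
        auth_time = claims.get("auth_time")
        if not isinstance(auth_time, (int, float)) or now - auth_time > max_age:
            raise IdTokenError("authentication too old")
    return claims

NOW = 1375341057                        # constructed clock value
EXPECT = dict(issuer="https://idp.example", client_id="client-a",
              nonce="req-7f3a", now=NOW, max_age=3600)
GOOD = {"iss": "https://idp.example", "sub": "user-1", "aud": "client-a",
        "nonce": "req-7f3a", "iat": NOW - 5, "exp": NOW + 300, "auth_time": NOW - 60}

def check(token):
    try:
        return validate_id_token(token, **EXPECT)["sub"]
    except IdTokenError as exc:
        return f"rejected: {exc}"

def demo():
    """Run constructed tokens through the validator and report each outcome."""
    parts = issue_id_token(GOOD).split(".")
    parts[1] = b64u(json.dumps({**GOOD, "sub": "someone-else"}).encode())
    return {
        "valid": check(issue_id_token(GOOD)),
        "issued to another client": check(issue_id_token({**GOOD, "aud": "client-b"})),
        "unsigned": check(issue_id_token(GOOD, alg="none")),
        "payload changed after signing": check(".".join(parts)),
        "nonce from another request": check(issue_id_token({**GOOD, "nonce": "req-0000"})),
        "stale authentication": check(issue_id_token({**GOOD, "auth_time": NOW - 7200})),
    }

if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:32} {outcome}")
```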






--_000_f4b99e49fbdd4e22b19391cdb720b15dBY2PR03MB189namprd03pro_
Content-Type: text/html; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable

<html>
<head>
<meta http-equiv=3D"Content-Type" content=3D"text/html; charset=3Diso-8859-=
1">
<meta name=3D"Generator" content=3D"Microsoft Word 15 (filtered medium)">
<!--[if !mso]><style>v\:* {behavior:url(#default#VML);}
o\:* {behavior:url(#default#VML);}
w\:* {behavior:url(#default#VML);}
.shape {behavior:url(#default#VML);}
</style><![endif]--><style><!--
/* Font Definitions */
@font-face
	{font-family:Helvetica;
	panose-1:2 11 6 4 2 2 2 2 2 4;}
@font-face
	{font-family:"Cambria Math";
	panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
	{font-family:Calibri;
	panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
	{font-family:Consolas;
	panose-1:2 11 6 9 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
	{margin:0in;
	margin-bottom:.0001pt;
	font-size:12.0pt;
	font-family:"Times New Roman","serif";}
a:link, span.MsoHyperlink
	{mso-style-priority:99;
	color:blue;
	text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
	{mso-style-priority:99;
	color:purple;
	text-decoration:underline;}
pre
	{mso-style-priority:99;
	mso-style-link:"HTML Preformatted Char";
	margin:0in;
	margin-bottom:.0001pt;
	font-size:10.0pt;
	font-family:"Courier New";}
span.HTMLPreformattedChar
	{mso-style-name:"HTML Preformatted Char";
	mso-style-priority:99;
	mso-style-link:"HTML Preformatted";
	font-family:Consolas;}
span.apple-converted-space
	{mso-style-name:apple-converted-space;}
span.EmailStyle20
	{mso-style-type:personal;
	font-family:"Calibri","sans-serif";
	color:#1F497D;}
span.EmailStyle21
	{mso-style-type:personal-reply;
	font-family:"Calibri","sans-serif";
	color:#1F497D;}
.MsoChpDefault
	{mso-style-type:export-only;
	font-size:10.0pt;}
@page WordSection1
	{size:8.5in 11.0in;
	margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
	{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext=3D"edit" spidmax=3D"1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext=3D"edit">
<o:idmap v:ext=3D"edit" data=3D"1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang=3D"EN-US" link=3D"blue" vlink=3D"purple">
<div class=3D"WordSection1">
<p class=3D"MsoNormal"><span style=3D"font-size:11.0pt;font-family:&quot;Ca=
libri&quot;,&quot;sans-serif&quot;;color:#1F497D">I believe it beneficial t=
o have a common format and common values, and 1 way to handle the format an=
d values. I believe that having this in oauth is beneficial,
 I believe that it would also be beneficial for OpenID if this were in oaut=
h. There are cases for signed and unsigned formats.
<o:p></o:p></span></p>
<p class=3D"MsoNormal"><a name=3D"_MailEndCompose"><span style=3D"font-size=
:11.0pt;font-family:&quot;Calibri&quot;,&quot;sans-serif&quot;;color:#1F497=
D"><o:p>&nbsp;</o:p></span></a></p>
<div>
<div style=3D"border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0in =
0in 0in">
<p class=3D"MsoNormal"><b><span style=3D"font-size:11.0pt;font-family:&quot=
;Calibri&quot;,&quot;sans-serif&quot;">From:</span></b><span style=3D"font-=
size:11.0pt;font-family:&quot;Calibri&quot;,&quot;sans-serif&quot;"> Richer=
, Justin P. [mailto:jricher@mitre.org]
<br>
<b>Sent:</b> Thursday, August 1, 2013 7:15 AM<br>
<b>To:</b> Nat Sakimura<br>
<b>Cc:</b> Anthony Nadalin; Bill Mills; Prateek Mishra; oauth@ietf.org WG<b=
r>
<b>Subject:</b> Re: [OAUTH-WG] Need for Extending OAuth with AuthN (was Re:=
 Fwd: New Version Notification for draft-hunt-oauth-v2-user-a4c-00.txt)<o:p=
></o:p></span></p>
</div>
</div>
<p class=3D"MsoNormal"><o:p>&nbsp;</o:p></p>
<p class=3D"MsoNormal">Also, it's (optionally) a token in the proposed docu=
ment we're discussing (=A72.4.1), which means there are two ways to parse t=
he same information. OIDC uses JWTs for everything, signed and unsigned. Th=
is means that OIDC is actually simpler
 from an implementation perspective, wouldn't you say? Instead of having tw=
o parsers, you have one to cover both cases.&nbsp;
<o:p></o:p></p>
<div>
<p class=3D"MsoNormal"><o:p>&nbsp;</o:p></p>
</div>
<div>
<p class=3D"MsoNormal">(And given your tendency to throw signed assertions =
at every problem, I would have thought that you'd prefer this anyway.)
<o:p></o:p></p>
<div>
<p class=3D"MsoNormal"><o:p>&nbsp;</o:p></p>
</div>
<div>
<p class=3D"MsoNormal">&nbsp;-- Justin<o:p></o:p></p>
</div>
<div>
<p class=3D"MsoNormal"><o:p>&nbsp;</o:p></p>
<div>
<div>
<p class=3D"MsoNormal">On Aug 1, 2013, at 9:40 AM, Nat Sakimura &lt;<a href=
=3D"mailto:sakimura@gmail.com">sakimura@gmail.com</a>&gt;<o:p></o:p></p>
</div>
<div>
<p class=3D"MsoNormal">&nbsp;wrote:<o:p></o:p></p>
</div>
<p class=3D"MsoNormal"><br>
<br>
<o:p></o:p></p>
<blockquote style=3D"margin-top:5.0pt;margin-bottom:5.0pt">
<div>
<div>
<p class=3D"MsoNormal">Yes, it is a Token.&nbsp;<o:p></o:p></p>
</div>
<div>
<p class=3D"MsoNormal">No, it does not have to be signed.&nbsp;<o:p></o:p><=
/p>
</div>
<div>
<p class=3D"MsoNormal"><o:p>&nbsp;</o:p></p>
</div>
<div>
<p class=3D"MsoNormal" style=3D"margin-bottom:12.0pt">As to be a token or n=
ot to be a token question, it has been discussed in the WG before, and if I=
 remember correctly, &nbsp;Microsoft argued for token saying that it is jus=
t base64 decoding and I lost there. &nbsp;<o:p></o:p></p>
</div>
<div>
<p class=3D"MsoNormal">Nat<o:p></o:p></p>
</div>
<div>
<p class=3D"MsoNormal" style=3D"margin-bottom:12.0pt"><br>
On Aug 1, 2013, at 14:24, Anthony Nadalin &lt;<a href=3D"mailto:tonynad@mic=
rosoft.com">tonynad@microsoft.com</a>&gt; wrote:<o:p></o:p></p>
</div>
<blockquote style=3D"margin-top:5.0pt;margin-bottom:5.0pt">
<p class=3D"MsoNormal"><span style=3D"font-size:11.0pt;font-family:&quot;Ca=
libri&quot;,&quot;sans-serif&quot;;color:#1F497D">You can&#8217;t do this, =
first openid uses a token and second it&#8217;s signed, third there is no s=
pecification to just return a authentication JSON structure</span><o:p></o:=
p></p>
<p class=3D"MsoNormal"><span style=3D"font-size:11.0pt;font-family:&quot;Ca=
libri&quot;,&quot;sans-serif&quot;;color:#1F497D">&nbsp;</span><o:p></o:p><=
/p>
<div>
<div style=3D"border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0in =
0in 0in">
<p class=3D"MsoNormal"><b><span style=3D"font-size:11.0pt;font-family:&quot=
;Calibri&quot;,&quot;sans-serif&quot;">From:</span></b><span style=3D"font-=
size:11.0pt;font-family:&quot;Calibri&quot;,&quot;sans-serif&quot;"> Richer=
, Justin P. [<a href=3D"mailto:jricher@mitre.org">mailto:jricher@mitre.org<=
/a>]
<br>
<b>Sent:</b> Thursday, August 1, 2013 5:15 AM<br>
<b>To:</b> Anthony Nadalin<br>
<b>Cc:</b> Bill Mills; Prateek Mishra; Nat Sakimura; <a href=3D"mailto:oaut=
h@ietf.org">
oauth@ietf.org</a> WG<br>
<b>Subject:</b> Re: [OAUTH-WG] Need for Extending OAuth with AuthN (was Re:=
 Fwd: New Version Notification for draft-hunt-oauth-v2-user-a4c-00.txt)</sp=
an><o:p></o:p></p>
</div>
</div>
<div>
<p class=3D"MsoNormal">&nbsp;<o:p></o:p></p>
</div>
<p class=3D"MsoNormal">Tony, you can already return the authn result from t=
he token request (we discussed this specifically in May as I recall). That'=
s what the &quot;idtoken&quot; and &quot;code idtoken&quot; responses are f=
or in OpenID Connect. The proposed draft is nearly a duplicate
 of the core functionality of OIDC. <o:p></o:p></p>
<div>
<div>
<p class=3D"MsoNormal">&nbsp;<o:p></o:p></p>
</div>
</div>
<div>
<p class=3D"MsoNormal">&nbsp;-- Justin<o:p></o:p></p>
</div>
<div>
<div>
<p class=3D"MsoNormal">&nbsp;<o:p></o:p></p>
</div>
<div>
<div>
<p class=3D"MsoNormal">On Aug 1, 2013, at 7:31 AM, Anthony Nadalin &lt;<a h=
ref=3D"mailto:tonynad@microsoft.com">tonynad@microsoft.com</a>&gt;<o:p></o:=
p></p>
</div>
<div>
<p class=3D"MsoNormal">&nbsp;wrote:<o:p></o:p></p>
</div>
<p class=3D"MsoNormal" style=3D"margin-bottom:12.0pt"><o:p>&nbsp;</o:p></p>
<blockquote style=3D"margin-top:5.0pt;margin-bottom:5.0pt">
<div>
<div>
<p class=3D"MsoNormal"><span style=3D"font-size:11.0pt;font-family:&quot;Ca=
libri&quot;,&quot;sans-serif&quot;;color:#1F497D">The proposal does not dup=
licate what OpenID does, there is clear benefit for returning an authentica=
tion result in the token request result. This is being proposed
 as optional JSON structure.</span><o:p></o:p></p>
</div>
<div>
<div>
<p class=3D"MsoNormal"><span style=3D"font-size:11.0pt;font-family:&quot;Ca=
libri&quot;,&quot;sans-serif&quot;;color:#1F497D">&nbsp;</span><o:p></o:p><=
/p>
</div>
</div>
<div>
<div style=3D"border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0in =
0in 0in">
<div>
<p class=3D"MsoNormal"><b><span style=3D"font-size:11.0pt;font-family:&quot=
;Calibri&quot;,&quot;sans-serif&quot;">From:</span></b><span class=3D"apple=
-converted-space"><span style=3D"font-size:11.0pt;font-family:&quot;Calibri=
&quot;,&quot;sans-serif&quot;">&nbsp;</span></span><span style=3D"font-size=
:11.0pt;font-family:&quot;Calibri&quot;,&quot;sans-serif&quot;"><a href=3D"=
mailto:oauth-bounces@ietf.org"><span style=3D"color:purple">oauth-bounces@i=
etf.org</span></a><span class=3D"apple-converted-space">&nbsp;</span>[mailt=
o:<a href=3D"mailto:oauth-">oauth-</a><a href=3D"mailto:bounces@ietf.org"><=
span style=3D"color:purple">bounces@ietf.org</span></a>]<span class=3D"appl=
e-converted-space">&nbsp;</span><b>On
 Behalf Of<span class=3D"apple-converted-space">&nbsp;</span></b>Bill Mills=
<br>
<b>Sent:</b><span class=3D"apple-converted-space">&nbsp;</span>Wednesday, J=
uly 31, 2013 2:50 PM<br>
<b>To:</b><span class=3D"apple-converted-space">&nbsp;</span>Prateek Mishra=
; Nat Sakimura<br>
<b>Cc:</b><span class=3D"apple-converted-space">&nbsp;</span><a href=3D"mai=
lto:oauth@ietf.org"><span style=3D"color:purple">oauth@ietf.org</span></a><=
span class=3D"apple-converted-space">&nbsp;</span>WG<br>
<b>Subject:</b><span class=3D"apple-converted-space">&nbsp;</span>Re: [OAUT=
H-WG] Need for Extending OAuth with AuthN (was Re: Fwd: New Version Notific=
ation for draft-hunt-oauth-v2-user-a4c-00.txt)</span><o:p></o:p></p>
</div>
</div>
</div>
<div>
<div>
<p class=3D"MsoNormal">&nbsp;<o:p></o:p></p>
</div>
</div>
<div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white"><span style=3D"font-famil=
y:&quot;Courier New&quot;">Rather than extending OAuth for something OpenID=
 already does... &nbsp;why don't we get a simple informational example doc =
to show how to implement the most basic OpenID service,
 which is the same functionality on a standard that's already written?</spa=
n><o:p></o:p></p>
</div>
</div>
<div>
<div>
<div>
<p class=3D"MsoNormal"><span style=3D"font-family:&quot;Courier New&quot;">=
&nbsp;</span><o:p></o:p></p>
</div>
</div>
</div>
<div>
<div>
<p class=3D"MsoNormal"><span style=3D"font-family:&quot;Courier New&quot;">=
This is sounding more and more like a documentation problem.</span><o:p></o=
:p></p>
</div>
</div>
<div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white"><span style=3D"font-famil=
y:&quot;Courier New&quot;">&nbsp;</span><o:p></o:p></p>
</div>
</div>
</div>
<div>
<div>
<div class=3D"MsoNormal" align=3D"center" style=3D"text-align:center;backgr=
ound:white">
<hr size=3D"1" width=3D"100%" align=3D"center">
</div>
<div>
<p class=3D"MsoNormal" style=3D"background:white"><b><span style=3D"font-si=
ze:10.0pt;font-family:&quot;Arial&quot;,&quot;sans-serif&quot;">From:</span=
></b><span class=3D"apple-converted-space"><span style=3D"font-size:10.0pt;=
font-family:&quot;Arial&quot;,&quot;sans-serif&quot;">&nbsp;</span></span><=
span style=3D"font-size:10.0pt;font-family:&quot;Arial&quot;,&quot;sans-ser=
if&quot;">Prateek
 Mishra &lt;<a href=3D"mailto:prateek.mishra@oracle.com"><span style=3D"col=
or:purple">prateek.mishra@oracle.com</span></a>&gt;<br>
<b>To:</b><span class=3D"apple-converted-space">&nbsp;</span>Nat Sakimura &=
lt;<a href=3D"mailto:sakimura@gmail.com"><span style=3D"color:purple">sakim=
ura@gmail.com</span></a>&gt;<span class=3D"apple-converted-space">&nbsp;</s=
pan><br>
<b>Cc:</b><span class=3D"apple-converted-space">&nbsp;</span>&quot;<a href=
=3D"mailto:oauth@ietf.org%20WG"><span style=3D"color:purple">oauth@ietf.org=
 WG</span></a>&quot; &lt;<a href=3D"mailto:oauth@ietf.org"><span style=3D"c=
olor:purple">oauth@ietf.org</span></a>&gt;<span class=3D"apple-converted-sp=
ace">&nbsp;</span><br>
<b>Sent:</b><span class=3D"apple-converted-space">&nbsp;</span>Wednesday, J=
uly 31, 2013 2:38 PM<br>
<b>Subject:</b><span class=3D"apple-converted-space">&nbsp;</span>[OAUTH-WG=
] Need for Extending OAuth with AuthN (was Re: Fwd: New Version Notificatio=
n for draft-hunt-oauth-v2-user-a4c-00.txt)</span><o:p></o:p></p>
</div>
</div>
<div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">&nbsp;<o:p></o:p></p>
</div>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">Nat -<span class=3D"apple=
-converted-space">&nbsp;</span><br>
<br>
thanks for the detailed response. I did review the links you sent out but i=
t remained unclear to me which<br>
features are MTI and which are not. For example, there is nothing in the Ba=
sic Client Profile that suggests<br>
that Section 2.3 is optional. I also could not find any definition for &quo=
t; non-dynamic OpenID Connect Server&quot;.<br>
<br>
I don't think there is a need to duplicate portions of the draft specificati=
on text in a new document. One solution<br>
that was used in SAML 2.0 was to define a conformance document which descri=
bed several different<span class=3D"apple-converted-space">&nbsp;</span><br=
>
operational modes and explained how only a small set of features needed to =
be implemented in certain modes.<br>
<br>
<a href=3D"http://docs.oasis-open.org/security/saml/v2.0/saml-conformance-2=
.0-os.pdf" target=3D"_blank"><span style=3D"color:purple">http://docs.oasis=
-open.org/security/saml/v2.0/saml-conformance-2.0-os.pdf</span></a><br>
<br>
There are probably other smarter ways to achieve the same effect.<br>
<br>
Given this situation, I do think it's a reasonable task for the OAuth commun=
ity to consider the need for<span class=3D"apple-converted-space">&nbsp;</s=
pan><br>
a minimal extension to OAuth that accommodates authentication. The communit=
y should be made aware that<span class=3D"apple-converted-space">&nbsp;</sp=
an><br>
RFC 6749 is being misused for federated authentication, as explained in&nbs=
p; -&nbsp;<span class=3D"apple-converted-space">&nbsp;</span><br>
<br>
<a href=3D"http://www.independentid.com/2013/07/simple-authentication-for-o=
auth-2-what.html" target=3D"_blank"><span style=3D"color:purple">http://www=
.independentid.com/2013/07/simple-authentication-for-oauth-2-what.html</spa=
n></a><span class=3D"apple-converted-space">&nbsp;</span><br>
<br>
and that there doesn't appear to be a simple solution that is currently ava=
ilable. It would be great if it turned<br>
out that OpenID Connect offered such a solution but that isn't clear to me.=
<br>
<br>
Thx,<br>
prateek<o:p></o:p></p>
</div>
<div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">&nbsp;<o:p></o:p></p>
</div>
</div>
</div>
<blockquote style=3D"margin-top:5.0pt;margin-bottom:5.0pt">
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">&nbsp;<o:p></o:p></p>
</div>
</div>
<div>
<p class=3D"MsoNormal" style=3D"margin-bottom:12.0pt;background:white;backg=
round-repeat:initial initial">
Inline:&nbsp;<o:p></o:p></p>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">2013/7/31 Prateek Mishra =
&lt;<a href=3D"mailto:prateek.mishra@oracle.com" target=3D"_blank"><span st=
yle=3D"color:purple">prateek.mishra@oracle.com</span></a>&gt;<o:p></o:p></p=
>
</div>
<blockquote style=3D"border:none;border-left:solid #CCCCCC 1.0pt;padding:0i=
n 0in 0in 6.0pt;margin-left:4.8pt;margin-top:5.0pt;margin-right:0in;margin-=
bottom:5.0pt">
<div>
<p class=3D"MsoNormal" style=3D"background:white">Nat -<span class=3D"apple=
-converted-space">&nbsp;</span><br>
<br>
your blog posting is helpful to those of us who are looking for a minimal e=
xtension of OAuth with<span class=3D"apple-converted-space">&nbsp;</span><b=
r>
an authenticator.&nbsp; Many implementors are seeking a modest extension of=
 OAuth, not an entire new protocol<br>
stack. &nbsp; I believe that is the point of Phil Hunt's proposal to the OA=
uth committee.<br>
<br>
I do have some questions about the statements made in the blog -<span c=
lass=3D"apple-converted-space">&nbsp;</span><br>
<br>
A) Can you direct me to a single OpenID Connect draft specification documen=
t where steps 1 and 2 are described?<o:p></o:p></p>
</div>
</blockquote>
<div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">&nbsp;<o:p></o:p></p>
</div>
</div>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">Actually, it is not a sin=
gle spec, that the Standard is referencing others.&nbsp;<o:p></o:p></p>
</div>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">The Standard is kind of c=
luttered because it has 6 response types and three request types in it.&nbs=
p;<o:p></o:p></p>
</div>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">I suppose it would be muc=
h easier for the readers to split them into coherent pieces, though that me=
ans duplicate texts.&nbsp;<o:p></o:p></p>
</div>
</div>
<div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">&nbsp;<o:p></o:p></p>
</div>
</div>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">The easiest approach here=
 is to read the Basic Client Profile.&nbsp;<a href=3D"http://openid.net/spe=
cs/openid-connect-basic-1_0-28.html" target=3D"_blank"><span style=3D"color=
:purple">http://openid.net/specs/openid-connect-basic-1_0-28.html</span></a=
><o:p></o:p></p>
</div>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">Then, read&nbsp;OAuth 2.0=
 Multiple Response Type Encoding Practices&nbsp;<a href=3D"http://openid.ne=
t/specs/oauth-v2-multiple-response-types-1_0-08.html" target=3D"_blank"><sp=
an style=3D"color:purple">http://openid.net/specs/oauth-v2-multiple-respons=
e-types-1_0-08.html</span></a>&nbsp;.&nbsp;<o:p></o:p></p>
</div>
</div>
<div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">&nbsp;<o:p></o:p></p>
</div>
</div>
</div>
<blockquote style=3D"border:none;border-left:solid #CCCCCC 1.0pt;padding:0i=
n 0in 0in 6.0pt;margin-left:4.8pt;margin-top:5.0pt;margin-right:0in;margin-=
bottom:5.0pt">
<div>
<p class=3D"MsoNormal" style=3D"background:white"><br>
B) If I implement steps 1 and 2, do I then have a conformant OpenID Connect=
 implementation? Are there no<span class=3D"apple-converted-space">&nbsp;</=
span><br>
other MTI protocol exchanges in OpenID Connect?<o:p></o:p></p>
</div>
</blockquote>
<div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">&nbsp;<o:p></o:p></p>
</div>
</div>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">Yes, for a non-dynamic Op=
enID Connect Server.&nbsp;<o:p></o:p></p>
</div>
</div>
<div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">&nbsp;<o:p></o:p></p>
</div>
</div>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">Nat<o:p></o:p></p>
</div>
</div>
<div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">&nbsp;&nbsp;<o:p></o:p></=
p>
</div>
</div>
</div>
<blockquote style=3D"border:none;border-left:solid #CCCCCC 1.0pt;padding:0i=
n 0in 0in 6.0pt;margin-left:4.8pt;margin-top:5.0pt;margin-right:0in;margin-=
bottom:5.0pt">
<div>
<p class=3D"MsoNormal" style=3D"background:white"><br>
Thanks,<br>
prateek<o:p></o:p></p>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white"><br>
<br>
&nbsp; &nbsp;<o:p></o:p></p>
</div>
<div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">&nbsp;<o:p></o:p></p>
</div>
</div>
</div>
<blockquote style=3D"margin-top:5.0pt;margin-bottom:5.0pt">
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">I have written a short bl=
og post titled &quot;<a href=3D"http://nat.sakimura.org/2013/07/28/write-op=
enid-connect-server-in-three-simple-steps/" target=3D"_blank"><span style=
=3D"color:purple">Write an OpenID Connect server
 in three simple steps</span></a>&quot;.&nbsp;<o:p></o:p></p>
</div>
<div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">&nbsp;<o:p></o:p></p>
</div>
</div>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">Really, there is not much=
 you need to do on top of OAuth 2.0.&nbsp;<o:p></o:p></p>
</div>
</div>
<div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">&nbsp;<o:p></o:p></p>
</div>
</div>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">It puzzles me why you nee=
d to create a draft with only minor variances in parameter names.&nbsp;<o:p=
></o:p></p>
</div>
</div>
<div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">&nbsp;<o:p></o:p></p>
</div>
</div>
</div>
<blockquote style=3D"margin-left:30.0pt;margin-top:5.0pt;margin-right:0in;m=
argin-bottom:5.0pt">
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">e.g.,&nbsp;<o:p></o:p></p=
>
</div>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">session instead of id_tok=
en<o:p></o:p></p>
</div>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">lat instead of iat<o:p></=
o:p></p>
</div>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">alv instead of acr<o:p></=
o:p></p>
</div>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">etc.&nbsp;<o:p></o:p></p>
</div>
</div>
</blockquote>
<div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">&nbsp;<o:p></o:p></p>
</div>
</div>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">If you change those param=
eter names, you will have a conformant profile of OpenID Connect.&nbsp;<o:p=
></o:p></p>
</div>
</div>
<div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">&nbsp;<o:p></o:p></p>
</div>
</div>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">Nat<o:p></o:p></p>
</div>
</div>
</div>
<div>
<div style=3D"margin-bottom:12.0pt;background-position:initial initial;back=
ground-repeat:initial initial">
<p class=3D"MsoNormal" style=3D"background:white">&nbsp;<o:p></o:p></p>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">2013/7/31 John Bradley &l=
t;<a href=3D"mailto:ve7jtb@ve7jtb.com" target=3D"_blank"><span style=3D"col=
or:purple">ve7jtb@ve7jtb.com</span></a>&gt;<o:p></o:p></p>
</div>
<blockquote style=3D"border:none;border-left:solid #CCCCCC 1.0pt;padding:0i=
n 0in 0in 6.0pt;margin-left:4.8pt;margin-top:5.0pt;margin-right:0in;margin-=
bottom:5.0pt">
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">Connect doesn't require a=
 userinfo endpoint. &nbsp; It is required for interoperability if you are b=
uilding an open IdP. &nbsp; For an enterprise type deployment discovery, re=
gistration, userinfo are all optional.<o:p></o:p></p>
</div>
<div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">&nbsp;<o:p></o:p></p>
</div>
</div>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">The server is required to=
 pass the nonce which is equivalent to a request ID through to the JWT if t=
he client sends it in the request.<o:p></o:p></p>
</div>
</div>
<div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">&nbsp;<o:p></o:p></p>
</div>
</div>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">Justin is correct.<o:p></=
o:p></p>
</div>
</div>
<div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">&nbsp;<o:p></o:p></p>
</div>
</div>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">John B.<o:p></o:p></p>
</div>
<div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">&nbsp;<o:p></o:p></p>
</div>
</div>
<div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">On 2013-07-30, at 5:30 PM=
, Phil Hunt &lt;<a href=3D"mailto:phil.hunt@oracle.com" target=3D"_blank"><=
span style=3D"color:purple">phil.hunt@oracle.com</span></a>&gt; wrote:<o:p>=
</o:p></p>
</div>
</div>
<div>
<p class=3D"MsoNormal" style=3D"margin-bottom:12.0pt;background:white"><br>
<br>
<o:p></o:p></p>
</div>
<blockquote style=3D"margin-top:5.0pt;margin-bottom:5.0pt">
<div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">Forgot reply all.<br>
<br>
Phil<o:p></o:p></p>
</div>
</div>
<div>
<p class=3D"MsoNormal" style=3D"margin-bottom:12.0pt;background:white;backg=
round-repeat:initial initial">
<br>
Begin forwarded message:<o:p></o:p></p>
</div>
<blockquote style=3D"margin-top:5.0pt;margin-bottom:5.0pt">
<p class=3D"MsoNormal" style=3D"margin-bottom:12.0pt;background:white;backg=
round-repeat:initial initial">
<b>From:</b><span class=3D"apple-converted-space">&nbsp;</span>Phil Hunt &l=
t;<a href=3D"mailto:phil.hunt@oracle.com" target=3D"_blank"><span style=3D"=
color:purple">phil.hunt@oracle.com</span></a>&gt;<br>
<b>Date:</b><span class=3D"apple-converted-space">&nbsp;</span>30 July, 201=
3 17:25:46 GMT&#43;02:00<br>
<b>To:</b><span class=3D"apple-converted-space">&nbsp;</span>&quot;Richer, =
Justin P.&quot; &lt;<a href=3D"mailto:jricher@mitre.org" target=3D"_blank">=
<span style=3D"color:purple">jricher@mitre.org</span></a>&gt;<br>
<b>Subject:</b><span class=3D"apple-converted-space">&nbsp;</span><b>Re: [O=
AUTH-WG] New Version Notification for draft-hunt-oauth-v2-user-a4c-00.txt</=
b><o:p></o:p></p>
</blockquote>
<blockquote style=3D"margin-top:5.0pt;margin-bottom:5.0pt">
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">The whole point is authn =
only. Many do not want or need the userinfo endpoint.&nbsp;<br>
<br>
Phil<o:p></o:p></p>
</div>
</div>
<div>
<p class=3D"MsoNormal" style=3D"margin-bottom:12.0pt;background:white;backg=
round-repeat:initial initial">
<br>
On 2013-07-30, at 17:17, &quot;Richer, Justin P.&quot; &lt;<a href=3D"mailt=
o:jricher@mitre.org" target=3D"_blank"><span style=3D"color:purple">jricher=
@mitre.org</span></a>&gt; wrote:<o:p></o:p></p>
</div>
<blockquote style=3D"margin-top:5.0pt;margin-bottom:5.0pt">
<div>
<p class=3D"MsoNormal" style=3D"background:white">What do you mean? You abs=
olutely can implement a compliant OIDC server nearly as simply as this. The=
 things that you're missing I think are necessary for basic interoperable f=
unctionality, and are things that other
 folks using OAuth for authentication have also implemented. Namely:<o:p></=
o:p></p>
</div>
<div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">&nbsp;<o:p></o:p></p>
</div>
</div>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">&nbsp;- Signing the ID to=
ken (OIDC specifies the RS256 flavor of JWS, which is easy to do with JWT).=
 Without a signed and verifiable ID token or equivalent, you're asking for =
all kinds of token injection problems.<o:p></o:p></p>
</div>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">&nbsp;- Session managemen=
t requests (max auth age, auth time)<o:p></o:p></p>
</div>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">&nbsp;- Not fall over wit=
h other parameters that you don't support (display, prompt, etc).<o:p></o:p=
></p>
</div>
</div>
<div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">&nbsp;<o:p></o:p></p>
</div>
</div>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">See here for more informa=
tion:<o:p></o:p></p>
</div>
</div>
<div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">&nbsp;<o:p></o:p></p>
</div>
</div>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">&nbsp;<a href=3D"http://o=
penid.net/specs/openid-connect-messages-1_0.html#ServerMTI" target=3D"_blan=
k"><span style=3D"color:purple">http://openid.net/specs/openid-connect-mess=
ages-1_0.html#ServerMTI</span></a><o:p></o:p></p>
</div>
</div>
<div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">&nbsp;<o:p></o:p></p>
</div>
</div>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">Additionally, something t=
hat's really important to support is the User Info Endpoint, so you can act=
ually get user profile information beyond just the simple &quot;someone was=
 here&quot; claim -- this was the real value of
 Facebook Connect from an RP's perspective. Some people will probably want =
to use SCIM for this, too, and that's fine.<o:p></o:p></p>
</div>
</div>
<div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">&nbsp;<o:p></o:p></p>
</div>
</div>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">&nbsp;-- Justin<o:p></o:p=
></p>
</div>
</div>
<div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">&nbsp;<o:p></o:p></p>
</div>
</div>
<div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">On Jul 30, 2013, at 10:54=
 AM, Phil Hunt &lt;<a href=3D"mailto:phil.hunt@oracle.com" target=3D"_blank=
"><span style=3D"color:purple">phil.hunt@oracle.com</span></a>&gt;<o:p></o:=
p></p>
</div>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">&nbsp;wrote:<o:p></o:p></=
p>
</div>
</div>
<div>
<p class=3D"MsoNormal" style=3D"margin-bottom:12.0pt;background:white"><br>
<br>
<o:p></o:p></p>
</div>
<blockquote style=3D"margin-top:5.0pt;margin-bottom:5.0pt">
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">The oidc specs do not all=
ow this simple an implementation. The spec members have not shown interest =
in making changes as they say they are too far down the road.<o:p></o:p></p=
>
</div>
</div>
<div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">&nbsp;<o:p></o:p></p>
</div>
</div>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">I have tried to make my d=
raft as close as possible to oidc but maybe it shouldn't be clarity wise. I=
 am interested in what the group feels is clearest.&nbsp;<o:p></o:p></p>
</div>
</div>
<div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">&nbsp;<o:p></o:p></p>
</div>
</div>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">From an ietf perspective =
the concern is improper use of the 6749 for authn. Is this a bug or gap we =
need to address?<br>
<br>
Phil<o:p></o:p></p>
</div>
</div>
<div>
<p class=3D"MsoNormal" style=3D"margin-bottom:12.0pt;background:white;backg=
round-repeat:initial initial">
<br>
On 2013-07-30, at 16:46, &quot;Richer, Justin P.&quot; &lt;<a href=3D"mailt=
o:jricher@mitre.org" target=3D"_blank"><span style=3D"color:purple">jricher=
@mitre.org</span></a>&gt; wrote:<o:p></o:p></p>
</div>
<blockquote style=3D"margin-top:5.0pt;margin-bottom:5.0pt">
<div>
<p class=3D"MsoNormal" style=3D"background:white">From what I read, you've =
defined something that uses an OAuth 2 code flow to get an extra token whic=
h is specified as a JWT. You named it &quot;session_token&quot; instead of =
&quot;id_token&quot;, and you've left off the User Information
 Endpoint -- but other than that, this is exactly the Basic Client for Open=
ID Connect. In other words, if you change the names on things you've got OI=
DC, but without the capabilities to go beyond a very basic &quot;hey there'=
s a user here&quot; claim. This is the same
 place that OpenID 2.0 started, and it was very, very quickly extended with=
 SREG, AX, PAPE, and others for it to be useful in the real world of distri=
buted logins. You've also left out discovery and registration which are req=
uired for distributed deployments,
 but I'm guessing that those would be modular components that could be adde=
d in (like they are in OIDC).&nbsp;<o:p></o:p></p>
</div>
<div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">&nbsp;<o:p></o:p></p>
</div>
</div>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">I've heard complaints tha=
t OIDC is complicated, but it's really not. Yes, I agree that the giant sta=
ck of documents is intimidating and in my opinion it's a bit of a mess with=
 Messages and Standard split up (but
 I lost that argument years ago). However, at the core, you've got an OAuth=
2 authorization server that spits out access tokens and id tokens. The id t=
oken is a JWT with some known claims (iss, sub, etc) and is issued alongsi=
de the access token, and its audience
 is the *client* and not the *protected resource*. The access token is a re=
gular old access token and its format is undefined (so you can use it with =
an existing OAuth2 server setup, like we have), and it can be used at the U=
ser Info Endpoint to get profile
 information about the user who authenticated. It could also be used for ot=
her services if your AS/IdP protects multiple things.<o:p></o:p></p>
</div>
</div>
<div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">&nbsp;<o:p></o:p></p>
</div>
</div>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">So I guess what I'm missi=
ng is what's the value proposition in this spec when we have something that=
 can do this already? And this doesn't seem to do anything different (apart=
 from syntax changes)?<o:p></o:p></p>
</div>
</div>
<div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">&nbsp;<o:p></o:p></p>
</div>
</div>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">&nbsp;-- Justin<o:p></o:p=
></p>
</div>
</div>
<div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">&nbsp;<o:p></o:p></p>
</div>
</div>
<div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">On Jul 29, 2013, at 4:14 =
AM, Phil Hunt &lt;<a href=3D"mailto:phil.hunt@oracle.com" target=3D"_blank"=
><span style=3D"color:purple">phil.hunt@oracle.com</span></a>&gt; wrote:<o:=
p></o:p></p>
</div>
</div>
<div>
<p class=3D"MsoNormal" style=3D"margin-bottom:12.0pt;background:white"><br>
<br>
<o:p></o:p></p>
</div>
<blockquote style=3D"margin-top:5.0pt;margin-bottom:5.0pt">
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">FYI. &nbsp;I have been no=
ticing a substantial number of sites acting as OAuth Clients using OAuth to=
 authenticate users.<o:p></o:p></p>
</div>
<div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">&nbsp;<o:p></o:p></p>
</div>
</div>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">I know several of us have=
 blogged on the issue over the past year so I won't re-hash it here. &nbsp;=
In short, many of us recommended OIDC as the correct methodology.<o:p></o:p=
></p>
</div>
</div>
<div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">&nbsp;<o:p></o:p></p>
</div>
</div>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">Nevertheless, I've spok=
en with a number of service providers who indicate they are not ready to ma=
ke the jump to OIDC, yet they agree there is a desire to support authentica=
tion only (whereas OIDC does IDP-like
 services).<o:p></o:p></p>
</div>
</div>
<div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">&nbsp;<o:p></o:p></p>
</div>
</div>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">This draft is intended as=
 a minimum authentication only specification. &nbsp;I've tried to make it a=
s compatible as possible with OIDC.<o:p></o:p></p>
</div>
</div>
<div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">&nbsp;<o:p></o:p></p>
</div>
</div>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">For now, I've just posted=
 to keep track of the issue so we can address at the next re-chartering.<o:=
p></o:p></p>
</div>
</div>
<div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">&nbsp;<o:p></o:p></p>
</div>
</div>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">Happy to answer questions=
 and discuss.&nbsp;<o:p></o:p></p>
</div>
</div>
<div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">&nbsp;<o:p></o:p></p>
</div>
</div>
</div>
<div>
<div>
<div>
<div>
<div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white"><span style=3D"font-size:=
9.0pt;font-family:&quot;Helvetica&quot;,&quot;sans-serif&quot;">Phil</span>=
<o:p></o:p></p>
</div>
</div>
<div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white"><span style=3D"font-size:=
9.0pt;font-family:&quot;Helvetica&quot;,&quot;sans-serif&quot;">&nbsp;</spa=
n><o:p></o:p></p>
</div>
</div>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white"><span style=3D"font-size:=
9.0pt;font-family:&quot;Helvetica&quot;,&quot;sans-serif&quot;">@independen=
tid</span><o:p></o:p></p>
</div>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white"><span style=3D"font-size:=
9.0pt;font-family:&quot;Helvetica&quot;,&quot;sans-serif&quot;"><a href=3D"=
http://www.independentid.com/" target=3D"_blank"><span style=3D"color:purpl=
e">www.independentid.com</span></a></span><o:p></o:p></p>
</div>
</div>
</div>
<p class=3D"MsoNormal" style=3D"margin-bottom:13.5pt;background:white;backg=
round-repeat:initial initial">
<span style=3D"font-size:13.5pt;font-family:&quot;Helvetica&quot;,&quot;san=
s-serif&quot;"><a href=3D"mailto:phil.hunt@oracle.com" target=3D"_blank"><s=
pan style=3D"color:purple">phil.hunt@oracle.com</span></a></span><o:p></o:p=
></p>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white"><span style=3D"font-size:=
13.5pt;font-family:&quot;Helvetica&quot;,&quot;sans-serif&quot;">&nbsp;</sp=
an><o:p></o:p></p>
</div>
</div>
</div>
<div>
<p class=3D"MsoNormal" style=3D"margin-bottom:12.0pt;background:white"><br>
<br>
<o:p></o:p></p>
</div>
</div>
<div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">&nbsp;<o:p></o:p></p>
</div>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">Begin forwarded message:<=
o:p></o:p></p>
</div>
</div>
<div>
<p class=3D"MsoNormal" style=3D"margin-bottom:12.0pt;background:white"><br>
<br>
<o:p></o:p></p>
</div>
<blockquote style=3D"margin-top:5.0pt;margin-bottom:5.0pt">
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white"><b><span style=3D"font-si=
ze:13.5pt;font-family:&quot;Helvetica&quot;,&quot;sans-serif&quot;">From:</=
span></b><span style=3D"font-size:13.5pt;font-family:&quot;Helvetica&quot;,=
&quot;sans-serif&quot;"><a href=3D"mailto:internet-drafts@ietf.org" target=
=3D"_blank"><span style=3D"color:purple">internet-drafts@ietf.org</span></a=
></span><o:p></o:p></p>
</div>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white"><b><span style=3D"font-si=
ze:13.5pt;font-family:&quot;Helvetica&quot;,&quot;sans-serif&quot;">Subject=
: New Version Notification for draft-hunt-oauth-v2-user-a4c-00.txt</span></=
b><o:p></o:p></p>
</div>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white"><b><span style=3D"font-si=
ze:13.5pt;font-family:&quot;Helvetica&quot;,&quot;sans-serif&quot;">Date:</=
span></b><span style=3D"font-size:13.5pt;font-family:&quot;Helvetica&quot;,=
&quot;sans-serif&quot;">29 July, 2013 9:49:41 AM GMT&#43;02:00</span><o:p><=
/o:p></p>
</div>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white"><b><span style=3D"font-si=
ze:13.5pt;font-family:&quot;Helvetica&quot;,&quot;sans-serif&quot;">To:</sp=
an></b><span style=3D"font-size:13.5pt;font-family:&quot;Helvetica&quot;,&q=
uot;sans-serif&quot;">Phil Hunt &lt;<a href=3D"mailto:phil.hunt@yahoo.com" =
target=3D"_blank"><span style=3D"color:purple">phil.hunt@yahoo.com</span></=
a>&gt;,
 Phil Hunt &lt;<a href=3D"mailto:None@ietfa.amsl.com" target=3D"_blank"><sp=
an style=3D"color:purple">None@ietfa.amsl.com</span></a>&gt;, Phil Hunt &lt=
;&gt;</span><o:p></o:p></p>
</div>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">&nbsp;<o:p></o:p></p>
</div>
</div>
<div>
<p class=3D"MsoNormal" style=3D"margin-bottom:12.0pt;background:white;backg=
round-repeat:initial initial">
<br>
A new version of I-D, draft-hunt-oauth-v2-user-a4c-00.txt<br>
has been successfully submitted by Phil Hunt and posted to the<br>
IETF repository.<br>
<br>
Filename: draft-hunt-oauth-v2-user-a4c<br>
Revision: 00<br>
Title: OAuth 2.0 User Authentication For Client<br>
Creation date: 2013-07-29<br>
Group: Individual Submission<br>
Number of pages: 9<br>
URL: &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbs=
p;<a href=3D"http://www.ietf.org/internet-drafts/draft-hunt-oauth-v2-user-a=
4c-00.txt" target=3D"_blank"><span style=3D"color:purple">http://www.ietf.o=
rg/internet-drafts/draft-hunt-oauth-v2-user-a4c-00.txt</span></a><br>
Status: &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<a href=3D"ht=
tp://datatracker.ietf.org/doc/draft-hunt-oauth-v2-user-a4c" target=3D"_blan=
k"><span style=3D"color:purple">http://datatracker.ietf.org/doc/draft-hunt-=
oauth-v2-user-a4c</span></a><br>
Htmlized: &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<a href=3D"http://tools=
.ietf.org/html/draft-hunt-oauth-v2-user-a4c-00" target=3D"_blank"><span sty=
le=3D"color:purple">http://tools.ietf.org/html/draft-hunt-oauth-v2-user-a4c=
-00</span></a><br>
<br>
<br>
Abstract:<br>
&nbsp;&nbsp;This specification defines a new OAuth2 endpoint that enables u=
ser<br>
&nbsp;&nbsp;authentication session information to be shared with client<br>
&nbsp;&nbsp;applications.<br>
<br>
<br>
<br>
<br>
Please note that it may take a couple of minutes from the time of submissio=
n<br>
until the htmlized version and diff are available at<a href=3D"http://tools=
.ietf.org/" target=3D"_blank"><span style=3D"color:purple">tools.ietf.org</=
span></a>.<br>
<br>
The IETF Secretariat<o:p></o:p></p>
</div>
</blockquote>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">&nbsp;<o:p></o:p></p>
</div>
</div>
</div>
</div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">_________________________=
______________________<br>
OAuth mailing list<br>
<a href=3D"mailto:OAuth@ietf.org" target=3D"_blank"><span style=3D"color:pu=
rple">OAuth@ietf.org</span></a><br>
<a href=3D"https://www.ietf.org/mailman/listinfo/oauth" target=3D"_blank"><=
span style=3D"color:purple">https://www.ietf.org/mailman/listinfo/oauth</sp=
an></a><o:p></o:p></p>
</div>
</blockquote>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">&nbsp;<o:p></o:p></p>
</div>
</div>
</div>
</blockquote>
</blockquote>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">&nbsp;<o:p></o:p></p>
</div>
</div>
</div>
</blockquote>
</blockquote>
</div>
</blockquote>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">&nbsp;<o:p></o:p></p>
</div>
</div>
</div>
</div>
</div>
</blockquote>
</div>
<div>
<p class=3D"MsoNormal" style=3D"background:white"><br>
<br clear=3D"all">
<o:p></o:p></p>
</div>
<div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">&nbsp;<o:p></o:p></p>
</div>
</div>
</div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">--<span class=3D"apple-co=
nverted-space">&nbsp;</span><br>
Nat Sakimura (=3Dnat)<o:p></o:p></p>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">Chairman, OpenID Foundati=
on<br>
<a href=3D"http://nat.sakimura.org/" target=3D"_blank"><span style=3D"color=
:purple">http://nat.sakimura.org/</span></a><br>
@_nat_en<o:p></o:p></p>
</div>
</div>
</div>
<div>
<p class=3D"MsoNormal" style=3D"margin-bottom:12.0pt;background:white"><br>
<br>
<o:p></o:p></p>
</div>
</blockquote>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">&nbsp;<o:p></o:p></p>
</div>
</div>
</div>
</blockquote>
</div>
<div>
<p class=3D"MsoNormal" style=3D"background:white"><br>
<br clear=3D"all">
<o:p></o:p></p>
</div>
<div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">&nbsp;<o:p></o:p></p>
</div>
</div>
</div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">--<span class=3D"apple-co=
nverted-space">&nbsp;</span><br>
Nat Sakimura (=3Dnat)<o:p></o:p></p>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">Chairman, OpenID Foundati=
on<br>
<a href=3D"http://nat.sakimura.org/" target=3D"_blank"><span style=3D"color=
:purple">http://nat.sakimura.org/</span></a><br>
@_nat_en<o:p></o:p></p>
</div>
</div>
</div>
</blockquote>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">&nbsp;<o:p></o:p></p>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</blockquote>
</div>
<div>
<p class=3D"MsoNormal">&nbsp;<o:p></o:p></p>
</div>
</div>
</blockquote>
</div>
</blockquote>
</div>
<p class=3D"MsoNormal"><o:p>&nbsp;</o:p></p>
</div>
</div>
</div>
</body>
</html>

--_000_f4b99e49fbdd4e22b19391cdb720b15dBY2PR03MB189namprd03pro_--
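
The ID token checks discussed in the quoted thread above (an RS256-signed JWT whose audience is the client, the nonce passed through from the request, auth time against a max auth age) can be sketched from the client's side as follows. This is an added example, not code from any poster or from the OpenID Connect specifications; the demo key (built from two Mersenne primes), the issuer, client id, nonce, timestamps and all helper names are constructed for illustration.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo key built from two Mersenne primes so the example is
# deterministic and runs offline. Trivially factorable: illustration only.
P, Q = 2**521 - 1, 2**607 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))      # private exponent, held by the IdP only
K = (N.bit_length() + 7) // 8          # modulus length in bytes

# DER-encoded DigestInfo prefix for SHA-256 (RFC 8017, section 9.2).
SHA256_PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")

# Constructed sample values (assumptions, not taken from the thread).
ISSUER, CLIENT_ID = "https://idp.example", "rp-client-1"
NONCE, NOW = "n-0S6_WzA2Mj", 1375340000
GOOD_CLAIMS = {"iss": ISSUER, "sub": "user-248", "aud": CLIENT_ID,
               "nonce": NONCE, "iat": NOW - 10, "auth_time": NOW - 60,
               "exp": NOW + 300}


class IDTokenError(Exception):
    """Raised when an ID token must not be accepted."""


def b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def emsa_pkcs1_v15(message):
    """Expected RS256 encoded message: 00 01 FF..FF 00 || DigestInfo."""
    t = SHA256_PREFIX + hashlib.sha256(message).digest()
    return b"\x00\x01" + b"\xff" * (K - len(t) - 3) + b"\x00" + t


def issue_id_token(claims, alg="RS256"):
    """IdP side (hypothetical helper): serialize the claims and sign them."""
    head = b64url(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    signing_input = head + "." + b64url(json.dumps(claims).encode())
    m = int.from_bytes(emsa_pkcs1_v15(signing_input.encode()), "big")
    return signing_input + "." + b64url(pow(m, D, N).to_bytes(K, "big"))


def validate_id_token(token, issuer, client_id, nonce, now, max_age=None):
    """Client side: return the claims only if every check passes."""
    try:
        h64, p64, s64 = token.split(".")
        header = json.loads(b64url_decode(h64))
        claims = json.loads(b64url_decode(p64))
        sig = b64url_decode(s64)
    except ValueError as exc:          # bad base64, bad JSON, wrong part count
        raise IDTokenError("malformed token") from exc
    if not isinstance(header, dict) or not isinstance(claims, dict):
        raise IDTokenError("malformed token")
    # Pin the algorithm; the token never gets to choose it ("none", HS256, ...).
    if header.get("alg") != "RS256":
        raise IDTokenError("unexpected alg")
    s = int.from_bytes(sig, "big")
    if len(sig) != K or s >= N:
        raise IDTokenError("bad signature")
    # Recompute the full padded block and compare it, instead of parsing it.
    em = pow(s, E, N).to_bytes(K, "big")
    expected = emsa_pkcs1_v15((h64 + "." + p64).encode())
    if not hmac.compare_digest(em, expected):
        raise IDTokenError("bad signature")
    if claims.get("iss") != issuer:
        raise IDTokenError("issuer mismatch")
    # The audience of an ID token is the client, so a token minted for a
    # different client must be refused even though its signature is valid.
    aud = claims.get("aud")
    if client_id not in (aud if isinstance(aud, list) else [aud]):
        raise IDTokenError("audience mismatch")
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or now >= exp:
        raise IDTokenError("expired")
    # The nonce ties the token to the request this client actually sent.
    if claims.get("nonce") != nonce:
        raise IDTokenError("nonce mismatch")
    if max_age is not None:
        auth_time = claims.get("auth_time")
        if not isinstance(auth_time, (int, float)) or now - auth_time > max_age:
            raise IDTokenError("authentication too old")
    return claims


def rejection_reason(token, **overrides):
    """Return why a token is rejected, or None if it is accepted."""
    args = {"issuer": ISSUER, "client_id": CLIENT_ID, "nonce": NONCE,
            "now": NOW, **overrides}
    try:
        validate_id_token(token, **args)
        return None
    except IDTokenError as exc:
        return str(exc)
```
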

From torsten@lodderstedt.net  Thu Aug  1 08:05:18 2013
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="=_5f514e0eced4ef7784555da6ec50d0cc"
Date: Thu, 01 Aug 2013 17:05:06 +0200
From: Torsten Lodderstedt <torsten@lodderstedt.net>
To: <oauth@ietf.org>
In-Reply-To: <CABzCy2A2PDZ-We_ZCkYTz1qn2y5HhyfX_HJeFwdDQTztqZNh4Q@mail.gmail.com>
References: <787A2184-CE90-49F4-ABB6-B8D049AE3941@oracle.com> <E2282016-1953-48A4-B0AC-7F138D29AB80@oracle.com> <BAB6DA63-5831-49D0-8CB9-13CF57F78806@ve7jtb.com> <CABzCy2C=DXtFUOZh=55xH_BwMz1Z8gb2ShUHAG7ZmATtc4E4zw@mail.gmail.com> <51F83EF7.6040201@oracle.com> <CABzCy2D4CJUMEQ32JNba8H4veBfgXOvj_J0rT7VmTtT-N_7BKQ@mail.gmail.com> <51F983E3.1020400@oracle.com> <1375307375.98370.YahooMailNeo@web142804.mail.bf1.yahoo.com> <E53E403B-BC52-4221-91E4-4884D7520A13@mitre.org> <CABzCy2A2PDZ-We_ZCkYTz1qn2y5HhyfX_HJeFwdDQTztqZNh4Q@mail.gmail.com>
Message-ID: <e8c67520b2a42f5de111e8aa1f75f204@lodderstedt-online.de>
Subject: Re: [OAUTH-WG] Need for Extending OAuth with AuthN (was Re: Fwd: New Version Notification for draft-hunt-oauth-v2-user-a4c-00.txt)

--=_5f514e0eced4ef7784555da6ec50d0cc
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset=UTF-8

 

Hi Nat,

I think you are going in the right direction. Here are my comments:

- Authentication and attribute providing can be treated separately. I
therefore would recommend you move the claim stuff into a separate
specification, which includes standard claims, respective scope values,
user info endpoint and the claims parameter. This would leave the base
specification a small but reasonable extension to OAuth to handle
authentication properly. Everyone interested in claims can implement the
complementary claims spec. Service providers wishing to use other
interfaces for claim providing can do that. I would not care.

- Use normative language only to ensure proper implementation of the
protocol, e.g. with respect to security, not for MTI requirements.

As an example: "id tokens must be signed when sent via the user agent,
they may be signed when issued at the token endpoint"

- I would recommend to handle MTI in a separate document. Do not clutter
the base spec with MTI stuff, such as

"OpenID Providers that are not Self-Issued OPs MUST support this
"response_type"."

First, you are forward referencing to concepts introduced in other
documents. Moreover, there are so many different scenarios I can think
of where Connect could be used. They have rather different requirements,
so having a document with different profile definitions is better suited
(IMHO). A good starting point is section 13, where the definition of
open and closed systems and respective MTIs is given.

- Omit duplication of OAuth text. For example, there is another
description of the state parameter or there is this statement: "In
OpenID Connect, this communication MUST be over TLS." As far as I
remember, the same holds true for plain OAuth.

- 3.2. Server Processings - it is the discretion of the server when the
id token is actually created. So don't make this part of the normative
text.

- I would recommend to move "3.2.1. ID Token after the authz response
section". The description of the ID Token contents does not help the
reader at that point.

- I would suggest to organize the doc around the response types, i.e.
describe the whole flow for code. Right now it is distributed over 2
sections (incl. Section 4 "Tokens Endpoint").

regards,
Torsten.

On 01.08.2013 06:27, Nat Sakimura wrote:

> +1
>
> I am trying to figure out how we can streamline the documentations.
> Now that we are done with the implementer's draft vote that diff is not
> that important any more as technical content is determined and IPR is
> locked in, now is the time to do a major surgery to fix the
> documentation clutter that is caused by its history.
>
> There are several proposals on the table right now in the AB/Connect WG
> at OIDF.
>
> My proposal at the moment is to reorganize the doc into:
>
> * OpenID Connect Core
> * OpenID Connect Discovery
> * OpenID Connect Dynamic Registration
> * OpenID Connect Advanced Claims Extension
> * OpenID Connect Advanced Client Authentication Methods Extension
> * OpenID Connect Self-Issued Provider Extension
> * OpenID Connect JSON Based Request Extension
>
> Currently, I am experimenting with whether keeping the different flows
> in the Core makes sense or it is better to split them out.
>
> Here is the link to the Core draft I am experimenting with:
> http://bit.ly/19yHvJB [14]
> XML and HTML versions are in the same repository as well.
>
> Your input will be most welcome.
>
> Nat
>
> 2013/8/1 Richer, Justin P. <jricher@mitre.org>
>
>> +1
>>
>> On Jul 31, 2013, at 5:49 PM, Bill Mills <wmills_92105@yahoo.com> wrote:
>>
>>> Rather than extending OAuth for something OpenID already does... why
>>> don't we get a simple informational example doc to show how to
>>> implement the most basic OpenID service, which is the same
>>> functionality on a standard that's already written?
>>>
>>> This is sounding more and more like a documentation problem.
>>>
>>> -------------------------
>>> FROM: Prateek Mishra <prateek.mishra@oracle.com>
>>> TO: Nat Sakimura <sakimura@gmail.com>
>>> CC: "oauth@ietf.org WG" <oauth@ietf.org>
>>> SENT: Wednesday, July 31, 2013 2:38 PM
>>> SUBJECT: [OAUTH-WG] Need for Extending OAuth with AuthN (was Re: Fwd:
>>> New Version Notification for draft-hunt-oauth-v2-user-a4c-00.txt)
>>>
>>> Nat -
>>>
>>> thanks for the detailed response. I did review the links you sent out
>>> but it remained unclear to me which features are MTI and which are
>>> not. For example, there is nothing in the Basic Client Profile that
>>> suggests that Section 2.3 is optional. I also could not find any
>>> definition for "non-dynamic OpenID Connect Server".
>>>
>>> I don't think there is a need to duplicate portions of the draft
>>> specification text in a new document. One solution that was used in
>>> SAML 2.0 was to define a conformance document which described several
>>> different operational modes and explained how only a small set of
>>> features needed to be implemented in certain modes.
>>>
>>> http://docs.oasis-open.org/security/saml/v2.0/saml-conformance-2.0-os.pdf
>>> [12]
>>>
>>> There are probably other smarter ways to achieve the same effect.
>>>
>>> Given this situation, I do think it's a reasonable task for the OAuth
>>> community to consider the need for a minimal extension to OAuth that
>>> accommodates authentication. The community should be made aware that
>>> RFC 6749 is being misused for federated authentication, as explained
>>> in -
>>>
>>> http://www.independentid.com/2013/07/simple-authentication-for-oauth-2-what.html
>>> [13]
>>>
>>> and that there doesn't appear to be a simple solution that is
>>> currently available. It would be great if it turned out that OpenID
>>> Connect offered such a solution but that isn't clear to me.
>>>
>>> Thx,
>>> prateek
>>>
>>>> Inline: 
>>>> 
>>>> 2013/7/31 Prateek
Mishra <prateek.mishra@oracle.com>
>>>> 
>>>>> Nat -
>>>>>
>>>>> your blog posting is helpful to those of us who are looking for a
>>>>> minimal extension of OAuth with an authenticator. Many implementors are
>>>>> seeking a modest extension of OAuth, not an entire new protocol stack. I
>>>>> believe that is the point of Phil Hunt's proposal to the OAuth committee.
>>>>>
>>>>> I do have some questions about the statements made in the blog -
>>>>>
>>>>> A) Can you direct me to a single OpenID Connect draft specification
>>>>> document where steps 1 and 2 are described?
>>>> 
>>>> Actually, it is not a single spec, that the
Standard is referencing others. 
>>>> The Standard is kind of cluttered
because it has 6 response types and three request types in it. 
>>>> I
suppose it would be much easier for the readers to split them into
coherent pieces, though that means duplicate texts. 
>>>> 
>>>> The
easiest approach here is to read the Basic Client Profile.
http://openid.net/specs/openid-connect-basic-1_0-28.html [10] 
>>>>
Then, read OAuth 2.0 Multiple Response Type Encoding Practices
http://openid.net/specs/oauth-v2-multiple-response-types-1_0-08.html
[11] . 
>>>> 
>>>>> B) If I implement steps 1 and 2, do I then have a
conformant OpenID Connect implementation? Are there no 
>>>>> other MTI
protocol exchanges in OpenID Connect?
>>>> 
>>>> Yes, for a non-dynamic
OpenID Connect Server. 
>>>> 
>>>> Nat 
>>>> 
>>>> Thanks,
>>>> 
>>>>>
>>>>> I have written a short blog post titled "Write an OpenID Connect server
>>>>> in three simple steps [8]".
>>>>>
>>>>> Really, there is not much you need to do on top of OAuth 2.0.
>>>>>
>>>>> It puzzles me why you need to create a draft with only minor variances
>>>>> in parameter names.
>>>>>
>>>>>> e.g.,
>>>>>> session instead of id_token
>>>>>> lat instead of iat
>>>>>> alv instead of acr
>>>>>> etc.
>>>>>
>>>>> If you change those parameter names, you will have a conformant profile
>>>>> of OpenID Connect.
>>>>> 
>>>>> Nat 
>>>>> 
>>>>> 2013/7/31 John Bradley
<ve7jtb@ve7jtb.com>
>>>>> 
>>>>>> Connect doesn't require a userinfo endpoint. It is required for
>>>>>> interoperability if you are building an open IdP. For an enterprise
>>>>>> type deployment discovery, registration, userinfo are all optional.
>>>>>>
>>>>>> The server is required to pass the nonce which is equivalent to a
>>>>>> request ID through to the JWT if the client sends it in the request.
>>>>>> 
>>>>>> Justin is correct.

>>>>>> 
>>>>>> John B. 
>>>>>> 
>>>>>> On 2013-07-30, at 5:30 PM, Phil
Hunt <phil.hunt@oracle.com> wrote: 
>>>>>> 
>>>>>>> Forgot reply
all.
>>>>>>> 
>>>>>>> Phil 
>>>>>>> 
>>>>>>> Begin forwarded
message:
>>>>>>> 
>>>>>>>> FROM: Phil Hunt
<phil.hunt@oracle.com>
>>>>>>>> DATE: 30 July, 2013 17:25:46
GMT+02:00
>>>>>>>> TO: "Richer, Justin P." <jricher@mitre.org>
>>>>>>>>
SUBJECT: RE: [OAUTH-WG] NEW VERSION NOTIFICATION FOR
DRAFT-HUNT-OAUTH-V2-USER-A4C-00.TXT
>>>>>>> 
>>>>>>>> The whole point is
authn only. Many do not want or need the userinfo endpoint. 
>>>>>>>>

>>>>>>>> Phil 
>>>>>>>> 
>>>>>>>> On 2013-07-30, at 17:17, "Richer,
Justin P." <jricher@mitre.org> wrote:
>>>>>>>> 
>>>>>>>>> What do you mean? You absolutely can implement a compliant OIDC
>>>>>>>>> server nearly as simply as this. The things that you're missing I
>>>>>>>>> think are necessary for basic interoperable functionality, and are
>>>>>>>>> things that other folks using OAuth for authentication have also
>>>>>>>>> implemented. Namely:
>>>>>>>>>
>>>>>>>>> - Signing the ID token (OIDC specifies the RS256 flavor of JWS,
>>>>>>>>>   which is easy to do with JWT). Without a signed and verifiable ID
>>>>>>>>>   token or equivalent, you're asking for all kinds of token
>>>>>>>>>   injection problems.
>>>>>>>>> - Session management requests (max auth age, auth time)
>>>>>>>>> - Not fall over with other parameters that you don't support
>>>>>>>>>   (display, prompt, etc).
>>>>>>>>>
>>>>>>>>> See here for more information:
>>>>>>>>>
>>>>>>>>> http://openid.net/specs/openid-connect-messages-1_0.html#ServerMTI [7]
>>>>>>>>>
>>>>>>>>> Additionally, something that's really important to support is the
>>>>>>>>> User Info Endpoint, so you can actually get user profile information
>>>>>>>>> beyond just the simple "someone was here" claim -- this was the real
>>>>>>>>> value of Facebook Connect from an RP's perspective. Some people will
>>>>>>>>> probably want to use SCIM for this, too, and that's fine.
>>>>>>>>> 
>>>>>>>>> -- Justin 
>>>>>>>>> 
>>>>>>>>> On Jul 30, 2013,
at 10:54 AM, Phil Hunt <phil.hunt@oracle.com> 
>>>>>>>>> wrote:

>>>>>>>>> 
>>>>>>>>>> The oidc specs do not allow this simple an implementation. The
>>>>>>>>>> spec members have not shown interest in making changes as they say
>>>>>>>>>> they are too far down the road.
>>>>>>>>>>
>>>>>>>>>> I have tried to make my draft as close as possible to oidc but
>>>>>>>>>> maybe it shouldn't be clarity wise. I am interested in what the
>>>>>>>>>> group feels is clearest.
>>>>>>>>>>
>>>>>>>>>> From an ietf perspective the concern is improper use of the 6749
>>>>>>>>>> for authn. Is this a bug or gap we need to address?
>>>>>>>>>> 
>>>>>>>>>> Phil 
>>>>>>>>>>

>>>>>>>>>> On 2013-07-30, at 16:46, "Richer, Justin P."
<jricher@mitre.org> wrote:
>>>>>>>>>> 
>>>>>>>>>>> From what I read, you've defined something that uses an OAuth 2
>>>>>>>>>>> code flow to get an extra token which is specified as a JWT. You
>>>>>>>>>>> named it "session_token" instead of "id_token", and you've left
>>>>>>>>>>> off the User Information Endpoint -- but other than that, this is
>>>>>>>>>>> exactly the Basic Client for OpenID Connect. In other words, if
>>>>>>>>>>> you change the names on things you've got OIDC, but without the
>>>>>>>>>>> capabilities to go beyond a very basic "hey there's a user here"
>>>>>>>>>>> claim. This is the same place that OpenID 2.0 started, and it was
>>>>>>>>>>> very, very quickly extended with SREG, AX, PAPE, and others for it
>>>>>>>>>>> to be useful in the real world of distributed logins. You've also
>>>>>>>>>>> left out discovery and registration which are required for
>>>>>>>>>>> distributed deployments, but I'm guessing that those would be
>>>>>>>>>>> modular components that could be added in (like they are in OIDC).
>>>>>>>>>>>
>>>>>>>>>>> I've heard complaints that OIDC is complicated, but it's really
>>>>>>>>>>> not. Yes, I agree that the giant stack of documents is
>>>>>>>>>>> intimidating and in my opinion it's a bit of a mess with Messages
>>>>>>>>>>> and Standard split up (but I lost that argument years ago).
>>>>>>>>>>> However, at the core, you've got an OAuth2 authorization server
>>>>>>>>>>> that spits out access tokens and id tokens. The id token is a JWT
>>>>>>>>>>> with some known claims (iss, sub, etc) and is issued along side
>>>>>>>>>>> the access token, and its audience is the *client* and not the
>>>>>>>>>>> *protected resource*. The access token is a regular old access
>>>>>>>>>>> token and its format is undefined (so you can use it with an
>>>>>>>>>>> existing OAuth2 server setup, like we have), and it can be used at
>>>>>>>>>>> the User Info Endpoint to get profile information about the user
>>>>>>>>>>> who authenticated. It could also be used for other services if
>>>>>>>>>>> your AS/IdP protects multiple things.
>>>>>>>>>>>
>>>>>>>>>>> So I guess what I'm missing is what's the value proposition in
>>>>>>>>>>> this spec when we have something that can do this already? And
>>>>>>>>>>> this doesn't seem to do anything different (apart from syntax
>>>>>>>>>>> changes)?
>>>>>>>>>>>
>>>>>>>>>>> -- Justin
>>>>>>>>>>> 
>>>>>>>>>>> On Jul 29, 2013, at 4:14 AM, Phil Hunt
<phil.hunt@oracle.com> wrote: 
>>>>>>>>>>> 
>>>>>>>>>>>> FYI. I have been noticing a substantial number of sites acting
>>>>>>>>>>>> as OAuth Clients using OAuth to authenticate users.
>>>>>>>>>>>>
>>>>>>>>>>>> I know several of us have blogged on the issue over the past
>>>>>>>>>>>> year so I won't re-hash it here. In short, many of us recommended
>>>>>>>>>>>> OIDC as the correct methodology.
>>>>>>>>>>>>
>>>>>>>>>>>> Nevertheless, I've spoken with a number of service providers who
>>>>>>>>>>>> indicate they are not ready to make the jump to OIDC, yet they
>>>>>>>>>>>> agree there is a desire to support authentication only (whereas
>>>>>>>>>>>> OIDC does IDP-like services).
>>>>>>>>>>>>
>>>>>>>>>>>> This draft is intended as a minimum authentication only
>>>>>>>>>>>> specification. I've tried to make it as compatible as possible
>>>>>>>>>>>> with OIDC.
>>>>>>>>>>>>
>>>>>>>>>>>> For now, I've just posted to keep track of the issue so we can
>>>>>>>>>>>> address at the next re-chartering.
>>>>>>>>>>>>
>>>>>>>>>>>> Happy to answer questions and discuss.
>>>>>>>>>>>> 
>>>>>>>>>>>> Phil 
>>>>>>>>>>>> 
>>>>>>>>>>>>
@independentid 
>>>>>>>>>>>> www.independentid.com [5]
phil.hunt@oracle.com
>>>>>>>>>>>> 
>>>>>>>>>>>> Begin forwarded message:

>>>>>>>>>>>> 
>>>>>>>>>>>>> FROM:
internet-drafts@ietf.org
>>>>>>>>>>>>> 
>>>>>>>>>>>>> SUBJECT: NEW
VERSION NOTIFICATION FOR
DRAFT-HUNT-OAUTH-V2-USER-A4C-00.TXT
>>>>>>>>>>>>> 
>>>>>>>>>>>>> DATE:
29 July, 2013 9:49:41 AM GMT+02:00
>>>>>>>>>>>>> 
>>>>>>>>>>>>> TO: Phil
Hunt <phil.hunt@yahoo.com>, Phil Hunt <None@ietfa.amsl.com>, Phil Hunt
<>
>>>>>>>>>>>>> 
>>>>>>>>>>>>> A new version of I-D,
draft-hunt-oauth-v2-user-a4c-00.txt
>>>>>>>>>>>>> has been successfully
submitted by Phil Hunt and posted to the
>>>>>>>>>>>>> IETF
repository.
>>>>>>>>>>>>> 
>>>>>>>>>>>>> Filename:
draft-hunt-oauth-v2-user-a4c
>>>>>>>>>>>>> Revision: 00
>>>>>>>>>>>>>
Title: OAuth 2.0 User Authentication For Client
>>>>>>>>>>>>> Creation
date: 2013-07-29
>>>>>>>>>>>>> Group: Individual
Submission
>>>>>>>>>>>>> Number of pages: 9
>>>>>>>>>>>>> URL:
http://www.ietf.org/internet-drafts/draft-hunt-oauth-v2-user-a4c-00.txt
[1]
>>>>>>>>>>>>> Status:
http://datatracker.ietf.org/doc/draft-hunt-oauth-v2-user-a4c
[2]
>>>>>>>>>>>>> Htmlized:
http://tools.ietf.org/html/draft-hunt-oauth-v2-user-a4c-00
[3]
>>>>>>>>>>>>> 
>>>>>>>>>>>>> Abstract:
>>>>>>>>>>>>> This
specification defines a new OAuth2 endpoint that enables
user
>>>>>>>>>>>>> authentication session information to be shared with
client
>>>>>>>>>>>>> applications.
>>>>>>>>>>>>> 
>>>>>>>>>>>>> Please
note that it may take a couple of minutes from the time of
submission
>>>>>>>>>>>>> until the htmlized version and diff are
available at tools.ietf.org [4].
>>>>>>>>>>>>> 
>>>>>>>>>>>>> The IETF
Secretariat
>>>>>>>>>>>>
_______________________________________________
>>>>>>>>>>>> OAuth
mailing list
>>>>>>>>>>>> OAuth@ietf.org
>>>>>>>>>>>>
https://www.ietf.org/mailman/listinfo/oauth [6]
>>>>> 
>>>>> -- 
>>>>>
Nat Sakimura (=nat) 
>>>>> Chairman, OpenID Foundation
>>>>>
http://nat.sakimura.org/ [9]
>>>>> @_nat_en 
>>>>> 
>>> 
> 
> -- 
> Nat Sakimura
(=nat) 
> Chairman, OpenID Foundation
> http://nat.sakimura.org/ [9]
>
@_nat_en 
> 

 

Links:
------
[1]
http://www.ietf.org/internet-drafts/draft-hunt-oauth-v2-user-a4c-00.txt
[2]
http://datatracker.ietf.org/doc/draft-hunt-oauth-v2-user-a4c
[3]
http://tools.ietf.org/html/draft-hunt-oauth-v2-user-a4c-00
[4]
http://tools.ietf.org/
[5] http://www.independentid.com/
[6]
https://www.ietf.org/mailman/listinfo/oauth
[7]
http://openid.net/specs/openid-connect-messages-1_0.html#ServerMTI
[8]
http://nat.sakimura.org/2013/07/28/write-openid-connect-server-in-three-simple-steps/
[9]
http://nat.sakimura.org/
[10]
http://openid.net/specs/openid-connect-basic-1_0-28.html
[11]
http://openid.net/specs/oauth-v2-multiple-response-types-1_0-08.html
[12]
http://docs.oasis-open.org/security/saml/v2.0/saml-conformance-2.0-os.pdf
[13]
http://www.independentid.com/2013/07/simple-authentication-for-oauth-2-what.html
[14]
http://bit.ly/19yHvJB
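
The client-side checks that the quoted messages from Justin Richer and John Bradley describe (an RS256-signed ID token, an audience equal to the client, the nonce passed through, max auth age), as an added Python example that is not from the thread or from any OpenID Connect implementation. The issuer, client ids, claim values, function names and the toy RSA key (built from two Mersenne primes so the block runs with the standard library only) are constructed assumptions.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo key built from two Mersenne primes. It is NOT secure and
# exists only so the example signs and verifies offline with the stdlib.
P, Q, E = 2**521 - 1, 2**607 - 1, 65537
N, D = P * Q, pow(E, -1, (P - 1) * (Q - 1))
K = (N.bit_length() + 7) // 8  # modulus length in bytes
# DER DigestInfo prefix for SHA-256 (RFC 8017, section 9.2).
SHA256_PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")
ISSUER, CLIENT_ID, NOW = "https://idp.example", "client-a", 1375000000  # constructed
SAMPLE_CLAIMS = {"iss": ISSUER, "sub": "user-123", "aud": CLIENT_ID, "iat": NOW - 10,
                 "exp": NOW + 300, "auth_time": NOW - 20, "nonce": "n-0S6"}


def b64u(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64u_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def emsa_pkcs1_v15(message):
    digest_info = SHA256_PREFIX + hashlib.sha256(message).digest()
    return b"\x00\x01" + b"\xff" * (K - len(digest_info) - 3) + b"\x00" + digest_info


def rs256_sign(message):
    return pow(int.from_bytes(emsa_pkcs1_v15(message), "big"), D, N).to_bytes(K, "big")


def rs256_verify(message, signature):
    value = int.from_bytes(signature, "big")
    if len(signature) != K or value >= N:
        return False
    return hmac.compare_digest(pow(value, E, N).to_bytes(K, "big"), emsa_pkcs1_v15(message))


def issue_id_token(claims, alg="RS256"):
    """Provider side; used here only to build the constructed sample tokens."""
    signing_input = ".".join(
        b64u(json.dumps(part, separators=(",", ":")).encode())
        for part in ({"alg": alg, "typ": "JWT"}, claims)
    )
    signature = rs256_sign(signing_input.encode()) if alg == "RS256" else b""
    return signing_input + "." + b64u(signature)


def validate_id_token(token, issuer, client_id, now, nonce=None, max_age=None):
    """Client-side checks; returns the claims or raises ValueError."""
    try:
        header_b64, payload_b64, signature_b64 = token.split(".")
        header = json.loads(b64u_decode(header_b64))
        claims = json.loads(b64u_decode(payload_b64))
        signature = b64u_decode(signature_b64)
        if not (isinstance(header, dict) and isinstance(claims, dict)):
            raise ValueError("header and payload must be JSON objects")
    except (ValueError, TypeError, AttributeError) as exc:
        raise ValueError("malformed token") from exc
    # Unsigned tokens and unexpected algorithms are refused before any claim is read.
    if header.get("alg") != "RS256":
        raise ValueError("unsigned or unexpected alg")
    if not rs256_verify(f"{header_b64}.{payload_b64}".encode(), signature):
        raise ValueError("bad signature")
    if claims.get("iss") != issuer:
        raise ValueError("wrong issuer")
    # The ID token's audience is the client, not a protected resource.
    audience = claims.get("aud")
    if client_id not in (audience if isinstance(audience, list) else [audience]):
        raise ValueError("audience is not this client")
    expiry = claims.get("exp")
    if not isinstance(expiry, (int, float)) or expiry <= now:
        raise ValueError("expired")
    # If the client sent a nonce, the server must have passed it through.
    if nonce is not None and claims.get("nonce") != nonce:
        raise ValueError("nonce mismatch")
    # Max auth age: the user must have authenticated recently enough.
    if max_age is not None:
        auth_time = claims.get("auth_time")
        if not isinstance(auth_time, (int, float)) or now - auth_time > max_age:
            raise ValueError("authentication too old")
    return claims


def rejection_reason(token, nonce="n-0S6", max_age=3600):
    """Return None if the token is accepted, else the reason it was refused."""
    try:
        validate_id_token(token, ISSUER, CLIENT_ID, NOW, nonce, max_age)
    except ValueError as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    for alg in ("RS256", "none"):
        print(alg, rejection_reason(issue_id_token(SAMPLE_CLAIMS, alg)) or "accepted")
```

A real client would take the provider's public key from its configuration or key endpoint and use a maintained JOSE library; the hand-rolled RSA here only keeps the example self-contained.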

--=_5f514e0eced4ef7784555da6ec50d0cc
Content-Transfer-Encoding: quoted-printable
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN">
<html><body>
<p>Hi Nat,</p>
<p>I think you are going in the right direction. Here are my comments:</p>
<p>- Authentication and attribute providing can be treated separately. I therefore would recommend you move the claim stuff into a separate specification, which includes standard claims, respective scope values, user info endpoint and the claims parameter. This would leave the base specification a small but reasonable extension to OAuth to handle authentication properly. Everyone interested in claims can implement the complementary claims spec. Service providers wishing to use other interfaces for claim providing can do that. I would not care.</p>
<p>- Use normative language only to ensure proper implementation of the protocol, e.g. with respect to security, not for MTI requirements.</p>
<p>As an example: "id tokens must be signed when sent via the user agent, they may be signed when issued at the token endpoint"</p>
<p>- I would recommend to handle MTI in a separate document. Do not clutter the base spec with MTI stuff, such as&nbsp;</p>
<p>"OpenID Providers that are not Self-Issued OPs MUST support this "response_type"."</p>
<p>First, you are forward referencing to concepts introduced in other documents. Moreover, there are so many different scenarios I can think of where Connect could be used. They have rather different requirements, so having a document with different profile definitions is better suited (IMHO). A good starting point is section 13, where the definition of open and closed systems and respective MTIs is given.</p>
<p>- Omit duplication of OAuth text. For example, there is another description of the state parameter or there is this statement: "In OpenID Connect, this communication MUST be over TLS." As far as I remember, the same holds true for plain OAuth.</p>
<p>- 3.2. Server Processings - it is the discretion of the server when the id token is actually created. So don't make this part of the normative text.</p>
<p>- I would recommend to move "3.2.1. ID Token after the authz response section". The description of the ID Token contents does not help the reader at that point.</p>
<p>- I would suggest to organize the doc around the response types, i.e. describe the whole flow for code. Right now it is distributed over 2 sections (incl. Section 4 "Tokens Endpoint").</p>
<p>regards,<br />Torsten.</p>
<p>On 01.08.2013 06:27, Nat Sakimura wrote:</p>
<blockquote type=3D"cite" style=3D"padding-left:5px; border-left:#1010ff 2p=
x solid; margin-left:5px; width:100%"><!-- html ignored --><!-- head ignore=
d --><!-- meta ignored -->
<div dir=3D"ltr">+1
<div>&nbsp;</div>
<div>I am trying to figure out how we can streamline the documentations.&nb=
sp;</div>
<div>Now that we are done with the implementer's draft vote that diff is no=
t that important any more as technical content is determined and IPR is loc=
ked in, now is the time to do a major surgery to fix the documentation clut=
ter that is caused by its history.&nbsp;</div>
<div>&nbsp;</div>
<div>There are several proposals on the table right now in the AB/Connect W=
G at OIDF.&nbsp;</div>
<div>&nbsp;</div>
<div>My proposal at the moment is to reorganize the doc into:&nbsp;</div>
<div>
<pre style=3D"white-space: pre-wrap; color: #000000;">&nbsp;</pre>
<ul>
<li><span style=3D"font-family: arial;">OpenID Connect Core</span></li>
<li><span style=3D"font-family: arial;">OpenID Connect Discovery</span></li=
>
<li><span style=3D"font-family: arial;">OpenID Connect Dynamic Registration=
</span></li>
<li><span style=3D"font-family: arial;">OpenID Connect Advanced Claims Exte=
nsion</span></li>
<li><span style=3D"font-family: arial;">OpenID Connect Advanced Client Auth=
entication Methods Extension</span></li>
<li><span style=3D"font-family: arial;">OpenID Connect Self-Issued Provider=
 Extension</span></li>
<li><span style=3D"font-family: arial;">OpenID Connect JSON Based Request E=
xtension</span></li>
</ul>
</div>
<div>Currently, I am experimenting with whether keeping the different flows=
 in the Core makes sense or it is better to split them out.&nbsp;</div>
<div>&nbsp;</div>
<div>Here is the link to the Core draft I am experimenting with:&nbsp;<a hr=
ef=3D"http://bit.ly/19yHvJB">http://bit.ly/19yHvJB</a></div>
<div>XML and HTML versions are in the same repository as well.&nbsp;</div>
<div>&nbsp;</div>
<div>Your input will be most welcome.&nbsp;</div>
<div>&nbsp;</div>
<div>Nat</div>
</div>
<div class=3D"gmail_extra"><br /><br />
<div class=3D"gmail_quote">2013/8/1 Richer, Justin P. <span>&lt;<a href=3D"=
mailto:jricher@mitre.org">jricher@mitre.org</a>&gt;</span><br />
<blockquote class=3D"gmail_quote" style=3D"margin: 0  0  0  .8ex; border-le=
ft: 1px  #ccc  solid; padding-left: 1ex;">
<div style=3D"word-wrap: break-word;">+1
<div>
<div class=3D"h5">
<div><br />
<div>
<div>On Jul 31, 2013, at 5:49 PM, Bill Mills &lt;<a href=3D"mailto:wmills_9=
2105@yahoo.com">wmills_92105@yahoo.com</a>&gt; wrote:</div>
<br />
<blockquote type=3D"cite" style=3D"padding-left:5px; border-left:#1010ff 2p=
x solid; margin-left:5px; width:100%">
<div>
<div style=3D"font-size: 12pt;">
<div><span>Rather than extending OAuth for something OpenID already does.=
=2E. &nbsp;why don't we get a simple informational example doc to show how =
to implement the most basic OpenID service, which is the same functionality=
 on a standard that's already written?</span></div>
<div style=3D"font-size: 16px; background-color: transparent; font-style: n=
ormal;"><span>&nbsp;</span></div>
<div style=3D"font-size: 16px; background-color: transparent; font-style: n=
ormal;"><span>This is sounding more and more like a documentation problem=
=2E</span></div>
<div>&nbsp;</div>
<div style=3D"font-size: 12pt;">
<div style=3D"font-size: 12pt;">
<div dir=3D"ltr"><hr size=3D"1" /><span style=3D"font-family: Arial;"><stro=
ng><span style=3D"font-weight: bold;">From:</span></strong> Prateek Mishra =
&lt;<a href=3D"mailto:prateek.mishra@oracle.com">prateek.mishra@oracle.com<=
/a>&gt;<br /><strong><span style=3D"font-weight: bold;">To:</span></strong>=
 Nat Sakimura &lt;<a href=3D"mailto:sakimura@gmail.com">sakimura@gmail.com<=
/a>&gt; <br /><strong><span style=3D"font-weight: bold;">Cc:</span></strong=
> "<a href=3D"mailto:oauth@ietf.org">oauth@ietf.org</a> WG" &lt;<a href=3D"=
mailto:oauth@ietf.org">oauth@ietf.org</a>&gt; <br /><strong><span style=3D"=
font-weight: bold;">Sent:</span></strong> Wednesday, July 31, 2013 2:38 PM<=
br /><strong><span style=3D"font-weight: bold;">Subject:</span></strong> [O=
AUTH-WG] Need for Extending OAuth with AuthN (was Re: Fwd: New Version Noti=
fication for draft-hunt-oauth-v2-user-a4c-00.txt)<br /></span></div>
<div><br />
<div>
<div>Nat - <br /><br /> thanks for the detailed response. I did review the =
links you sent out but it remained unclear to me which<br /> features are M=
TI and which are not. For example, there is nothing in the Basic Client Pro=
file that suggests<br /> that Section 2.3 is optional. I also could not fin=
d any definition for " non-dynamic OpenID Connect Server".<br /><br /> I do=
n't think there is a need to duplicate portions of the draft specification t=
ext in a new document. One solution<br /> that was used in SAML 2.0 was to =
define a conformance document which described several different <br /> oper=
ational modes and explained how only a small set of features needed to be i=
mplemented in certain modes.<br /><br /><a href=3D"http://docs.oasis-open=
=2Eorg/security/saml/v2.0/saml-conformance-2.0-os.pdf">http://docs.oasis-op=
en.org/security/saml/v2.0/saml-conformance-2.0-os.pdf</a><br /><br /> There=
 are probably other smarter ways to achieve the same effect.<br /><br /> Gi=
ven this situation, I do think it's a reasonable task for the OAuth communit=
y to consider the need for <br /> a minimal extension to OAuth that accommo=
dates authentication. The community should be made aware that <br /> RFC 67=
49 is being misused for federated authentication, as explained in&nbsp; -&n=
bsp; <br /><br /><a href=3D"http://www.independentid.com/2013/07/simple-aut=
hentication-for-oauth-2-what.html">http://www.independentid.com/2013/07/sim=
ple-authentication-for-oauth-2-what.html</a> <br /><br /> and that there do=
esn't appear to be a simple solution that is currently available. It would =
be great if it turned<br /> out that OpenID Connect offered such a solution=
 but that isn't clear to me.<br /><br /> Thx,<br /> prateek<br />
<div>&nbsp;</div>
<blockquote type=3D"cite" style=3D"padding-left:5px; border-left:#1010ff 2p=
x solid; margin-left:5px; width:100%">
<div dir=3D"ltr"><br />
<div>Inline:&nbsp;<br /><br />
<div>2013/7/31 Prateek Mishra <span>&lt;<a href=3D"mailto:prateek.mishra@or=
acle.com">prateek.mishra@oracle.com</a>&gt;</span><br />
<blockquote style=3D"margin: 0px  0px  0px  0.8ex; border-left-width: 1px; =
border-left-color: #cccccc; border-left-style: solid; padding-left: 1ex;">
<div>Nat - <br /><br /> your blog posting is helpful to those of us who are=
 looking for a minimal extension of OAuth with <br /> an authenticator.&nbs=
p; Many implementors are seeking a modest extension of OAuth, not an entire=
 new protocol<br /> stack. &nbsp; I believe that is the point of Phil Hunt'=
s proposal to the OAuth committee.<br /><br /> I do have some questions=
 about the statements made in the blog - <br /><br /> A) Can you direct me =
to a single OpenID Connect draft specification document where steps 1 and 2=
 are described?</div>
</blockquote>
<div>&nbsp;</div>
<div>Actually, it is not a single spec, that the Standard is referencing ot=
hers.&nbsp;</div>
<div>The Standard is kind of cluttered because it has 6 response types and =
three request types in it.&nbsp;</div>
<div>I suppose it would be much easier for the readers to split them into c=
oherent pieces, though that means duplicate texts.&nbsp;</div>
<div>&nbsp;</div>
<div>The easiest approach here is to read the Basic Client Profile.&nbsp;<a=
 href=3D"http://openid.net/specs/openid-connect-basic-1_0-28.html">http://o=
penid.net/specs/openid-connect-basic-1_0-28.html</a></div>
<div>Then, read&nbsp;OAuth 2.0 Multiple Response Type Encoding Practices&nb=
sp;<a href=3D"http://openid.net/specs/oauth-v2-multiple-response-types-1_0-=
08.html">http://openid.net/specs/oauth-v2-multiple-response-types-1_0-08.ht=
ml</a>&nbsp;.&nbsp;</div>
<div>&nbsp;</div>
<blockquote style=3D"margin: 0px  0px  0px  0.8ex; border-left-width: 1px; =
border-left-color: #cccccc; border-left-style: solid; padding-left: 1ex;">
<div><br /> B) If I implement steps 1 and 2, do I then have a conformant Op=
enID Connect implementation? Are there no <br /> other MTI protocol exchang=
es in OpenID Connect?</div>
</blockquote>
<div>&nbsp;</div>
<div>Yes, for a non-dynamic OpenID Connect Server.&nbsp;</div>
<div>&nbsp;</div>
<div>Nat</div>
<div>&nbsp;&nbsp;</div>
<blockquote style=3D"margin: 0px  0px  0px  0.8ex; border-left-width: 1px; =
border-left-color: #cccccc; border-left-style: solid; padding-left: 1ex;">
<div><br /> Thanks,<br />prateek
<div>
<div><br /><br /> &nbsp; &nbsp; <br />
<div>&nbsp;</div>
<blockquote type=3D"cite" style=3D"padding-left:5px; border-left:#1010ff 2p=
x solid; margin-left:5px; width:100%">
<div dir=3D"ltr">I have written a short blog post titled "<a href=3D"http:/=
/nat.sakimura.org/2013/07/28/write-openid-connect-server-in-three-simple-st=
eps/">Write an OpenID Connect server in three simple steps</a>".&nbsp;
<div>&nbsp;</div>
<div>Really, there is not much you need to do on top of OAuth 2.0.&nbsp;</div>
<div>&nbsp;</div>
<div>It puzzles me why you need to create a draft with only minor variances=
 in parameter names.&nbsp;</div>
<div>&nbsp;</div>
<blockquote style=3D"margin: 0px  0px  0px  40px; border: none; padding: 0p=
x;">
<div>e.g.,&nbsp;</div>
<div>session instead of id_token</div>
<div>lat instead of iat</div>
<div>alv instead of acr</div>
<div>etc.&nbsp;</div>
</blockquote>
<div>&nbsp;</div>
<div>If you change those parameter names, you will have a conformant profil=
e of OpenID Connect.&nbsp;</div>
<div>&nbsp;</div>
<div>Nat</div>
</div>
<div><br /><br />
<div>2013/7/31 John Bradley <span>&lt;<a href=3D"mailto:ve7jtb@ve7jtb.com">=
ve7jtb@ve7jtb.com</a>&gt;</span><br />
<blockquote style=3D"margin: 0px  0px  0px  0.8ex; border-left-width: 1px; =
border-left-color: #cccccc; border-left-style: solid; padding-left: 1ex;">
<div style=3D"word-wrap: break-word;">Connect doesn't require a userinfo en=
dpoint. &nbsp; It is required for interoperability if you are building an o=
pen IdP. &nbsp; For an enterprise type deployment discovery, registration, =
userinfo are all optional.
<div>&nbsp;</div>
<div>The server is required to pass the nonce which is equivalent to a requ=
est ID through to the JWT if the client sends it in the request.</div>
<div>&nbsp;</div>
<div>Justin is correct.</div>
<div>&nbsp;</div>
<div>John B.
<div>
<div><br />
<div>
<div>On 2013-07-30, at 5:30 PM, Phil Hunt &lt;<a href=3D"mailto:phil.hunt@o=
racle.com">phil.hunt@oracle.com</a>&gt; wrote:</div>
<br />
<blockquote type=3D"cite" style=3D"padding-left:5px; border-left:#1010ff 2p=
x solid; margin-left:5px; width:100%">
<div>
<div>Forgot reply all.<br /><br /> Phil</div>
<div><br /> Begin forwarded message:<br /><br /></div>
<blockquote type=3D"cite" style=3D"padding-left:5px; border-left:#1010ff 2p=
x solid; margin-left:5px; width:100%"><strong>From:</strong> Phil Hunt &lt;=
<a href=3D"mailto:phil.hunt@oracle.com">phil.hunt@oracle.com</a>&gt;<br /><=
strong>Date:</strong> 30 July, 2013 17:25:46 GMT+02:00<br /><strong>To:</st=
rong> "Richer, Justin P." &lt;<a href=3D"mailto:jricher@mitre.org">jricher@=
mitre.org</a>&gt;<br /><strong>Subject:</strong> <strong>Re: [OAUTH-WG] New=
 Version Notification for draft-hunt-oauth-v2-user-a4c-00.txt</strong><br /=
><br /></blockquote>
<blockquote type=3D"cite" style=3D"padding-left:5px; border-left:#1010ff 2p=
x solid; margin-left:5px; width:100%">
<div>The whole point is authn only. Many do not want or need the userinfo e=
ndpoint.&nbsp;<br /><br /> Phil</div>
<div><br /> On 2013-07-30, at 17:17, "Richer, Justin P." &lt;<a href=3D"mai=
lto:jricher@mitre.org">jricher@mitre.org</a>&gt; wrote:<br /><br /></div>
<blockquote type=3D"cite" style=3D"padding-left:5px; border-left:#1010ff 2p=
x solid; margin-left:5px; width:100%">What do you mean? You absolutely can =
implement a compliant OIDC server nearly as simply as this. The things that=
 you're missing I think are necessary for basic interoperable functionality=
, and are things that other folks using OAuth for authentication have also =
implemented. Namely:
<div>&nbsp;</div>
<div>&nbsp;- Signing the ID token (OIDC specifies the RS256 flavor of JWS, =
which is easy to do with JWT). Without a signed and verifiable ID token or =
equivalent, you're asking for all kinds of token injection problems.</div>
<div>&nbsp;- Session management requests (max auth age, auth time)</div>
<div>&nbsp;- Not fall over with other parameters that you don't support (di=
splay, prompt, etc).</div>
<div>&nbsp;</div>
<div>See here for more information:</div>
<div>&nbsp;</div>
<div>&nbsp; <a href=3D"http://openid.net/specs/openid-connect-messages-1_0=
=2Ehtml#ServerMTI"> http://openid.net/specs/openid-connect-messages-1_0.htm=
l#ServerMTI</a></div>
<div>&nbsp;</div>
<div>Additionally, something that's really important to support is the User=
 Info Endpoint, so you can actually get user profile information beyond jus=
t the simple "someone was here" claim -- this was the real value of Faceboo=
k Connect from an RP's perspective. Some people will probably want to use S=
CIM for this, too, and that's fine.</div>
<div>&nbsp;</div>
<div>&nbsp;-- Justin</div>
<div><br />
<div>
<div>On Jul 30, 2013, at 10:54 AM, Phil Hunt &lt;<a href=3D"mailto:phil.hun=
t@oracle.com">phil.hunt@oracle.com</a>&gt;</div>
<div>&nbsp;wrote:</div>
<br />
<blockquote type=3D"cite" style=3D"padding-left:5px; border-left:#1010ff 2p=
x solid; margin-left:5px; width:100%">
<div>
<div>The oidc specs do not allow this simple an implementation. The spec me=
mbers have not shown interest in making changes as they say they are too fa=
r down the road.</div>
<div>&nbsp;</div>
<div>I have tried to make my draft as close as possible to oidc but maybe i=
t shouldn't be clarity wise. I am interested in what the group feels is cle=
arest.&nbsp;</div>
<div>&nbsp;</div>
<div>From an ietf perspective the concern is improper use of the 6749 for a=
uthn. Is this a bug or gap we need to address?<br /><br /> Phil</div>
<div><br /> On 2013-07-30, at 16:46, "Richer, Justin P." &lt;<a href=3D"mai=
lto:jricher@mitre.org">jricher@mitre.org</a>&gt; wrote:<br /><br /></div>
<blockquote type=3D"cite" style=3D"padding-left:5px; border-left:#1010ff 2p=
x solid; margin-left:5px; width:100%">From what I read, you've defined some=
thing that uses an OAuth 2 code flow to get an extra token which is specifi=
ed as a JWT. You named it "session_token" instead of "id_token", and you've=
 left off the User Information Endpoint -- but other than that, this is exa=
ctly the Basic Client for OpenID Connect. In other words, if you change the=
 names on things you've got OIDC, but without the capabilities to go beyond=
 a very basic "hey there's a user here" claim. This is the same place that =
OpenID 2.0 started, and it was very, very quickly extended with SREG, AX, P=
APE, and others for it to be useful in the real world of distributed logins=
=2E You've also left out discovery and registration which are required for =
distributed deployments, but I'm guessing that those would be modular compo=
nents that could be added in (like they are in OIDC).&nbsp;
<div>&nbsp;</div>
<div>I've heard complaints that OIDC is complicated, but it's really not. Y=
es, I agree that the giant stack of documents is intimidating and in my opi=
nion it's a bit of a mess with Messages and Standard split up (but I lost t=
hat argument years ago). However, at the core, you've got an OAuth2 authori=
zation server that spits out access tokens and id tokens. The id token is a=
 JWT with some known claims (iss, sub, etc) and is issued along side the ac=
cess token, and its audience is the *client* and not the *protected resourc=
e*. The access token is a regular old access token and its format is undefi=
ned (so you can use it with an existing OAuth2 server setup, like we have),=
 and it can be used at the User Info Endpoint to get profile information ab=
out the user who authenticated. It could also be used for other services if=
 your AS/IdP protects multiple things.</div>
<div>&nbsp;</div>
<div>So I guess what I'm missing is what's the value proposition in this sp=
ec when we have something that can do this already? And this doesn't seem t=
o do anything different (apart from syntax changes)?</div>
<div>&nbsp;</div>
<div>&nbsp;-- Justin</div>
<div>
<div><br />
<div>
<div>On Jul 29, 2013, at 4:14 AM, Phil Hunt &lt;<a href="mailto:phil.hunt@oracle.com">phil.hunt@oracle.com</a>&gt; wrote:</div>
<br />
<blockquote type="cite" style="padding-left:5px; border-left:#1010ff 2px solid; margin-left:5px; width:100%">
<div style="word-wrap: break-word;">FYI. &nbsp;I have been noticing a substantial number of sites acting as OAuth Clients using OAuth to authenticate users.
<div>&nbsp;</div>
<div>I know several of us have blogged on the issue over the past year so I won't re-hash it here. &nbsp;In short, many of us recommended OIDC as the correct methodology.</div>
<div>&nbsp;</div>
<div>Nevertheless, I've spoken with a number of service providers who indicate they are not ready to make the jump to OIDC, yet they agree there is a desire to support authentication only (whereas OIDC does IDP-like services).</div>
<div>&nbsp;</div>
<div>This draft is intended as a minimum authentication only specification. &nbsp;I've tried to make it as compatible as possible with OIDC.</div>
<div>&nbsp;</div>
<div>For now, I've just posted to keep track of the issue so we can address at the next re-chartering.</div>
<div>&nbsp;</div>
<div>Happy to answer questions and discuss.&nbsp;</div>
<div>&nbsp;</div>
<div>
<div>
<div style=3D"word-wrap: break-word;">
<div style=3D"word-wrap: break-word;">
<div style=3D"word-wrap: break-word;">
<div>Phil</div>
<div>&nbsp;</div>
<div>@independentid</div>
<div><a href="http://www.independentid.com/">www.independentid.com</a></div>
</div>
<a href="mailto:phil.hunt@oracle.com">phil.hunt@oracle.com</a><br /><br /></div>
</div>
<br /></div>
<div><br />
<div>Begin forwarded message:</div>
<br />
<blockquote type="cite" style="padding-left:5px; border-left:#1010ff 2px solid; margin-left:5px; width:100%">
<div style="margin: 0px;"><span style="font-family: Helvetica; font-size: medium;"><strong>From: </strong></span><span style="font-family: Helvetica; font-size: medium;"><a href="mailto:internet-drafts@ietf.org">internet-drafts@ietf.org</a><br /></span></div>
<div style="margin: 0px;"><span style="font-family: Helvetica; font-size: medium;"><strong>Subject: </strong></span><span style="font-family: Helvetica; font-size: medium;"><strong>New Version Notification for draft-hunt-oauth-v2-user-a4c-00.txt</strong><br /></span></div>
<div style="margin: 0px;"><span style="font-family: Helvetica; font-size: medium;"><strong>Date: </strong></span><span style="font-family: Helvetica; font-size: medium;">29 July, 2013 9:49:41 AM GMT+02:00<br /></span></div>
<div style="margin: 0px;"><span style="font-family: Helvetica; font-size: medium;"><strong>To: </strong></span><span style="font-family: Helvetica; font-size: medium;">Phil Hunt &lt;<a href="mailto:phil.hunt@yahoo.com">phil.hunt@yahoo.com</a>&gt;, Phil Hunt &lt;<a href="mailto:None@ietfa.amsl.com">None@ietfa.amsl.com</a>&gt;, Phil Hunt &lt;&gt;<br /></span></div>
<br />
<div><br /> A new version of I-D, draft-hunt-oauth-v2-user-a4c-00.txt<br />
 has been successfully submitted by Phil Hunt and posted to the<br />
 IETF repository.<br /><br />
 Filename:<span style="white-space: pre-wrap;"> </span>draft-hunt-oauth-v2-user-a4c<br />
 Revision:<span style="white-space: pre-wrap;"> </span>00<br />
 Title:<span style="white-space: pre-wrap;"> </span><span style="white-space: pre-wrap;"></span>OAuth 2.0 User Authentication For Client<br />
 Creation date:<span style="white-space: pre-wrap;"> </span>2013-07-29<br />
 Group:<span style="white-space: pre-wrap;"> </span><span style="white-space: pre-wrap;"></span>Individual Submission<br />
 Number of pages: 9<br />
 URL: &nbsp;<a href="http://www.ietf.org/internet-drafts/draft-hunt-oauth-v2-user-a4c-00.txt">http://www.ietf.org/internet-drafts/draft-hunt-oauth-v2-user-a4c-00.txt</a><br />
 Status: &nbsp;<a href="http://datatracker.ietf.org/doc/draft-hunt-oauth-v2-user-a4c">http://datatracker.ietf.org/doc/draft-hunt-oauth-v2-user-a4c</a><br />
 Htmlized: &nbsp;<a href="http://tools.ietf.org/html/draft-hunt-oauth-v2-user-a4c-00">http://tools.ietf.org/html/draft-hunt-oauth-v2-user-a4c-00</a><br /><br /><br />
 Abstract:<br />
 &nbsp;&nbsp;This specification defines a new OAuth2 endpoint that enables user<br />
 &nbsp;&nbsp;authentication session information to be shared with client<br />
 &nbsp;&nbsp;applications.<br /><br />
 Please note that it may take a couple of minutes from the time of submission<br />
 until the htmlized version and diff are available at <a href="http://tools.ietf.org/"> tools.ietf.org</a>.<br /><br />
 The IETF Secretariat<br /><br /></div>
</blockquote>
</div>
</div>
</div>
_______________________________________________<br /> OAuth mailing list<br /><a href="mailto:OAuth@ietf.org">OAuth@ietf.org</a><br /><a href="https://www.ietf.org/mailman/listinfo/oauth">https://www.ietf.org/mailman/listinfo/oauth</a></blockquote>
</div>
</div>
</div>
</blockquote>
</div>
</blockquote>
</div>
</div>
</blockquote>
</blockquote>
</div>
</blockquote>
</div>
</div>
</div>
</div>
</div>
</blockquote>
</div>
<br /><br clear="all" />
<div>&nbsp;</div>
-- <br />Nat Sakimura (=nat)
<div>Chairman, OpenID Foundation<br /><a href="http://nat.sakimura.org/">http://nat.sakimura.org/</a><br /> @_nat_en</div>
</div>
<br /><fieldset></fieldset><br />
</blockquote>
</div>
</div>
</div>
</blockquote>
</div>
<br /><br clear="all" />
<div>&nbsp;</div>
-- <br />Nat Sakimura (=nat)
<div>Chairman, OpenID Foundation<br /><a href="http://nat.sakimura.org/">http://nat.sakimura.org/</a><br /> @_nat_en</div>
</div>
</div>
</blockquote>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</blockquote>
</div>
</div>
</div>
</div>
</div>
</blockquote>
</div>
<br /><br clear="all" />
<div>&nbsp;</div>
-- <br />Nat Sakimura (=nat)
<div>Chairman, OpenID Foundation<br /><a href="http://nat.sakimura.org/">http://nat.sakimura.org/</a><br />@_nat_en</div>
</div>
<br />
</blockquote>
<div>&nbsp;</div>
</body></html>

--=_5f514e0eced4ef7784555da6ec50d0cc--


From sakimura@gmail.com  Thu Aug  1 09:07:50 2013
Return-Path: <sakimura@gmail.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 31CB921E8088 for <oauth@ietfa.amsl.com>; Thu,  1 Aug 2013 09:07:50 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.561
X-Spam-Level: 
X-Spam-Status: No, score=-2.561 tagged_above=-999 required=5 tests=[AWL=0.038,  BAYES_00=-2.599, HTML_MESSAGE=0.001, NO_RELAYS=-0.001]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ppyMvaAAfxgg for <oauth@ietfa.amsl.com>; Thu,  1 Aug 2013 09:07:47 -0700 (PDT)
Received: from mail-la0-x229.google.com (mail-la0-x229.google.com [IPv6:2a00:1450:4010:c03::229]) by ietfa.amsl.com (Postfix) with ESMTP id B738821E80BE for <oauth@ietf.org>; Thu,  1 Aug 2013 09:07:46 -0700 (PDT)
Received: by mail-la0-f41.google.com with SMTP id ec20so1582937lab.28 for <oauth@ietf.org>; Thu, 01 Aug 2013 09:07:45 -0700 (PDT)
MIME-Version: 1.0
X-Received: by 10.152.10.71 with SMTP id g7mr1065580lab.60.1375373265513; Thu, 01 Aug 2013 09:07:45 -0700 (PDT)
Received: by 10.112.134.38 with HTTP; Thu, 1 Aug 2013 09:07:45 -0700 (PDT)
In-Reply-To: <f4b99e49fbdd4e22b19391cdb720b15d@BY2PR03MB189.namprd03.prod.outlook.com>
References: <787A2184-CE90-49F4-ABB6-B8D049AE3941@oracle.com> <E2282016-1953-48A4-B0AC-7F138D29AB80@oracle.com> <BAB6DA63-5831-49D0-8CB9-13CF57F78806@ve7jtb.com> <CABzCy2C=DXtFUOZh=55xH_BwMz1Z8gb2ShUHAG7ZmATtc4E4zw@mail.gmail.com> <51F983E3.1020400@oracle.com> <1375307375.98370.YahooMailNeo@web142804.mail.bf1.yahoo.com> <5c5c607231e644f697c5a60b75688013@BY2PR03MB189.namprd03.prod.outlook.com> <5D020B1E-531D-444E-A492-046D444D48D2@mitre.org> <e68801da9fa547c69fee43b9cd7b22b8@BY2PR03MB189.namprd03.prod.outlook.com> <2117136733141454493@unknownmsgid> <8E6F38BA-E6BF-40E5-818A-45F506BB181D@mitre.org> <f4b99e49fbdd4e22b19391cdb720b15d@BY2PR03MB189.namprd03.prod.outlook.com>
Date: Thu, 1 Aug 2013 18:07:45 +0200
Message-ID: <CABzCy2Aou0eMqHKjxOh01mtfzQ8-mvU5BHF84kHHsnPsO3di=Q@mail.gmail.com>
From: Nat Sakimura <sakimura@gmail.com>
To: Anthony Nadalin <tonynad@microsoft.com>
Content-Type: multipart/alternative; boundary=001a1132f662ecb41604e2e50a88
Cc: "oauth@ietf.org WG" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Need for Extending OAuth with AuthN (was Re: Fwd: New Version Notification for draft-hunt-oauth-v2-user-a4c-00.txt)
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 01 Aug 2013 16:07:50 -0000

--001a1132f662ecb41604e2e50a88
Content-Type: text/plain; charset=windows-1252
Content-Transfer-Encoding: quoted-printable

Like Bill says, it can just be a profile of OpenID Connect.
IETF specs already reference OpenID Foundation specs.
It should not be a problem.
I do not think we want to fork.


2013/8/1 Anthony Nadalin <tonynad@microsoft.com>

> I believe it beneficial to have a common format and common values, and 1
> way to handle the format and values. I believe that having this in oauth is
> beneficial, I believe that it would also be beneficial for OpenID if this
> were in oauth. There are cases for signed and unsigned formats.
>
> *From:* Richer, Justin P. [mailto:jricher@mitre.org]
> *Sent:* Thursday, August 1, 2013 7:15 AM
> *To:* Nat Sakimura
> *Cc:* Anthony Nadalin; Bill Mills; Prateek Mishra; oauth@ietf.org WG
> *Subject:* Re: [OAUTH-WG] Need for Extending OAuth with AuthN (was Re:
> Fwd: New Version Notification for draft-hunt-oauth-v2-user-a4c-00.txt)
>
> Also, it's (optionally) a token in the proposed document we're discussing
> (§2.4.1), which means there are two ways to parse the same information.
> OIDC uses JWTs for everything, signed and unsigned. This means that OIDC is
> actually simpler from an implementation perspective, wouldn't you say?
> Instead of having two parsers, you have one to cover both cases.
>
> (And given your tendency to throw signed assertions at every problem, I
> would have thought that you'd prefer this anyway.)
>
> -- Justin
>
> On Aug 1, 2013, at 9:40 AM, Nat Sakimura <sakimura@gmail.com> wrote:
>
> Yes, it is a Token.
>
> No, it does not have to be signed.
>
> As to be a token or not to be a token question, it has been discussed in
> the WG before, and if I remember correctly, Microsoft argued for token
> saying that it is just base64 decoding and I lost there.
>
> Nat
>
> On Aug 1, 2013, at 14:24, Anthony Nadalin <tonynad@microsoft.com> wrote:
>
> You can’t do this, first openid uses a token and second it’s signed, third
> there is no specification to just return an authentication JSON structure
>
> *From:* Richer, Justin P. [mailto:jricher@mitre.org]
> *Sent:* Thursday, August 1, 2013 5:15 AM
> *To:* Anthony Nadalin
> *Cc:* Bill Mills; Prateek Mishra; Nat Sakimura; oauth@ietf.org WG
> *Subject:* Re: [OAUTH-WG] Need for Extending OAuth with AuthN (was Re:
> Fwd: New Version Notification for draft-hunt-oauth-v2-user-a4c-00.txt)
>
> Tony, you can already return the authn result from the token request (we
> discussed this specifically in May as I recall). That's what the "idtoken"
> and "code idtoken" responses are for in OpenID Connect. The proposed draft
> is nearly a duplicate of the core functionality of OIDC.
>
> -- Justin
>
> On Aug 1, 2013, at 7:31 AM, Anthony Nadalin <tonynad@microsoft.com> wrote:
>
> The proposal does not duplicate what OpenID does, there is clear benefit
> for returning an authentication result in the token request result. This is
> being proposed as optional JSON structure.
>
> *From:* oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] *On Behalf
> Of *Bill Mills
> *Sent:* Wednesday, July 31, 2013 2:50 PM
> *To:* Prateek Mishra; Nat Sakimura
> *Cc:* oauth@ietf.org WG
> *Subject:* Re: [OAUTH-WG] Need for Extending OAuth with AuthN (was Re:
> Fwd: New Version Notification for draft-hunt-oauth-v2-user-a4c-00.txt)
>
> Rather than extending OAuth for something OpenID already does...  why
> don't we get a simple informational example doc to show how to implement
> the most basic OpenID service, which is the same functionality on a
> standard that's already written?
>
> This is sounding more and more like a documentation problem.
>
> ------------------------------
>
> *From:* Prateek Mishra <prateek.mishra@oracle.com>
> *To:* Nat Sakimura <sakimura@gmail.com>
> *Cc:* "oauth@ietf.org WG" <oauth@ietf.org>
> *Sent:* Wednesday, July 31, 2013 2:38 PM
> *Subject:* [OAUTH-WG] Need for Extending OAuth with AuthN (was Re: Fwd:
> New Version Notification for draft-hunt-oauth-v2-user-a4c-00.txt)
>
> Nat -
>
> thanks for the detailed response. I did review the links you sent out but
> it remained unclear to me which features are MTI and which are not. For
> example, there is nothing in the Basic Client Profile that suggests that
> Section 2.3 is optional. I also could not find any definition for
> "non-dynamic OpenID Connect Server".
>
> I don't think there is a need to duplicate portions of the draft
> specification text in a new document. One solution that was used in SAML
> 2.0 was to define a conformance document which described several different
> operational modes and explained how only a small set of features needed to
> be implemented in certain modes.
>
> http://docs.oasis-open.org/security/saml/v2.0/saml-conformance-2.0-os.pdf
>
> There are probably other smarter ways to achieve the same effect.
>
> Given this situation, I do think it's a reasonable task for the OAuth
> community to consider the need for a minimal extension to OAuth that
> accommodates authentication. The community should be made aware that RFC
> 6749 is being misused for federated authentication, as explained in -
>
> http://www.independentid.com/2013/07/simple-authentication-for-oauth-2-what.html
>
> and that there doesn't appear to be a simple solution that is currently
> available. It would be great if it turned out that OpenID Connect offered
> such a solution but that isn't clear to me.
>
> Thx,
> prateek
>
> Inline:
>
> 2013/7/31 Prateek Mishra <prateek.mishra@oracle.com>
>
> Nat -
>
> your blog posting is helpful to those of us who are looking for a minimal
> extension of OAuth with an authenticator. Many implementors are seeking a
> modest extension of OAuth, not an entire new protocol stack. I believe that
> is the point of Phil Hunt's proposal to the OAuth committee.
>
> I do have some questions about the statements made in the blog -
>
> A) Can you direct me to a single OpenID Connect draft specification
> document where steps 1 and 2 are described?
>
> Actually, it is not a single spec, that the Standard is referencing
> others.
>
> The Standard is kind of cluttered because it has 6 response types and
> three request types in it.
>
> I suppose it would be much easier for the readers to split them into
> coherent pieces, though that means duplicate texts.
>
> The easiest approach here is to read the Basic Client Profile.
> http://openid.net/specs/openid-connect-basic-1_0-28.html
>
> Then, read OAuth 2.0 Multiple Response Type Encoding Practices
> http://openid.net/specs/oauth-v2-multiple-response-types-1_0-08.html .
>
> B) If I implement steps 1 and 2, do I then have a conformant OpenID
> Connect implementation? Are there no other MTI protocol exchanges in
> OpenID Connect?
>
> Yes, for a non-dynamic OpenID Connect Server.
>
> Nat
>
> Thanks,
> prateek
>
> I have written a short blog post titled "Write an OpenID Connect server
> in three simple steps
> <http://nat.sakimura.org/2013/07/28/write-openid-connect-server-in-three-simple-steps/>".
>
> Really, there is not much you need to do on top of OAuth 2.0.
>
> It puzzles me why you need to create a draft with only minor variances in
> parameter names.
>
> e.g.,
>
> session instead of id_token
> lat instead of iat
> alv instead of acr
> etc.
>
> If you change those parameter names, you will have a conformant profile of
> OpenID Connect.
>
> Nat
>
> 2013/7/31 John Bradley <ve7jtb@ve7jtb.com>
>
> Connect doesn't require a userinfo endpoint. It is required for
> interoperability if you are building an open IdP. For an enterprise type
> deployment discovery, registration, userinfo are all optional.
>
> The server is required to pass the nonce which is equivalent to a request
> ID through to the JWT if the client sends it in the request.
>
> Justin is correct.
>
> John B.
>
> On 2013-07-30, at 5:30 PM, Phil Hunt <phil.hunt@oracle.com> wrote:
>
> Forgot reply all.
>
> Phil
>
> Begin forwarded message:
>
> *From:* Phil Hunt <phil.hunt@oracle.com>
> *Date:* 30 July, 2013 17:25:46 GMT+02:00
> *To:* "Richer, Justin P." <jricher@mitre.org>
> *Subject:* *Re: [OAUTH-WG] New Version Notification for
> draft-hunt-oauth-v2-user-a4c-00.txt*
>
> The whole point is authn only. Many do not want or need the userinfo
> endpoint.
>
> Phil
>
> On 2013-07-30, at 17:17, "Richer, Justin P." <jricher@mitre.org> wrote:
>
> What do you mean? You absolutely can implement a compliant OIDC server
> nearly as simply as this. The things that you're missing I think are
> necessary for basic interoperable functionality, and are things that other
> folks using OAuth for authentication have also implemented. Namely:
>
> - Signing the ID token (OIDC specifies the RS256 flavor of JWS, which is
> easy to do with JWT). Without a signed and verifiable ID token or
> equivalent, you're asking for all kinds of token injection problems.
>
> - Session management requests (max auth age, auth time)
>
> - Not fall over with other parameters that you don't support (display,
> prompt, etc).
>
> See here for more information:
>
> http://openid.net/specs/openid-connect-messages-1_0.html#ServerMTI
>
> Additionally, something that's really important to support is the User
> Info Endpoint, so you can actually get user profile information beyond just
> the simple "someone was here" claim -- this was the real value of Facebook
> Connect from an RP's perspective. Some people will probably want to use
> SCIM for this, too, and that's fine.
>
> -- Justin
>
> On Jul 30, 2013, at 10:54 AM, Phil Hunt <phil.hunt@oracle.com> wrote:
>
> The oidc specs do not allow this simple an implementation. The spec
> members have not shown interest in making changes as they say they are too
> far down the road.
>
> I have tried to make my draft as close as possible to oidc but maybe it
> shouldn't be clarity wise. I am interested in what the group feels is
> clearest.
>
> From an ietf perspective the concern is improper use of the 6749 for
> authn. Is this a bug or gap we need to address?
>
> Phil
>
> On 2013-07-30, at 16:46, "Richer, Justin P." <jricher@mitre.org> wrote:
>
> From what I read, you've defined something that uses an OAuth 2 code
> flow to get an extra token which is specified as a JWT. You named it
> "session_token" instead of "id_token", and you've left off the User
> Information Endpoint -- but other than that, this is exactly the Basic
> Client for OpenID Connect. In other words, if you change the names on
> things you've got OIDC, but without the capabilities to go beyond a very
> basic "hey there's a user here" claim. This is the same place that OpenID
> 2.0 started, and it was very, very quickly extended with SREG, AX, PAPE,
> and others for it to be useful in the real world of distributed logins.
> You've also left out discovery and registration which are required for
> distributed deployments, but I'm guessing that those would be modular
> components that could be added in (like they are in OIDC).
>
> I've heard complaints that OIDC is complicated, but it's really not. Yes,
> I agree that the giant stack of documents is intimidating and in my opinion
> it's a bit of a mess with Messages and Standard split up (but I lost that
> argument years ago). However, at the core, you've got an OAuth2
> authorization server that spits out access tokens and id tokens. The id
> token is a JWT with some known claims (iss, sub, etc) and is issued
> alongside the access token, and its audience is the *client* and not the
> *protected resource*. The access token is a regular old access token and
> its format is undefined (so you can use it with an existing OAuth2 server
> setup, like we have), and it can be used at the User Info Endpoint to get
> profile information about the user who authenticated. It could also be used
> for other services if your AS/IdP protects multiple things.
>
> So I guess what I'm missing is what's the value proposition in this spec
> when we have something that can do this already? And this doesn't seem to
> do anything different (apart from syntax changes)?
>
> -- Justin
>
> On Jul 29, 2013, at 4:14 AM, Phil Hunt <phil.hunt@oracle.com> wrote:
>
> FYI.  I have been noticing a substantial number of sites acting as OAuth
> Clients using OAuth to authenticate users.
>
> I know several of us have blogged on the issue over the past year so I
> won't re-hash it here.  In short, many of us recommended OIDC as the
> correct methodology.
>
> Nevertheless, I've spoken with a number of service providers who
> indicate they are not ready to make the jump to OIDC, yet they agree there
> is a desire to support authentication only (whereas OIDC does IDP-like
> services).
>
> This draft is intended as a minimum authentication only specification.
> I've tried to make it as compatible as possible with OIDC.
>
> For now, I've just posted to keep track of the issue so we can address at
> the next re-chartering.
>
> Happy to answer questions and discuss.
>
> Phil
>
> @independentid
> www.independentid.com
> phil.hunt@oracle.com
>
> Begin forwarded message:
>
> *From:* internet-drafts@ietf.org
> *Subject: New Version Notification for draft-hunt-oauth-v2-user-a4c-00.txt*
> *Date:* 29 July, 2013 9:49:41 AM GMT+02:00
> *To:* Phil Hunt <phil.hunt@yahoo.com>, Phil Hunt <None@ietfa.amsl.com>,
> Phil Hunt <>
>
> A new version of I-D, draft-hunt-oauth-v2-user-a4c-00.txt
> has been successfully submitted by Phil Hunt and posted to the
> IETF repository.
>
> Filename: draft-hunt-oauth-v2-user-a4c
> Revision: 00
> Title: OAuth 2.0 User Authentication For Client
> Creation date: 2013-07-29
> Group: Individual Submission
> Number of pages: 9
> URL:
> http://www.ietf.org/internet-drafts/draft-hunt-oauth-v2-user-a4c-00.txt
> Status:
> http://datatracker.ietf.org/doc/draft-hunt-oauth-v2-user-a4c
> Htmlized:
> http://tools.ietf.org/html/draft-hunt-oauth-v2-user-a4c-00
>
> Abstract:
>   This specification defines a new OAuth2 endpoint that enables user
>   authentication session information to be shared with client
>   applications.
>
> Please note that it may take a couple of minutes from the time of
> submission
> until the htmlized version and diff are available at tools.ietf.org.
>
> The IETF Secretariat
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>
> --
> Nat Sakimura (=nat)
> Chairman, OpenID Foundation
> http://nat.sakimura.org/
> @_nat_en



-- 
Nat Sakimura (=nat)
Chairman, OpenID Foundation
http://nat.sakimura.org/
@_nat_en
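
[Added example, not part of the original message and not code from any project or draft discussed in the thread.] The quoted points that an ID token must be signed and verifiable, that its audience is the client, and that the request nonce is passed through to the JWT, shown as the checks a client runs before treating a token as a login. Assumptions: HS256 with a shared client secret is used to stay standard-library only (the thread cites RS256 as what OIDC specifies); the issuer URL, client ids, nonces, secret and the make_token/validate_id_token names are constructed for illustration.

```python
import base64
import hashlib
import hmac
import json
import time


class IdTokenError(Exception):
    """Raised when an ID token must not be used to log the user in."""


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_token(header: dict, claims: dict, secret: bytes) -> str:
    """Issuer side (constructed for the demo): compact JWS, HS256 or unsigned."""
    head = b64url_encode(json.dumps(header).encode())
    body = b64url_encode(json.dumps(claims).encode())
    sig = b""
    if header.get("alg") == "HS256":
        sig = hmac.new(secret, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{b64url_encode(sig)}"


def validate_id_token(token, *, secret, issuer, client_id, nonce,
                      max_age=None, now=None, leeway=60):
    """Client side: return the claims only if every check passes."""
    now = time.time() if now is None else now
    try:
        head, body, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(head))
        claims = json.loads(b64url_decode(body))
        sig = b64url_decode(sig_b64)
    except ValueError as exc:  # wrong part count, bad base64, bad JSON
        raise IdTokenError("malformed token") from exc
    if not isinstance(header, dict) or not isinstance(claims, dict):
        raise IdTokenError("malformed token")
    # The verifier pins the algorithm; the token does not get to choose it.
    if header.get("alg") != "HS256":
        raise IdTokenError("unexpected alg")
    expected = hmac.new(secret, f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        raise IdTokenError("bad signature")
    if claims.get("iss") != issuer:
        raise IdTokenError("wrong issuer")
    # The audience of an ID token is the client, not a protected resource.
    aud = claims.get("aud")
    if client_id not in (aud if isinstance(aud, list) else [aud]):
        raise IdTokenError("issued to a different client")
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or now >= exp + leeway:
        raise IdTokenError("expired")
    # The nonce sent in the request must come back in the token.
    if claims.get("nonce") != nonce:
        raise IdTokenError("nonce mismatch")
    if max_age is not None:
        auth_time = claims.get("auth_time")
        if not isinstance(auth_time, (int, float)) or now - auth_time > max_age + leeway:
            raise IdTokenError("authentication too old")
    return claims


def demo():
    """Run constructed tokens through the client-side checks."""
    secret, now = b"constructed-demo-secret", 1_375_373_265
    base = {"iss": "https://as.example", "sub": "user-42", "aud": "client-a",
            "exp": now + 300, "iat": now, "auth_time": now - 30, "nonce": "n-123"}
    hs256 = {"alg": "HS256", "typ": "JWT"}
    cases = {
        "good": make_token(hs256, base, secret),
        "other_client": make_token(hs256, {**base, "aud": "client-b"}, secret),
        "unsigned": make_token({"alg": "none"}, base, secret),
        "replayed_nonce": make_token(hs256, {**base, "nonce": "n-old"}, secret),
        "stale_login": make_token(hs256, {**base, "auth_time": now - 7200}, secret),
    }
    results = {}
    for name, token in cases.items():
        try:
            validate_id_token(token, secret=secret, issuer="https://as.example",
                              client_id="client-a", nonce="n-123", max_age=600, now=now)
            results[name] = "accepted"
        except IdTokenError as err:
            results[name] = str(err)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The "other_client" case is the one a bare OAuth access token cannot catch: the token is validly signed by the issuer, but it was minted for a different client.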

--001a1132f662ecb41604e2e50a88
Content-Type: text/html; charset=windows-1252
Content-Transfer-Encoding: quoted-printable

<div dir="ltr">Like Bill says, it can just be a profile of OpenID Connect.&nbsp;<div>IETF specs already reference OpenID Foundation specs.&nbsp;</div><div>It should not be a problem.&nbsp;</div><div>I do not think we want to fork.&nbsp;</div>
</div><div class=3D"gmail_extra"><br><br><div class=3D"gmail_quote">2013/8/=
1 Anthony Nadalin <span dir=3D"ltr">&lt;<a href=3D"mailto:tonynad@microsoft=
.com" target=3D"_blank">tonynad@microsoft.com</a>&gt;</span><br><blockquote=
 class=3D"gmail_quote" style=3D"margin:0 0 0 .8ex;border-left:1px #ccc soli=
d;padding-left:1ex">






<div lang=3D"EN-US" link=3D"blue" vlink=3D"purple">
<div>
<p class=3D"MsoNormal"><span style=3D"font-size:11.0pt;font-family:&quot;Ca=
libri&quot;,&quot;sans-serif&quot;;color:#1f497d">I believe it beneficial t=
o have a common format and common values, and 1 way to handle the format an=
d values. I believe that having this in oauth is beneficial,
 I believe that it would also be beneficial for OpenID if this were in oaut=
h. There are cases for signed and unsigned formats.
<u></u><u></u></span></p>
<p class=3D"MsoNormal"><a name=3D"1403a4678daa8350__MailEndCompose"><span s=
tyle=3D"font-size:11.0pt;font-family:&quot;Calibri&quot;,&quot;sans-serif&q=
uot;;color:#1f497d"><u></u>=A0<u></u></span></a></p>
<div>
<div style=3D"border:none;border-top:solid #e1e1e1 1.0pt;padding:3.0pt 0in =
0in 0in">
<p class=3D"MsoNormal"><b><span style=3D"font-size:11.0pt;font-family:&quot=
;Calibri&quot;,&quot;sans-serif&quot;">From:</span></b><span style=3D"font-=
size:11.0pt;font-family:&quot;Calibri&quot;,&quot;sans-serif&quot;"> Richer=
, Justin P. [mailto:<a href=3D"mailto:jricher@mitre.org" target=3D"_blank">=
jricher@mitre.org</a>]
<br>
<b>Sent:</b> Thursday, August 1, 2013 7:15 AM<br>
<b>To:</b> Nat Sakimura<br>
<b>Cc:</b> Anthony Nadalin; Bill Mills; Prateek Mishra; <a href=3D"mailto:o=
auth@ietf.org" target=3D"_blank">oauth@ietf.org</a> WG</span></p><div><div =
class=3D"h5"><br>
<b>Subject:</b> Re: [OAUTH-WG] Need for Extending OAuth with AuthN (was Re:=
 Fwd: New Version Notification for draft-hunt-oauth-v2-user-a4c-00.txt)<u><=
/u><u></u></div></div><p></p>
</div>
</div><div><div class=3D"h5">
<p class=3D"MsoNormal"><u></u>=A0<u></u></p>
<p class=3D"MsoNormal">Also, it&#39;s (optionally) a token in the proposed =
document we&#39;re discussing (=A72.4.1), which means there are two ways to=
 parse the same information. OIDC uses JWTs for everything, signed and unsi=
gned. This means that OIDC is actually simpler
 from an implementation perspective, wouldn&#39;t you say? Instead of havin=
g two parsers, you have one to cover both cases.=A0
<u></u><u></u></p>
<div>
<p class=3D"MsoNormal"><u></u>=A0<u></u></p>
</div>
<div>
<p class=3D"MsoNormal">(And given your tendency to throw signed assertions =
at every problem, I would have thought that you&#39;d prefer this anyway.)
<u></u><u></u></p>
<div>
<p class=3D"MsoNormal"><u></u>=A0<u></u></p>
</div>
<div>
<p class=3D"MsoNormal">=A0-- Justin<u></u><u></u></p>
</div>
<div>
<p class=3D"MsoNormal"><u></u>=A0<u></u></p>
<div>
<div>
<p class=3D"MsoNormal">On Aug 1, 2013, at 9:40 AM, Nat Sakimura &lt;<a href=
=3D"mailto:sakimura@gmail.com" target=3D"_blank">sakimura@gmail.com</a>&gt;=
<u></u><u></u></p>
</div>
<div>
<p class=3D"MsoNormal">=A0wrote:<u></u><u></u></p>
</div>
<p class=3D"MsoNormal"><br>
<br>
<u></u><u></u></p>
<blockquote style=3D"margin-top:5.0pt;margin-bottom:5.0pt">
<div>
<div>
<p class=3D"MsoNormal">Yes, it is a Token.=A0<u></u><u></u></p>
</div>
<div>
<p class=3D"MsoNormal">No, it does not have to be signed.=A0<u></u><u></u><=
/p>
</div>
<div>
<p class=3D"MsoNormal"><u></u>=A0<u></u></p>
</div>
<div>
<p class=3D"MsoNormal" style=3D"margin-bottom:12.0pt">As to be a token or n=
ot to be a token question, it has been discussed in the WG before, and if I=
 remember correctly, =A0Microsoft argued for token saying that it is just b=
ase64 decoding and I lost there. =A0<u></u><u></u></p>

</div>
<div>
<p class=3D"MsoNormal">Nat<u></u><u></u></p>
</div>
<div>
<p class=3D"MsoNormal" style=3D"margin-bottom:12.0pt"><br>
On Aug 1, 2013, at 14:24, Anthony Nadalin &lt;<a href=3D"mailto:tonynad@mic=
rosoft.com" target=3D"_blank">tonynad@microsoft.com</a>&gt; wrote:<u></u><u=
></u></p>
</div>
<blockquote style=3D"margin-top:5.0pt;margin-bottom:5.0pt">
<p class=3D"MsoNormal"><span style=3D"font-size:11.0pt;font-family:&quot;Ca=
libri&quot;,&quot;sans-serif&quot;;color:#1f497d">You can=92t do this, firs=
t openid uses a token and second it=92s signed, third there is no specifica=
tion to just return an authentication JSON structure</span><u></u><u></u></p=
>

<p class=3D"MsoNormal"><span style=3D"font-size:11.0pt;font-family:&quot;Ca=
libri&quot;,&quot;sans-serif&quot;;color:#1f497d">=A0</span><u></u><u></u><=
/p>
<div>
<div style=3D"border:none;border-top:solid #e1e1e1 1.0pt;padding:3.0pt 0in =
0in 0in">
<p class=3D"MsoNormal"><b><span style=3D"font-size:11.0pt;font-family:&quot=
;Calibri&quot;,&quot;sans-serif&quot;">From:</span></b><span style=3D"font-=
size:11.0pt;font-family:&quot;Calibri&quot;,&quot;sans-serif&quot;"> Richer=
, Justin P. [<a href=3D"mailto:jricher@mitre.org" target=3D"_blank">mailto:=
jricher@mitre.org</a>]
<br>
<b>Sent:</b> Thursday, August 1, 2013 5:15 AM<br>
<b>To:</b> Anthony Nadalin<br>
<b>Cc:</b> Bill Mills; Prateek Mishra; Nat Sakimura; <a href=3D"mailto:oaut=
h@ietf.org" target=3D"_blank">
oauth@ietf.org</a> WG<br>
<b>Subject:</b> Re: [OAUTH-WG] Need for Extending OAuth with AuthN (was Re:=
 Fwd: New Version Notification for draft-hunt-oauth-v2-user-a4c-00.txt)</sp=
an><u></u><u></u></p>
</div>
</div>
<div>
<p class=3D"MsoNormal">=A0<u></u><u></u></p>
</div>
<p class=3D"MsoNormal">Tony, you can already return the authn result from t=
he token request (we discussed this specifically in May as I recall). That&=
#39;s what the &quot;idtoken&quot; and &quot;code idtoken&quot; responses a=
re for in OpenID Connect. The proposed draft is nearly a duplicate
 of the core functionality of OIDC. <u></u><u></u></p>
<div>
<div>
<p class=3D"MsoNormal">=A0<u></u><u></u></p>
</div>
</div>
<div>
<p class=3D"MsoNormal">=A0-- Justin<u></u><u></u></p>
</div>
<div>
<div>
<p class=3D"MsoNormal">=A0<u></u><u></u></p>
</div>
<div>
<div>
<p class=3D"MsoNormal">On Aug 1, 2013, at 7:31 AM, Anthony Nadalin &lt;<a h=
ref=3D"mailto:tonynad@microsoft.com" target=3D"_blank">tonynad@microsoft.co=
m</a>&gt;<u></u><u></u></p>
</div>
<div>
<p class=3D"MsoNormal">=A0wrote:<u></u><u></u></p>
</div>
<p class=3D"MsoNormal" style=3D"margin-bottom:12.0pt"><u></u>=A0<u></u></p>
<blockquote style=3D"margin-top:5.0pt;margin-bottom:5.0pt">
<div>
<div>
<p class=3D"MsoNormal"><span style=3D"font-size:11.0pt;font-family:&quot;Ca=
libri&quot;,&quot;sans-serif&quot;;color:#1f497d">The proposal does not dup=
licate what OpenID does, there is clear benefit for returning an authentica=
tion result in the token request result. This is being proposed
 as an optional JSON structure.</span><u></u><u></u></p>
</div>
<div>
<div>
<p class=3D"MsoNormal"><span style=3D"font-size:11.0pt;font-family:&quot;Ca=
libri&quot;,&quot;sans-serif&quot;;color:#1f497d">=A0</span><u></u><u></u><=
/p>
</div>
</div>
<div>
<div style=3D"border:none;border-top:solid #e1e1e1 1.0pt;padding:3.0pt 0in =
0in 0in">
<div>
<p class=3D"MsoNormal"><b><span style=3D"font-size:11.0pt;font-family:&quot=
;Calibri&quot;,&quot;sans-serif&quot;">From:</span></b><span><span style=3D=
"font-size:11.0pt;font-family:&quot;Calibri&quot;,&quot;sans-serif&quot;">=
=A0</span></span><span style=3D"font-size:11.0pt;font-family:&quot;Calibri&=
quot;,&quot;sans-serif&quot;"><a href=3D"mailto:oauth-bounces@ietf.org" tar=
get=3D"_blank"><span style=3D"color:purple">oauth-bounces@ietf.org</span></=
a><span>=A0</span>[mailto:<a href=3D"mailto:oauth-" target=3D"_blank">oauth=
-</a><a href=3D"mailto:bounces@ietf.org" target=3D"_blank"><span style=3D"c=
olor:purple">bounces@ietf.org</span></a>]<span>=A0</span><b>On
 Behalf Of<span>=A0</span></b>Bill Mills<br>
<b>Sent:</b><span>=A0</span>Wednesday, July 31, 2013 2:50 PM<br>
<b>To:</b><span>=A0</span>Prateek Mishra; Nat Sakimura<br>
<b>Cc:</b><span>=A0</span><a href=3D"mailto:oauth@ietf.org" target=3D"_blan=
k"><span style=3D"color:purple">oauth@ietf.org</span></a><span>=A0</span>WG=
<br>
<b>Subject:</b><span>=A0</span>Re: [OAUTH-WG] Need for Extending OAuth with=
 AuthN (was Re: Fwd: New Version Notification for draft-hunt-oauth-v2-user-=
a4c-00.txt)</span><u></u><u></u></p>
</div>
</div>
</div>
<div>
<div>
<p class=3D"MsoNormal">=A0<u></u><u></u></p>
</div>
</div>
<div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white"><span style=3D"font-famil=
y:&quot;Courier New&quot;">Rather than extending OAuth for something OpenID=
 already does... =A0why don&#39;t we get a simple informational example doc=
 to show how to implement the most basic OpenID service,
 which is the same functionality on a standard that&#39;s already written?<=
/span><u></u><u></u></p>
</div>
</div>
<div>
<div>
<div>
<p class=3D"MsoNormal"><span style=3D"font-family:&quot;Courier New&quot;">=
=A0</span><u></u><u></u></p>
</div>
</div>
</div>
<div>
<div>
<p class=3D"MsoNormal"><span style=3D"font-family:&quot;Courier New&quot;">=
This is sounding more and more like a documentation problem.</span><u></u><=
u></u></p>
</div>
</div>
<div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white"><span style=3D"font-famil=
y:&quot;Courier New&quot;">=A0</span><u></u><u></u></p>
</div>
</div>
</div>
<div>
<div>
<div class=3D"MsoNormal" align=3D"center" style=3D"text-align:center;backgr=
ound:white">
<hr size=3D"1" width=3D"100%" align=3D"center">
</div>
<div>
<p class=3D"MsoNormal" style=3D"background:white"><b><span style=3D"font-si=
ze:10.0pt;font-family:&quot;Arial&quot;,&quot;sans-serif&quot;">From:</span=
></b><span><span style=3D"font-size:10.0pt;font-family:&quot;Arial&quot;,&q=
uot;sans-serif&quot;">=A0</span></span><span style=3D"font-size:10.0pt;font=
-family:&quot;Arial&quot;,&quot;sans-serif&quot;">Prateek
 Mishra &lt;<a href=3D"mailto:prateek.mishra@oracle.com" target=3D"_blank">=
<span style=3D"color:purple">prateek.mishra@oracle.com</span></a>&gt;<br>
<b>To:</b><span>=A0</span>Nat Sakimura &lt;<a href=3D"mailto:sakimura@gmail=
.com" target=3D"_blank"><span style=3D"color:purple">sakimura@gmail.com</sp=
an></a>&gt;<span>=A0</span><br>
<b>Cc:</b><span>=A0</span>&quot;<a href=3D"mailto:oauth@ietf.org%20WG" targ=
et=3D"_blank"><span style=3D"color:purple">oauth@ietf.org WG</span></a>&quo=
t; &lt;<a href=3D"mailto:oauth@ietf.org" target=3D"_blank"><span style=3D"c=
olor:purple">oauth@ietf.org</span></a>&gt;<span>=A0</span><br>

<b>Sent:</b><span>=A0</span>Wednesday, July 31, 2013 2:38 PM<br>
<b>Subject:</b><span>=A0</span>[OAUTH-WG] Need for Extending OAuth with Aut=
hN (was Re: Fwd: New Version Notification for draft-hunt-oauth-v2-user-a4c-=
00.txt)</span><u></u><u></u></p>
</div>
</div>
<div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">=A0<u></u><u></u></p>
</div>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">Nat -<span>=A0</span><br>
<br>
thanks for the detailed response. I did review the links you sent out but i=
t remained unclear to me which<br>
features are MTI and which are not. For example, there is nothing in the Ba=
sic Client Profile that suggests<br>
that Section 2.3 is optional. I also could not find any definition for &quo=
t; non-dynamic OpenID Connect Server&quot;.<br>
<br>
I don&#39;t think there is a need to duplicate portions of the draft specificati=
on text in a new document. One solution<br>
that was used in SAML 2.0 was to define a conformance document which descri=
bed several different<span>=A0</span><br>
operational modes and explained how only a small set of features needed to =
be implemented in certain modes.<br>
<br>
<a href=3D"http://docs.oasis-open.org/security/saml/v2.0/saml-conformance-2=
.0-os.pdf" target=3D"_blank"><span style=3D"color:purple">http://docs.oasis=
-open.org/security/saml/v2.0/saml-conformance-2.0-os.pdf</span></a><br>
<br>
There are probably other smarter ways to achieve the same effect.<br>
<br>
Given this situation, I do think it&#39;s a reasonable task for the OAuth commun=
ity to consider the need for<span>=A0</span><br>
a minimal extension to OAuth that accommodates authentication. The communit=
y should be made aware that<span>=A0</span><br>
RFC 6749 is being misused for federated authentication, as explained in=A0 =
-=A0<span>=A0</span><br>
<br>
<a href=3D"http://www.independentid.com/2013/07/simple-authentication-for-o=
auth-2-what.html" target=3D"_blank"><span style=3D"color:purple">http://www=
.independentid.com/2013/07/simple-authentication-for-oauth-2-what.html</spa=
n></a><span>=A0</span><br>

<br>
and that there doesn&#39;t appear to be a simple solution that is currently=
 available. It would be great if it turned<br>
out that OpenID Connect offered such a solution but that isn&#39;t clear to=
 me.<br>
<br>
Thx,<br>
prateek<u></u><u></u></p>
</div>
<div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">=A0<u></u><u></u></p>
</div>
</div>
</div>
<blockquote style=3D"margin-top:5.0pt;margin-bottom:5.0pt">
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">=A0<u></u><u></u></p>
</div>
</div>
<div>
<p class=3D"MsoNormal" style=3D"margin-bottom:12.0pt;background:white;backg=
round-repeat:initial initial">
Inline:=A0<u></u><u></u></p>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">2013/7/31 Prateek Mishra =
&lt;<a href=3D"mailto:prateek.mishra@oracle.com" target=3D"_blank"><span st=
yle=3D"color:purple">prateek.mishra@oracle.com</span></a>&gt;<u></u><u></u>=
</p>
</div>
<blockquote style=3D"border:none;border-left:solid #cccccc 1.0pt;padding:0i=
n 0in 0in 6.0pt;margin-left:4.8pt;margin-top:5.0pt;margin-right:0in;margin-=
bottom:5.0pt">
<div>
<p class=3D"MsoNormal" style=3D"background:white">Nat -<span>=A0</span><br>
<br>
your blog posting is helpful to those of us who are looking for a minimal e=
xtension of OAuth with<span>=A0</span><br>
an authenticator.=A0 Many implementors are seeking a modest extension of OA=
uth, not an entire new protocol<br>
stack. =A0 I believe that is the point of Phil Hunt&#39;s proposal to the O=
Auth committee.<br>
<br>
I do have some questions about the statements made in the blog -<span>=
=A0</span><br>
<br>
A) Can you direct me to a single OpenID Connect draft specification documen=
t where steps 1 and 2 are described?<u></u><u></u></p>
</div>
</blockquote>
<div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">=A0<u></u><u></u></p>
</div>
</div>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">Actually, it is not a sin=
gle spec, that the Standard is referencing others.=A0<u></u><u></u></p>
</div>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">The Standard is kind of c=
luttered because it has 6 response types and three request types in it.=A0<=
u></u><u></u></p>
</div>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">I suppose it would be muc=
h easier for the readers to split them into coherent pieces, though that me=
ans duplicate texts.=A0<u></u><u></u></p>
</div>
</div>
<div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">=A0<u></u><u></u></p>
</div>
</div>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">The easiest approach here=
 is to read the Basic Client Profile.=A0<a href=3D"http://openid.net/specs/=
openid-connect-basic-1_0-28.html" target=3D"_blank"><span style=3D"color:pu=
rple">http://openid.net/specs/openid-connect-basic-1_0-28.html</span></a><u=
></u><u></u></p>

</div>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">Then, read=A0OAuth 2.0 Mu=
ltiple Response Type Encoding Practices=A0<a href=3D"http://openid.net/spec=
s/oauth-v2-multiple-response-types-1_0-08.html" target=3D"_blank"><span sty=
le=3D"color:purple">http://openid.net/specs/oauth-v2-multiple-response-type=
s-1_0-08.html</span></a>=A0.=A0<u></u><u></u></p>

</div>
</div>
<div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">=A0<u></u><u></u></p>
</div>
</div>
</div>
<blockquote style=3D"border:none;border-left:solid #cccccc 1.0pt;padding:0i=
n 0in 0in 6.0pt;margin-left:4.8pt;margin-top:5.0pt;margin-right:0in;margin-=
bottom:5.0pt">
<div>
<p class=3D"MsoNormal" style=3D"background:white"><br>
B) If I implement steps 1 and 2, do I then have a conformant OpenID Connect=
 implementation? Are there no<span>=A0</span><br>
other MTI protocol exchanges in OpenID Connect?<u></u><u></u></p>
</div>
</blockquote>
<div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">=A0<u></u><u></u></p>
</div>
</div>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">Yes, for a non-dynamic Op=
enID Connect Server.=A0<u></u><u></u></p>
</div>
</div>
<div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">=A0<u></u><u></u></p>
</div>
</div>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">Nat<u></u><u></u></p>
</div>
</div>
<div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">=A0=A0<u></u><u></u></p>
</div>
</div>
</div>
<blockquote style=3D"border:none;border-left:solid #cccccc 1.0pt;padding:0i=
n 0in 0in 6.0pt;margin-left:4.8pt;margin-top:5.0pt;margin-right:0in;margin-=
bottom:5.0pt">
<div>
<p class=3D"MsoNormal" style=3D"background:white"><br>
Thanks,<br>
prateek<u></u><u></u></p>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white"><br>
<br>
=A0 =A0<u></u><u></u></p>
</div>
<div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">=A0<u></u><u></u></p>
</div>
</div>
</div>
<blockquote style=3D"margin-top:5.0pt;margin-bottom:5.0pt">
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">I have written a short bl=
og post titled &quot;<a href=3D"http://nat.sakimura.org/2013/07/28/write-op=
enid-connect-server-in-three-simple-steps/" target=3D"_blank"><span style=
=3D"color:purple">Write an OpenID Connect server
 in three simple steps</span></a>&quot;.=A0<u></u><u></u></p>
</div>
<div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">=A0<u></u><u></u></p>
</div>
</div>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">Really, there is not much=
 you need to do on top of OAuth 2.0.=A0<u></u><u></u></p>
</div>
</div>
<div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">=A0<u></u><u></u></p>
</div>
</div>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">It puzzles me why you nee=
d to create a draft with only minor variances in parameter names.=A0<u></u>=
<u></u></p>
</div>
</div>
<div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">=A0<u></u><u></u></p>
</div>
</div>
</div>
<blockquote style=3D"margin-left:30.0pt;margin-top:5.0pt;margin-right:0in;m=
argin-bottom:5.0pt">
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">e.g.,=A0<u></u><u></u></p=
>
</div>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">session instead of id_tok=
en<u></u><u></u></p>
</div>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">lat instead of iat<u></u>=
<u></u></p>
</div>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">alv instead of acr<u></u>=
<u></u></p>
</div>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">etc.=A0<u></u><u></u></p>
</div>
</div>
</blockquote>
<div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">=A0<u></u><u></u></p>
</div>
</div>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">If you change those param=
eter names, you will have a conformant profile of OpenID Connect.=A0<u></u>=
<u></u></p>
</div>
</div>
<div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">=A0<u></u><u></u></p>
</div>
</div>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">Nat<u></u><u></u></p>
</div>
</div>
</div>
<div>
<div style=3D"margin-bottom:12.0pt;background-repeat:initial initial">
<p class=3D"MsoNormal" style=3D"background:white">=A0<u></u><u></u></p>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">2013/7/31 John Bradley &l=
t;<a href=3D"mailto:ve7jtb@ve7jtb.com" target=3D"_blank"><span style=3D"col=
or:purple">ve7jtb@ve7jtb.com</span></a>&gt;<u></u><u></u></p>
</div>
<blockquote style=3D"border:none;border-left:solid #cccccc 1.0pt;padding:0i=
n 0in 0in 6.0pt;margin-left:4.8pt;margin-top:5.0pt;margin-right:0in;margin-=
bottom:5.0pt">
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">Connect doesn&#39;t requi=
re a userinfo endpoint. =A0 It is required for interoperability if you are =
building an open IdP. =A0 For an enterprise type deployment discovery, regi=
stration, userinfo are all optional.<u></u><u></u></p>

</div>
<div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">=A0<u></u><u></u></p>
</div>
</div>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">The server is required to=
 pass the nonce which is equivalent to a request ID through to the JWT if t=
he client sends it in the request.<u></u><u></u></p>
</div>
</div>
<div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">=A0<u></u><u></u></p>
</div>
</div>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">Justin is correct.<u></u>=
<u></u></p>
</div>
</div>
<div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">=A0<u></u><u></u></p>
</div>
</div>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">John B.<u></u><u></u></p>
</div>
<div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">=A0<u></u><u></u></p>
</div>
</div>
<div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">On 2013-07-30, at 5:30 PM=
, Phil Hunt &lt;<a href=3D"mailto:phil.hunt@oracle.com" target=3D"_blank"><=
span style=3D"color:purple">phil.hunt@oracle.com</span></a>&gt; wrote:<u></=
u><u></u></p>

</div>
</div>
<div>
<p class=3D"MsoNormal" style=3D"margin-bottom:12.0pt;background:white"><br>
<br>
<u></u><u></u></p>
</div>
<blockquote style=3D"margin-top:5.0pt;margin-bottom:5.0pt">
<div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">Forgot reply all.<br>
<br>
Phil<u></u><u></u></p>
</div>
</div>
<div>
<p class=3D"MsoNormal" style=3D"margin-bottom:12.0pt;background:white;backg=
round-repeat:initial initial">
<br>
Begin forwarded message:<u></u><u></u></p>
</div>
<blockquote style=3D"margin-top:5.0pt;margin-bottom:5.0pt">
<p class=3D"MsoNormal" style=3D"margin-bottom:12.0pt;background:white;backg=
round-repeat:initial initial">
<b>From:</b><span>=A0</span>Phil Hunt &lt;<a href=3D"mailto:phil.hunt@oracl=
e.com" target=3D"_blank"><span style=3D"color:purple">phil.hunt@oracle.com<=
/span></a>&gt;<br>
<b>Date:</b><span>=A0</span>30 July, 2013 17:25:46 GMT+02:00<br>
<b>To:</b><span>=A0</span>&quot;Richer, Justin P.&quot; &lt;<a href=3D"mail=
to:jricher@mitre.org" target=3D"_blank"><span style=3D"color:purple">jriche=
r@mitre.org</span></a>&gt;<br>
<b>Subject:</b><span>=A0</span><b>Re: [OAUTH-WG] New Version Notification f=
or draft-hunt-oauth-v2-user-a4c-00.txt</b><u></u><u></u></p>
</blockquote>
<blockquote style=3D"margin-top:5.0pt;margin-bottom:5.0pt">
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">The whole point is authn =
only. Many do not want or need the userinfo endpoint.=A0<br>
<br>
Phil<u></u><u></u></p>
</div>
</div>
<div>
<p class=3D"MsoNormal" style=3D"margin-bottom:12.0pt;background:white;backg=
round-repeat:initial initial">
<br>
On 2013-07-30, at 17:17, &quot;Richer, Justin P.&quot; &lt;<a href=3D"mailt=
o:jricher@mitre.org" target=3D"_blank"><span style=3D"color:purple">jricher=
@mitre.org</span></a>&gt; wrote:<u></u><u></u></p>
</div>
<blockquote style=3D"margin-top:5.0pt;margin-bottom:5.0pt">
<div>
<p class=3D"MsoNormal" style=3D"background:white">What do you mean? You abs=
olutely can implement a compliant OIDC server nearly as simply as this. The=
 things that you&#39;re missing I think are necessary for basic interoperab=
le functionality, and are things that other
 folks using OAuth for authentication have also implemented. Namely:<u></u>=
<u></u></p>
</div>
<div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">=A0<u></u><u></u></p>
</div>
</div>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">=A0- Signing the ID token=
 (OIDC specifies the RS256 flavor of JWS, which is easy to do with JWT). Wi=
thout a signed and verifiable ID token or equivalent, you&#39;re asking for=
 all kinds of token injection problems.<u></u><u></u></p>

</div>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">=A0- Session management r=
equests (max auth age, auth time)<u></u><u></u></p>
</div>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">=A0- Not fall over with o=
ther parameters that you don&#39;t support (display, prompt, etc).<u></u><u=
></u></p>
</div>
</div>
<div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">=A0<u></u><u></u></p>
</div>
</div>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">See here for more informa=
tion:<u></u><u></u></p>
</div>
</div>
<div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">=A0<u></u><u></u></p>
</div>
</div>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">=A0<a href=3D"http://open=
id.net/specs/openid-connect-messages-1_0.html#ServerMTI" target=3D"_blank">=
<span style=3D"color:purple">http://openid.net/specs/openid-connect-message=
s-1_0.html#ServerMTI</span></a><u></u><u></u></p>

</div>
</div>
<div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">=A0<u></u><u></u></p>
</div>
</div>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">Additionally, something t=
hat&#39;s really important to support is the User Info Endpoint, so you can=
 actually get user profile information beyond just the simple &quot;someone=
 was here&quot; claim -- this was the real value of
 Facebook Connect from an RP&#39;s perspective. Some people will probably w=
ant to use SCIM for this, too, and that&#39;s fine.<u></u><u></u></p>
</div>
</div>
<div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">=A0<u></u><u></u></p>
</div>
</div>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">=A0-- Justin<u></u><u></u=
></p>
</div>
</div>
<div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">=A0<u></u><u></u></p>
</div>
</div>
<div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">On Jul 30, 2013, at 10:54=
 AM, Phil Hunt &lt;<a href=3D"mailto:phil.hunt@oracle.com" target=3D"_blank=
"><span style=3D"color:purple">phil.hunt@oracle.com</span></a>&gt;<u></u><u=
></u></p>

</div>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">=A0wrote:<u></u><u></u></=
p>
</div>
</div>
<div>
<p class=3D"MsoNormal" style=3D"margin-bottom:12.0pt;background:white"><br>
<br>
<u></u><u></u></p>
</div>
<blockquote style=3D"margin-top:5.0pt;margin-bottom:5.0pt">
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">The oidc specs do not all=
ow this simple an implementation. The spec members have not shown interest =
in making changes as they say they are too far down the road.<u></u><u></u>=
</p>

</div>
</div>
<div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">=A0<u></u><u></u></p>
</div>
</div>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">I have tried to make my d=
raft as close as possible to oidc but maybe it shouldn&#39;t be clarity wis=
e. I am interested in what the group feels is clearest.=A0<u></u><u></u></p=
>

</div>
</div>
<div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">=A0<u></u><u></u></p>
</div>
</div>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">From an ietf perspective =
the concern is improper use of the 6749 for authn. Is this a bug or gap we =
need to address?<br>
<br>
Phil<u></u><u></u></p>
</div>
</div>
<div>
<p class=3D"MsoNormal" style=3D"margin-bottom:12.0pt;background:white;backg=
round-repeat:initial initial">
<br>
On 2013-07-30, at 16:46, &quot;Richer, Justin P.&quot; &lt;<a href=3D"mailt=
o:jricher@mitre.org" target=3D"_blank"><span style=3D"color:purple">jricher=
@mitre.org</span></a>&gt; wrote:<u></u><u></u></p>
</div>
<blockquote style=3D"margin-top:5.0pt;margin-bottom:5.0pt">
<div>
<p class=3D"MsoNormal" style=3D"background:white">From what I read, you&#39=
;ve defined something that uses an OAuth 2 code flow to get an extra token =
which is specified as a JWT. You named it &quot;session_token&quot; instead=
 of &quot;id_token&quot;, and you&#39;ve left off the User Information
 Endpoint -- but other than that, this is exactly the Basic Client for Open=
ID Connect. In other words, if you change the names on things you&#39;ve go=
t OIDC, but without the capabilities to go beyond a very basic &quot;hey th=
ere&#39;s a user here&quot; claim. This is the same
 place that OpenID 2.0 started, and it was very, very quickly extended with=
 SREG, AX, PAPE, and others for it to be useful in the real world of distri=
buted logins. You&#39;ve also left out discovery and registration which are=
 required for distributed deployments,
 but I&#39;m guessing that those would be modular components that could be =
added in (like they are in OIDC).=A0<u></u><u></u></p>
</div>
<div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">=A0<u></u><u></u></p>
</div>
</div>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">I&#39;ve heard complaints=
 that OIDC is complicated, but it&#39;s really not. Yes, I agree that the g=
iant stack of documents is intimidating and in my opinion it&#39;s a bit of=
 a mess with Messages and Standard split up (but
 I lost that argument years ago). However, at the core, you&#39;ve got an O=
Auth2 authorization server that spits out access tokens and id tokens. The =
id token is a JWT with some known claims (iss, sub, etc) and is issued alon=
gside the access token, and its audience
 is the *client* and not the *protected resource*. The access token is a re=
gular old access token and its format is undefined (so you can use it with =
an existing OAuth2 server setup, like we have), and it can be used at the U=
ser Info Endpoint to get profile
 information about the user who authenticated. It could also be used for ot=
her services if your AS/IdP protects multiple things.<u></u><u></u></p>
</div>
</div>
<div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">=A0<u></u><u></u></p>
</div>
</div>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">So I guess what I&#39;m m=
issing is what&#39;s the value proposition in this spec when we have someth=
ing that can do this already? And this doesn&#39;t seem to do anything diff=
erent (apart from syntax changes)?<u></u><u></u></p>

</div>
</div>
<div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">=A0<u></u><u></u></p>
</div>
</div>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">=A0-- Justin<u></u><u></u=
></p>
</div>
</div>
<div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">=A0<u></u><u></u></p>
</div>
</div>
<div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">On Jul 29, 2013, at 4:14 =
AM, Phil Hunt &lt;<a href=3D"mailto:phil.hunt@oracle.com" target=3D"_blank"=
><span style=3D"color:purple">phil.hunt@oracle.com</span></a>&gt; wrote:<u>=
</u><u></u></p>

</div>
</div>
<div>
<p class=3D"MsoNormal" style=3D"margin-bottom:12.0pt;background:white"><br>
<br>
<u></u><u></u></p>
</div>
<blockquote style=3D"margin-top:5.0pt;margin-bottom:5.0pt">
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">FYI. =A0I have been notic=
ing a substantial number of sites acting as OAuth Clients using OAuth to au=
thenticate users.<u></u><u></u></p>
</div>
<div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">=A0<u></u><u></u></p>
</div>
</div>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">I know several of us have=
 blogged on the issue over the past year so I won&#39;t re-hash it here. =
=A0In short, many of us recommended OIDC as the correct methodology.<u></u>=
<u></u></p>

</div>
</div>
<div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">=A0<u></u><u></u></p>
</div>
</div>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">Nevertheless, I&#39;ve =
spoken with a number of service providers who indicate they are not ready t=
o make the jump to OIDC, yet they agree there is a desire to support authen=
tication only (whereas OIDC does IDP-like
 services).<u></u><u></u></p>
</div>
</div>
<div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">=A0<u></u><u></u></p>
</div>
</div>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">This draft is intended as=
 a minimum authentication only specification. =A0I&#39;ve tried to make it =
as compatible as possible with OIDC.<u></u><u></u></p>
</div>
</div>
<div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">=A0<u></u><u></u></p>
</div>
</div>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">For now, I&#39;ve just po=
sted to keep track of the issue so we can address at the next re-chartering=
.<u></u><u></u></p>
</div>
</div>
<div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">=A0<u></u><u></u></p>
</div>
</div>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">Happy to answer questions=
 and discuss.=A0<u></u><u></u></p>
</div>
</div>
<div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">=A0<u></u><u></u></p>
</div>
</div>
</div>
<div>
<div>
<div>
<div>
<div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white"><span style=3D"font-size:=
9.0pt;font-family:&quot;Helvetica&quot;,&quot;sans-serif&quot;">Phil</span>=
<u></u><u></u></p>
</div>
</div>
<div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white"><span style=3D"font-size:=
9.0pt;font-family:&quot;Helvetica&quot;,&quot;sans-serif&quot;">=A0</span><=
u></u><u></u></p>
</div>
</div>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white"><span style=3D"font-size:=
9.0pt;font-family:&quot;Helvetica&quot;,&quot;sans-serif&quot;">@independen=
tid</span><u></u><u></u></p>
</div>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white"><span style=3D"font-size:=
9.0pt;font-family:&quot;Helvetica&quot;,&quot;sans-serif&quot;"><a href=3D"=
http://www.independentid.com/" target=3D"_blank"><span style=3D"color:purpl=
e">www.independentid.com</span></a></span><u></u><u></u></p>

</div>
</div>
</div>
<p class=3D"MsoNormal" style=3D"margin-bottom:13.5pt;background:white;backg=
round-repeat:initial initial">
<span style=3D"font-size:13.5pt;font-family:&quot;Helvetica&quot;,&quot;san=
s-serif&quot;"><a href=3D"mailto:phil.hunt@oracle.com" target=3D"_blank"><s=
pan style=3D"color:purple">phil.hunt@oracle.com</span></a></span><u></u><u>=
</u></p>

</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white"><span style=3D"font-size:=
13.5pt;font-family:&quot;Helvetica&quot;,&quot;sans-serif&quot;">=A0</span>=
<u></u><u></u></p>
</div>
</div>
</div>
<div>
<p class=3D"MsoNormal" style=3D"margin-bottom:12.0pt;background:white"><br>
<br>
<u></u><u></u></p>
</div>
</div>
<div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">=A0<u></u><u></u></p>
</div>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">Begin forwarded message:<=
u></u><u></u></p>
</div>
</div>
<div>
<p class=3D"MsoNormal" style=3D"margin-bottom:12.0pt;background:white"><br>
<br>
<u></u><u></u></p>
</div>
<blockquote style=3D"margin-top:5.0pt;margin-bottom:5.0pt">
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white"><b><span style=3D"font-si=
ze:13.5pt;font-family:&quot;Helvetica&quot;,&quot;sans-serif&quot;">From:</=
span></b><span style=3D"font-size:13.5pt;font-family:&quot;Helvetica&quot;,=
&quot;sans-serif&quot;"><a href=3D"mailto:internet-drafts@ietf.org" target=
=3D"_blank"><span style=3D"color:purple">internet-drafts@ietf.org</span></a=
></span><u></u><u></u></p>

</div>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white"><b><span style=3D"font-si=
ze:13.5pt;font-family:&quot;Helvetica&quot;,&quot;sans-serif&quot;">Subject=
: New Version Notification for draft-hunt-oauth-v2-user-a4c-00.txt</span></=
b><u></u><u></u></p>

</div>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white"><b><span style=3D"font-si=
ze:13.5pt;font-family:&quot;Helvetica&quot;,&quot;sans-serif&quot;">Date:</=
span></b><span style=3D"font-size:13.5pt;font-family:&quot;Helvetica&quot;,=
&quot;sans-serif&quot;">29 July, 2013 9:49:41 AM GMT+02:00</span><u></u><u>=
</u></p>

</div>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white"><b><span style=3D"font-si=
ze:13.5pt;font-family:&quot;Helvetica&quot;,&quot;sans-serif&quot;">To:</sp=
an></b><span style=3D"font-size:13.5pt;font-family:&quot;Helvetica&quot;,&q=
uot;sans-serif&quot;">Phil Hunt &lt;<a href=3D"mailto:phil.hunt@yahoo.com" =
target=3D"_blank"><span style=3D"color:purple">phil.hunt@yahoo.com</span></=
a>&gt;,
 Phil Hunt &lt;<a href=3D"mailto:None@ietfa.amsl.com" target=3D"_blank"><sp=
an style=3D"color:purple">None@ietfa.amsl.com</span></a>&gt;, Phil Hunt &lt=
;&gt;</span><u></u><u></u></p>
</div>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">=A0<u></u><u></u></p>
</div>
</div>
<div>
<p class=3D"MsoNormal" style=3D"margin-bottom:12.0pt;background:white;backg=
round-repeat:initial initial">
<br>
A new version of I-D, draft-hunt-oauth-v2-user-a4c-00.txt<br>
has been successfully submitted by Phil Hunt and posted to the<br>
IETF repository.<br>
<br>
Filename: draft-hunt-oauth-v2-user-a4c<br>
Revision: 00<br>
Title: OAuth 2.0 User Authentication For Client<br>
Creation date: 2013-07-29<br>
Group: Individual Submission<br>
Number of pages: 9<br>
URL: =A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0<a href=3D"http://www.ietf.org/int=
ernet-drafts/draft-hunt-oauth-v2-user-a4c-00.txt" target=3D"_blank"><span s=
tyle=3D"color:purple">http://www.ietf.org/internet-drafts/draft-hunt-oauth-=
v2-user-a4c-00.txt</span></a><br>

Status: =A0=A0=A0=A0=A0=A0=A0=A0=A0<a href=3D"http://datatracker.ietf.org/d=
oc/draft-hunt-oauth-v2-user-a4c" target=3D"_blank"><span style=3D"color:pur=
ple">http://datatracker.ietf.org/doc/draft-hunt-oauth-v2-user-a4c</span></a=
><br>
Htmlized: =A0=A0=A0=A0=A0=A0=A0<a href=3D"http://tools.ietf.org/html/draft-=
hunt-oauth-v2-user-a4c-00" target=3D"_blank"><span style=3D"color:purple">h=
ttp://tools.ietf.org/html/draft-hunt-oauth-v2-user-a4c-00</span></a><br>
<br>
<br>
Abstract:<br>
=A0=A0This specification defines a new OAuth2 endpoint that enables user<br=
>
=A0=A0authentication session information to be shared with client<br>
=A0=A0applications.<br>
<br>
<br>
<br>
<br>
Please note that it may take a couple of minutes from the time of submissio=
n<br>
until the htmlized version and diff are available at<a href=3D"http://tools=
.ietf.org/" target=3D"_blank"><span style=3D"color:purple">tools.ietf.org</=
span></a>.<br>
<br>
The IETF Secretariat<u></u><u></u></p>
</div>
</blockquote>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">=A0<u></u><u></u></p>
</div>
</div>
</div>
</div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">_________________________=
______________________<br>
OAuth mailing list<br>
<a href=3D"mailto:OAuth@ietf.org" target=3D"_blank"><span style=3D"color:pu=
rple">OAuth@ietf.org</span></a><br>
<a href=3D"https://www.ietf.org/mailman/listinfo/oauth" target=3D"_blank"><=
span style=3D"color:purple">https://www.ietf.org/mailman/listinfo/oauth</sp=
an></a><u></u><u></u></p>
</div>
</blockquote>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">=A0<u></u><u></u></p>
</div>
</div>
</div>
</blockquote>
</blockquote>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">=A0<u></u><u></u></p>
</div>
</div>
</div>
</blockquote>
</blockquote>
</div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">_________________________=
______________________<br>
OAuth mailing list<br>
<a href=3D"mailto:OAuth@ietf.org" target=3D"_blank"><span style=3D"color:pu=
rple">OAuth@ietf.org</span></a><br>
<a href=3D"https://www.ietf.org/mailman/listinfo/oauth" target=3D"_blank"><=
span style=3D"color:purple">https://www.ietf.org/mailman/listinfo/oauth</sp=
an></a><u></u><u></u></p>
</div>
</blockquote>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">=A0<u></u><u></u></p>
</div>
</div>
</div>
</div>
</div>
<p class=3D"MsoNormal" style=3D"margin-bottom:12.0pt;background:white;backg=
round-repeat:initial initial">
<br>
_______________________________________________<br>
OAuth mailing list<br>
<a href=3D"mailto:OAuth@ietf.org" target=3D"_blank"><span style=3D"color:pu=
rple">OAuth@ietf.org</span></a><br>
<a href=3D"https://www.ietf.org/mailman/listinfo/oauth" target=3D"_blank"><=
span style=3D"color:purple">https://www.ietf.org/mailman/listinfo/oauth</sp=
an></a><u></u><u></u></p>
</blockquote>
</div>
<div>
<p class=3D"MsoNormal" style=3D"background:white"><br>
<br clear=3D"all">
<u></u><u></u></p>
</div>
<div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">=A0<u></u><u></u></p>
</div>
</div>
</div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">--<span>=A0</span><br>
Nat Sakimura (=3Dnat)<u></u><u></u></p>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">Chairman, OpenID Foundati=
on<br>
<a href=3D"http://nat.sakimura.org/" target=3D"_blank"><span style=3D"color=
:purple">http://nat.sakimura.org/</span></a><br>
@_nat_en<u></u><u></u></p>
</div>
</div>
</div>
<div>
<p class=3D"MsoNormal" style=3D"margin-bottom:12.0pt;background:white"><br>
<br>
<u></u><u></u></p>
</div>
<pre style=3D"background:white;background-repeat:initial initial">_________=
______________________________________<u></u><u></u></pre>
<pre style=3D"background:white;background-repeat:initial initial">OAuth mai=
ling list<u></u><u></u></pre>
<pre style=3D"background:white;background-repeat:initial initial"><a href=
=3D"mailto:OAuth@ietf.org" target=3D"_blank"><span style=3D"color:purple">O=
Auth@ietf.org</span></a><u></u><u></u></pre>
<pre style=3D"background:white;background-repeat:initial initial"><a href=
=3D"https://www.ietf.org/mailman/listinfo/oauth" target=3D"_blank"><span st=
yle=3D"color:purple">https://www.ietf.org/mailman/listinfo/oauth</span></a>=
<u></u><u></u></pre>

</blockquote>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">=A0<u></u><u></u></p>
</div>
</div>
</div>
</blockquote>
</div>
<div>
<p class=3D"MsoNormal" style=3D"background:white"><br>
<br clear=3D"all">
<u></u><u></u></p>
</div>
<div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">=A0<u></u><u></u></p>
</div>
</div>
</div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">--<span>=A0</span><br>
Nat Sakimura (=3Dnat)<u></u><u></u></p>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">Chairman, OpenID Foundati=
on<br>
<a href=3D"http://nat.sakimura.org/" target=3D"_blank"><span style=3D"color=
:purple">http://nat.sakimura.org/</span></a><br>
@_nat_en<u></u><u></u></p>
</div>
</div>
</div>
</blockquote>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">=A0<u></u><u></u></p>
</div>
</div>
</div>
<p class=3D"MsoNormal" style=3D"margin-bottom:12.0pt;background:white;backg=
round-repeat:initial initial">
<br>
_______________________________________________<br>
OAuth mailing list<br>
<a href=3D"mailto:OAuth@ietf.org" target=3D"_blank"><span style=3D"color:pu=
rple">OAuth@ietf.org</span></a><br>
<a href=3D"https://www.ietf.org/mailman/listinfo/oauth" target=3D"_blank"><=
span style=3D"color:purple">https://www.ietf.org/mailman/listinfo/oauth</sp=
an></a><br>
<br>
<u></u><u></u></p>
</div>
</div>
</div>
<p class=3D"MsoNormal"><span style=3D"font-size:13.5pt;font-family:&quot;He=
lvetica&quot;,&quot;sans-serif&quot;">_____________________________________=
__________<br>
OAuth mailing list<br>
<a href=3D"mailto:OAuth@ietf.org" target=3D"_blank"><span style=3D"color:pu=
rple">OAuth@ietf.org</span></a><br>
<a href=3D"https://www.ietf.org/mailman/listinfo/oauth" target=3D"_blank"><=
span style=3D"color:purple">https://www.ietf.org/mailman/listinfo/oauth</sp=
an></a></span><u></u><u></u></p>
</div>
</blockquote>
</div>
<div>
<p class=3D"MsoNormal">=A0<u></u><u></u></p>
</div>
</div>
</blockquote>
</div>
</blockquote>
</div>
<p class=3D"MsoNormal"><u></u>=A0<u></u></p>
</div>
</div>
</div></div></div>
</div>

</blockquote></div><br><br clear=3D"all"><div><br></div>-- <br>Nat Sakimura=
 (=3Dnat)<div>Chairman, OpenID Foundation<br><a href=3D"http://nat.sakimura=
.org/" target=3D"_blank">http://nat.sakimura.org/</a><br>@_nat_en</div>
</div>

--001a1132f662ecb41604e2e50a88--

From phil.hunt@oracle.com  Thu Aug  1 20:42:05 2013
Return-Path: <phil.hunt@oracle.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B946811E80E0 for <oauth@ietfa.amsl.com>; Thu,  1 Aug 2013 20:42:05 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.847
X-Spam-Level: 
X-Spam-Status: No, score=-4.847 tagged_above=-999 required=5 tests=[AWL=-0.245, BAYES_00=-2.599, HTML_MESSAGE=0.001, J_CHICKENPOX_24=0.6, MIME_QP_LONG_LINE=1.396, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 4eAIwc-2vtCz for <oauth@ietfa.amsl.com>; Thu,  1 Aug 2013 20:42:01 -0700 (PDT)
Received: from aserp1040.oracle.com (aserp1040.oracle.com [141.146.126.69]) by ietfa.amsl.com (Postfix) with ESMTP id 778A011E80EF for <oauth@ietf.org>; Thu,  1 Aug 2013 20:41:59 -0700 (PDT)
Received: from acsinet22.oracle.com (acsinet22.oracle.com [141.146.126.238]) by aserp1040.oracle.com (Sentrion-MTA-4.3.1/Sentrion-MTA-4.3.1) with ESMTP id r723fubt023232 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK); Fri, 2 Aug 2013 03:41:57 GMT
Received: from aserz7022.oracle.com (aserz7022.oracle.com [141.146.126.231]) by acsinet22.oracle.com (8.14.4+Sun/8.14.4) with ESMTP id r723ft9v021793 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Fri, 2 Aug 2013 03:41:56 GMT
Received: from abhmt106.oracle.com (abhmt106.oracle.com [141.146.116.58]) by aserz7022.oracle.com (8.14.4+Sun/8.14.4) with ESMTP id r723ftgu021776; Fri, 2 Aug 2013 03:41:55 GMT
Received: from [10.1.0.227] (/217.9.48.53) by default (Oracle Beehive Gateway v4.0) with ESMTP ; Thu, 01 Aug 2013 20:41:53 -0700
Content-Type: multipart/alternative; boundary=Apple-Mail-8200BB63-858D-4B56-A810-8F46F81C5A47
Content-Transfer-Encoding: 7bit
References: <787A2184-CE90-49F4-ABB6-B8D049AE3941@oracle.com> <E2282016-1953-48A4-B0AC-7F138D29AB80@oracle.com> <BAB6DA63-5831-49D0-8CB9-13CF57F78806@ve7jtb.com> <CABzCy2C=DXtFUOZh=55xH_BwMz1Z8gb2ShUHAG7ZmATtc4E4zw@mail.gmail.com> <51F983E3.1020400@oracle.com> <1375307375.98370.YahooMailNeo@web142804.mail.bf1.yahoo.com> <5c5c607231e644f697c5a60b75688013@BY2PR03MB189.namprd03.prod.outlook.com> <5D020B1E-531D-444E-A492-046D444D48D2@mitre.org> <e68801da9fa547c69fee43b9cd7b22b8@BY2PR03MB189.namprd03.prod.outlook.com> <2117136733141454493@unknownmsgid> <8E6F38BA-E6BF-40E5-818A-45F506BB181D@mitre.org> <f4b99e49fbdd4e22b19391cdb720b15d@BY2PR03MB189.namprd03.prod.outlook.com> <CABzCy2Aou0eMqHKjxOh01mtfzQ8-mvU5BHF84kHHsnPsO3di=Q@mail.gmail.com>
From: Phil Hunt <phil.hunt@oracle.com>
Mime-Version: 1.0 (1.0)
In-Reply-To: <CABzCy2Aou0eMqHKjxOh01mtfzQ8-mvU5BHF84kHHsnPsO3di=Q@mail.gmail.com>
Message-Id: <6F19AC80-0BB9-4387-AA77-77D02CE1E772@oracle.com>
Date: Fri, 2 Aug 2013 04:56:57 +0200
To: Nat Sakimura <sakimura@gmail.com>
X-Mailer: iPhone Mail (10B329)
X-Source-IP: acsinet22.oracle.com [141.146.126.238]
Cc: "oauth@ietf.org WG" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Need for Extending OAuth with AuthN (was Re: Fwd: New Version Notification for draft-hunt-oauth-v2-user-a4c-00.txt)
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 02 Aug 2013 03:42:05 -0000

--Apple-Mail-8200BB63-858D-4B56-A810-8F46F81C5A47
Content-Type: text/plain;
	charset=utf-8
Content-Transfer-Encoding: quoted-printable

OpenId specs can depend on oAuth. Having OAuth depend on OpenId is not appropriate here.

Phil

On 2013-08-01, at 18:07, Nat Sakimura <sakimura@gmail.com> wrote:

> Like Bill says, it can just be a profile of OpenID Connect.
> IETF specs already reference OpenID Foundation specs.
> It should not be a problem.
> I do not think we want to fork.
>
> 2013/8/1 Anthony Nadalin <tonynad@microsoft.com>
>> I believe it beneficial to have a common format and common values, and 1 way to handle the format and values. I believe that having this in oauth is beneficial, I believe that it would also be beneficial for OpenID if this were in oauth. There are cases for signed and unsigned formats.
>>
>> From: Richer, Justin P. [mailto:jricher@mitre.org]
>> Sent: Thursday, August 1, 2013 7:15 AM
>> To: Nat Sakimura
>> Cc: Anthony Nadalin; Bill Mills; Prateek Mishra; oauth@ietf.org WG
>> Subject: Re: [OAUTH-WG] Need for Extending OAuth with AuthN (was Re: Fwd: New Version Notification for draft-hunt-oauth-v2-user-a4c-00.txt)
>>
>> Also, it's (optionally) a token in the proposed document we're discussing (§2.4.1), which means there are two ways to parse the same information. OIDC uses JWTs for everything, signed and unsigned. This means that OIDC is actually simpler from an implementation perspective, wouldn't you say? Instead of having two parsers, you have one to cover both cases.
>>
>> (And given your tendency to throw signed assertions at every problem, I would have thought that you'd prefer this anyway.)
>>
>>  -- Justin
>>
>> On Aug 1, 2013, at 9:40 AM, Nat Sakimura <sakimura@gmail.com> wrote:
>>
>> Yes, it is a Token.
>>
>> No, it does not have to be signed.
>>
>> As to be a token or not to be a token question, it has been discussed in the WG before, and if I remember correctly, Microsoft argued for token saying that it is just base64 decoding and I lost there.
>>
>> Nat
>>
>> On Aug 1, 2013, at 14:24, Anthony Nadalin <tonynad@microsoft.com> wrote:
>>
>> You can’t do this, first openid uses a token and second it’s signed, third there is no specification to just return an authentication JSON structure
>>
>> From: Richer, Justin P. [mailto:jricher@mitre.org]
>> Sent: Thursday, August 1, 2013 5:15 AM
>> To: Anthony Nadalin
>> Cc: Bill Mills; Prateek Mishra; Nat Sakimura; oauth@ietf.org WG
>> Subject: Re: [OAUTH-WG] Need for Extending OAuth with AuthN (was Re: Fwd: New Version Notification for draft-hunt-oauth-v2-user-a4c-00.txt)
>>
>> Tony, you can already return the authn result from the token request (we discussed this specifically in May as I recall). That's what the "idtoken" and "code idtoken" responses are for in OpenID Connect. The proposed draft is nearly a duplicate of the core functionality of OIDC.
>>
>>  -- Justin
>>
>> On Aug 1, 2013, at 7:31 AM, Anthony Nadalin <tonynad@microsoft.com> wrote:
>>
>> The proposal does not duplicate what OpenID does, there is clear benefit for returning an authentication result in the token request result. This is being proposed as optional JSON structure.
>>
>> From: oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] On Behalf Of Bill Mills
>> Sent: Wednesday, July 31, 2013 2:50 PM
>> To: Prateek Mishra; Nat Sakimura
>> Cc: oauth@ietf.org WG
>> Subject: Re: [OAUTH-WG] Need for Extending OAuth with AuthN (was Re: Fwd: New Version Notification for draft-hunt-oauth-v2-user-a4c-00.txt)
>>
>> Rather than extending OAuth for something OpenID already does...  why don't we get a simple informational example doc to show how to implement the most basic OpenID service, which is the same functionality on a standard that's already written?
>>
>> This is sounding more and more like a documentation problem.
>>
>> From: Prateek Mishra <prateek.mishra@oracle.com>
>> To: Nat Sakimura <sakimura@gmail.com>
>> Cc: "oauth@ietf.org WG" <oauth@ietf.org>
>> Sent: Wednesday, July 31, 2013 2:38 PM
>> Subject: [OAUTH-WG] Need for Extending OAuth with AuthN (was Re: Fwd: New Version Notification for draft-hunt-oauth-v2-user-a4c-00.txt)
>>
>> Nat -
>>
>> thanks for the detailed response. I did review the links you sent out but it remained unclear to me which
>> features are MTI and which are not. For example, there is nothing in the Basic Client Profile that suggests
>> that Section 2.3 is optional. I also could not find any definition for "non-dynamic OpenID Connect Server".
>>
>> I don't think there is a need to duplicate portions of the draft specification text in a new document. One solution
>> that was used in SAML 2.0 was to define a conformance document which described several different
>> operational modes and explained how only a small set of features needed to be implemented in certain modes.
>>
>> http://docs.oasis-open.org/security/saml/v2.0/saml-conformance-2.0-os.pdf
>>
>> There are probably other smarter ways to achieve the same effect.
>>
>> Given this situation, I do think it's a reasonable task for the OAuth community to consider the need for
>> a minimal extension to OAuth that accommodates authentication. The community should be made aware that
>> RFC 6749 is being misused for federated authentication, as explained in -
>>
>> http://www.independentid.com/2013/07/simple-authentication-for-oauth-2-what.html
>>
>> and that there doesn't appear to be a simple solution that is currently available. It would be great if it turned
>> out that OpenID Connect offered such a solution but that isn't clear to me.
>>
>> Thx,
>> prateek
>>
>> Inline:
>>
>> 2013/7/31 Prateek Mishra <prateek.mishra@oracle.com>
>>
>> Nat -
>>
>> your blog posting is helpful to those of us who are looking for a minimal extension of OAuth with
>> an authenticator.  Many implementors are seeking a modest extension of OAuth, not an entire new protocol
>> stack.   I believe that is the point of Phil Hunt's proposal to the OAuth committee.
>>
>> I do have some questions about the statements made in the blog -
>>
>> A) Can you direct me to a single OpenID Connect draft specification document where steps 1 and 2 are described?
>>
>> Actually, it is not a single spec, that the Standard is referencing others.
>>
>> The Standard is kind of cluttered because it has 6 response types and three request types in it.
>>
>> I suppose it would be much easier for the readers to split them into coherent pieces, though that means duplicate texts.
>>
>> The easiest approach here is to read the Basic Client Profile. http://openid.net/specs/openid-connect-basic-1_0-28.html
>>
>> Then, read OAuth 2.0 Multiple Response Type Encoding Practices http://openid.net/specs/oauth-v2-multiple-response-types-1_0-08.html .
>>
>> B) If I implement steps 1 and 2, do I then have a conformant OpenID Connect implementation? Are there no
>> other MTI protocol exchanges in OpenID Connect?
>>
>> Yes, for a non-dynamic OpenID Connect Server.
>>
>> Nat
>>
>> Thanks,
>> prateek
>>
>> I have written a short blog post titled "Write an OpenID Connect server in three simple steps".
>>
>> Really, there is not much you need to do on top of OAuth 2.0.
>>
>> It puzzles me why you need to create a draft with only minor variances in parameter names.
>>
>> e.g.,
>>
>> session instead of id_token
>>
>> lat instead of iat
>>
>> alv instead of acr
>>
>> etc.
>>
>> If you change those parameter names, you will have a conformant profile of OpenID Connect.
>>
>> Nat
>>
>> 2013/7/31 John Bradley <ve7jtb@ve7jtb.com>
>>
>> Connect doesn't require a userinfo endpoint.   It is required for interoperability if you are building an open IdP.   For an enterprise type deployment discovery, registration, userinfo are all optional.
>>
>> The server is required to pass the nonce which is equivalent to a request ID through to the JWT if the client sends it in the request.
>>
>> Justin is correct.
>>
>> John B.
>>
>> On 2013-07-30, at 5:30 PM, Phil Hunt <phil.hunt@oracle.com> wrote:
>>
>> Forgot reply all.
>>
>> Phil
>>
>> Begin forwarded message:
>>
>> From: Phil Hunt <phil.hunt@oracle.com>
>> Date: 30 July, 2013 17:25:46 GMT+02:00
>> To: "Richer, Justin P." <jricher@mitre.org>
>> Subject: Re: [OAUTH-WG] New Version Notification for draft-hunt-oauth-v2-user-a4c-00.txt
>>
>> The whole point is authn only. Many do not want or need the userinfo endpoint.
>>
>> Phil
>>
>> On 2013-07-30, at 17:17, "Richer, Justin P." <jricher@mitre.org> wrote:
>>
>> What do you mean? You absolutely can implement a compliant OIDC server nearly as simply as this. The things that you're missing I think are necessary for basic interoperable functionality, and are things that other folks using OAuth for authentication have also implemented. Namely:
>>
>>  - Signing the ID token (OIDC specifies the RS256 flavor of JWS, which is easy to do with JWT). Without a signed and verifiable ID token or equivalent, you're asking for all kinds of token injection problems.
>>
>>  - Session management requests (max auth age, auth time)
>>
>>  - Not fall over with other parameters that you don't support (display, prompt, etc).
>>
>> See here for more information:
>>
>>  http://openid.net/specs/openid-connect-messages-1_0.html#ServerMTI
>>
>> Additionally, something that's really important to support is the User Info Endpoint, so you can actually get user profile information beyond just the simple "someone was here" claim -- this was the real value of Facebook Connect from an RP's perspective. Some people will probably want to use SCIM for this, too, and that's fine.
>>
>>  -- Justin
>>
>> On Jul 30, 2013, at 10:54 AM, Phil Hunt <phil.hunt@oracle.com> wrote:
>>
>> The oidc specs do not allow this simple an implementation. The spec members have not shown interest in making changes as they say they are too far down the road.
>>
>> I have tried to make my draft as close as possible to oidc but maybe it shouldn't be clarity wise. I am interested in what the group feels is clearest.
>>
>> From an ietf perspective the concern is improper use of the 6749 for authn. Is this a bug or gap we need to address?
>>
>> Phil
>>
>> On 2013-07-30, at 16:46, "Richer, Justin P." <jricher@mitre.org> wrote:
>>
>> From what I read, you've defined something that uses an OAuth 2 code flow to get an extra token which is specified as a JWT. You named it "session_token" instead of "id_token", and you've left off the User Information Endpoint -- but other than that, this is exactly the Basic Client for OpenID Connect. In other words, if you change the names on things you've got OIDC, but without the capabilities to go beyond a very basic "hey there's a user here" claim. This is the same place that OpenID 2.0 started, and it was very, very quickly extended with SREG, AX, PAPE, and others for it to be useful in the real world of distributed logins. You've also left out discovery and registration which are required for distributed deployments, but I'm guessing that those would be modular components that could be added in (like they are in OIDC).
>>
>> I've heard complaints that OIDC is complicated, but it's really not. Yes, I agree that the giant stack of documents is intimidating and in my opinion it's a bit of a mess with Messages and Standard split up (but I lost that argument years ago). However, at the core, you've got an OAuth2 authorization server that spits out access tokens and id tokens. The id token is a JWT with some known claims (iss, sub, etc) and is issued alongside the access token, and its audience is the *client* and not the *protected resource*. The access token is a regular old access token and its format is undefined (so you can use it with an existing OAuth2 server setup, like we have), and it can be used at the User Info Endpoint to get profile information about the user who authenticated. It could also be used for other services if your AS/IdP protects multiple things.
>>
>> So I guess what I'm missing is what's the value proposition in this spec when we have something that can do this already? And this doesn't seem to do anything different (apart from syntax changes)?
>>
>>  -- Justin
>>
>> On Jul 29, 2013, at 4:14 AM, Phil Hunt <phil.hunt@oracle.com> wrote:
>>
>> FYI.  I have been noticing a substantial number of sites acting as OAuth Clients using OAuth to authenticate users.
>>
>> I know several of us have blogged on the issue over the past year so I won't re-hash it here.  In short, many of us recommended OIDC as the correct methodology.
>>
>> Nevertheless, I've spoken with a number of service providers who indicate they are not ready to make the jump to OIDC, yet they agree there is a desire to support authentication only (whereas OIDC does IDP-like services).
>>
>> This draft is intended as a minimum authentication only specification.  I've tried to make it as compatible as possible with OIDC.
>>
>> For now, I've just posted to keep track of the issue so we can address at the next re-chartering.
>>
>> Happy to answer questions and discuss.
>>
>> Phil
>>
>> @independentid
>>
>> www.independentid.com
>>
>> phil.hunt@oracle.com
>>
>> Begin forwarded message:
>>
>> From: internet-drafts@ietf.org
>>
>> Subject: New Version Notification for draft-hunt-oauth-v2-user-a4c-00.txt
>>
>> Date: 29 July, 2013 9:49:41 AM GMT+02:00
>>
>> To: Phil Hunt <phil.hunt@yahoo.com>, Phil Hunt <None@ietfa.amsl.com>, Phil Hunt <>
>>
>> A new version of I-D, draft-hunt-oauth-v2-user-a4c-00.txt
>> has been successfully submitted by Phil Hunt and posted to the
>> IETF repository.
>>
>> Filename: draft-hunt-oauth-v2-user-a4c
>> Revision: 00
>> Title: OAuth 2.0 User Authentication For Client
>> Creation date: 2013-07-29
>> Group: Individual Submission
>> Number of pages: 9
>> URL:             http://www.ietf.org/internet-drafts/draft-hunt-oauth-v2-user-a4c-00.txt
>> Status:          http://datatracker.ietf.org/doc/draft-hunt-oauth-v2-user-a4c
>> Htmlized:        http://tools.ietf.org/html/draft-hunt-oauth-v2-user-a4c-00
>>
>> Abstract:
>>   This specification defines a new OAuth2 endpoint that enables user
>>   authentication session information to be shared with client
>>   applications.
>>
>> Please note that it may take a couple of minutes from the time of submission
>> until the htmlized version and diff are available at tools.ietf.org.
>>
>> The IETF Secretariat
>>
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth
>
> --
> Nat Sakimura (=nat)
> Chairman, OpenID Foundation
> http://nat.sakimura.org/
> @_nat_en
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
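
The checks named in the quoted thread (a signed, verifiable ID token whose audience is the client, the nonce passed through to the JWT, and max auth age against auth time) fit in a short client-side validator. This is an added example, not part of any message in the thread or of either specification; it uses HS256 from the Python standard library in place of the RS256 the thread mentions so that it runs without dependencies, and the issuer, client id, key and nonce are constructed values.

```python
import base64
import hashlib
import hmac
import json

# Constructed sample values (assumptions for this example, not from the thread).
ISSUER = "https://as.example"
CLIENT_ID = "client-a"
KEY = b"constructed-demo-key"
NOW = 1375340000  # fixed clock so the example is deterministic


class TokenRejected(Exception):
    """Raised when an ID token fails any validation step."""


def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_token(claims, key=KEY, alg="HS256"):
    """Build a compact JWS; alg='none' produces an unsigned token."""
    header = b64url_encode(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    body = b64url_encode(json.dumps(claims).encode())
    mac = b""
    if alg != "none":
        mac = hmac.new(key, f"{header}.{body}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{body}.{b64url_encode(mac)}"


def validate_id_token(token, nonce, max_age=None, now=NOW):
    """Return the claims if every check passes, else raise TokenRejected."""
    try:
        header_b64, body_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(header_b64))
        claims = json.loads(b64url_decode(body_b64))
        sig = b64url_decode(sig_b64)
    except ValueError as exc:
        raise TokenRejected("malformed token") from exc
    if not isinstance(header, dict) or not isinstance(claims, dict):
        raise TokenRejected("malformed token")
    # Pin the algorithm: the token never chooses it, and 'none' is refused.
    if header.get("alg") != "HS256":
        raise TokenRejected("unexpected alg")
    expected = hmac.new(KEY, f"{header_b64}.{body_b64}".encode("ascii"),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        raise TokenRejected("bad signature")
    if claims.get("iss") != ISSUER:
        raise TokenRejected("issuer mismatch")
    # The ID token's audience is the client, not a protected resource.
    aud = claims.get("aud")
    if CLIENT_ID not in (aud if isinstance(aud, list) else [aud]):
        raise TokenRejected("audience mismatch")
    exp = claims.get("exp")
    if not isinstance(exp, int) or exp <= now:
        raise TokenRejected("expired")
    # The nonce ties the token to the request this client actually sent.
    if claims.get("nonce") != nonce:
        raise TokenRejected("nonce mismatch")
    if max_age is not None:
        auth_time = claims.get("auth_time")
        if not isinstance(auth_time, int) or now - auth_time > max_age:
            raise TokenRejected("authentication too old")
    return claims


def run_demo():
    """Validate one good token and five constructed bad ones."""
    good = {"iss": ISSUER, "sub": "alice", "aud": CLIENT_ID, "iat": NOW - 10,
            "exp": NOW + 300, "auth_time": NOW - 10, "nonce": "nonce-123"}
    valid = make_token(good)
    head, _, sig = valid.split(".")
    forged_body = b64url_encode(json.dumps(dict(good, sub="mallory")).encode())
    cases = {
        "valid": (valid, "nonce-123", None),
        "unsigned": (make_token(good, alg="none"), "nonce-123", None),
        "tampered": (f"{head}.{forged_body}.{sig}", "nonce-123", None),
        "other_client": (make_token(dict(good, aud="client-b")), "nonce-123", None),
        "wrong_nonce": (valid, "nonce-999", None),
        "stale_login": (make_token(dict(good, auth_time=NOW - 7200)), "nonce-123", 3600),
    }
    results = {}
    for name, (token, nonce, max_age) in cases.items():
        try:
            validate_id_token(token, nonce, max_age)
            results[name] = "accepted"
        except TokenRejected as exc:
            results[name] = str(exc)
    return results


if __name__ == "__main__":
    for name, outcome in run_demo().items():
        print(f"{name:13s} {outcome}")
```

The "other_client" case is a correctly signed token issued to a different client, which only the audience check catches.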

--Apple-Mail-8200BB63-858D-4B56-A810-8F46F81C5A47
Content-Type: text/html;
	charset=utf-8
Content-Transfer-Encoding: quoted-printable

<html><head><meta http-equiv=3D"content-type" content=3D"text/html; charset=3D=
utf-8"></head><body dir=3D"auto"><div>OpenId specs can depend on oAuth. Havi=
ng OAuth depend on OpenId is not appropriate here.&nbsp;<br><br>Phil</div><d=
iv><br>On 2013-08-01, at 18:07, Nat Sakimura &lt;<a href=3D"mailto:sakimura@=
gmail.com">sakimura@gmail.com</a>&gt; wrote:<br><br></div><blockquote type=3D=
"cite"><div><div dir=3D"ltr">Like Bill says, it can just be a profile of Ope=
nID Connect.&nbsp;<div>IETF specs already references OpenID Foundation specs=
.&nbsp;</div><div>It should not be a problem.&nbsp;</div><div>I do not think=
 we want to folk.&nbsp;</div>
</div><div class=3D"gmail_extra"><br><br><div class=3D"gmail_quote">2013/8/1=
 Anthony Nadalin <span dir=3D"ltr">&lt;<a href=3D"mailto:tonynad@microsoft.c=
om" target=3D"_blank">tonynad@microsoft.com</a>&gt;</span><br><blockquote cl=
ass=3D"gmail_quote" style=3D"margin:0 0 0 .8ex;border-left:1px #ccc solid;pa=
dding-left:1ex">






<div lang=3D"EN-US" link=3D"blue" vlink=3D"purple">
<div>
<p class=3D"MsoNormal"><span style=3D"font-size:11.0pt;font-family:&quot;Cal=
ibri&quot;,&quot;sans-serif&quot;;color:#1f497d">I believe it beneficial to h=
ave a common format and common values, and 1 way to handle the format and va=
lues. I believe that having this in oauth is beneficial,
 I believe that it would also be beneficial for OpenID if this were in oauth=
. There are cases for signed and unsigned formats.
<u></u><u></u></span></p>
<p class=3D"MsoNormal"><a name=3D"1403a4678daa8350__MailEndCompose"><span st=
yle=3D"font-size:11.0pt;font-family:&quot;Calibri&quot;,&quot;sans-serif&quo=
t;;color:#1f497d"><u></u>&nbsp;<u></u></span></a></p>
<div>
<div style=3D"border:none;border-top:solid #e1e1e1 1.0pt;padding:3.0pt 0in 0=
in 0in">
<p class=3D"MsoNormal"><b><span style=3D"font-size:11.0pt;font-family:&quot;=
Calibri&quot;,&quot;sans-serif&quot;">From:</span></b><span style=3D"font-si=
ze:11.0pt;font-family:&quot;Calibri&quot;,&quot;sans-serif&quot;"> Richer, J=
ustin P. [mailto:<a href=3D"mailto:jricher@mitre.org" target=3D"_blank">jric=
her@mitre.org</a>]
<br>
<b>Sent:</b> Thursday, August 1, 2013 7:15 AM<br>
<b>To:</b> Nat Sakimura<br>
<b>Cc:</b> Anthony Nadalin; Bill Mills; Prateek Mishra; <a href=3D"mailto:oa=
uth@ietf.org" target=3D"_blank">oauth@ietf.org</a> WG</span></p><div><div cl=
ass=3D"h5"><br>
<b>Subject:</b> Re: [OAUTH-WG] Need for Extending OAuth with AuthN (was Re: =
Fwd: New Version Notification for draft-hunt-oauth-v2-user-a4c-00.txt)<u></u=
><u></u></div></div><p></p>
</div>
</div><div><div class=3D"h5">
<p class=3D"MsoNormal"><u></u>&nbsp;<u></u></p>
<p class=3D"MsoNormal">Also, it's (optionally) a token in the proposed docum=
ent we're discussing (=C2=A72.4.1), which means there are two ways to parse t=
he same information. OIDC uses JWTs for everything, signed and unsigned. Thi=
s means that OIDC is actually simpler
 from an implementation perspective, wouldn't you say? Instead of having two=
 parsers, you have one to cover both cases.&nbsp;
<u></u><u></u></p>
<div>
<p class=3D"MsoNormal"><u></u>&nbsp;<u></u></p>
</div>
<div>
<p class=3D"MsoNormal">(And given your tendency to throw signed assertions a=
t every problem, I would have thought that you'd prefer this anyway.)
<u></u><u></u></p>
<div>
<p class=3D"MsoNormal"><u></u>&nbsp;<u></u></p>
</div>
<div>
<p class=3D"MsoNormal">&nbsp;-- Justin<u></u><u></u></p>
</div>
<div>
<p class=3D"MsoNormal"><u></u>&nbsp;<u></u></p>
<div>
<div>
<p class=3D"MsoNormal">On Aug 1, 2013, at 9:40 AM, Nat Sakimura &lt;<a href=3D=
"mailto:sakimura@gmail.com" target=3D"_blank">sakimura@gmail.com</a>&gt;<u><=
/u><u></u></p>
</div>
<div>
<p class=3D"MsoNormal">&nbsp;wrote:<u></u><u></u></p>
</div>
<p class=3D"MsoNormal"><br>
<br>
<u></u><u></u></p>
<blockquote style=3D"margin-top:5.0pt;margin-bottom:5.0pt">
<div>
<div>
<p class=3D"MsoNormal">Yes, it is a Token.&nbsp;<u></u><u></u></p>
</div>
<div>
<p class=3D"MsoNormal">No, it does not have to be signed.&nbsp;<u></u><u></u=
></p>
</div>
<div>
<p class=3D"MsoNormal"><u></u>&nbsp;<u></u></p>
</div>
<div>
<p class=3D"MsoNormal" style=3D"margin-bottom:12.0pt">As to be a token or no=
t to be a token question, it has been discussed in the WG before, and if I r=
emember correctly, &nbsp;Microsoft argued for token saying that it is just b=
ase64 decoding and I lost there. &nbsp;<u></u><u></u></p>

</div>
<div>
<p class=3D"MsoNormal">Nat<u></u><u></u></p>
</div>
<div>
<p class=3D"MsoNormal" style=3D"margin-bottom:12.0pt"><br>
On Aug 1, 2013, at 14:24, Anthony Nadalin &lt;<a href=3D"mailto:tonynad@micr=
osoft.com" target=3D"_blank">tonynad@microsoft.com</a>&gt; wrote:<u></u><u><=
/u></p>
</div>
<blockquote style=3D"margin-top:5.0pt;margin-bottom:5.0pt">
<p class=3D"MsoNormal"><span style=3D"font-size:11.0pt;font-family:&quot;Cal=
ibri&quot;,&quot;sans-serif&quot;;color:#1f497d">You can=E2=80=99t do this, f=
irst openid uses a token and second it=E2=80=99s signed, third there is no s=
pecification to just return an authentication JSON structure</span><u></u><u>=
</u></p>

<p class=3D"MsoNormal"><span style=3D"font-size:11.0pt;font-family:&quot;Cal=
ibri&quot;,&quot;sans-serif&quot;;color:#1f497d">&nbsp;</span><u></u><u></u>=
</p>
<div>
<div style=3D"border:none;border-top:solid #e1e1e1 1.0pt;padding:3.0pt 0in 0=
in 0in">
<p class=3D"MsoNormal"><b><span style=3D"font-size:11.0pt;font-family:&quot;=
Calibri&quot;,&quot;sans-serif&quot;">From:</span></b><span style=3D"font-si=
ze:11.0pt;font-family:&quot;Calibri&quot;,&quot;sans-serif&quot;"> Richer, J=
ustin P. [<a href=3D"mailto:jricher@mitre.org" target=3D"_blank">mailto:jric=
her@mitre.org</a>]
<br>
<b>Sent:</b> Thursday, August 1, 2013 5:15 AM<br>
<b>To:</b> Anthony Nadalin<br>
<b>Cc:</b> Bill Mills; Prateek Mishra; Nat Sakimura; <a href=3D"mailto:oauth=
@ietf.org" target=3D"_blank">
oauth@ietf.org</a> WG<br>
<b>Subject:</b> Re: [OAUTH-WG] Need for Extending OAuth with AuthN (was Re: =
Fwd: New Version Notification for draft-hunt-oauth-v2-user-a4c-00.txt)</span=
><u></u><u></u></p>
</div>
</div>
<div>
<p class=3D"MsoNormal">&nbsp;<u></u><u></u></p>
</div>
<p class=3D"MsoNormal">Tony, you can already return the authn result from th=
e token request (we discussed this specifically in May as I recall). That's w=
hat the "idtoken" and "code idtoken" responses are for in OpenID Connect. Th=
e proposed draft is nearly a duplicate
 of the core functionality of OIDC. <u></u><u></u></p>
<div>
<div>
<p class=3D"MsoNormal">&nbsp;<u></u><u></u></p>
</div>
</div>
<div>
<p class=3D"MsoNormal">&nbsp;-- Justin<u></u><u></u></p>
</div>
<div>
<div>
<p class=3D"MsoNormal">&nbsp;<u></u><u></u></p>
</div>
<div>
<div>
<p class=3D"MsoNormal">On Aug 1, 2013, at 7:31 AM, Anthony Nadalin &lt;<a hr=
ef=3D"mailto:tonynad@microsoft.com" target=3D"_blank">tonynad@microsoft.com<=
/a>&gt;<u></u><u></u></p>
</div>
<div>
<p class=3D"MsoNormal">&nbsp;wrote:<u></u><u></u></p>
</div>
<p class=3D"MsoNormal" style=3D"margin-bottom:12.0pt"><u></u>&nbsp;<u></u></=
p>
<blockquote style=3D"margin-top:5.0pt;margin-bottom:5.0pt">
<div>
<div>
<p class=3D"MsoNormal"><span style=3D"font-size:11.0pt;font-family:&quot;Cal=
ibri&quot;,&quot;sans-serif&quot;;color:#1f497d">The proposal does not dupli=
cate what OpenID does, there is clear benefit for returning an authenticatio=
n result in the token request result. This is being proposed
 as optional JSON structure.</span><u></u><u></u></p>
</div>
<div>
<div>
<p class=3D"MsoNormal"><span style=3D"font-size:11.0pt;font-family:&quot;Cal=
ibri&quot;,&quot;sans-serif&quot;;color:#1f497d">&nbsp;</span><u></u><u></u>=
</p>
</div>
</div>
<div>
<div style=3D"border:none;border-top:solid #e1e1e1 1.0pt;padding:3.0pt 0in 0=
in 0in">
<div>
<p class=3D"MsoNormal"><b><span style=3D"font-size:11.0pt;font-family:&quot;=
Calibri&quot;,&quot;sans-serif&quot;">From:</span></b><span><span style=3D"f=
ont-size:11.0pt;font-family:&quot;Calibri&quot;,&quot;sans-serif&quot;">&nbs=
p;</span></span><span style=3D"font-size:11.0pt;font-family:&quot;Calibri&qu=
ot;,&quot;sans-serif&quot;"><a href=3D"mailto:oauth-bounces@ietf.org" target=
=3D"_blank"><span style=3D"color:purple">oauth-bounces@ietf.org</span></a><s=
pan>&nbsp;</span>[mailto:<a href=3D"mailto:oauth-" target=3D"_blank">oauth-<=
/a><a href=3D"mailto:bounces@ietf.org" target=3D"_blank"><span style=3D"colo=
r:purple">bounces@ietf.org</span></a>]<span>&nbsp;</span><b>On
 Behalf Of<span>&nbsp;</span></b>Bill Mills<br>
<b>Sent:</b><span>&nbsp;</span>Wednesday, July 31, 2013 2:50 PM<br>
<b>To:</b><span>&nbsp;</span>Prateek Mishra; Nat Sakimura<br>
<b>Cc:</b><span>&nbsp;</span><a href=3D"mailto:oauth@ietf.org" target=3D"_bl=
ank"><span style=3D"color:purple">oauth@ietf.org</span></a><span>&nbsp;</spa=
n>WG<br>
<b>Subject:</b><span>&nbsp;</span>Re: [OAUTH-WG] Need for Extending OAuth wi=
th AuthN (was Re: Fwd: New Version Notification for draft-hunt-oauth-v2-user=
-a4c-00.txt)</span><u></u><u></u></p>
</div>
</div>
</div>
<div>
<div>
<p class=3D"MsoNormal">&nbsp;<u></u><u></u></p>
</div>
</div>
<div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white"><span style=3D"font-family=
:&quot;Courier New&quot;">Rather than extending OAuth for something OpenID a=
lready does... &nbsp;why don't we get a simple informational example doc to s=
how how to implement the most basic OpenID service,
 which is the same functionality on a standard that's already written?</span=
><u></u><u></u></p>
</div>
</div>
<div>
<div>
<div>
<p class=3D"MsoNormal"><span style=3D"font-family:&quot;Courier New&quot;">&=
nbsp;</span><u></u><u></u></p>
</div>
</div>
</div>
<div>
<div>
<p class=3D"MsoNormal"><span style=3D"font-family:&quot;Courier New&quot;">T=
his is sounding more and more like a documentation problem.</span><u></u><u>=
</u></p>
</div>
</div>
<div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white"><span style=3D"font-family=
:&quot;Courier New&quot;">&nbsp;</span><u></u><u></u></p>
</div>
</div>
</div>
<div>
<div>
<div class=3D"MsoNormal" align=3D"center" style=3D"text-align:center;backgro=
und:white">
<hr size=3D"1" width=3D"100%" align=3D"center">
</div>
<div>
<p class=3D"MsoNormal" style=3D"background:white"><b><span style=3D"font-siz=
e:10.0pt;font-family:&quot;Arial&quot;,&quot;sans-serif&quot;">From:</span><=
/b><span><span style=3D"font-size:10.0pt;font-family:&quot;Arial&quot;,&quot=
;sans-serif&quot;">&nbsp;</span></span><span style=3D"font-size:10.0pt;font-=
family:&quot;Arial&quot;,&quot;sans-serif&quot;">Prateek
 Mishra &lt;<a href=3D"mailto:prateek.mishra@oracle.com" target=3D"_blank"><=
span style=3D"color:purple">prateek.mishra@oracle.com</span></a>&gt;<br>
<b>To:</b><span>&nbsp;</span>Nat Sakimura &lt;<a href=3D"mailto:sakimura@gma=
il.com" target=3D"_blank"><span style=3D"color:purple">sakimura@gmail.com</s=
pan></a>&gt;<span>&nbsp;</span><br>
<b>Cc:</b><span>&nbsp;</span>"<a href=3D"mailto:oauth@ietf.org%20WG" target=3D=
"_blank"><span style=3D"color:purple">oauth@ietf.org WG</span></a>" &lt;<a h=
ref=3D"mailto:oauth@ietf.org" target=3D"_blank"><span style=3D"color:purple"=
>oauth@ietf.org</span></a>&gt;<span>&nbsp;</span><br>

<b>Sent:</b><span>&nbsp;</span>Wednesday, July 31, 2013 2:38 PM<br>
<b>Subject:</b><span>&nbsp;</span>[OAUTH-WG] Need for Extending OAuth with A=
uthN (was Re: Fwd: New Version Notification for draft-hunt-oauth-v2-user-a4c=
-00.txt)</span><u></u><u></u></p>
</div>
</div>
<div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">&nbsp;<u></u><u></u></p>
</div>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">Nat -<span>&nbsp;</span><b=
r>
<br>
thanks for the detailed response. I did review the links you sent out but it=
 remained unclear to me which<br>
features are MTI and which are not. For example, there is nothing in the Bas=
ic Client Profile that suggests<br>
that Section 2.3 is optional. I also could not find any definition for " non=
-dynamic OpenID Connect Server".<br>
<br>
I don't think there is a need to duplicate portions of the draft specificatio=
n text in a new document. One solution<br>
that was used in SAML 2.0 was to define a conformance document which describ=
ed several different<span>&nbsp;</span><br>
operational modes and explained how only a small set of features needed to b=
e implemented in certain modes.<br>
<br>
<a href=3D"http://docs.oasis-open.org/security/saml/v2.0/saml-conformance-2.=
0-os.pdf" target=3D"_blank"><span style=3D"color:purple">http://docs.oasis-o=
pen.org/security/saml/v2.0/saml-conformance-2.0-os.pdf</span></a><br>
<br>
There are probably other smarter ways to achieve the same effect.<br>
<br>
Given this situation, I do think it's a reasonable task for the OAuth communi=
ty to consider the need for<span>&nbsp;</span><br>
a minimal extension to OAuth that accommodates authentication. The community=
 should be made aware that<span>&nbsp;</span><br>
RFC 6749 is being misused for federated authentication, as explained in&nbsp=
; -&nbsp;<span>&nbsp;</span><br>
<br>
<a href=3D"http://www.independentid.com/2013/07/simple-authentication-for-oa=
uth-2-what.html" target=3D"_blank"><span style=3D"color:purple">http://www.i=
ndependentid.com/2013/07/simple-authentication-for-oauth-2-what.html</span><=
/a><span>&nbsp;</span><br>

<br>
and that there doesn't appear to be a simple solution that is currently avai=
lable. It would be great if it turned<br>
out that OpenID Connect offered such a solution but that isn't clear to me.<=
br>
<br>
Thx,<br>
prateek<u></u><u></u></p>
</div>
<div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">&nbsp;<u></u><u></u></p>
</div>
</div>
</div>
<blockquote style=3D"margin-top:5.0pt;margin-bottom:5.0pt">
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">&nbsp;<u></u><u></u></p>
</div>
</div>
<div>
<p class=3D"MsoNormal" style=3D"margin-bottom:12.0pt;background:white;backgr=
ound-repeat:initial initial">
Inline:&nbsp;<u></u><u></u></p>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">2013/7/31 Prateek Mishra &=
lt;<a href=3D"mailto:prateek.mishra@oracle.com" target=3D"_blank"><span styl=
e=3D"color:purple">prateek.mishra@oracle.com</span></a>&gt;<u></u><u></u></p=
>
</div>
<blockquote style=3D"border:none;border-left:solid #cccccc 1.0pt;padding:0in=
 0in 0in 6.0pt;margin-left:4.8pt;margin-top:5.0pt;margin-right:0in;margin-bo=
ttom:5.0pt">
<div>
<p class=3D"MsoNormal" style=3D"background:white">Nat -<span>&nbsp;</span><b=
r>
<br>
your blog posting is helpful to those of us who are looking for a minimal ex=
tension of OAuth with<span>&nbsp;</span><br>
an authenticator.&nbsp; Many implementors are seeking a modest extension of O=
Auth, not an entire new protocol<br>
stack. &nbsp; I believe that is the point of Phil Hunt's proposal to the OAu=
th committee.<br>
<br>
I do have some questions about the statements made in the blog -<span>&n=
bsp;</span><br>
<br>
A) Can you direct me to a single OpenID Connect draft specification document=
 where steps 1 and 2 are described?<u></u><u></u></p>
</div>
</blockquote>
<div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">&nbsp;<u></u><u></u></p>
</div>
</div>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">Actually, it is not a sing=
le spec, that the Standard is referencing others.&nbsp;<u></u><u></u></p>
</div>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">The Standard is kind of cl=
uttered because it has 6 response types and three request types in it.&nbsp;=
<u></u><u></u></p>
</div>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">I suppose it would be much=
 easier for the readers to split them into coherent pieces, though that mean=
s duplicate texts.&nbsp;<u></u><u></u></p>
</div>
</div>
<div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">&nbsp;<u></u><u></u></p>
</div>
</div>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">The easiest approach here i=
s to read the Basic Client Profile.&nbsp;<a href=3D"http://openid.net/specs/=
openid-connect-basic-1_0-28.html" target=3D"_blank"><span style=3D"color:pur=
ple">http://openid.net/specs/openid-connect-basic-1_0-28.html</span></a><u><=
/u><u></u></p>

</div>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">Then, read&nbsp;OAuth 2.0 M=
ultiple Response Type Encoding Practices&nbsp;<a href=3D"http://openid.net/s=
pecs/oauth-v2-multiple-response-types-1_0-08.html" target=3D"_blank"><span s=
tyle=3D"color:purple">http://openid.net/specs/oauth-v2-multiple-response-typ=
es-1_0-08.html</span></a>&nbsp;.&nbsp;<u></u><u></u></p>

</div>
</div>
<div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">&nbsp;<u></u><u></u></p>
</div>
</div>
</div>
<blockquote style=3D"border:none;border-left:solid #cccccc 1.0pt;padding:0in=
 0in 0in 6.0pt;margin-left:4.8pt;margin-top:5.0pt;margin-right:0in;margin-bo=
ttom:5.0pt">
<div>
<p class=3D"MsoNormal" style=3D"background:white"><br>
B) If I implement steps 1 and 2, do I then have a conformant OpenID Connect i=
mplementation? Are there no<span>&nbsp;</span><br>
other MTI protocol exchanges in OpenID Connect?<u></u><u></u></p>
</div>
</blockquote>
<div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">&nbsp;<u></u><u></u></p>
</div>
</div>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">Yes, for a non-dynamic Ope=
nID Connect Server.&nbsp;<u></u><u></u></p>
</div>
</div>
<div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">&nbsp;<u></u><u></u></p>
</div>
</div>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">Nat<u></u><u></u></p>
</div>
</div>
<div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">&nbsp;&nbsp;<u></u><u></u>=
</p>
</div>
</div>
</div>
<blockquote style=3D"border:none;border-left:solid #cccccc 1.0pt;padding:0in=
 0in 0in 6.0pt;margin-left:4.8pt;margin-top:5.0pt;margin-right:0in;margin-bo=
ttom:5.0pt">
<div>
<p class=3D"MsoNormal" style=3D"background:white"><br>
Thanks,<br>
prateek<u></u><u></u></p>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white"><br>
<br>
&nbsp; &nbsp;<u></u><u></u></p>
</div>
<div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">&nbsp;<u></u><u></u></p>
</div>
</div>
</div>
<blockquote style=3D"margin-top:5.0pt;margin-bottom:5.0pt">
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">I have written a short blo=
g post titled "<a href=3D"http://nat.sakimura.org/2013/07/28/write-openid-co=
nnect-server-in-three-simple-steps/" target=3D"_blank"><span style=3D"color:=
purple">Write an OpenID Connect server
 in three simple steps</span></a>".&nbsp;<u></u><u></u></p>
</div>
<div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">&nbsp;<u></u><u></u></p>
</div>
</div>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">Really, there is not much y=
ou need to do on top of OAuth 2.0.&nbsp;<u></u><u></u></p>
</div>
</div>
<div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">&nbsp;<u></u><u></u></p>
</div>
</div>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">It puzzles me why you need=
 to create a draft with only minor variances in parameter names.&nbsp;<u></u=
><u></u></p>
</div>
</div>
<div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">&nbsp;<u></u><u></u></p>
</div>
</div>
</div>
<blockquote style=3D"margin-left:30.0pt;margin-top:5.0pt;margin-right:0in;ma=
rgin-bottom:5.0pt">
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">e.g.,&nbsp;<u></u><u></u><=
/p>
</div>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">session instead of id_toke=
n<u></u><u></u></p>
</div>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">lat instead of iat<u></u><=
u></u></p>
</div>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">alv instead of acr<u></u><=
u></u></p>
</div>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">etc.&nbsp;<u></u><u></u></=
p>
</div>
</div>
</blockquote>
<div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">&nbsp;<u></u><u></u></p>
</div>
</div>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">If you change those parame=
ter names, you will have a conformant profile of OpenID Connect.&nbsp;<u></u=
><u></u></p>
</div>
</div>
<div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">&nbsp;<u></u><u></u></p>
</div>
</div>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">Nat<u></u><u></u></p>
</div>
</div>
</div>
<div>
<div style=3D"margin-bottom:12.0pt;background-repeat:initial initial">
<p class=3D"MsoNormal" style=3D"background:white">&nbsp;<u></u><u></u></p>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">2013/7/31 John Bradley &lt=
;<a href=3D"mailto:ve7jtb@ve7jtb.com" target=3D"_blank"><span style=3D"color=
:purple">ve7jtb@ve7jtb.com</span></a>&gt;<u></u><u></u></p>
</div>
<blockquote style=3D"border:none;border-left:solid #cccccc 1.0pt;padding:0in=
 0in 0in 6.0pt;margin-left:4.8pt;margin-top:5.0pt;margin-right:0in;margin-bo=
ttom:5.0pt">
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">Connect doesn't require a u=
serinfo endpoint. &nbsp; It is required for interoperability if you are buil=
ding an open IdP. &nbsp; For an enterprise type deployment discovery, regist=
ration, userinfo are all optional.<u></u><u></u></p>

</div>
<div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">&nbsp;<u></u><u></u></p>
</div>
</div>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">The server is required to p=
ass the nonce which is equivalent to a request ID through to the JWT if the c=
lient sends it in the request.<u></u><u></u></p>
</div>
</div>
<div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">&nbsp;<u></u><u></u></p>
</div>
</div>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">Justin is correct.<u></u><=
u></u></p>
</div>
</div>
<div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">&nbsp;<u></u><u></u></p>
</div>
</div>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">John B.<u></u><u></u></p>
</div>
<div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">&nbsp;<u></u><u></u></p>
</div>
</div>
<div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">On 2013-07-30, at 5:30 PM,=
 Phil Hunt &lt;<a href=3D"mailto:phil.hunt@oracle.com" target=3D"_blank"><sp=
an style=3D"color:purple">phil.hunt@oracle.com</span></a>&gt; wrote:<u></u><=
u></u></p>

</div>
</div>
<div>
<p class=3D"MsoNormal" style=3D"margin-bottom:12.0pt;background:white"><br>
<br>
<u></u><u></u></p>
</div>
<blockquote style=3D"margin-top:5.0pt;margin-bottom:5.0pt">
<div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">Forgot reply all.<br>
<br>
Phil<u></u><u></u></p>
</div>
</div>
<div>
<p class=3D"MsoNormal" style=3D"margin-bottom:12.0pt;background:white;backgr=
ound-repeat:initial initial">
<br>
Begin forwarded message:<u></u><u></u></p>
</div>
<blockquote style=3D"margin-top:5.0pt;margin-bottom:5.0pt">
<p class=3D"MsoNormal" style=3D"margin-bottom:12.0pt;background:white;backgr=
ound-repeat:initial initial">
<b>From:</b><span>&nbsp;</span>Phil Hunt &lt;<a href=3D"mailto:phil.hunt@ora=
cle.com" target=3D"_blank"><span style=3D"color:purple">phil.hunt@oracle.com=
</span></a>&gt;<br>
<b>Date:</b><span>&nbsp;</span>30 July, 2013 17:25:46 GMT+02:00<br>
<b>To:</b><span>&nbsp;</span>"Richer, Justin P." &lt;<a href=3D"mailto:jrich=
er@mitre.org" target=3D"_blank"><span style=3D"color:purple">jricher@mitre.o=
rg</span></a>&gt;<br>
<b>Subject:</b><span>&nbsp;</span><b>Re: [OAUTH-WG] New Version Notification=
 for draft-hunt-oauth-v2-user-a4c-00.txt</b><u></u><u></u></p>
</blockquote>
<blockquote style=3D"margin-top:5.0pt;margin-bottom:5.0pt">
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">The whole point is authn o=
nly. Many do not want or need the userinfo endpoint.&nbsp;<br>
<br>
Phil<u></u><u></u></p>
</div>
</div>
<div>
<p class=3D"MsoNormal" style=3D"margin-bottom:12.0pt;background:white;backgr=
ound-repeat:initial initial">
<br>
On 2013-07-30, at 17:17, "Richer, Justin P." &lt;<a href=3D"mailto:jricher@m=
itre.org" target=3D"_blank"><span style=3D"color:purple">jricher@mitre.org</=
span></a>&gt; wrote:<u></u><u></u></p>
</div>
<blockquote style=3D"margin-top:5.0pt;margin-bottom:5.0pt">
<div>
<p class=3D"MsoNormal" style=3D"background:white">What do you mean? You abso=
lutely can implement a compliant OIDC server nearly as simply as this. The t=
hings that you're missing I think are necessary for basic interoperable func=
tionality, and are things that other
 folks using OAuth for authentication have also implemented. Namely:<u></u><=
u></u></p>
</div>
<div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">&nbsp;<u></u><u></u></p>
</div>
</div>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">&nbsp;- Signing the ID tok=
en (OIDC specifies the RS256 flavor of JWS, which is easy to do with JWT). W=
ithout a signed and verifiable ID token or equivalent, you're asking for all=
 kinds of token injection problems.<u></u><u></u></p>

</div>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">&nbsp;- Session management=
 requests (max auth age, auth time)<u></u><u></u></p>
</div>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">&nbsp;- Not fall over with=
 other parameters that you don't support (display, prompt, etc).<u></u><u></=
u></p>
</div>
</div>
<div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">&nbsp;<u></u><u></u></p>
</div>
</div>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">See here for more informat=
ion:<u></u><u></u></p>
</div>
</div>
<div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">&nbsp;<u></u><u></u></p>
</div>
</div>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">&nbsp;<a href=3D"http://op=
enid.net/specs/openid-connect-messages-1_0.html#ServerMTI" target=3D"_blank"=
><span style=3D"color:purple">http://openid.net/specs/openid-connect-message=
s-1_0.html#ServerMTI</span></a><u></u><u></u></p>

</div>
</div>
<div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">&nbsp;<u></u><u></u></p>
</div>
</div>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">Additionally, something th=
at's really important to support is the User Info Endpoint, so you can actua=
lly get user profile information beyond just the simple "someone was here" c=
laim -- this was the real value of
 Facebook Connect from an RP's perspective. Some people will probably want t=
o use SCIM for this, too, and that's fine.<u></u><u></u></p>
</div>
</div>
<div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">&nbsp;<u></u><u></u></p>
</div>
</div>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">&nbsp;-- Justin<u></u><u><=
/u></p>
</div>
</div>
<div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">&nbsp;<u></u><u></u></p>
</div>
</div>
<div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">On Jul 30, 2013, at 10:54 A=
M, Phil Hunt &lt;<a href=3D"mailto:phil.hunt@oracle.com" target=3D"_blank"><=
span style=3D"color:purple">phil.hunt@oracle.com</span></a>&gt;<u></u><u></u=
></p>

</div>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">&nbsp;wrote:<u></u><u></u>=
</p>
</div>
</div>
<div>
<p class=3D"MsoNormal" style=3D"margin-bottom:12.0pt;background:white"><br>
<br>
<u></u><u></u></p>
</div>
<blockquote style=3D"margin-top:5.0pt;margin-bottom:5.0pt">
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">The oidc specs do not allo=
w this simple an implementation. The spec members have not shown interest in=
 making changes as they say they are too far down the road.<u></u><u></u></p=
>

</div>
</div>
<div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">&nbsp;<u></u><u></u></p>
</div>
</div>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">I have tried to make my dr=
aft as close as possible to oidc but maybe it shouldn't be clarity wise. I a=
m interested in what the group feels is clearest.&nbsp;<u></u><u></u></p>

</div>
</div>
<div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">&nbsp;<u></u><u></u></p>
</div>
</div>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">=46rom an ietf perspective=
 the concern is improper use of the 6749 for authn. Is this a bug or gap we n=
eed to address?<br>
<br>
Phil<u></u><u></u></p>
</div>
</div>
<div>
<p class=3D"MsoNormal" style=3D"margin-bottom:12.0pt;background:white;backgr=
ound-repeat:initial initial">
<br>
On 2013-07-30, at 16:46, "Richer, Justin P." &lt;<a href=3D"mailto:jricher@m=
itre.org" target=3D"_blank"><span style=3D"color:purple">jricher@mitre.org</=
span></a>&gt; wrote:<u></u><u></u></p>
</div>
<blockquote style=3D"margin-top:5.0pt;margin-bottom:5.0pt">
<div>
<p class=3D"MsoNormal" style=3D"background:white">=46rom what I read, you've=
 defined something that uses an OAuth 2 code flow to get an extra token whic=
h is specified as a JWT. You named it "session_token" instead of "id_token",=
 and you've left off the User Information
 Endpoint -- but other than that, this is exactly the Basic Client for OpenI=
D Connect. In other words, if you change the names on things you've got OIDC=
, but without the capabilities to go beyond a very basic "hey there's a user=
 here" claim. This is the same
 place that OpenID 2.0 started, and it was very, very quickly extended with S=
REG, AX, PAPE, and others for it to be useful in the real world of distribut=
ed logins. You've also left out discovery and registration which are require=
d for distributed deployments,
 but I'm guessing that those would be modular components that could be added=
 in (like they are in OIDC).&nbsp;<u></u><u></u></p>
</div>
<div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">&nbsp;<u></u><u></u></p>
</div>
</div>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">I've heard complaints that=
 OIDC is complicated, but it's really not. Yes, I agree that the giant stack=
 of documents is intimidating and in my opinion it's a bit of a mess with Me=
ssages and Standard split up (but
 I lost that argument years ago). However, at the core, you've got an OAuth2=
 authorization server that spits out access tokens and id tokens. The id tok=
en is a JWT with some known claims (iss, sub, etc) and is issued along side t=
he access token, and its audience
 is the *client* and not the *protected resource*. The access token is a reg=
ular old access token and its format is undefined (so you can use it with an=
 existing OAuth2 server setup, like we have), and it can be used at the User=
 Info Endpoint to get profile
 information about the user who authenticated. It could also be used for oth=
er services if your AS/IdP protects multiple things.<u></u><u></u></p>
</div>
</div>
<div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">&nbsp;<u></u><u></u></p>
</div>
</div>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">So I guess what I'm missin=
g is what's the value proposition in this spec when we have something that c=
an do this already? And this doesn't seem to do anything different (apart fr=
om syntax changes)?<u></u><u></u></p>

</div>
</div>
<div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">&nbsp;<u></u><u></u></p>
</div>
</div>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">&nbsp;-- Justin<u></u><u><=
/u></p>
</div>
</div>
<div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">&nbsp;<u></u><u></u></p>
</div>
</div>
<div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">On Jul 29, 2013, at 4:14 A=
M, Phil Hunt &lt;<a href=3D"mailto:phil.hunt@oracle.com" target=3D"_blank"><=
span style=3D"color:purple">phil.hunt@oracle.com</span></a>&gt; wrote:<u></u=
><u></u></p>

</div>
</div>
<div>
<p class=3D"MsoNormal" style=3D"margin-bottom:12.0pt;background:white"><br>
<br>
<u></u><u></u></p>
</div>
<blockquote style=3D"margin-top:5.0pt;margin-bottom:5.0pt">
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">FYI. &nbsp;I have been not=
icing a substantial number of sites acting as OAuth Clients using OAuth to a=
uthenticate users.<u></u><u></u></p>
</div>
<div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">&nbsp;<u></u><u></u></p>
</div>
</div>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">I know several of us have b=
logged on the issue over the past year so I won't re-hash it here. &nbsp;In s=
hort, many of us recommended OIDC as the correct methodology.<u></u><u></u><=
/p>

</div>
</div>
<div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">&nbsp;<u></u><u></u></p>
</div>
</div>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">Never-the-less, I've spoke=
n with a number of service providers who indicate they are not ready to make=
 the jump to OIDC, yet they agree there is a desire to support authenticatio=
n only (where as OIDC does IDP-like
 services).<u></u><u></u></p>
</div>
</div>
<div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">&nbsp;<u></u><u></u></p>
</div>
</div>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">This draft is intended as a=
 minimum authentication only specification. &nbsp;I've tried to make it as c=
ompatible as possible with OIDC.<u></u><u></u></p>
</div>
</div>
<div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">&nbsp;<u></u><u></u></p>
</div>
</div>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">For now, I've just posted t=
o keep track of the issue so we can address at the next re-chartering.<u></u=
><u></u></p>
</div>
</div>
<div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">&nbsp;<u></u><u></u></p>
</div>
</div>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">Happy to answer questions a=
nd discuss.&nbsp;<u></u><u></u></p>
</div>
</div>
<div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">&nbsp;<u></u><u></u></p>
</div>
</div>
</div>
<div>
<div>
<div>
<div>
<div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white"><span style=3D"font-size:9=
.0pt;font-family:&quot;Helvetica&quot;,&quot;sans-serif&quot;">Phil</span><u=
></u><u></u></p>
</div>
</div>
<div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white"><span style=3D"font-size:9=
.0pt;font-family:&quot;Helvetica&quot;,&quot;sans-serif&quot;">&nbsp;</span>=
<u></u><u></u></p>
</div>
</div>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white"><span style=3D"font-size:9=
.0pt;font-family:&quot;Helvetica&quot;,&quot;sans-serif&quot;">@independenti=
d</span><u></u><u></u></p>
</div>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white"><span style=3D"font-size:9=
.0pt;font-family:&quot;Helvetica&quot;,&quot;sans-serif&quot;"><a href=3D"ht=
tp://www.independentid.com/" target=3D"_blank"><span style=3D"color:purple">=
www.independentid.com</span></a></span><u></u><u></u></p>

</div>
</div>
</div>
<p class=3D"MsoNormal" style=3D"margin-bottom:13.5pt;background:white;backgr=
ound-repeat:initial initial">
<span style=3D"font-size:13.5pt;font-family:&quot;Helvetica&quot;,&quot;sans=
-serif&quot;"><a href=3D"mailto:phil.hunt@oracle.com" target=3D"_blank"><spa=
n style=3D"color:purple">phil.hunt@oracle.com</span></a></span><u></u><u></u=
></p>

</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white"><span style=3D"font-size:1=
3.5pt;font-family:&quot;Helvetica&quot;,&quot;sans-serif&quot;">&nbsp;</span=
><u></u><u></u></p>
</div>
</div>
</div>
<div>
<p class=3D"MsoNormal" style=3D"margin-bottom:12.0pt;background:white"><br>
<br>
<u></u><u></u></p>
</div>
</div>
<div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">&nbsp;<u></u><u></u></p>
</div>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">Begin forwarded message:<u=
></u><u></u></p>
</div>
</div>
<div>
<p class=3D"MsoNormal" style=3D"margin-bottom:12.0pt;background:white"><br>
<br>
<u></u><u></u></p>
</div>
<blockquote style=3D"margin-top:5.0pt;margin-bottom:5.0pt">
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white"><b><span style=3D"font-siz=
e:13.5pt;font-family:&quot;Helvetica&quot;,&quot;sans-serif&quot;">From:</sp=
an></b><span style=3D"font-size:13.5pt;font-family:&quot;Helvetica&quot;,&qu=
ot;sans-serif&quot;"><a href=3D"mailto:internet-drafts@ietf.org" target=3D"_=
blank"><span style=3D"color:purple">internet-drafts@ietf.org</span></a></spa=
n><u></u><u></u></p>

</div>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white"><b><span style=3D"font-siz=
e:13.5pt;font-family:&quot;Helvetica&quot;,&quot;sans-serif&quot;">Subject: N=
ew Version Notification for draft-hunt-oauth-v2-user-a4c-00.txt</span></b><u=
></u><u></u></p>

</div>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white"><b><span style=3D"font-siz=
e:13.5pt;font-family:&quot;Helvetica&quot;,&quot;sans-serif&quot;">Date:</sp=
an></b><span style=3D"font-size:13.5pt;font-family:&quot;Helvetica&quot;,&qu=
ot;sans-serif&quot;">29 July, 2013 9:49:41 AM GMT+02:00</span><u></u><u></u>=
</p>

</div>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white"><b><span style=3D"font-siz=
e:13.5pt;font-family:&quot;Helvetica&quot;,&quot;sans-serif&quot;">To:</span=
></b><span style=3D"font-size:13.5pt;font-family:&quot;Helvetica&quot;,&quot=
;sans-serif&quot;">Phil Hunt &lt;<a href=3D"mailto:phil.hunt@yahoo.com" targ=
et=3D"_blank"><span style=3D"color:purple">phil.hunt@yahoo.com</span></a>&gt=
;,
 Phil Hunt &lt;<a href=3D"mailto:None@ietfa.amsl.com" target=3D"_blank"><spa=
n style=3D"color:purple">None@ietfa.amsl.com</span></a>&gt;, Phil Hunt &lt;&=
gt;</span><u></u><u></u></p>
</div>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">&nbsp;<u></u><u></u></p>
</div>
</div>
<div>
<p class=3D"MsoNormal" style=3D"margin-bottom:12.0pt;background:white;backgr=
ound-repeat:initial initial">
<br>
A new version of I-D, draft-hunt-oauth-v2-user-a4c-00.txt<br>
has been successfully submitted by Phil Hunt and posted to the<br>
IETF repository.<br>
<br>
Filename: draft-hunt-oauth-v2-user-a4c<br>
Revision: 00<br>
Title: OAuth 2.0 User Authentication For Client<br>
Creation date: 2013-07-29<br>
Group: Individual Submission<br>
Number of pages: 9<br>
URL: &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp=
;<a href=3D"http://www.ietf.org/internet-drafts/draft-hunt-oauth-v2-user-a4c=
-00.txt" target=3D"_blank"><span style=3D"color:purple">http://www.ietf.org/=
internet-drafts/draft-hunt-oauth-v2-user-a4c-00.txt</span></a><br>

Status: &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<a href=3D"htt=
p://datatracker.ietf.org/doc/draft-hunt-oauth-v2-user-a4c" target=3D"_blank"=
><span style=3D"color:purple">http://datatracker.ietf.org/doc/draft-hunt-oau=
th-v2-user-a4c</span></a><br>
Htmlized: &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<a href=3D"http://tools.=
ietf.org/html/draft-hunt-oauth-v2-user-a4c-00" target=3D"_blank"><span style=
=3D"color:purple">http://tools.ietf.org/html/draft-hunt-oauth-v2-user-a4c-00=
</span></a><br>
<br>
<br>
Abstract:<br>
&nbsp;&nbsp;This specification defines a new OAuth2 endpoint that enables us=
er<br>
&nbsp;&nbsp;authentication session information to be shared with client<br>
&nbsp;&nbsp;applications.<br>
<br>
<br>
<br>
<br>
Please note that it may take a couple of minutes from the time of submission=
<br>
until the htmlized version and diff are available at<a href=3D"http://tools.=
ietf.org/" target=3D"_blank"><span style=3D"color:purple">tools.ietf.org</sp=
an></a>.<br>
<br>
The IETF Secretariat<u></u><u></u></p>
</div>
</blockquote>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">&nbsp;<u></u><u></u></p>
</div>
</div>
</div>
</div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">__________________________=
_____________________<br>
OAuth mailing list<br>
<a href=3D"mailto:OAuth@ietf.org" target=3D"_blank"><span style=3D"color:pur=
ple">OAuth@ietf.org</span></a><br>
<a href=3D"https://www.ietf.org/mailman/listinfo/oauth" target=3D"_blank"><s=
pan style=3D"color:purple">https://www.ietf.org/mailman/listinfo/oauth</span=
></a><u></u><u></u></p>
</div>
</blockquote>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">&nbsp;<u></u><u></u></p>
</div>
</div>
</div>
</blockquote>
</blockquote>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">&nbsp;<u></u><u></u></p>
</div>
</div>
</div>
</blockquote>
</blockquote>
</div>
</blockquote>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">&nbsp;<u></u><u></u></p>
</div>
</div>
</div>
</div>
</div>
</blockquote>
</div>
<div>
<p class=3D"MsoNormal" style=3D"background:white"><br>
<br clear=3D"all">
<u></u><u></u></p>
</div>
<div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">&nbsp;<u></u><u></u></p>
</div>
</div>
</div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">--<span>&nbsp;</span><br>
Nat Sakimura (=3Dnat)<u></u><u></u></p>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">Chairman, OpenID Foundatio=
n<br>
<a href=3D"http://nat.sakimura.org/" target=3D"_blank"><span style=3D"color:=
purple">http://nat.sakimura.org/</span></a><br>
@_nat_en<u></u><u></u></p>
</div>
</div>
</div>
<div>
<p class=3D"MsoNormal" style=3D"margin-bottom:12.0pt;background:white"><br>
<br>
<u></u><u></u></p>
</div>

</blockquote>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">&nbsp;<u></u><u></u></p>
</div>
</div>
</div>
</blockquote>
</div>
<div>
<p class=3D"MsoNormal" style=3D"background:white"><br>
<br clear=3D"all">
<u></u><u></u></p>
</div>
<div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">&nbsp;<u></u><u></u></p>
</div>
</div>
</div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">--<span>&nbsp;</span><br>
Nat Sakimura (=3Dnat)<u></u><u></u></p>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">Chairman, OpenID Foundatio=
n<br>
<a href=3D"http://nat.sakimura.org/" target=3D"_blank"><span style=3D"color:=
purple">http://nat.sakimura.org/</span></a><br>
@_nat_en<u></u><u></u></p>
</div>
</div>
</div>
</blockquote>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">&nbsp;<u></u><u></u></p>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</blockquote>
</div>
<div>
<p class=3D"MsoNormal">&nbsp;<u></u><u></u></p>
</div>
</div>
</blockquote>
</div>
</blockquote>
</div>
<p class=3D"MsoNormal"><u></u>&nbsp;<u></u></p>
</div>
</div>
</div></div></div>
</div>

</blockquote></div><br><br clear=3D"all"><div><br></div>-- <br>Nat Sakimura (=
=3Dnat)<div>Chairman, OpenID Foundation<br><a href=3D"http://nat.sakimura.or=
g/" target=3D"_blank">http://nat.sakimura.org/</a><br>@_nat_en</div>
</div>
</div></blockquote></body></html>=

--Apple-Mail-8200BB63-858D-4B56-A810-8F46F81C5A47--

From Michael.Jones@microsoft.com  Thu Aug  1 21:02:21 2013
Return-Path: <Michael.Jones@microsoft.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B8C0311E80EF for <oauth@ietfa.amsl.com>; Thu,  1 Aug 2013 21:02:21 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.36
X-Spam-Level: 
X-Spam-Status: No, score=-3.36 tagged_above=-999 required=5 tests=[AWL=-0.362,  BAYES_00=-2.599, HTML_MESSAGE=0.001, J_CHICKENPOX_24=0.6, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id yxq2UWWzqFAp for <oauth@ietfa.amsl.com>; Thu,  1 Aug 2013 21:02:17 -0700 (PDT)
Received: from co1outboundpool.messaging.microsoft.com (co1ehsobe002.messaging.microsoft.com [216.32.180.185]) by ietfa.amsl.com (Postfix) with ESMTP id 0CEE911E8167 for <oauth@ietf.org>; Thu,  1 Aug 2013 21:02:17 -0700 (PDT)
Received: from mail140-co1-R.bigfish.com (10.243.78.249) by CO1EHSOBE003.bigfish.com (10.243.66.66) with Microsoft SMTP Server id 14.1.225.22; Fri, 2 Aug 2013 04:02:16 +0000
Received: from mail140-co1 (localhost [127.0.0.1])	by mail140-co1-R.bigfish.com (Postfix) with ESMTP id 56FF06801A0; Fri,  2 Aug 2013 04:02:16 +0000 (UTC)
X-Forefront-Antispam-Report: CIP:131.107.125.8; KIP:(null); UIP:(null); IPV:NLI; H:TK5EX14HUBC102.redmond.corp.microsoft.com; RD:autodiscover.service.exchange.microsoft.com; EFVD:NLI
X-SpamScore: -31
X-BigFish: VS-31(zf7Izbb2dI98dI9371Ic89bh936eI1b0bIc857h4015I1447Idb82hzz1f42h208ch1ee6h1de0h1fdah2073h1202h1e76h1d1ah1d2ah1fc6hzz16d858h1d7338h1de098h1033IL177df4h17326ah18c673h1de096h18602eh5eeeK8275bh8275dh1de097h8275chz2fh2a8h668h839hd25hf0ah1288h12a5h12bdh137ah1441h1504h1537h153bh15d0h162dh1631h1758h18e1h1946h19b5h19ceh1b0ah1bceh1d0ch1d2eh1d3fh1dfeh1dffh1e1dh1155h)
Received-SPF: pass (mail140-co1: domain of microsoft.com designates 131.107.125.8 as permitted sender) client-ip=131.107.125.8; envelope-from=Michael.Jones@microsoft.com; helo=TK5EX14HUBC102.redmond.corp.microsoft.com ; icrosoft.com ; 
Received: from mail140-co1 (localhost.localdomain [127.0.0.1]) by mail140-co1 (MessageSwitch) id 1375416132648685_9537; Fri,  2 Aug 2013 04:02:12 +0000 (UTC)
Received: from CO1EHSMHS019.bigfish.com (unknown [10.243.78.254])	by mail140-co1.bigfish.com (Postfix) with ESMTP id 9A674B4004D; Fri,  2 Aug 2013 04:02:12 +0000 (UTC)
Received: from TK5EX14HUBC102.redmond.corp.microsoft.com (131.107.125.8) by CO1EHSMHS019.bigfish.com (10.243.66.29) with Microsoft SMTP Server (TLS) id 14.16.227.3; Fri, 2 Aug 2013 04:02:12 +0000
Received: from TK5EX14MBXC284.redmond.corp.microsoft.com ([169.254.1.38]) by TK5EX14HUBC102.redmond.corp.microsoft.com ([157.54.7.154]) with mapi id 14.03.0136.001; Fri, 2 Aug 2013 04:02:07 +0000
From: Mike Jones <Michael.Jones@microsoft.com>
To: Phil Hunt <phil.hunt@oracle.com>, Nat Sakimura <sakimura@gmail.com>
Thread-Topic: [OAUTH-WG] Need for Extending OAuth with AuthN (was Re: Fwd: New Version Notification for draft-hunt-oauth-v2-user-a4c-00.txt)
Thread-Index: AQHOjzJIbQ7osGd7rUy3sKejy5dEFpmBSr2w
Date: Fri, 2 Aug 2013 04:02:06 +0000
Message-ID: <4E1F6AAD24975D4BA5B16804296739436B73B280@TK5EX14MBXC284.redmond.corp.microsoft.com>
References: <787A2184-CE90-49F4-ABB6-B8D049AE3941@oracle.com> <E2282016-1953-48A4-B0AC-7F138D29AB80@oracle.com> <BAB6DA63-5831-49D0-8CB9-13CF57F78806@ve7jtb.com> <CABzCy2C=DXtFUOZh=55xH_BwMz1Z8gb2ShUHAG7ZmATtc4E4zw@mail.gmail.com> <51F983E3.1020400@oracle.com> <1375307375.98370.YahooMailNeo@web142804.mail.bf1.yahoo.com> <5c5c607231e644f697c5a60b75688013@BY2PR03MB189.namprd03.prod.outlook.com> <5D020B1E-531D-444E-A492-046D444D48D2@mitre.org> <e68801da9fa547c69fee43b9cd7b22b8@BY2PR03MB189.namprd03.prod.outlook.com> <2117136733141454493@unknownmsgid> <8E6F38BA-E6BF-40E5-818A-45F506BB181D@mitre.org> <f4b99e49fbdd4e22b19391cdb720b15d@BY2PR03MB189.namprd03.prod.outlook.com> <CABzCy2Aou0eMqHKjxOh01mtfzQ8-mvU5BHF84kHHsnPsO3di=Q@mail.gmail.com> <6F19AC80-0BB9-4387-AA77-77D02CE1E772@oracle.com>
In-Reply-To: <6F19AC80-0BB9-4387-AA77-77D02CE1E772@oracle.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
x-originating-ip: [157.54.51.32]
Content-Type: multipart/alternative; boundary="_000_4E1F6AAD24975D4BA5B16804296739436B73B280TK5EX14MBXC284r_"
MIME-Version: 1.0
X-OriginatorOrg: microsoft.com
X-FOPE-CONNECTOR: Id%0$Dn%*$RO%0$TLS%0$FQDN%$TlsDn%
Cc: "oauth@ietf.org WG" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Need for Extending OAuth with AuthN (was Re: Fwd:	New Version Notification for draft-hunt-oauth-v2-user-a4c-00.txt)
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 02 Aug 2013 04:02:21 -0000

--_000_4E1F6AAD24975D4BA5B16804296739436B73B280TK5EX14MBXC284r_
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
--_000_4E1F6AAD24975D4BA5B16804296739436B73B280TK5EX14MBXC284r_
Content-Type: text/html; charset="utf-8"
Content-Transfer-Encoding: base64
--_000_4E1F6AAD24975D4BA5B16804296739436B73B280TK5EX14MBXC284r_--

From phil.hunt@oracle.com  Thu Aug  1 21:09:16 2013
Return-Path: <phil.hunt@oracle.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2782711E80FE for <oauth@ietfa.amsl.com>; Thu,  1 Aug 2013 21:09:16 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.816
X-Spam-Level: 
X-Spam-Status: No, score=-4.816 tagged_above=-999 required=5 tests=[AWL=-0.214, BAYES_00=-2.599, HTML_MESSAGE=0.001, J_CHICKENPOX_24=0.6, MIME_QP_LONG_LINE=1.396, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id IBmlEwlOupM9 for <oauth@ietfa.amsl.com>; Thu,  1 Aug 2013 21:09:11 -0700 (PDT)
Received: from aserp1040.oracle.com (aserp1040.oracle.com [141.146.126.69]) by ietfa.amsl.com (Postfix) with ESMTP id 3EA0921E8054 for <oauth@ietf.org>; Thu,  1 Aug 2013 21:08:16 -0700 (PDT)
Received: from acsinet22.oracle.com (acsinet22.oracle.com [141.146.126.238]) by aserp1040.oracle.com (Sentrion-MTA-4.3.1/Sentrion-MTA-4.3.1) with ESMTP id r7248Dk6012990 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK); Fri, 2 Aug 2013 04:08:14 GMT
Received: from userz7021.oracle.com (userz7021.oracle.com [156.151.31.85]) by acsinet22.oracle.com (8.14.4+Sun/8.14.4) with ESMTP id r7248Baf006506 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Fri, 2 Aug 2013 04:08:12 GMT
Received: from abhmt104.oracle.com (abhmt104.oracle.com [141.146.116.56]) by userz7021.oracle.com (8.14.4+Sun/8.14.4) with ESMTP id r7248ALK014143; Fri, 2 Aug 2013 04:08:11 GMT
Received: from [10.1.0.227] (/217.9.48.53) by default (Oracle Beehive Gateway v4.0) with ESMTP ; Thu, 01 Aug 2013 21:08:09 -0700
References: <787A2184-CE90-49F4-ABB6-B8D049AE3941@oracle.com> <E2282016-1953-48A4-B0AC-7F138D29AB80@oracle.com> <BAB6DA63-5831-49D0-8CB9-13CF57F78806@ve7jtb.com> <CABzCy2C=DXtFUOZh=55xH_BwMz1Z8gb2ShUHAG7ZmATtc4E4zw@mail.gmail.com> <51F983E3.1020400@oracle.com> <1375307375.98370.YahooMailNeo@web142804.mail.bf1.yahoo.com> <5c5c607231e644f697c5a60b75688013@BY2PR03MB189.namprd03.prod.outlook.com> <5D020B1E-531D-444E-A492-046D444D48D2@mitre.org> <e68801da9fa547c69fee43b9cd7b22b8@BY2PR03MB189.namprd03.prod.outlook.com> <2117136733141454493@unknownmsgid> <8E6F38BA-E6BF-40E5-818A-45F506BB181D@mitre.org> <f4b99e49fbdd4e22b19391cdb720b15d@BY2PR03MB189.namprd03.prod.outlook.com> <CABzCy2Aou0eMqHKjxOh01mtfzQ8-mvU5BHF84kHHsnPsO3di=Q@mail.gmail.com> <6F19AC80-0BB9-4387-AA77-77D02CE1E772@oracle.com> <4E1F6AAD24975D4BA5B16804296739436B73B280@TK5EX14MBXC284.redmond.corp.microsoft.com>
Mime-Version: 1.0 (1.0)
In-Reply-To: <4E1F6AAD24975D4BA5B16804296739436B73B280@TK5EX14MBXC284.redmond.corp.microsoft.com>
Content-Type: multipart/alternative; boundary=Apple-Mail-7349B05E-0F99-463C-884F-10EEA4A79E34
Content-Transfer-Encoding: 7bit
Message-Id: <C71E9977-6035-4BF7-B490-AB51BA5AC29B@oracle.com>
X-Mailer: iPhone Mail (10B329)
From: Phil Hunt <phil.hunt@oracle.com>
Date: Fri, 2 Aug 2013 06:08:05 +0200
To: Mike Jones <Michael.Jones@microsoft.com>
X-Source-IP: acsinet22.oracle.com [141.146.126.238]
Cc: "oauth@ietf.org WG" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Need for Extending OAuth with AuthN (was Re: Fwd: New Version Notification for draft-hunt-oauth-v2-user-a4c-00.txt)
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 02 Aug 2013 04:09:16 -0000

--Apple-Mail-7349B05E-0F99-463C-884F-10EEA4A79E34
Content-Type: text/plain;
	charset=utf-8
Content-Transfer-Encoding: quoted-printable

+1

Phil

On 2013-08-02, at 6:02, Mike Jones <Michael.Jones@microsoft.com> wrote:

> I agree that this write-up wouldn’t be written in a manner that was dependent upon the OpenID specs.  It would be written in a stand-alone manner.  However, I agree with what Tony said that having common format and values is the key.  Then whether people are implementing to the additional OAuth spec or to the OpenID Connect specs, their code would be compatible with both.
>
>                                              -- Mike
>
> From: oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] On Behalf Of Phil Hunt
> Sent: Thursday, August 01, 2013 7:57 PM
> To: Nat Sakimura
> Cc: oauth@ietf.org WG
> Subject: Re: [OAUTH-WG] Need for Extending OAuth with AuthN (was Re: Fwd: New Version Notification for draft-hunt-oauth-v2-user-a4c-00.txt)
>
> OpenId specs can depend on oAuth. Having OAuth depend on OpenId is not appropriate here.
>
> Phil
>
> On 2013-08-01, at 18:07, Nat Sakimura <sakimura@gmail.com> wrote:
>
> Like Bill says, it can just be a profile of OpenID Connect.
> IETF specs already reference OpenID Foundation specs.
> It should not be a problem.
> I do not think we want to fork.
>
>
> 2013/8/1 Anthony Nadalin <tonynad@microsoft.com>
> I believe it beneficial to have a common format and common values, and 1 way to handle the format and values. I believe that having this in oauth is beneficial, I believe that it would also be beneficial for OpenID if this were in oauth. There are cases for signed and unsigned formats.
>
> From: Richer, Justin P. [mailto:jricher@mitre.org]
> Sent: Thursday, August 1, 2013 7:15 AM
> To: Nat Sakimura
> Cc: Anthony Nadalin; Bill Mills; Prateek Mishra; oauth@ietf.org WG
>
> Subject: Re: [OAUTH-WG] Need for Extending OAuth with AuthN (was Re: Fwd: New Version Notification for draft-hunt-oauth-v2-user-a4c-00.txt)
>
> Also, it's (optionally) a token in the proposed document we're discussing (§2.4.1), which means there are two ways to parse the same information. OIDC uses JWTs for everything, signed and unsigned. This means that OIDC is actually simpler from an implementation perspective, wouldn't you say? Instead of having two parsers, you have one to cover both cases.
>
> (And given your tendency to throw signed assertions at every problem, I would have thought that you'd prefer this anyway.)
>
>  -- Justin
>
> On Aug 1, 2013, at 9:40 AM, Nat Sakimura <sakimura@gmail.com>
>  wrote:
>
>
> Yes, it is a Token.
> No, it does not have to be signed.
>
> As to be a token or not to be a token question, it has been discussed in the WG before, and if I remember correctly,  Microsoft argued for token saying that it is just base64 decoding and I lost there.
>
> Nat
>
> On Aug 1, 2013, at 14:24, Anthony Nadalin <tonynad@microsoft.com> wrote:
>
> You can’t do this, first openid uses a token and second it’s signed, third there is no specification to just return an authentication JSON structure
>
> From: Richer, Justin P. [mailto:jricher@mitre.org]
> Sent: Thursday, August 1, 2013 5:15 AM
> To: Anthony Nadalin
> Cc: Bill Mills; Prateek Mishra; Nat Sakimura; oauth@ietf.org WG
> Subject: Re: [OAUTH-WG] Need for Extending OAuth with AuthN (was Re: Fwd: New Version Notification for draft-hunt-oauth-v2-user-a4c-00.txt)
>
> Tony, you can already return the authn result from the token request (we discussed this specifically in May as I recall). That's what the "idtoken" and "code idtoken" responses are for in OpenID Connect. The proposed draft is nearly a duplicate of the core functionality of OIDC.
>
>  -- Justin
>
> On Aug 1, 2013, at 7:31 AM, Anthony Nadalin <tonynad@microsoft.com>
>  wrote:
>
>
> The proposal does not duplicate what OpenID does, there is clear benefit for returning an authentication result in the token request result. This is being proposed as optional JSON structure.
>
> From: oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] On Behalf Of Bill Mills
> Sent: Wednesday, July 31, 2013 2:50 PM
> To: Prateek Mishra; Nat Sakimura
> Cc: oauth@ietf.org WG
> Subject: Re: [OAUTH-WG] Need for Extending OAuth with AuthN (was Re: Fwd: New Version Notification for draft-hunt-oauth-v2-user-a4c-00.txt)
>
> Rather than extending OAuth for something OpenID already does...  why don't we get a simple informational example doc to show how to implement the most basic OpenID service, which is the same functionality on a standard that's already written?
>
> This is sounding more and more like a documentation problem.
>
> From: Prateek Mishra <prateek.mishra@oracle.com>
> To: Nat Sakimura <sakimura@gmail.com>
> Cc: "oauth@ietf.org WG" <oauth@ietf.org>
> Sent: Wednesday, July 31, 2013 2:38 PM
> Subject: [OAUTH-WG] Need for Extending OAuth with AuthN (was Re: Fwd: New Version Notification for draft-hunt-oauth-v2-user-a4c-00.txt)
>
> Nat -
>
> thanks for the detailed response. I did review the links you sent out but it remained unclear to me which
> features are MTI and which are not. For example, there is nothing in the Basic Client Profile that suggests
> that Section 2.3 is optional. I also could not find any definition for "non-dynamic OpenID Connect Server".
>
> I don't think there is a need to duplicate portions of the draft specification text in a new document. One solution
> that was used in SAML 2.0 was to define a conformance document which described several different
> operational modes and explained how only a small set of features needed to be implemented in certain modes.
>
> http://docs.oasis-open.org/security/saml/v2.0/saml-conformance-2.0-os.pdf
>
> There are probably other smarter ways to achieve the same effect.
>
> Given this situation, I do think it's a reasonable task for the OAuth community to consider the need for
> a minimal extension to OAuth that accommodates authentication. The community should be made aware that
> RFC 6749 is being misused for federated authentication, as explained in -
>
> http://www.independentid.com/2013/07/simple-authentication-for-oauth-2-what.html
>
> and that there doesn't appear to be a simple solution that is currently available. It would be great if it turned
> out that OpenID Connect offered such a solution but that isn't clear to me.
>
> Thx,
> prateek
>
>
> Inline:
>
> 2013/7/31 Prateek Mishra <prateek.mishra@oracle.com>
> Nat -
>
> your blog posting is helpful to those of us who are looking for a minimal extension of OAuth with
> an authenticator.  Many implementors are seeking a modest extension of OAuth, not an entire new protocol
> stack.   I believe that is the point of Phil Hunt's proposal to the OAuth committee.
>
> I do have some questions about the statements made in the blog -
>
> A) Can you direct me to a single OpenID Connect draft specification document where steps 1 and 2 are described?
>
> Actually, it is not a single spec, that the Standard is referencing others.
> The Standard is kind of cluttered because it has 6 response types and three request types in it.
> I suppose it would be much easier for the readers to split them into coherent pieces, though that means duplicate texts.
>
> The easiest approach here is to read the Basic Client Profile. http://openid.net/specs/openid-connect-basic-1_0-28.html
> Then, read OAuth 2.0 Multiple Response Type Encoding Practices http://openid.net/specs/oauth-v2-multiple-response-types-1_0-08.html .
>
>
> B) If I implement steps 1 and 2, do I then have a conformant OpenID Connect implementation? Are there no
> other MTI protocol exchanges in OpenID Connect?
>
> Yes, for a non-dynamic OpenID Connect Server.
>
> Nat
>
>
> Thanks,
> prateek
>
>
>
>
> I have written a short blog post titled "Write an OpenID Connect server in three simple steps".
>
> Really, there is not much you need to do on top of OAuth 2.0.
>
> It puzzles me why you need to create a draft with only minor variances in parameter names.
>
> e.g.,
> session instead of id_token
> lat instead of iat
> alv instead of acr
> etc.
>
> If you change those parameter names, you will have a conformant profile of OpenID Connect.
>
> Nat
>
> 2013/7/31 John Bradley <ve7jtb@ve7jtb.com>
> Connect doesn't require a userinfo endpoint.   It is required for interoperability if you are building an open IdP.   For an enterprise type deployment discovery, registration, userinfo are all optional.
>
> The server is required to pass the nonce which is equivalent to a request ID through to the JWT if the client sends it in the request.
>
> Justin is correct.
>
> John B.
>
> On 2013-07-30, at 5:30 PM, Phil Hunt <phil.hunt@oracle.com> wrote:
>
> Forgot reply all.
>
> Phil
>
> Begin forwarded message:
>
> From: Phil Hunt <phil.hunt@oracle.com>
> Date: 30 July, 2013 17:25:46 GMT+02:00
> To: "Richer, Justin P." <jricher@mitre.org>
> Subject: Re: [OAUTH-WG] New Version Notification for draft-hunt-oauth-v2-user-a4c-00.txt
>
> The whole point is authn only. Many do not want or need the userinfo endpoint.
>
> Phil
>
> On 2013-07-30, at 17:17, "Richer, Justin P." <jricher@mitre.org> wrote:
>
> What do you mean? You absolutely can implement a compliant OIDC server nearly as simply as this. The things that you're missing I think are necessary for basic interoperable functionality, and are things that other folks using OAuth for authentication have also implemented. Namely:
>
>  - Signing the ID token (OIDC specifies the RS256 flavor of JWS, which is easy to do with JWT). Without a signed and verifiable ID token or equivalent, you're asking for all kinds of token injection problems.
>  - Session management requests (max auth age, auth time)
>  - Not fall over with other parameters that you don't support (display, prompt, etc).
>
> See here for more information:
>
>  http://openid.net/specs/openid-connect-messages-1_0.html#ServerMTI
>
> Additionally, something that's really important to support is the User Info Endpoint, so you can actually get user profile information beyond just the simple "someone was here" claim -- this was the real value of Facebook Connect from an RP's perspective. Some people will probably want to use SCIM for this, too, and that's fine.
>
>  -- Justin
>
> On Jul 30, 2013, at 10:54 AM, Phil Hunt <phil.hunt@oracle.com> wrote:
>
> The oidc specs do not allow this simple an implementation. The spec members have not shown interest in making changes as they say they are too far down the road.
>
> I have tried to make my draft as close as possible to oidc but maybe it shouldn't be clarity wise. I am interested in what the group feels is clearest.
>
> From an ietf perspective the concern is improper use of the 6749 for authn. Is this a bug or gap we need to address?
>
> Phil
>
> On 2013-07-30, at 16:46, "Richer, Justin P." <jricher@mitre.org> wrote:
>
> From what I read, you've defined something that uses an OAuth 2 code flow to get an extra token which is specified as a JWT. You named it "session_token" instead of "id_token", and you've left off the User Information Endpoint -- but other than that, this is exactly the Basic Client for OpenID Connect. In other words, if you change the names on things you've got OIDC, but without the capabilities to go beyond a very basic "hey there's a user here" claim. This is the same place that OpenID 2.0 started, and it was very, very quickly extended with SREG, AX, PAPE, and others for it to be useful in the real world of distributed logins. You've also left out discovery and registration which are required for distributed deployments, but I'm guessing that those would be modular components that could be added in (like they are in OIDC).
>
> I've heard complaints that OIDC is complicated, but it's really not. Yes, I agree that the giant stack of documents is intimidating and in my opinion it's a bit of a mess with Messages and Standard split up (but I lost that argument years ago). However, at the core, you've got an OAuth2 authorization server that spits out access tokens and id tokens. The id token is a JWT with some known claims (iss, sub, etc) and is issued alongside the access token, and its audience is the *client* and not the *protected resource*. The access token is a regular old access token and its format is undefined (so you can use it with an existing OAuth2 server setup, like we have), and it can be used at the User Info Endpoint to get profile information about the user who authenticated. It could also be used for other services if your AS/IdP protects multiple things.
>
> So I guess what I'm missing is what's the value proposition in this spec when we have something that can do this already? And this doesn't seem to do anything different (apart from syntax changes)?
>
>  -- Justin
>
> On Jul 29, 2013, at 4:14 AM, Phil Hunt <phil.hunt@oracle.com> wrote:
>
> FYI. I have been noticing a substantial number of sites acting as OAuth Clients using OAuth to authenticate users.
>
> I know several of us have blogged on the issue over the past year so I won't re-hash it here. In short, many of us recommended OIDC as the correct methodology.
>
> Nevertheless, I've spoken with a number of service providers who indicate they are not ready to make the jump to OIDC, yet they agree there is a desire to support authentication only (whereas OIDC does IDP-like services).
>
> This draft is intended as a minimum authentication only specification. I've tried to make it as compatible as possible with OIDC.
>
> For now, I've just posted to keep track of the issue so we can address at the next re-chartering.
>
> Happy to answer questions and discuss.
>
> Phil
>
> @independentid
> www.independentid.com
> phil.hunt@oracle.com
>
> Begin forwarded message:
>
> From: internet-drafts@ietf.org
> Subject: New Version Notification for draft-hunt-oauth-v2-user-a4c-00.txt
> Date: 29 July, 2013 9:49:41 AM GMT+02:00
> To: Phil Hunt <phil.hunt@yahoo.com>, Phil Hunt <None@ietfa.amsl.com>, Phil Hunt <>
>
> A new version of I-D, draft-hunt-oauth-v2-user-a4c-00.txt
> has been successfully submitted by Phil Hunt and posted to the
> IETF repository.
>
> Filename: draft-hunt-oauth-v2-user-a4c
> Revision: 00
> Title: OAuth 2.0 User Authentication For Client
> Creation date: 2013-07-29
> Group: Individual Submission
> Number of pages: 9
> URL:             http://www.ietf.org/internet-drafts/draft-hunt-oauth-v2-user-a4c-00.txt
> Status:          http://datatracker.ietf.org/doc/draft-hunt-oauth-v2-user-a4c
> Htmlized:        http://tools.ietf.org/html/draft-hunt-oauth-v2-user-a4c-00
>
> Abstract:
>   This specification defines a new OAuth2 endpoint that enables user
>   authentication session information to be shared with client
>   applications.
>
> Please note that it may take a couple of minutes from the time of submission
> until the htmlized version and diff are available at tools.ietf.org.
>
> The IETF Secretariat
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>
> --
> Nat Sakimura (=nat)
> Chairman, OpenID Foundation
> http://nat.sakimura.org/
> @_nat_en
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
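
Added example, not part of the original thread and not code from any participant or OpenID Connect implementation: the relying-party checks behind the ID token properties described in the quoted messages above (an RS256-signed JWT, an audience that is the client, the nonce passed through from the request). The issuer URL, client ids, subject, nonce and the throwaway 1024-bit key generated at run time are constructed for the demo, and RSA is done with the standard library only so the block runs offline.

```python
import base64, hashlib, hmac, json, secrets, time

SHA256_PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")  # DER DigestInfo, RFC 8017

class IDTokenError(Exception):
    """An ID token failed one of the relying party's checks."""

def b64u(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64u_dec(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _is_prime(n, rounds=40):                  # Miller-Rabin, n odd and large
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x not in (1, n - 1) and all(pow(x, 2 ** i, n) != n - 1 for i in range(1, r)):
            return False
    return True

def demo_keypair(bits=1024, e=65537):         # throwaway demo key, not for production
    primes = []
    while len(primes) < 2:
        cand = secrets.randbits(bits // 2) | (3 << (bits // 2 - 2)) | 1
        if cand % e != 1 and cand not in primes and _is_prime(cand):
            primes.append(cand)
    p, q = primes
    return (p * q, e), pow(e, -1, (p - 1) * (q - 1))

def _emsa(msg, k):                            # EMSA-PKCS1-v1_5 encoding of SHA-256(msg)
    t = SHA256_PREFIX + hashlib.sha256(msg).digest()
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t

def rs256_sign(msg, n, d):
    k = (n.bit_length() + 7) // 8
    return pow(int.from_bytes(_emsa(msg, k), "big"), d, n).to_bytes(k, "big")

def rs256_verify(msg, sig, n, e):
    k = (n.bit_length() + 7) // 8
    s = int.from_bytes(sig, "big")
    if len(sig) != k or s >= n:
        return False
    # Rebuild the expected block and compare it whole instead of parsing the padding.
    return hmac.compare_digest(pow(s, e, n).to_bytes(k, "big"), _emsa(msg, k))

def issue_id_token(claims, n, d, alg="RS256"):
    head = b64u(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    body = b64u(json.dumps(claims).encode())
    sig = rs256_sign(f"{head}.{body}".encode(), n, d) if alg == "RS256" else b""
    return f"{head}.{body}.{b64u(sig)}"

def validate_id_token(token, pub, issuer, client_id, nonce=None):
    """Relying-party checks; returns the claims or raises IDTokenError."""
    try:
        head, body, sig_b64 = token.split(".")
        header, claims = json.loads(b64u_dec(head)), json.loads(b64u_dec(body))
        alg, aud, sig = header.get("alg"), claims.get("aud"), b64u_dec(sig_b64)
    except (ValueError, AttributeError) as exc:
        raise IDTokenError("malformed token") from exc
    if alg != "RS256":                        # pinned: "none" and anything else is refused
        raise IDTokenError("unsigned or unexpected alg")
    if not rs256_verify(f"{head}.{body}".encode(), sig, *pub):
        raise IDTokenError("bad signature")
    if claims.get("iss") != issuer:
        raise IDTokenError("wrong issuer")
    if client_id not in (aud if isinstance(aud, list) else [aud]):
        raise IDTokenError("issued to another client")
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= time.time():
        raise IDTokenError("expired")
    if nonce is not None and claims.get("nonce") != nonce:
        raise IDTokenError("nonce mismatch")
    return claims

def outcome(token, **rp):
    try:
        validate_id_token(token, **rp)
        return "accepted"
    except IDTokenError as exc:
        return str(exc)

def demo():
    (n, e), d = demo_keypair()
    # Constructed sample values: issuer, client ids, subject and nonce are made up.
    claims = {"iss": "https://op.example", "sub": "user-1234", "aud": "client-a",
              "exp": int(time.time()) + 300, "nonce": "demo-nonce-1"}
    rp = dict(pub=(n, e), issuer="https://op.example", client_id="client-a", nonce="demo-nonce-1")
    good = issue_id_token(claims, n, d)
    head, _, sig = good.split(".")
    forged = b64u(json.dumps({**claims, "sub": "someone-else"}).encode())
    return {
        "good": outcome(good, **rp),
        "unsigned": outcome(issue_id_token(claims, n, d, alg="none"), **rp),
        "tampered": outcome(f"{head}.{forged}.{sig}", **rp),
        "other_client": outcome(issue_id_token({**claims, "aud": "client-b"}, n, d), **rp),
        "wrong_nonce": outcome(good, **{**rp, "nonce": "another-session"}),
    }

if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The "other_client" case is the token-injection scenario: a correctly signed token minted for a different client is refused on the audience check alone.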

--Apple-Mail-7349B05E-0F99-463C-884F-10EEA4A79E34
Content-Type: text/html;
	charset=utf-8
Content-Transfer-Encoding: quoted-printable

<html><head><meta http-equiv=3D"content-type" content=3D"text/html; charset=3D=
utf-8"></head><body dir=3D"auto"><div>+1<br><br>Phil</div><div><br>On 2013-0=
8-02, at 6:02, Mike Jones &lt;<a href=3D"mailto:Michael.Jones@microsoft.com"=
>Michael.Jones@microsoft.com</a>&gt; wrote:<br><br></div><blockquote type=3D=
"cite"><div>



<div class=3D"WordSection1">
<p class=3D"MsoNormal"><span style=3D"font-size:11.0pt;font-family:&quot;Cal=
ibri&quot;,&quot;sans-serif&quot;;color:#1F497D">I agree that this write-up w=
ouldn=E2=80=99t be written in a manner that was dependent upon the OpenID sp=
ecs.&nbsp; It would be written in a stand-alone manner.&nbsp; However,
 I agree with what Tony said that having common format and values is the key=
.&nbsp; Then whether people are implementing to the additional OAuth spec or=
 to the OpenID Connect specs, their code would be compatible with both.<o:p>=
</o:p></span></p>
<p class=3D"MsoNormal"><span style=3D"font-size:11.0pt;font-family:&quot;Cal=
ibri&quot;,&quot;sans-serif&quot;;color:#1F497D"><o:p>&nbsp;</o:p></span></p=
>
<p class=3D"MsoNormal"><span style=3D"font-size:11.0pt;font-family:&quot;Cal=
ibri&quot;,&quot;sans-serif&quot;;color:#1F497D">&nbsp;&nbsp;&nbsp;&nbsp;&nb=
sp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&=
nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp=
;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nb=
sp;&nbsp; -- Mike<o:p></o:p></span></p>
<p class=3D"MsoNormal"><span style=3D"font-size:11.0pt;font-family:&quot;Cal=
ibri&quot;,&quot;sans-serif&quot;;color:#1F497D"><o:p>&nbsp;</o:p></span></p=
>
<div>
<div style=3D"border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0=
in 0in">
<p class=3D"MsoNormal"><b><span style=3D"font-size:10.0pt;font-family:&quot;=
Tahoma&quot;,&quot;sans-serif&quot;">From:</span></b><span style=3D"font-siz=
e:10.0pt;font-family:&quot;Tahoma&quot;,&quot;sans-serif&quot;"> <a href=3D"=
mailto:oauth-bounces@ietf.org">oauth-bounces@ietf.org</a> [<a href=3D"mailto=
:oauth-bounces@ietf.org">mailto:oauth-bounces@ietf.org</a>]
<b>On Behalf Of </b>Phil Hunt<br>
<b>Sent:</b> Thursday, August 01, 2013 7:57 PM<br>
<b>To:</b> Nat Sakimura<br>
<b>Cc:</b> <a href=3D"mailto:oauth@ietf.org">oauth@ietf.org</a> WG<br>
<b>Subject:</b> Re: [OAUTH-WG] Need for Extending OAuth with AuthN (was Re: =
Fwd: New Version Notification for draft-hunt-oauth-v2-user-a4c-00.txt)<o:p><=
/o:p></span></p>
</div>
</div>
<p class=3D"MsoNormal"><o:p>&nbsp;</o:p></p>
<div>
<p class=3D"MsoNormal">OpenId specs can depend on oAuth. Having OAuth depend=
 on OpenId is not appropriate here.&nbsp;<br>
<br>
Phil<o:p></o:p></p>
</div>
<div>
<p class=3D"MsoNormal" style=3D"margin-bottom:12.0pt"><br>
On 2013-08-01, at 18:07, Nat Sakimura &lt;<a href=3D"mailto:sakimura@gmail.c=
om">sakimura@gmail.com</a>&gt; wrote:<o:p></o:p></p>
</div>
<blockquote style=3D"margin-top:5.0pt;margin-bottom:5.0pt">
<div>
<div>
<p class=3D"MsoNormal">Like Bill says, it can just be a profile of OpenID Co=
nnect.&nbsp;<o:p></o:p></p>
<div>
<p class=3D"MsoNormal">IETF specs already reference OpenID Foundation specs=
.&nbsp;<o:p></o:p></p>
</div>
<div>
<p class=3D"MsoNormal">It should not be a problem.&nbsp;<o:p></o:p></p>
</div>
<div>
<p class=3D"MsoNormal">I do not think we want to fork.&nbsp;<o:p></o:p></p>
</div>
</div>
<div>
<p class=3D"MsoNormal" style=3D"margin-bottom:12.0pt"><o:p>&nbsp;</o:p></p>
<div>
<p class=3D"MsoNormal">2013/8/1 Anthony Nadalin &lt;<a href=3D"mailto:tonyna=
d@microsoft.com" target=3D"_blank">tonynad@microsoft.com</a>&gt;<o:p></o:p><=
/p>
<div>
<div>
<p class=3D"MsoNormal" style=3D"mso-margin-top-alt:auto;mso-margin-bottom-al=
t:auto"><span style=3D"font-size:11.0pt;font-family:&quot;Calibri&quot;,&quo=
t;sans-serif&quot;;color:#1F497D">I believe it beneficial to have a common f=
ormat and common values, and 1 way to handle the format
 and values. I believe that having this in oauth is beneficial, I believe th=
at it would also be beneficial for OpenID if this were in oauth. There are c=
ases for signed and unsigned formats.
</span><o:p></o:p></p>
<p class=3D"MsoNormal" style=3D"mso-margin-top-alt:auto;mso-margin-bottom-al=
t:auto"><a name=3D"1403a4678daa8350__MailEndCompose"><span style=3D"font-siz=
e:11.0pt;font-family:&quot;Calibri&quot;,&quot;sans-serif&quot;;color:#1F497=
D">&nbsp;</span></a><o:p></o:p></p>
<div>
<div style=3D"border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0in 0=
in 0in">
<p class=3D"MsoNormal" style=3D"mso-margin-top-alt:auto;mso-margin-bottom-al=
t:auto"><b><span style=3D"font-size:11.0pt;font-family:&quot;Calibri&quot;,&=
quot;sans-serif&quot;">From:</span></b><span style=3D"font-size:11.0pt;font-=
family:&quot;Calibri&quot;,&quot;sans-serif&quot;"> Richer, Justin P. [mailt=
o:<a href=3D"mailto:jricher@mitre.org" target=3D"_blank">jricher@mitre.org</=
a>]
<br>
<b>Sent:</b> Thursday, August 1, 2013 7:15 AM<br>
<b>To:</b> Nat Sakimura<br>
<b>Cc:</b> Anthony Nadalin; Bill Mills; Prateek Mishra; <a href=3D"mailto:oa=
uth@ietf.org" target=3D"_blank">
oauth@ietf.org</a> WG</span><o:p></o:p></p>
<div>
<div>
<p class=3D"MsoNormal"><br>
<b>Subject:</b> Re: [OAUTH-WG] Need for Extending OAuth with AuthN (was Re: =
Fwd: New Version Notification for draft-hunt-oauth-v2-user-a4c-00.txt)<o:p><=
/o:p></p>
</div>
</div>
</div>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"mso-margin-top-alt:auto;mso-margin-bottom-al=
t:auto">&nbsp;<o:p></o:p></p>
<p class=3D"MsoNormal" style=3D"mso-margin-top-alt:auto;mso-margin-bottom-al=
t:auto">Also, it's (optionally) a token in the proposed document we're discu=
ssing (=C2=A72.4.1), which means there are two ways to parse the same inform=
ation. OIDC uses JWTs for everything,
 signed and unsigned. This means that OIDC is actually simpler from an imple=
mentation perspective, wouldn't you say? Instead of having two parsers, you h=
ave one to cover both cases.&nbsp;
<o:p></o:p></p>
<div>
<p class=3D"MsoNormal" style=3D"mso-margin-top-alt:auto;mso-margin-bottom-al=
t:auto">&nbsp;<o:p></o:p></p>
</div>
<div>
<p class=3D"MsoNormal" style=3D"mso-margin-top-alt:auto;mso-margin-bottom-al=
t:auto">(And given your tendency to throw signed assertions at every problem=
, I would have thought that you'd prefer this anyway.)
<o:p></o:p></p>
<div>
<p class=3D"MsoNormal" style=3D"mso-margin-top-alt:auto;mso-margin-bottom-al=
t:auto">&nbsp;<o:p></o:p></p>
</div>
<div>
<p class=3D"MsoNormal" style=3D"mso-margin-top-alt:auto;mso-margin-bottom-al=
t:auto">&nbsp;-- Justin<o:p></o:p></p>
</div>
<div>
<p class=3D"MsoNormal" style=3D"mso-margin-top-alt:auto;mso-margin-bottom-al=
t:auto">&nbsp;<o:p></o:p></p>
<div>
<div>
<p class=3D"MsoNormal" style=3D"mso-margin-top-alt:auto;mso-margin-bottom-al=
t:auto">On Aug 1, 2013, at 9:40 AM, Nat Sakimura &lt;<a href=3D"mailto:sakim=
ura@gmail.com" target=3D"_blank">sakimura@gmail.com</a>&gt;<o:p></o:p></p>
</div>
<div>
<p class=3D"MsoNormal" style=3D"mso-margin-top-alt:auto;mso-margin-bottom-al=
t:auto">&nbsp;wrote:<o:p></o:p></p>
</div>
<p class=3D"MsoNormal" style=3D"mso-margin-top-alt:auto;margin-bottom:12.0pt=
"><o:p>&nbsp;</o:p></p>
<blockquote style=3D"margin-top:5.0pt;margin-bottom:5.0pt">
<div>
<div>
<p class=3D"MsoNormal" style=3D"mso-margin-top-alt:auto;mso-margin-bottom-al=
t:auto">Yes, it is a Token.&nbsp;<o:p></o:p></p>
</div>
<div>
<p class=3D"MsoNormal" style=3D"mso-margin-top-alt:auto;mso-margin-bottom-al=
t:auto">No, it does not have to be signed.&nbsp;<o:p></o:p></p>
</div>
<div>
<p class=3D"MsoNormal" style=3D"mso-margin-top-alt:auto;mso-margin-bottom-al=
t:auto">&nbsp;<o:p></o:p></p>
</div>
<div>
<p class=3D"MsoNormal" style=3D"mso-margin-top-alt:auto;margin-bottom:12.0pt=
">As to be a token or not to be a token question, it has been discussed in t=
he WG before, and if I remember correctly, &nbsp;Microsoft argued for token s=
aying that it is just base64 decoding
 and I lost there. &nbsp;<o:p></o:p></p>
</div>
<div>
<p class=3D"MsoNormal" style=3D"mso-margin-top-alt:auto;mso-margin-bottom-al=
t:auto">Nat<o:p></o:p></p>
</div>
<div>
<p class=3D"MsoNormal" style=3D"mso-margin-top-alt:auto;margin-bottom:12.0pt=
"><br>
On Aug 1, 2013, at 14:24, Anthony Nadalin &lt;<a href=3D"mailto:tonynad@micr=
osoft.com" target=3D"_blank">tonynad@microsoft.com</a>&gt; wrote:<o:p></o:p>=
</p>
</div>
<blockquote style=3D"margin-top:5.0pt;margin-bottom:5.0pt">
<p class=3D"MsoNormal" style=3D"mso-margin-top-alt:auto;mso-margin-bottom-al=
t:auto"><span style=3D"font-size:11.0pt;font-family:&quot;Calibri&quot;,&quo=
t;sans-serif&quot;;color:#1F497D">You can=E2=80=99t do this, first openid us=
es a token and second it=E2=80=99s signed, third there is no specification
 to just return an authentication JSON structure</span><o:p></o:p></p>
<p class=3D"MsoNormal" style=3D"mso-margin-top-alt:auto;mso-margin-bottom-al=
t:auto"><span style=3D"font-size:11.0pt;font-family:&quot;Calibri&quot;,&quo=
t;sans-serif&quot;;color:#1F497D">&nbsp;</span><o:p></o:p></p>
<div>
<div style=3D"border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0in 0=
in 0in">
<p class=3D"MsoNormal" style=3D"mso-margin-top-alt:auto;mso-margin-bottom-al=
t:auto"><b><span style=3D"font-size:11.0pt;font-family:&quot;Calibri&quot;,&=
quot;sans-serif&quot;">From:</span></b><span style=3D"font-size:11.0pt;font-=
family:&quot;Calibri&quot;,&quot;sans-serif&quot;"> Richer, Justin P. [<a hr=
ef=3D"mailto:jricher@mitre.org" target=3D"_blank">mailto:jricher@mitre.org</=
a>]
<br>
<b>Sent:</b> Thursday, August 1, 2013 5:15 AM<br>
<b>To:</b> Anthony Nadalin<br>
<b>Cc:</b> Bill Mills; Prateek Mishra; Nat Sakimura; <a href=3D"mailto:oauth=
@ietf.org" target=3D"_blank">
oauth@ietf.org</a> WG<br>
<b>Subject:</b> Re: [OAUTH-WG] Need for Extending OAuth with AuthN (was Re: =
Fwd: New Version Notification for draft-hunt-oauth-v2-user-a4c-00.txt)</span=
><o:p></o:p></p>
</div>
</div>
<div>
<p class=3D"MsoNormal" style=3D"mso-margin-top-alt:auto;mso-margin-bottom-al=
t:auto">&nbsp;<o:p></o:p></p>
</div>
<p class=3D"MsoNormal" style=3D"mso-margin-top-alt:auto;mso-margin-bottom-al=
t:auto">Tony, you can already return the authn result from the token request=
 (we discussed this specifically in May as I recall). That's what the "idtok=
en" and "code idtoken" responses
 are for in OpenID Connect. The proposed draft is nearly a duplicate of the c=
ore functionality of OIDC.
<o:p></o:p></p>
<div>
<div>
<p class=3D"MsoNormal" style=3D"mso-margin-top-alt:auto;mso-margin-bottom-al=
t:auto">&nbsp;<o:p></o:p></p>
</div>
</div>
<div>
<p class=3D"MsoNormal" style=3D"mso-margin-top-alt:auto;mso-margin-bottom-al=
t:auto">&nbsp;-- Justin<o:p></o:p></p>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"mso-margin-top-alt:auto;mso-margin-bottom-al=
t:auto">&nbsp;<o:p></o:p></p>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"mso-margin-top-alt:auto;mso-margin-bottom-al=
t:auto">On Aug 1, 2013, at 7:31 AM, Anthony Nadalin &lt;<a href=3D"mailto:to=
nynad@microsoft.com" target=3D"_blank">tonynad@microsoft.com</a>&gt;<o:p></o=
:p></p>
</div>
<div>
<p class=3D"MsoNormal" style=3D"mso-margin-top-alt:auto;mso-margin-bottom-al=
t:auto">&nbsp;wrote:<o:p></o:p></p>
</div>
<p class=3D"MsoNormal" style=3D"mso-margin-top-alt:auto;margin-bottom:12.0pt=
">&nbsp;<o:p></o:p></p>
<blockquote style=3D"margin-top:5.0pt;margin-bottom:5.0pt">
<div>
<div>
<p class=3D"MsoNormal" style=3D"mso-margin-top-alt:auto;mso-margin-bottom-al=
t:auto"><span style=3D"font-size:11.0pt;font-family:&quot;Calibri&quot;,&quo=
t;sans-serif&quot;;color:#1F497D">The proposal does not duplicate what OpenI=
D does, there is clear benefit for returning an authentication
 result in the token request result. This is being proposed as optional JSON=
 structure.</span><o:p></o:p></p>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"mso-margin-top-alt:auto;mso-margin-bottom-al=
t:auto"><span style=3D"font-size:11.0pt;font-family:&quot;Calibri&quot;,&quo=
t;sans-serif&quot;;color:#1F497D">&nbsp;</span><o:p></o:p></p>
</div>
</div>
<div>
<div style=3D"border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0in 0=
in 0in">
<div>
<p class=3D"MsoNormal" style=3D"mso-margin-top-alt:auto;mso-margin-bottom-al=
t:auto"><b><span style=3D"font-size:11.0pt;font-family:&quot;Calibri&quot;,&=
quot;sans-serif&quot;">From:</span></b><span style=3D"font-size:11.0pt;font-=
family:&quot;Calibri&quot;,&quot;sans-serif&quot;">&nbsp;<a href=3D"mailto:o=
auth-bounces@ietf.org" target=3D"_blank"><span style=3D"color:purple">oauth-=
bounces@ietf.org</span></a>&nbsp;[mailto:<a href=3D"mailto:oauth-" target=3D=
"_blank">oauth-</a><a href=3D"mailto:bounces@ietf.org" target=3D"_blank"><sp=
an style=3D"color:purple">bounces@ietf.org</span></a>]&nbsp;<b>On
 Behalf Of&nbsp;</b>Bill Mills<br>
<b>Sent:</b>&nbsp;Wednesday, July 31, 2013 2:50 PM<br>
<b>To:</b>&nbsp;Prateek Mishra; Nat Sakimura<br>
<b>Cc:</b>&nbsp;<a href=3D"mailto:oauth@ietf.org" target=3D"_blank"><span st=
yle=3D"color:purple">oauth@ietf.org</span></a>&nbsp;WG<br>
<b>Subject:</b>&nbsp;Re: [OAUTH-WG] Need for Extending OAuth with AuthN (was=
 Re: Fwd: New Version Notification for draft-hunt-oauth-v2-user-a4c-00.txt)<=
/span><o:p></o:p></p>
</div>
</div>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"mso-margin-top-alt:auto;mso-margin-bottom-al=
t:auto">&nbsp;<o:p></o:p></p>
</div>
</div>
<div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"mso-margin-top-alt:auto;mso-margin-bottom-al=
t:auto;background:white">
<span style=3D"font-family:&quot;Courier New&quot;">Rather than extending OA=
uth for something OpenID already does... &nbsp;why don't we get a simple inf=
ormational example doc to show how to implement the most basic OpenID servic=
e, which is the same functionality on a standard
 that's already written?</span><o:p></o:p></p>
</div>
</div>
<div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"mso-margin-top-alt:auto;mso-margin-bottom-al=
t:auto"><span style=3D"font-family:&quot;Courier New&quot;">&nbsp;</span><o:=
p></o:p></p>
</div>
</div>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"mso-margin-top-alt:auto;mso-margin-bottom-al=
t:auto"><span style=3D"font-family:&quot;Courier New&quot;">This is sounding=
 more and more like a documentation problem.</span><o:p></o:p></p>
</div>
</div>
<div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"mso-margin-top-alt:auto;mso-margin-bottom-al=
t:auto;background:white">
<span style=3D"font-family:&quot;Courier New&quot;">&nbsp;</span><o:p></o:p>=
</p>
</div>
</div>
</div>
<div>
<div>
<div class=3D"MsoNormal" align=3D"center" style=3D"text-align:center;backgro=
und:white">
<hr size=3D"1" width=3D"100%" align=3D"center">
</div>
<div>
<p class=3D"MsoNormal" style=3D"mso-margin-top-alt:auto;mso-margin-bottom-al=
t:auto;background:white">
<b><span style=3D"font-size:10.0pt;font-family:&quot;Arial&quot;,&quot;sans-=
serif&quot;">From:</span></b><span style=3D"font-size:10.0pt;font-family:&qu=
ot;Arial&quot;,&quot;sans-serif&quot;">&nbsp;Prateek Mishra &lt;<a href=3D"m=
ailto:prateek.mishra@oracle.com" target=3D"_blank"><span style=3D"color:purp=
le">prateek.mishra@oracle.com</span></a>&gt;<br>
<b>To:</b>&nbsp;Nat Sakimura &lt;<a href=3D"mailto:sakimura@gmail.com" targe=
t=3D"_blank"><span style=3D"color:purple">sakimura@gmail.com</span></a>&gt;&=
nbsp;<br>
<b>Cc:</b>&nbsp;"<a href=3D"mailto:oauth@ietf.org%20WG" target=3D"_blank"><s=
pan style=3D"color:purple">oauth@ietf.org WG</span></a>" &lt;<a href=3D"mail=
to:oauth@ietf.org" target=3D"_blank"><span style=3D"color:purple">oauth@ietf=
.org</span></a>&gt;&nbsp;<br>
<b>Sent:</b>&nbsp;Wednesday, July 31, 2013 2:38 PM<br>
<b>Subject:</b>&nbsp;[OAUTH-WG] Need for Extending OAuth with AuthN (was Re:=
 Fwd: New Version Notification for draft-hunt-oauth-v2-user-a4c-00.txt)</spa=
n><o:p></o:p></p>
</div>
</div>
<div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"mso-margin-top-alt:auto;mso-margin-bottom-al=
t:auto;background:white">
&nbsp;<o:p></o:p></p>
</div>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"mso-margin-top-alt:auto;mso-margin-bottom-al=
t:auto;background:white">
Nat -&nbsp;<br>
<br>
thanks for the detailed response. I did review the links you sent out but it=
 remained unclear to me which<br>
features are MTI and which are not. For example, there is nothing in the Bas=
ic Client Profile that suggests<br>
that Section 2.3 is optional. I also could not find any definition for " non=
-dynamic OpenID Connect Server".<br>
<br>
I don't think there is a need to duplicate portions of the draft specificatio=
n text in a new document. One solution<br>
that was used in SAML 2.0 was to define a conformance document which describ=
ed several different&nbsp;<br>
operational modes and explained how only a small set of features needed to b=
e implemented in certain modes.<br>
<br>
<a href=3D"http://docs.oasis-open.org/security/saml/v2.0/saml-conformance-2.=
0-os.pdf" target=3D"_blank"><span style=3D"color:purple">http://docs.oasis-o=
pen.org/security/saml/v2.0/saml-conformance-2.0-os.pdf</span></a><br>
<br>
There are probably other smarter ways to achieve the same effect.<br>
<br>
Given this situation, I do think it's a reasonable task for the OAuth communi=
ty to consider the need for&nbsp;<br>
a minimal extension to OAuth that accommodates authentication. The community=
 should be made aware that&nbsp;<br>
RFC 6749 is being misused for federated authentication, as explained in&nbsp=
; -&nbsp;&nbsp;<br>
<br>
<a href=3D"http://www.independentid.com/2013/07/simple-authentication-for-oa=
uth-2-what.html" target=3D"_blank"><span style=3D"color:purple">http://www.i=
ndependentid.com/2013/07/simple-authentication-for-oauth-2-what.html</span><=
/a>&nbsp;<br>
<br>
and that there doesn't appear to be a simple solution that is currently avai=
lable. It would be great if it turned<br>
out that OpenID Connect offered such a solution but that isn't clear to me.<=
br>
<br>
Thx,<br>
prateek<o:p></o:p></p>
</div>
<div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"mso-margin-top-alt:auto;mso-margin-bottom-al=
t:auto;background:white">
&nbsp;<o:p></o:p></p>
</div>
</div>
</div>
<blockquote style=3D"margin-top:5.0pt;margin-bottom:5.0pt">
<div>
<div>
<p class=3D"MsoNormal" style=3D"mso-margin-top-alt:auto;mso-margin-bottom-al=
t:auto;background:white">
&nbsp;<o:p></o:p></p>
</div>
</div>
<div>
<p class=3D"MsoNormal" style=3D"mso-margin-top-alt:auto;margin-bottom:12.0pt=
;background:white;background-repeat:initial initial">
Inline:&nbsp;<o:p></o:p></p>
<div>
<div>
<p class=3D"MsoNormal" style=3D"mso-margin-top-alt:auto;mso-margin-bottom-al=
t:auto;background:white">
2013/7/31 Prateek Mishra &lt;<a href=3D"mailto:prateek.mishra@oracle.com" ta=
rget=3D"_blank"><span style=3D"color:purple">prateek.mishra@oracle.com</span=
></a>&gt;<o:p></o:p></p>
</div>
<blockquote style=3D"border:none;border-left:solid #CCCCCC 1.0pt;padding:0in=
 0in 0in 6.0pt;margin-left:4.8pt;margin-top:5.0pt;margin-right:0in;margin-bo=
ttom:5.0pt">
<div>
<p class=3D"MsoNormal" style=3D"mso-margin-top-alt:auto;mso-margin-bottom-al=
t:auto;background:white">
Nat -&nbsp;<br>
<br>
your blog posting is helpful to those of us who are looking for a minimal ex=
tension of OAuth with&nbsp;<br>
an authenticator.&nbsp; Many implementors are seeking a modest extension of O=
Auth, not an entire new protocol<br>
stack. &nbsp; I believe that is the point of Phil Hunt's proposal to the OAu=
th committee.<br>
<br>
I do have some questions about the statements made in the blog -&nbsp;<b=
r>
<br>
A) Can you direct me to a single OpenID Connect draft specification document=
 where steps 1 and 2 are described?<o:p></o:p></p>
</div>
</blockquote>
<div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"mso-margin-top-alt:auto;mso-margin-bottom-al=
t:auto;background:white">
&nbsp;<o:p></o:p></p>
</div>
</div>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"mso-margin-top-alt:auto;mso-margin-bottom-al=
t:auto;background:white">
Actually, it is not a single spec, that the Standard is referencing others.&=
nbsp;<o:p></o:p></p>
</div>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"mso-margin-top-alt:auto;mso-margin-bottom-al=
t:auto;background:white">
The Standard is kind of cluttered because it has 6 response types and three r=
equest types in it.&nbsp;<o:p></o:p></p>
</div>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"mso-margin-top-alt:auto;mso-margin-bottom-al=
t:auto;background:white">
I suppose it would be much easier for the readers to split them into coheren=
t pieces, though that means duplicate texts.&nbsp;<o:p></o:p></p>
</div>
</div>
<div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"mso-margin-top-alt:auto;mso-margin-bottom-al=
t:auto;background:white">
&nbsp;<o:p></o:p></p>
</div>
</div>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"mso-margin-top-alt:auto;mso-margin-bottom-al=
t:auto;background:white">
The easiest approach here is to read the Basic Client Profile.&nbsp;<a href=3D=
"http://openid.net/specs/openid-connect-basic-1_0-28.html" target=3D"_blank"=
><span style=3D"color:purple">http://openid.net/specs/openid-connect-basic-1=
_0-28.html</span></a><o:p></o:p></p>
</div>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"mso-margin-top-alt:auto;mso-margin-bottom-al=
t:auto;background:white">
Then, read&nbsp;OAuth 2.0 Multiple Response Type Encoding Practices&nbsp;<a h=
ref=3D"http://openid.net/specs/oauth-v2-multiple-response-types-1_0-08.html"=
 target=3D"_blank"><span style=3D"color:purple">http://openid.net/specs/oaut=
h-v2-multiple-response-types-1_0-08.html</span></a>&nbsp;.&nbsp;<o:p></o:p><=
/p>
</div>
</div>
<div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"mso-margin-top-alt:auto;mso-margin-bottom-al=
t:auto;background:white">
&nbsp;<o:p></o:p></p>
</div>
</div>
</div>
<blockquote style=3D"border:none;border-left:solid #CCCCCC 1.0pt;padding:0in=
 0in 0in 6.0pt;margin-left:4.8pt;margin-top:5.0pt;margin-right:0in;margin-bo=
ttom:5.0pt">
<div>
<p class=3D"MsoNormal" style=3D"mso-margin-top-alt:auto;mso-margin-bottom-al=
t:auto;background:white">
<br>
B) If I implement steps 1 and 2, do I then have a conformant OpenID Connect i=
mplementation? Are there no&nbsp;<br>
other MTI protocol exchanges in OpenID Connect?<o:p></o:p></p>
</div>
</blockquote>
<div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"mso-margin-top-alt:auto;mso-margin-bottom-al=
t:auto;background:white">
&nbsp;<o:p></o:p></p>
</div>
</div>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"mso-margin-top-alt:auto;mso-margin-bottom-al=
t:auto;background:white">
Yes, for a non-dynamic OpenID Connect Server.&nbsp;<o:p></o:p></p>
</div>
</div>
<div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"mso-margin-top-alt:auto;mso-margin-bottom-al=
t:auto;background:white">
&nbsp;<o:p></o:p></p>
</div>
</div>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"mso-margin-top-alt:auto;mso-margin-bottom-al=
t:auto;background:white">
Nat<o:p></o:p></p>
</div>
</div>
<div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"mso-margin-top-alt:auto;mso-margin-bottom-al=
t:auto;background:white">
&nbsp;&nbsp;<o:p></o:p></p>
</div>
</div>
</div>
<blockquote style=3D"border:none;border-left:solid #CCCCCC 1.0pt;padding:0in=
 0in 0in 6.0pt;margin-left:4.8pt;margin-top:5.0pt;margin-right:0in;margin-bo=
ttom:5.0pt">
<div>
<p class=3D"MsoNormal" style=3D"mso-margin-top-alt:auto;mso-margin-bottom-al=
t:auto;background:white">
<br>
Thanks,<br>
prateek<o:p></o:p></p>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"mso-margin-top-alt:auto;mso-margin-bottom-al=
t:auto;background:white">
<br>
<br>
&nbsp; &nbsp;<o:p></o:p></p>
</div>
<div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"mso-margin-top-alt:auto;mso-margin-bottom-al=
t:auto;background:white">
&nbsp;<o:p></o:p></p>
</div>
</div>
</div>
<blockquote style=3D"margin-top:5.0pt;margin-bottom:5.0pt">
<div>
<div>
<p class=3D"MsoNormal" style=3D"mso-margin-top-alt:auto;mso-margin-bottom-al=
t:auto;background:white">
I have written a short blog post titled "<a href=3D"http://nat.sakimura.org/=
2013/07/28/write-openid-connect-server-in-three-simple-steps/" target=3D"_bl=
ank"><span style=3D"color:purple">Write an OpenID Connect server in three si=
mple steps</span></a>".&nbsp;<o:p></o:p></p>
</div>
<div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"mso-margin-top-alt:auto;mso-margin-bottom-al=
t:auto;background:white">
&nbsp;<o:p></o:p></p>
</div>
</div>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"mso-margin-top-alt:auto;mso-margin-bottom-al=
t:auto;background:white">
Really, there is not much you need to do on top of OAuth 2.0.&nbsp;<o:p></o=
:p></p>
</div>
</div>
<div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"mso-margin-top-alt:auto;mso-margin-bottom-al=
t:auto;background:white">
&nbsp;<o:p></o:p></p>
</div>
</div>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"mso-margin-top-alt:auto;mso-margin-bottom-al=
t:auto;background:white">
It puzzles me why you need to create a draft with only minor variances in pa=
rameter names.&nbsp;<o:p></o:p></p>
</div>
</div>
<div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"mso-margin-top-alt:auto;mso-margin-bottom-al=
t:auto;background:white">
&nbsp;<o:p></o:p></p>
</div>
</div>
</div>
<blockquote style=3D"margin-left:30.0pt;margin-top:5.0pt;margin-right:0in;ma=
rgin-bottom:5.0pt">
<div>
<div>
<p class=3D"MsoNormal" style=3D"mso-margin-top-alt:auto;mso-margin-bottom-al=
t:auto;background:white">
e.g.,&nbsp;<o:p></o:p></p>
</div>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"mso-margin-top-alt:auto;mso-margin-bottom-al=
t:auto;background:white">
session instead of id_token<o:p></o:p></p>
</div>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"mso-margin-top-alt:auto;mso-margin-bottom-al=
t:auto;background:white">
lat instead of iat<o:p></o:p></p>
</div>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"mso-margin-top-alt:auto;mso-margin-bottom-al=
t:auto;background:white">
alv instead of acr<o:p></o:p></p>
</div>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"mso-margin-top-alt:auto;mso-margin-bottom-al=
t:auto;background:white">
etc.&nbsp;<o:p></o:p></p>
</div>
</div>
</blockquote>
<div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"mso-margin-top-alt:auto;mso-margin-bottom-al=
t:auto;background:white">
&nbsp;<o:p></o:p></p>
</div>
</div>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"mso-margin-top-alt:auto;mso-margin-bottom-al=
t:auto;background:white">
If you change those parameter names, you will have a conformant profile of O=
penID Connect.&nbsp;<o:p></o:p></p>
</div>
</div>
<div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"mso-margin-top-alt:auto;mso-margin-bottom-al=
t:auto;background:white">
&nbsp;<o:p></o:p></p>
</div>
</div>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"mso-margin-top-alt:auto;mso-margin-bottom-al=
t:auto;background:white">
Nat<o:p></o:p></p>
</div>
</div>
</div>
<div>
<div style=3D"margin-bottom:12.0pt;background-repeat:initial initial">
<p class=3D"MsoNormal" style=3D"mso-margin-top-alt:auto;mso-margin-bottom-al=
t:auto;background:white">
&nbsp;<o:p></o:p></p>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"mso-margin-top-alt:auto;mso-margin-bottom-al=
t:auto;background:white">
2013/7/31 John Bradley &lt;<a href=3D"mailto:ve7jtb@ve7jtb.com" target=3D"_b=
lank"><span style=3D"color:purple">ve7jtb@ve7jtb.com</span></a>&gt;<o:p></o:=
p></p>
</div>
<blockquote style=3D"border:none;border-left:solid #CCCCCC 1.0pt;padding:0in=
 0in 0in 6.0pt;margin-left:4.8pt;margin-top:5.0pt;margin-right:0in;margin-bo=
ttom:5.0pt">
<div>
<div>
<p class=3D"MsoNormal" style=3D"mso-margin-top-alt:auto;mso-margin-bottom-al=
t:auto;background:white">
Connect doesn't require a userinfo endpoint. &nbsp; It is required for inter=
operability if you are building an open IdP. &nbsp; For an enterprise type d=
eployment discovery, registration, userinfo are all optional.<o:p></o:p></p>
</div>
<div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"mso-margin-top-alt:auto;mso-margin-bottom-al=
t:auto;background:white">
&nbsp;<o:p></o:p></p>
</div>
</div>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"mso-margin-top-alt:auto;mso-margin-bottom-al=
t:auto;background:white">
The server is required to pass the nonce which is equivalent to a request ID=
 through to the JWT if the client sends it in the request.<o:p></o:p></p>
</div>
</div>
<div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"mso-margin-top-alt:auto;mso-margin-bottom-al=
t:auto;background:white">
&nbsp;<o:p></o:p></p>
</div>
</div>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"mso-margin-top-alt:auto;mso-margin-bottom-al=
t:auto;background:white">
Justin is correct.<o:p></o:p></p>
</div>
</div>
<div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"mso-margin-top-alt:auto;mso-margin-bottom-al=
t:auto;background:white">
&nbsp;<o:p></o:p></p>
</div>
</div>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"mso-margin-top-alt:auto;mso-margin-bottom-al=
t:auto;background:white">
John B.<o:p></o:p></p>
</div>
<div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"mso-margin-top-alt:auto;mso-margin-bottom-al=
t:auto;background:white">
&nbsp;<o:p></o:p></p>
</div>
</div>
<div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"mso-margin-top-alt:auto;mso-margin-bottom-al=
t:auto;background:white">
On 2013-07-30, at 5:30 PM, Phil Hunt &lt;<a href=3D"mailto:phil.hunt@oracle.=
com" target=3D"_blank"><span style=3D"color:purple">phil.hunt@oracle.com</sp=
an></a>&gt; wrote:<o:p></o:p></p>
</div>
</div>
<div>
<p class=3D"MsoNormal" style=3D"mso-margin-top-alt:auto;margin-bottom:12.0pt=
;background:white">
<o:p>&nbsp;</o:p></p>
</div>
<blockquote style=3D"margin-top:5.0pt;margin-bottom:5.0pt">
<div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"mso-margin-top-alt:auto;mso-margin-bottom-al=
t:auto;background:white">
Forgot reply all.<br>
<br>
Phil<o:p></o:p></p>
</div>
</div>
<div>
<p class=3D"MsoNormal" style=3D"mso-margin-top-alt:auto;margin-bottom:12.0pt=
;background:white;background-repeat:initial initial">
<br>
Begin forwarded message:<o:p></o:p></p>
</div>
<blockquote style=3D"margin-top:5.0pt;margin-bottom:5.0pt">
<p class=3D"MsoNormal" style=3D"mso-margin-top-alt:auto;margin-bottom:12.0pt=
;background:white;background-repeat:initial initial">
<b>From:</b>&nbsp;Phil Hunt &lt;<a href=3D"mailto:phil.hunt@oracle.com" targ=
et=3D"_blank"><span style=3D"color:purple">phil.hunt@oracle.com</span></a>&g=
t;<br>
<b>Date:</b>&nbsp;30 July, 2013 17:25:46 GMT+02:00<br>
<b>To:</b>&nbsp;"Richer, Justin P." &lt;<a href=3D"mailto:jricher@mitre.org"=
 target=3D"_blank"><span style=3D"color:purple">jricher@mitre.org</span></a>=
&gt;<br>
<b>Subject:</b>&nbsp;<b>Re: [OAUTH-WG] New Version Notification for draft-hu=
nt-oauth-v2-user-a4c-00.txt</b><o:p></o:p></p>
</blockquote>
<blockquote style=3D"margin-top:5.0pt;margin-bottom:5.0pt">
<div>
<div>
<p class=3D"MsoNormal" style=3D"mso-margin-top-alt:auto;mso-margin-bottom-al=
t:auto;background:white">
The whole point is authn only. Many do not want or need the userinfo endpoin=
t.&nbsp;<br>
<br>
Phil<o:p></o:p></p>
</div>
</div>
<div>
<p class=3D"MsoNormal" style=3D"mso-margin-top-alt:auto;margin-bottom:12.0pt=
;background:white;background-repeat:initial initial">
<br>
On 2013-07-30, at 17:17, "Richer, Justin P." &lt;<a href=3D"mailto:jricher@m=
itre.org" target=3D"_blank"><span style=3D"color:purple">jricher@mitre.org</=
span></a>&gt; wrote:<o:p></o:p></p>
</div>
<blockquote style=3D"margin-top:5.0pt;margin-bottom:5.0pt">
<div>
<p class=3D"MsoNormal" style=3D"mso-margin-top-alt:auto;mso-margin-bottom-al=
t:auto;background:white">
What do you mean? You absolutely can implement a compliant OIDC server nearl=
y as simply as this. The things that you're missing I think are necessary fo=
r basic interoperable functionality, and are things that other folks using O=
Auth for authentication have
 also implemented. Namely:<o:p></o:p></p>
</div>
<div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"mso-margin-top-alt:auto;mso-margin-bottom-al=
t:auto;background:white">
&nbsp;<o:p></o:p></p>
</div>
</div>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"mso-margin-top-alt:auto;mso-margin-bottom-al=
t:auto;background:white">
&nbsp;- Signing the ID token (OIDC specifies the RS256 flavor of JWS, which i=
s easy to do with JWT). Without a signed and verifiable ID token or equivale=
nt, you're asking for all kinds of token injection problems.<o:p></o:p></p>
</div>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"mso-margin-top-alt:auto;mso-margin-bottom-al=
t:auto;background:white">
&nbsp;- Session management requests (max auth age, auth time)<o:p></o:p></p>=

</div>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"mso-margin-top-alt:auto;mso-margin-bottom-al=
t:auto;background:white">
&nbsp;- Not fall over with other parameters that you don't support (display,=
 prompt, etc).<o:p></o:p></p>
</div>
</div>
<div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"mso-margin-top-alt:auto;mso-margin-bottom-al=
t:auto;background:white">
&nbsp;<o:p></o:p></p>
</div>
</div>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"mso-margin-top-alt:auto;mso-margin-bottom-al=
t:auto;background:white">
See here for more information:<o:p></o:p></p>
</div>
</div>
<div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"mso-margin-top-alt:auto;mso-margin-bottom-al=
t:auto;background:white">
&nbsp;<o:p></o:p></p>
</div>
</div>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"mso-margin-top-alt:auto;mso-margin-bottom-al=
t:auto;background:white">
&nbsp;<a href=3D"http://openid.net/specs/openid-connect-messages-1_0.html#Se=
rverMTI" target=3D"_blank"><span style=3D"color:purple">http://openid.net/sp=
ecs/openid-connect-messages-1_0.html#ServerMTI</span></a><o:p></o:p></p>
</div>
</div>
<div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"mso-margin-top-alt:auto;mso-margin-bottom-al=
t:auto;background:white">
&nbsp;<o:p></o:p></p>
</div>
</div>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"mso-margin-top-alt:auto;mso-margin-bottom-al=
t:auto;background:white">
Additionally, something that's really important to support is the User Info E=
ndpoint, so you can actually get user profile information beyond just the si=
mple "someone was here" claim -- this was the real value of Facebook Connect=
 from an RP's perspective. Some
 people will probably want to use SCIM for this, too, and that's fine.<o:p><=
/o:p></p>
</div>
</div>
<div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"mso-margin-top-alt:auto;mso-margin-bottom-al=
t:auto;background:white">
&nbsp;<o:p></o:p></p>
</div>
</div>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"mso-margin-top-alt:auto;mso-margin-bottom-al=
t:auto;background:white">
&nbsp;-- Justin<o:p></o:p></p>
</div>
</div>
<div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"mso-margin-top-alt:auto;mso-margin-bottom-al=
t:auto;background:white">
&nbsp;<o:p></o:p></p>
</div>
</div>
<div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"mso-margin-top-alt:auto;mso-margin-bottom-al=
t:auto;background:white">
On Jul 30, 2013, at 10:54 AM, Phil Hunt &lt;<a href=3D"mailto:phil.hunt@orac=
le.com" target=3D"_blank"><span style=3D"color:purple">phil.hunt@oracle.com<=
/span></a>&gt;<o:p></o:p></p>
</div>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"mso-margin-top-alt:auto;mso-margin-bottom-al=
t:auto;background:white">
&nbsp;wrote:<o:p></o:p></p>
</div>
</div>
<div>
<p class=3D"MsoNormal" style=3D"mso-margin-top-alt:auto;margin-bottom:12.0pt=
;background:white">
<o:p>&nbsp;</o:p></p>
</div>
<blockquote style=3D"margin-top:5.0pt;margin-bottom:5.0pt">
<div>
<div>
<p class=3D"MsoNormal" style=3D"mso-margin-top-alt:auto;mso-margin-bottom-al=
t:auto;background:white">
The oidc specs do not allow this simple an implementation. The spec members h=
ave not shown interest in making changes as they say they are too far down t=
he road.<o:p></o:p></p>
</div>
</div>
<div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"mso-margin-top-alt:auto;mso-margin-bottom-al=
t:auto;background:white">
&nbsp;<o:p></o:p></p>
</div>
</div>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"mso-margin-top-alt:auto;mso-margin-bottom-al=
t:auto;background:white">
I have tried to make my draft as close as possible to oidc but maybe it shou=
ldn't be clarity wise. I am interested in what the group feels is clearest.&=
nbsp;<o:p></o:p></p>
</div>
</div>
<div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"mso-margin-top-alt:auto;mso-margin-bottom-al=
t:auto;background:white">
&nbsp;<o:p></o:p></p>
</div>
</div>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"mso-margin-top-alt:auto;mso-margin-bottom-al=
t:auto;background:white">
=46rom an ietf perspective the concern is improper use of the 6749 for authn=
. Is this a bug or gap we need to address?<br>
<br>
Phil<o:p></o:p></p>
</div>
</div>
<div>
<p class=3D"MsoNormal" style=3D"mso-margin-top-alt:auto;margin-bottom:12.0pt=
;background:white;background-repeat:initial initial">
<br>
On 2013-07-30, at 16:46, "Richer, Justin P." &lt;<a href=3D"mailto:jricher@m=
itre.org" target=3D"_blank"><span style=3D"color:purple">jricher@mitre.org</=
span></a>&gt; wrote:<o:p></o:p></p>
</div>
<blockquote style=3D"margin-top:5.0pt;margin-bottom:5.0pt">
<div>
<p class=3D"MsoNormal" style=3D"mso-margin-top-alt:auto;mso-margin-bottom-al=
t:auto;background:white">
=46rom what I read, you've defined something that uses an OAuth 2 code flow t=
o get an extra token which is specified as a JWT. You named it "session_toke=
n" instead of "id_token", and you've left off the User Information Endpoint -=
- but other than that, this is
 exactly the Basic Client for OpenID Connect. In other words, if you change t=
he names on things you've got OIDC, but without the capabilities to go beyon=
d a very basic "hey there's a user here" claim. This is the same place that O=
penID 2.0 started, and it was
 very, very quickly extended with SREG, AX, PAPE, and others for it to be us=
eful in the real world of distributed logins. You've also left out discovery=
 and registration which are required for distributed deployments, but I'm gu=
essing that those would be modular
 components that could be added in (like they are in OIDC).&nbsp;<o:p></o:p>=
</p>
</div>
<div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"mso-margin-top-alt:auto;mso-margin-bottom-al=
t:auto;background:white">
&nbsp;<o:p></o:p></p>
</div>
</div>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"mso-margin-top-alt:auto;mso-margin-bottom-al=
t:auto;background:white">
I've heard complaints that OIDC is complicated, but it's really not. Yes, I a=
gree that the giant stack of documents is intimidating and in my opinion it'=
s a bit of a mess with Messages and Standard split up (but I lost that argum=
ent years ago). However, at
 the core, you've got an OAuth2 authorization server that spits out access t=
okens and id tokens. The id token is a JWT with some known claims (iss, sub,=
 etc) and is issued alongside the access token, and its audience is the *cl=
ient* and not the *protected
 resource*. The access token is a regular old access token and its format is=
 undefined (so you can use it with an existing OAuth2 server setup, like we h=
ave), and it can be used at the User Info Endpoint to get profile informatio=
n about the user who authenticated.
 It could also be used for other services if your AS/IdP protects multiple t=
hings.<o:p></o:p></p>
</div>
</div>
<div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"mso-margin-top-alt:auto;mso-margin-bottom-al=
t:auto;background:white">
&nbsp;<o:p></o:p></p>
</div>
</div>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"mso-margin-top-alt:auto;mso-margin-bottom-al=
t:auto;background:white">
So I guess what I'm missing is what's the value proposition in this spec whe=
n we have something that can do this already? And this doesn't seem to do an=
ything different (apart from syntax changes)?<o:p></o:p></p>
</div>
</div>
<div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"mso-margin-top-alt:auto;mso-margin-bottom-al=
t:auto;background:white">
&nbsp;<o:p></o:p></p>
</div>
</div>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"mso-margin-top-alt:auto;mso-margin-bottom-al=
t:auto;background:white">
&nbsp;-- Justin<o:p></o:p></p>
</div>
</div>
<div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"mso-margin-top-alt:auto;mso-margin-bottom-al=
t:auto;background:white">
&nbsp;<o:p></o:p></p>
</div>
</div>
<div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"mso-margin-top-alt:auto;mso-margin-bottom-al=
t:auto;background:white">
On Jul 29, 2013, at 4:14 AM, Phil Hunt &lt;<a href=3D"mailto:phil.hunt@oracl=
e.com" target=3D"_blank"><span style=3D"color:purple">phil.hunt@oracle.com</=
span></a>&gt; wrote:<o:p></o:p></p>
</div>
</div>
<div>
<p class=3D"MsoNormal" style=3D"mso-margin-top-alt:auto;margin-bottom:12.0pt=
;background:white">
<o:p>&nbsp;</o:p></p>
</div>
<blockquote style=3D"margin-top:5.0pt;margin-bottom:5.0pt">
<div>
<div>
<p class=3D"MsoNormal" style=3D"mso-margin-top-alt:auto;mso-margin-bottom-al=
t:auto;background:white">
FYI. &nbsp;I have been noticing a substantial number of sites acting as OAut=
h Clients using OAuth to authenticate users.<o:p></o:p></p>
</div>
<div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"mso-margin-top-alt:auto;mso-margin-bottom-al=
t:auto;background:white">
&nbsp;<o:p></o:p></p>
</div>
</div>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"mso-margin-top-alt:auto;mso-margin-bottom-al=
t:auto;background:white">
I know several of us have blogged on the issue over the past year so I won't=
 re-hash it here. &nbsp;In short, many of us recommended OIDC as the correct=
 methodology.<o:p></o:p></p>
</div>
</div>
<div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"mso-margin-top-alt:auto;mso-margin-bottom-al=
t:auto;background:white">
&nbsp;<o:p></o:p></p>
</div>
</div>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"mso-margin-top-alt:auto;mso-margin-bottom-al=
t:auto;background:white">
Nevertheless, I've spoken with a number of service providers who indicate t=
hey are not ready to make the jump to OIDC, yet they agree there is a desire=
 to support authentication only (whereas OIDC does IDP-like services).<o:p>=
</o:p></p>
</div>
</div>
<div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"mso-margin-top-alt:auto;mso-margin-bottom-al=
t:auto;background:white">
&nbsp;<o:p></o:p></p>
</div>
</div>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"mso-margin-top-alt:auto;mso-margin-bottom-al=
t:auto;background:white">
This draft is intended as a minimum authentication only specification. &nbsp=
;I've tried to make it as compatible as possible with OIDC.<o:p></o:p></p>
</div>
</div>
<div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"mso-margin-top-alt:auto;mso-margin-bottom-al=
t:auto;background:white">
&nbsp;<o:p></o:p></p>
</div>
</div>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"mso-margin-top-alt:auto;mso-margin-bottom-al=
t:auto;background:white">
For now, I've just posted to keep track of the issue so we can address at th=
e next re-chartering.<o:p></o:p></p>
</div>
</div>
<div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"mso-margin-top-alt:auto;mso-margin-bottom-al=
t:auto;background:white">
&nbsp;<o:p></o:p></p>
</div>
</div>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"mso-margin-top-alt:auto;mso-margin-bottom-al=
t:auto;background:white">
Happy to answer questions and discuss.&nbsp;<o:p></o:p></p>
</div>
</div>
<div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"mso-margin-top-alt:auto;mso-margin-bottom-al=
t:auto;background:white">
&nbsp;<o:p></o:p></p>
</div>
</div>
</div>
<div>
<div>
<div>
<div>
<div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"mso-margin-top-alt:auto;mso-margin-bottom-al=
t:auto;background:white">
<span style=3D"font-size:9.0pt;font-family:&quot;Helvetica&quot;,&quot;sans-=
serif&quot;">Phil</span><o:p></o:p></p>
</div>
</div>
<div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"mso-margin-top-alt:auto;mso-margin-bottom-al=
t:auto;background:white">
<span style=3D"font-size:9.0pt;font-family:&quot;Helvetica&quot;,&quot;sans-=
serif&quot;">&nbsp;</span><o:p></o:p></p>
</div>
</div>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"mso-margin-top-alt:auto;mso-margin-bottom-al=
t:auto;background:white">
<span style=3D"font-size:9.0pt;font-family:&quot;Helvetica&quot;,&quot;sans-=
serif&quot;">@independentid</span><o:p></o:p></p>
</div>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"mso-margin-top-alt:auto;mso-margin-bottom-al=
t:auto;background:white">
<span style=3D"font-size:9.0pt;font-family:&quot;Helvetica&quot;,&quot;sans-=
serif&quot;"><a href=3D"http://www.independentid.com/" target=3D"_blank"><sp=
an style=3D"color:purple">www.independentid.com</span></a></span><o:p></o:p>=
</p>
</div>
</div>
</div>
<p class=3D"MsoNormal" style=3D"mso-margin-top-alt:auto;margin-bottom:13.5pt=
;background:white;background-repeat:initial initial">
<span style=3D"font-size:13.5pt;font-family:&quot;Helvetica&quot;,&quot;sans=
-serif&quot;"><a href=3D"mailto:phil.hunt@oracle.com" target=3D"_blank"><spa=
n style=3D"color:purple">phil.hunt@oracle.com</span></a></span><o:p></o:p></=
p>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"mso-margin-top-alt:auto;mso-margin-bottom-al=
t:auto;background:white">
<span style=3D"font-size:13.5pt;font-family:&quot;Helvetica&quot;,&quot;sans=
-serif&quot;">&nbsp;</span><o:p></o:p></p>
</div>
</div>
</div>
<div>
<p class=3D"MsoNormal" style=3D"mso-margin-top-alt:auto;margin-bottom:12.0pt=
;background:white">
<o:p>&nbsp;</o:p></p>
</div>
</div>
<div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"mso-margin-top-alt:auto;mso-margin-bottom-al=
t:auto;background:white">
&nbsp;<o:p></o:p></p>
</div>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"mso-margin-top-alt:auto;mso-margin-bottom-al=
t:auto;background:white">
Begin forwarded message:<o:p></o:p></p>
</div>
</div>
<div>
<p class=3D"MsoNormal" style=3D"mso-margin-top-alt:auto;margin-bottom:12.0pt=
;background:white">
<o:p>&nbsp;</o:p></p>
</div>
<blockquote style=3D"margin-top:5.0pt;margin-bottom:5.0pt">
<div>
<div>
<p class=3D"MsoNormal" style=3D"mso-margin-top-alt:auto;mso-margin-bottom-al=
t:auto;background:white">
<b><span style=3D"font-size:13.5pt;font-family:&quot;Helvetica&quot;,&quot;s=
ans-serif&quot;">From:</span></b><span style=3D"font-size:13.5pt;font-family=
:&quot;Helvetica&quot;,&quot;sans-serif&quot;"><a href=3D"mailto:internet-dr=
afts@ietf.org" target=3D"_blank"><span style=3D"color:purple">internet-draft=
s@ietf.org</span></a></span><o:p></o:p></p>
</div>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"mso-margin-top-alt:auto;mso-margin-bottom-al=
t:auto;background:white">
<b><span style=3D"font-size:13.5pt;font-family:&quot;Helvetica&quot;,&quot;s=
ans-serif&quot;">Subject: New Version Notification for draft-hunt-oauth-v2-u=
ser-a4c-00.txt</span></b><o:p></o:p></p>
</div>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"mso-margin-top-alt:auto;mso-margin-bottom-al=
t:auto;background:white">
<b><span style=3D"font-size:13.5pt;font-family:&quot;Helvetica&quot;,&quot;s=
ans-serif&quot;">Date:</span></b><span style=3D"font-size:13.5pt;font-family=
:&quot;Helvetica&quot;,&quot;sans-serif&quot;">29 July, 2013 9:49:41 AM GMT+=
02:00</span><o:p></o:p></p>
</div>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"mso-margin-top-alt:auto;mso-margin-bottom-al=
t:auto;background:white">
<b><span style=3D"font-size:13.5pt;font-family:&quot;Helvetica&quot;,&quot;s=
ans-serif&quot;">To:</span></b><span style=3D"font-size:13.5pt;font-family:&=
quot;Helvetica&quot;,&quot;sans-serif&quot;">Phil Hunt &lt;<a href=3D"mailto=
:phil.hunt@yahoo.com" target=3D"_blank"><span style=3D"color:purple">phil.hu=
nt@yahoo.com</span></a>&gt;,
 Phil Hunt &lt;<a href=3D"mailto:None@ietfa.amsl.com" target=3D"_blank"><spa=
n style=3D"color:purple">None@ietfa.amsl.com</span></a>&gt;, Phil Hunt &lt;&=
gt;</span><o:p></o:p></p>
</div>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"mso-margin-top-alt:auto;mso-margin-bottom-al=
t:auto;background:white">
&nbsp;<o:p></o:p></p>
</div>
</div>
<div>
<p class=3D"MsoNormal" style=3D"mso-margin-top-alt:auto;margin-bottom:12.0pt=
;background:white;background-repeat:initial initial">
<br>
A new version of I-D, draft-hunt-oauth-v2-user-a4c-00.txt<br>
has been successfully submitted by Phil Hunt and posted to the<br>
IETF repository.<br>
<br>
Filename: draft-hunt-oauth-v2-user-a4c<br>
Revision: 00<br>
Title: OAuth 2.0 User Authentication For Client<br>
Creation date: 2013-07-29<br>
Group: Individual Submission<br>
Number of pages: 9<br>
URL: &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp=
;<a href=3D"http://www.ietf.org/internet-drafts/draft-hunt-oauth-v2-user-a4c=
-00.txt" target=3D"_blank"><span style=3D"color:purple">http://www.ietf.org/=
internet-drafts/draft-hunt-oauth-v2-user-a4c-00.txt</span></a><br>
Status: &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<a href=3D"htt=
p://datatracker.ietf.org/doc/draft-hunt-oauth-v2-user-a4c" target=3D"_blank"=
><span style=3D"color:purple">http://datatracker.ietf.org/doc/draft-hunt-oau=
th-v2-user-a4c</span></a><br>
Htmlized: &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<a href=3D"http://tools.=
ietf.org/html/draft-hunt-oauth-v2-user-a4c-00" target=3D"_blank"><span style=
=3D"color:purple">http://tools.ietf.org/html/draft-hunt-oauth-v2-user-a4c-00=
</span></a><br>
<br>
<br>
Abstract:<br>
&nbsp;&nbsp;This specification defines a new OAuth2 endpoint that enables us=
er<br>
&nbsp;&nbsp;authentication session information to be shared with client<br>
&nbsp;&nbsp;applications.<br>
<br>
<br>
<br>
<br>
Please note that it may take a couple of minutes from the time of submission=
<br>
until the htmlized version and diff are available at <a href=3D"http://tools=
.ietf.org/" target=3D"_blank"><span style=3D"color:purple">tools.ietf.org</s=
pan></a>.<br>
<br>
The IETF Secretariat<o:p></o:p></p>
</div>
</blockquote>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"mso-margin-top-alt:auto;mso-margin-bottom-al=
t:auto;background:white">
&nbsp;<o:p></o:p></p>
</div>
</div>
</div>
</div>
<div>
<p class=3D"MsoNormal" style=3D"mso-margin-top-alt:auto;mso-margin-bottom-al=
t:auto;background:white">
_______________________________________________<br>
OAuth mailing list<br>
<a href=3D"mailto:OAuth@ietf.org" target=3D"_blank"><span style=3D"color:pur=
ple">OAuth@ietf.org</span></a><br>
<a href=3D"https://www.ietf.org/mailman/listinfo/oauth" target=3D"_blank"><s=
pan style=3D"color:purple">https://www.ietf.org/mailman/listinfo/oauth</span=
></a><o:p></o:p></p>
</div>
</blockquote>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"mso-margin-top-alt:auto;mso-margin-bottom-al=
t:auto;background:white">
&nbsp;<o:p></o:p></p>
</div>
</div>
</div>
</blockquote>
</blockquote>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"mso-margin-top-alt:auto;mso-margin-bottom-al=
t:auto;background:white">
&nbsp;<o:p></o:p></p>
</div>
</div>
</div>
</blockquote>
</blockquote>
</div>
</blockquote>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"mso-margin-top-alt:auto;mso-margin-bottom-al=
t:auto;background:white">
&nbsp;<o:p></o:p></p>
</div>
</div>
</div>
</div>
</div>
</blockquote>
</div>
<div>
<p class=3D"MsoNormal" style=3D"mso-margin-top-alt:auto;mso-margin-bottom-al=
t:auto;background:white">
<br>
<br clear=3D"all">
<o:p></o:p></p>
</div>
<div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"mso-margin-top-alt:auto;mso-margin-bottom-al=
t:auto;background:white">
&nbsp;<o:p></o:p></p>
</div>
</div>
</div>
<div>
<p class=3D"MsoNormal" style=3D"mso-margin-top-alt:auto;mso-margin-bottom-al=
t:auto;background:white">
--&nbsp;<br>
Nat Sakimura (=3Dnat)<o:p></o:p></p>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"mso-margin-top-alt:auto;mso-margin-bottom-al=
t:auto;background:white">
Chairman, OpenID Foundation<br>
<a href=3D"http://nat.sakimura.org/" target=3D"_blank"><span style=3D"color:=
purple">http://nat.sakimura.org/</span></a><br>
@_nat_en<o:p></o:p></p>
</div>
</div>
</div>
<div>
<p class=3D"MsoNormal" style=3D"mso-margin-top-alt:auto;margin-bottom:12.0pt=
;background:white">
<o:p>&nbsp;</o:p></p>
</div>
</blockquote>
<div>
<div>
<p class=3D"MsoNormal" style=3D"mso-margin-top-alt:auto;mso-margin-bottom-al=
t:auto;background:white">
&nbsp;<o:p></o:p></p>
</div>
</div>
</div>
</blockquote>
</div>
<div>
<p class=3D"MsoNormal" style=3D"mso-margin-top-alt:auto;mso-margin-bottom-al=
t:auto;background:white">
<br>
<br clear=3D"all">
<o:p></o:p></p>
</div>
<div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"mso-margin-top-alt:auto;mso-margin-bottom-al=
t:auto;background:white">
&nbsp;<o:p></o:p></p>
</div>
</div>
</div>
<div>
<p class=3D"MsoNormal" style=3D"mso-margin-top-alt:auto;mso-margin-bottom-al=
t:auto;background:white">
--&nbsp;<br>
Nat Sakimura (=3Dnat)<o:p></o:p></p>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"mso-margin-top-alt:auto;mso-margin-bottom-al=
t:auto;background:white">
Chairman, OpenID Foundation<br>
<a href=3D"http://nat.sakimura.org/" target=3D"_blank"><span style=3D"color:=
purple">http://nat.sakimura.org/</span></a><br>
@_nat_en<o:p></o:p></p>
</div>
</div>
</div>
</blockquote>
<div>
<div>
<p class=3D"MsoNormal" style=3D"mso-margin-top-alt:auto;mso-margin-bottom-al=
t:auto;background:white">
&nbsp;<o:p></o:p></p>
</div>
</div>
</div>
<p class=3D"MsoNormal" style=3D"mso-margin-top-alt:auto;margin-bottom:12.0pt=
;background:white;background-repeat:initial initial">
<br>
_______________________________________________<br>
OAuth mailing list<br>
<a href=3D"mailto:OAuth@ietf.org" target=3D"_blank"><span style=3D"color:pur=
ple">OAuth@ietf.org</span></a><br>
<a href=3D"https://www.ietf.org/mailman/listinfo/oauth" target=3D"_blank"><s=
pan style=3D"color:purple">https://www.ietf.org/mailman/listinfo/oauth</span=
></a><o:p></o:p></p>
</div>
</div>
</div>
<p class=3D"MsoNormal" style=3D"mso-margin-top-alt:auto;mso-margin-bottom-al=
t:auto"><span style=3D"font-size:13.5pt;font-family:&quot;Helvetica&quot;,&q=
uot;sans-serif&quot;">_______________________________________________<br>
OAuth mailing list<br>
<a href=3D"mailto:OAuth@ietf.org" target=3D"_blank"><span style=3D"color:pur=
ple">OAuth@ietf.org</span></a><br>
<a href=3D"https://www.ietf.org/mailman/listinfo/oauth" target=3D"_blank"><s=
pan style=3D"color:purple">https://www.ietf.org/mailman/listinfo/oauth</span=
></a></span><o:p></o:p></p>
</div>
</blockquote>
</div>
<div>
<p class=3D"MsoNormal" style=3D"mso-margin-top-alt:auto;mso-margin-bottom-al=
t:auto">&nbsp;<o:p></o:p></p>
</div>
</div>
</blockquote>
</div>
</blockquote>
</div>
<p class=3D"MsoNormal" style=3D"mso-margin-top-alt:auto;mso-margin-bottom-al=
t:auto">&nbsp;<o:p></o:p></p>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
<p class=3D"MsoNormal"><br>
<br clear=3D"all">
<o:p></o:p></p>
<div>
<p class=3D"MsoNormal"><o:p>&nbsp;</o:p></p>
</div>
<p class=3D"MsoNormal">-- <br>
Nat Sakimura (=3Dnat)<o:p></o:p></p>
<div>
<p class=3D"MsoNormal">Chairman, OpenID Foundation<br>
<a href=3D"http://nat.sakimura.org/" target=3D"_blank">http://nat.sakimura.o=
rg/</a><br>
@_nat_en<o:p></o:p></p>
</div>
</div>
</div>
</blockquote>
<blockquote style=3D"margin-top:5.0pt;margin-bottom:5.0pt">
<div>
<p class=3D"MsoNormal">_______________________________________________<br>
OAuth mailing list<br>
<a href=3D"mailto:OAuth@ietf.org">OAuth@ietf.org</a><br>
<a href=3D"https://www.ietf.org/mailman/listinfo/oauth">https://www.ietf.org=
/mailman/listinfo/oauth</a><o:p></o:p></p>
</div>
</blockquote>
</div>


</div></blockquote></body></html>=

--Apple-Mail-7349B05E-0F99-463C-884F-10EEA4A79E34--

From sakimura@gmail.com  Thu Aug  1 21:34:43 2013
MIME-Version: 1.0
In-Reply-To: <6F19AC80-0BB9-4387-AA77-77D02CE1E772@oracle.com>
References: <787A2184-CE90-49F4-ABB6-B8D049AE3941@oracle.com> <E2282016-1953-48A4-B0AC-7F138D29AB80@oracle.com> <BAB6DA63-5831-49D0-8CB9-13CF57F78806@ve7jtb.com> <CABzCy2C=DXtFUOZh=55xH_BwMz1Z8gb2ShUHAG7ZmATtc4E4zw@mail.gmail.com> <51F983E3.1020400@oracle.com> <1375307375.98370.YahooMailNeo@web142804.mail.bf1.yahoo.com> <5c5c607231e644f697c5a60b75688013@BY2PR03MB189.namprd03.prod.outlook.com> <5D020B1E-531D-444E-A492-046D444D48D2@mitre.org> <e68801da9fa547c69fee43b9cd7b22b8@BY2PR03MB189.namprd03.prod.outlook.com> <2117136733141454493@unknownmsgid> <8E6F38BA-E6BF-40E5-818A-45F506BB181D@mitre.org> <f4b99e49fbdd4e22b19391cdb720b15d@BY2PR03MB189.namprd03.prod.outlook.com> <CABzCy2Aou0eMqHKjxOh01mtfzQ8-mvU5BHF84kHHsnPsO3di=Q@mail.gmail.com> <6F19AC80-0BB9-4387-AA77-77D02CE1E772@oracle.com>
Date: Fri, 2 Aug 2013 06:34:37 +0200
Message-ID: <CABzCy2BA-fXy86NU+vZd96jV9yVo9GEBAmm_AoMeZoR-ECgyyQ@mail.gmail.com>
From: Nat Sakimura <sakimura@gmail.com>
To: Phil Hunt <phil.hunt@oracle.com>
Content-Type: multipart/alternative; boundary=001a11c374a6f8c7af04e2ef79fd
Cc: "oauth@ietf.org WG" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Need for Extending OAuth with AuthN (was Re: Fwd: New Version Notification for draft-hunt-oauth-v2-user-a4c-00.txt)

Not necessarily. Why would it be inappropriate?

I call it NIH syndrome.
Respecting the work which is done outside is a good thing.
Just taking the content and taking a credit for it is a bad practice.

Forking is also bad.



2013/8/2 Phil Hunt <phil.hunt@oracle.com>

> OpenId specs can depend on oAuth. Having OAuth depend on OpenId is not
> appropriate here.
>
> Phil
>
> On 2013-08-01, at 18:07, Nat Sakimura <sakimura@gmail.com> wrote:
>
> Like Bill says, it can just be a profile of OpenID Connect.
> IETF specs already reference OpenID Foundation specs.
> It should not be a problem.
> I do not think we want to fork.
>
>
> 2013/8/1 Anthony Nadalin <tonynad@microsoft.com>
>
>>  I believe it beneficial to have a common format and common values, and
>> 1 way to handle the format and values. I believe that having this in oauth
>> is beneficial, I believe that it would also be beneficial for OpenID if
>> this were in oauth. There are cases for signed and unsigned formats.
>>
>> *From:* Richer, Justin P. [mailto:jricher@mitre.org]
>> *Sent:* Thursday, August 1, 2013 7:15 AM
>> *To:* Nat Sakimura
>> *Cc:* Anthony Nadalin; Bill Mills; Prateek Mishra; oauth@ietf.org WG
>> *Subject:* Re: [OAUTH-WG] Need for Extending OAuth with AuthN (was Re:
>> Fwd: New Version Notification for draft-hunt-oauth-v2-user-a4c-00.txt)
>>
>> Also, it's (optionally) a token in the proposed document we're discussing
>> (§2.4.1), which means there are two ways to parse the same information.
>> OIDC uses JWTs for everything, signed and unsigned. This means that OIDC is
>> actually simpler from an implementation perspective, wouldn't you say?
>> Instead of having two parsers, you have one to cover both cases.
>>
>> (And given your tendency to throw signed assertions at every problem, I
>> would have thought that you'd prefer this anyway.)
>>
>>  -- Justin
>>
>> On Aug 1, 2013, at 9:40 AM, Nat Sakimura <sakimura@gmail.com> wrote:
>>
>>  Yes, it is a Token.
>>
>> No, it does not have to be signed.
>>
>> As to be a token or not to be a token question, it has been discussed in
>> the WG before, and if I remember correctly,  Microsoft argued for token
>> saying that it is just base64 decoding and I lost there.
>>
>> Nat
>>
>>
>> On Aug 1, 2013, at 14:24, Anthony Nadalin <tonynad@microsoft.com> wrote:
>>
>> You can’t do this, first openid uses a token and second it’s signed,
>> third there is no specification to just return an authentication JSON
>> structure
>>
>> *From:* Richer, Justin P. [mailto:jricher@mitre.org]
>> *Sent:* Thursday, August 1, 2013 5:15 AM
>> *To:* Anthony Nadalin
>> *Cc:* Bill Mills; Prateek Mishra; Nat Sakimura; oauth@ietf.org WG
>> *Subject:* Re: [OAUTH-WG] Need for Extending OAuth with AuthN (was Re:
>> Fwd: New Version Notification for draft-hunt-oauth-v2-user-a4c-00.txt)
>>
>> Tony, you can already return the authn result from the token request (we
>> discussed this specifically in May as I recall). That's what the "idtoken"
>> and "code idtoken" responses are for in OpenID Connect. The proposed draft
>> is nearly a duplicate of the core functionality of OIDC.
>>
>>  -- Justin
>>
>> On Aug 1, 2013, at 7:31 AM, Anthony Nadalin <tonynad@microsoft.com> wrote:
>>
>>  The proposal does not duplicate what OpenID does, there is clear
>> benefit for returning an authentication result in the token request result.
>> This is being proposed as optional JSON structure.
>>
>> *From:* oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] *On
>> Behalf Of *Bill Mills
>> *Sent:* Wednesday, July 31, 2013 2:50 PM
>> *To:* Prateek Mishra; Nat Sakimura
>> *Cc:* oauth@ietf.org WG
>> *Subject:* Re: [OAUTH-WG] Need for Extending OAuth with AuthN (was Re:
>> Fwd: New Version Notification for draft-hunt-oauth-v2-user-a4c-00.txt)
>>
>> Rather than extending OAuth for something OpenID already does...  why
>> don't we get a simple informational example doc to show how to implement
>> the most basic OpenID service, which is the same functionality on a
>> standard that's already written?
>>
>> This is sounding more and more like a documentation problem.
>>
>>    ------------------------------
>>
>> *From:* Prateek Mishra <prateek.mishra@oracle.com>
>> *To:* Nat Sakimura <sakimura@gmail.com>
>> *Cc:* "oauth@ietf.org WG" <oauth@ietf.org>
>> *Sent:* Wednesday, July 31, 2013 2:38 PM
>> *Subject:* [OAUTH-WG] Need for Extending OAuth with AuthN (was Re: Fwd:
>> New Version Notification for draft-hunt-oauth-v2-user-a4c-00.txt)
>>
>> Nat -
>>
>> thanks for the detailed response. I did review the links you sent out but
>> it remained unclear to me which
>> features are MTI and which are not. For example, there is nothing in the
>> Basic Client Profile that suggests
>> that Section 2.3 is optional. I also could not find any definition for
>> "non-dynamic OpenID Connect Server".
>>
>> I don't think there is a need to duplicate portions of the draft
>> specification text in a new document. One solution
>> that was used in SAML 2.0 was to define a conformance document which
>> described several different
>> operational modes and explained how only a small set of features needed
>> to be implemented in certain modes.
>>
>> http://docs.oasis-open.org/security/saml/v2.0/saml-conformance-2.0-os.pdf
>>
>> There are probably other smarter ways to achieve the same effect.
>>
>> Given this situation, I do think it's a reasonable task for the OAuth
>> community to consider the need for
>> a minimal extension to OAuth that accommodates authentication. The
>> community should be made aware that
>> RFC 6749 is being misused for federated authentication, as explained in -
>>
>> http://www.independentid.com/2013/07/simple-authentication-for-oauth-2-what.html
>>
>> and that there doesn't appear to be a simple solution that is currently
>> available. It would be great if it turned
>> out that OpenID Connect offered such a solution but that isn't clear to
>> me.
>>
>> Thx,
>> prateek
>>
>> Inline:
>>
>> 2013/7/31 Prateek Mishra <prateek.mishra@oracle.com>
>>
>>  Nat -
>>
>> your blog posting is helpful to those of us who are looking for a minimal
>> extension of OAuth with
>> an authenticator.  Many implementors are seeking a modest extension of
>> OAuth, not an entire new protocol
>> stack.   I believe that is the point of Phil Hunt's proposal to the OAuth
>> committee.
>>
>> I do have some questions for about the statements made in the blog -
>>
>> A) Can you direct me to a single OpenID Connect draft specification
>> document where steps 1 and 2 are described?
>>
>> Actually, it is not a single spec, that the Standard is referencing
>> others.
>>
>> The Standard is kind of cluttered because it has 6 response types and
>> three request types in it.
>>
>> I suppose it would be much easier for the readers to split them into
>> coherent pieces, though that means duplicate texts.
>>
>> The easiest approach here is to read the Basic Client Profile.
>> http://openid.net/specs/openid-connect-basic-1_0-28.html
>>
>> Then, read OAuth 2.0 Multiple Response Type Encoding Practices
>> http://openid.net/specs/oauth-v2-multiple-response-types-1_0-08.html .
>>
>> B) If I implement steps 1 and 2, do I then have a conformant OpenID
>> Connect implementation? Are there no
>> other MTI protocol exchanges in OpenID Connect?
>>
>> Yes, for a non-dynamic OpenID Connect Server.
>>
>> Nat
>>
>> Thanks,
>> prateek
>>
>>  I have written a short blog post titled "Write an OpenID Connect server
>> in three simple steps<http://nat.sakimura.org/2013/07/28/write-openid-connect-server-in-three-simple-steps/>".
>>
>> Really, there is not much you need to on top of OAuth 2.0.
>>
>> It puzzles me why you need to create a draft with only minor variances in
>> parameter names.
>>
>>  e.g.,
>>
>> session instead of id_token
>> lat instead of iat
>> alv instead of acr
>> etc.
>>
>> If you change those parameter names, you will have a conformant profile
>> of OpenID Connect.
>>
>> Nat
>>
>> 2013/7/31 John Bradley <ve7jtb@ve7jtb.com>
>>
>>  Connect doesn't require a userinfo endpoint.   It is required for
>> interoperability if you are building an open IdP.   For an enterprise type
>> deployment discovery, registration, userinfo are all optional.
>>
>> The server is required to pass the nonce which is equivalent to a request
>> ID through to the JWT if the client sends it in the request.
>>
>> Justin is correct.
>>
>> John B.
>>
>> On 2013-07-30, at 5:30 PM, Phil Hunt <phil.hunt@oracle.com> wrote:
>>
>>   Forgot reply all.
>>
>> Phil
>>
>> Begin forwarded message:
>>
>>  *From:* Phil Hunt <phil.hunt@oracle.com>
>> *Date:* 30 July, 2013 17:25:46 GMT+02:00
>> *To:* "Richer, Justin P." <jricher@mitre.org>
>> *Subject:* *Re: [OAUTH-WG] New Version Notification for
>> draft-hunt-oauth-v2-user-a4c-00.txt*
>>
>>   The whole point is authn only. Many do not want or need the userinfo
>> endpoint.
>>
>> Phil
>>
>>
>> On 2013-07-30, at 17:17, "Richer, Justin P." <jricher@mitre.org> wrote:
>>
>>  What do you mean? You absolutely can implement a compliant OIDC server
>> nearly as simply as this. The things that you're missing I think are
>> necessary for basic interoperable functionality, and are things that other
>> folks using OAuth for authentication have also implemented. Namely:
>>
>>  - Signing the ID token (OIDC specifies the RS256 flavor of JWS, which is
>> easy to do with JWT). Without a signed and verifiable ID token or
>> equivalent, you're asking for all kinds of token injection problems.
>>
>>  - Session management requests (max auth age, auth time)
>>
>>  - Not fall over with other parameters that you don't support (display,
>> prompt, etc).
>>
>> See here for more information:
>>
>>  http://openid.net/specs/openid-connect-messages-1_0.html#ServerMTI
>>
>> Additionally, something that's really important to support is the User
>> Info Endpoint, so you can actually get user profile information beyond just
>> the simple "someone was here" claim -- this was the real value of Facebook
>> Connect from an RP's perspective. Some people will probably want to use
>> SCIM for this, too, and that's fine.
>>
>>  -- Justin
>>
>> On Jul 30, 2013, at 10:54 AM, Phil Hunt <phil.hunt@oracle.com> wrote:
>>
>>  The oidc specs do not allow this simple an implementation. The spec
>> members have not shown interest in making changes as they say they are too
>> far down the road.
>>
>> I have tried to make my draft as close as possible to oidc but maybe it
>> shouldn't be clarity wise. I am interested in what the group feels is
>> clearest.
>>
>> From an ietf perspective the concern is improper use of the 6749 for
>> authn. Is this a bug or gap we need to address?
>>
>> Phil
>>
>>
>> On 2013-07-30, at 16:46, "Richer, Justin P." <jricher@mitre.org> wrote:
>>
>>  From what I read, you've defined something that uses an OAuth 2 code
>> flow to get an extra token which is specified as a JWT. You named it
>> "session_token" instead of "id_token", and you've left off the User
>> Information Endpoint -- but other than that, this is exactly the Basic
>> Client for OpenID Connect. In other words, if you change the names on
>> things you've got OIDC, but without the capabilities to go beyond a very
>> basic "hey there's a user here" claim. This is the same place that OpenID
>> 2.0 started, and it was very, very quickly extended with SREG, AX, PAPE,
>> and others for it to be useful in the real world of distributed logins.
>> You've also left out discovery and registration which are required for
>> distributed deployments, but I'm guessing that those would be modular
>> components that could be added in (like they are in OIDC).
>>
>> I've heard complaints that OIDC is complicated, but it's really not. Yes,
>> I agree that the giant stack of documents is intimidating and in my opinion
>> it's a bit of a mess with Messages and Standard split up (but I lost that
>> argument years ago). However, at the core, you've got an OAuth2
>> authorization server that spits out access tokens and id tokens. The id
>> token is a JWT with some known claims (iss, sub, etc) and is issued along
>> side the access token, and its audience is the *client* and not the
>> *protected resource*. The access token is a regular old access token and
>> its format is undefined (so you can use it with an existing OAuth2 server
>> setup, like we have), and it can be used at the User Info Endpoint to get
>> profile information about the user who authenticated. It could also be used
>> for other services if your AS/IdP protects multiple things.
>>
>> So I guess what I'm missing is what's the value proposition in this spec
>> when we have something that can do this already? And this doesn't seem to
>> do anything different (apart from syntax changes)?
>>
>>  -- Justin
>>
>> On Jul 29, 2013, at 4:14 AM, Phil Hunt <phil.hunt@oracle.com> wrote:
>>
>>  FYI.  I have been noticing a substantial number of sites acting as
>> OAuth Clients using OAuth to authenticate users.
>>
>> I know several of us have blogged on the issue over the past year so I
>> won't re-hash it here.  In short, many of us recommended OIDC as the
>> correct methodology.
>>
>> Never-the-less, I've spoken with a number of service providers who
>> indicate they are not ready to make the jump to OIDC, yet they agree there
>> is a desire to support authentication only (where as OIDC does IDP-like
>> services).
>>
>> This draft is intended as a minimum authentication only specification.
>>  I've tried to make it as compatible as possible with OIDC.
>>
>> For now, I've just posted to keep track of the issue so we can address at
>> the next re-chartering.
>>
>> Happy to answer questions and discuss.
>>
>> Phil
>>
>> @independentid
>> www.independentid.com
>> phil.hunt@oracle.com
>>
>> Begin forwarded message:
>>
>>  *From:* internet-drafts@ietf.org
>> *Subject: New Version Notification for
>> draft-hunt-oauth-v2-user-a4c-00.txt*
>> *Date:* 29 July, 2013 9:49:41 AM GMT+02:00
>> *To:* Phil Hunt <phil.hunt@yahoo.com>, Phil Hunt <None@ietfa.amsl.com>,
>> Phil Hunt <>
>>
>> A new version of I-D, draft-hunt-oauth-v2-user-a4c-00.txt
>> has been successfully submitted by Phil Hunt and posted to the
>> IETF repository.
>>
>> Filename: draft-hunt-oauth-v2-user-a4c
>> Revision: 00
>> Title: OAuth 2.0 User Authentication For Client
>> Creation date: 2013-07-29
>> Group: Individual Submission
>> Number of pages: 9
>> URL:
>> http://www.ietf.org/internet-drafts/draft-hunt-oauth-v2-user-a4c-00.txt
>> Status:
>> http://datatracker.ietf.org/doc/draft-hunt-oauth-v2-user-a4c
>> Htmlized:
>> http://tools.ietf.org/html/draft-hunt-oauth-v2-user-a4c-00
>>
>> Abstract:
>>   This specification defines a new OAuth2 endpoint that enables user
>>   authentication session information to be shared with client
>>   applications.
>>
>> Please note that it may take a couple of minutes from the time of
>> submission
>> until the htmlized version and diff are available at tools.ietf.org.
>>
>> The IETF Secretariat
>>
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth
>
>
>
> --
> Nat Sakimura (=nat)
> Chairman, OpenID Foundation
> http://nat.sakimura.org/
> @_nat_en
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>
>


-- 
Nat Sakimura (=nat)
Chairman, OpenID Foundation
http://nat.sakimura.org/
@_nat_en
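
The checks a client needs for the ID token described in the quoted thread (a signed JWT whose audience is the client, with the request nonce passed through and auth time available for max-age), written as an added example that is not from any poster or from the OpenID Connect specs. It uses HS256 from the Python standard library in place of the RS256 the thread mentions; the issuer URL, client IDs, key, nonce and timestamps are constructed sample values.

```python
import base64
import hashlib
import hmac
import json


class IdTokenError(Exception):
    """Raised when an ID token must not be accepted as proof of login."""


def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_token(header, claims, key=None):
    """Constructed issuer side, present only so the example has tokens to check."""
    signing_input = ".".join(
        b64url_encode(json.dumps(part, separators=(",", ":")).encode("utf-8"))
        for part in (header, claims))
    if key is None:                      # unsigned JWT: empty signature part
        return signing_input + "."
    mac = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(mac)


def validate_id_token(token, key, issuer, client_id, nonce, now,
                      max_age=None, leeway=60):
    """Return the claims if the token proves a login at issuer for client_id."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(header_b64))
        claims = json.loads(b64url_decode(payload_b64))
        signature = b64url_decode(sig_b64)
    except ValueError as exc:
        raise IdTokenError("malformed token") from exc
    if not isinstance(header, dict) or not isinstance(claims, dict):
        raise IdTokenError("malformed token")
    # Pin the algorithm this client expects; never let the token choose it.
    # This also rejects unsigned ("alg": "none") tokens.
    if header.get("alg") != "HS256":
        raise IdTokenError("unexpected alg")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode("ascii"),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        raise IdTokenError("bad signature")
    if claims.get("iss") != issuer:
        raise IdTokenError("issuer mismatch")
    # The audience is the client: a token minted for another client of the
    # same IdP is correctly signed but must still be refused here.
    aud = claims.get("aud")
    if client_id not in (aud if isinstance(aud, list) else [aud]):
        raise IdTokenError("audience mismatch")
    # The nonce ties the token to the request this client actually sent.
    if claims.get("nonce") != nonce:
        raise IdTokenError("nonce mismatch")
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or now >= exp + leeway:
        raise IdTokenError("token expired")
    if max_age is not None:
        auth_time = claims.get("auth_time")
        if (not isinstance(auth_time, (int, float))
                or now - auth_time > max_age + leeway):
            raise IdTokenError("authentication too old")
    return claims


def run_demo():
    """Run the validator over constructed tokens and report each outcome."""
    key = b"constructed-demo-key"
    issuer, client, nonce, now = "https://idp.example", "client-a", "n-7f3a", 1375340000
    base = {"iss": issuer, "sub": "user-1", "aud": client, "nonce": nonce,
            "iat": now - 10, "exp": now + 300, "auth_time": now - 30}
    signed = {"alg": "HS256", "typ": "JWT"}
    valid = make_token(signed, base, key)
    # Swap in a different payload while keeping the original signature.
    head, _, sig = valid.split(".")
    forged = make_token(signed, {**base, "sub": "user-2"}, key).split(".")[1]
    cases = {
        "valid": (valid, None),
        "other_client": (make_token(signed, {**base, "aud": "client-b"}, key), None),
        "replayed_nonce": (make_token(signed, {**base, "nonce": "n-old"}, key), None),
        "unsigned": (make_token({"alg": "none"}, base), None),
        "tampered": (".".join((head, forged, sig)), None),
        "stale_login": (make_token(signed, {**base, "auth_time": now - 7200}, key), 3600),
    }
    results = {}
    for name, (token, max_age) in cases.items():
        try:
            validate_id_token(token, key, issuer, client, nonce, now, max_age)
            results[name] = "ok"
        except IdTokenError as exc:
            results[name] = str(exc)
    return results


if __name__ == "__main__":
    for case, outcome in run_demo().items():
        print(f"{case:15} {outcome}")
```
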

--001a11c374a6f8c7af04e2ef79fd
Content-Type: text/html; charset=windows-1252
Content-Transfer-Encoding: quoted-printable

<div dir=3D"ltr">Not necessarily. Why would it be inappropriate?=A0<div><br=
></div><div>I call it NIH syndrome.=A0</div><div>Respecting the work which =
is done outside is a good thing.=A0</div><div>Just taking the content and t=
aking a credit for it is a bad practice.=A0</div>
<div><br></div><div>Forking is also bad.=A0</div><div><br></div><div class=
=3D"gmail_extra"><br><br><div class=3D"gmail_quote">2013/8/2 Phil Hunt <spa=
n dir=3D"ltr">&lt;<a href=3D"mailto:phil.hunt@oracle.com" target=3D"_blank"=
>phil.hunt@oracle.com</a>&gt;</span><br>
<blockquote class=3D"gmail_quote" style=3D"margin:0 0 0 .8ex;border-left:1p=
x #ccc solid;padding-left:1ex"><div dir=3D"auto"><div>OpenId specs can depe=
nd on oAuth. Having OAuth depend on OpenId is not appropriate here.=A0<span=
 class=3D"HOEnZb"><font color=3D"#888888"><br>
<br>Phil</font></span></div><div><div class=3D"h5"><div><br>On 2013-08-01, =
at 18:07, Nat Sakimura &lt;<a href=3D"mailto:sakimura@gmail.com" target=3D"=
_blank">sakimura@gmail.com</a>&gt; wrote:<br><br></div><blockquote type=3D"=
cite">
<div><div dir=3D"ltr">Like Bill says, it can just be a profile of OpenID Co=
nnect.=A0<div>IETF specs already references OpenID Foundation specs.=A0</di=
v><div>It should not be a problem.=A0</div><div>I do not think we want to f=
olk.=A0</div>

</div><div class=3D"gmail_extra"><br><br><div class=3D"gmail_quote">2013/8/=
1 Anthony Nadalin <span dir=3D"ltr">&lt;<a href=3D"mailto:tonynad@microsoft=
.com" target=3D"_blank">tonynad@microsoft.com</a>&gt;</span><br><blockquote=
 class=3D"gmail_quote" style=3D"margin:0 0 0 .8ex;border-left:1px #ccc soli=
d;padding-left:1ex">







<div lang=3D"EN-US" link=3D"blue" vlink=3D"purple">
<div>
<p class=3D"MsoNormal"><span style=3D"font-size:11.0pt;font-family:&quot;Ca=
libri&quot;,&quot;sans-serif&quot;;color:#1f497d">I believe it beneficial t=
o have a common format and common values, and 1 way to handle the format an=
d values. I believe that having this in oauth is beneficial,
 I believe that it would also be beneficial for OpenID if this were in oaut=
h. There are cases for signed and unsigned formats.
<u></u><u></u></span></p>
<p class=3D"MsoNormal"><a name=3D"1403d1e1feb19c57_1403a4678daa8350__MailEn=
dCompose"><span style=3D"font-size:11.0pt;font-family:&quot;Calibri&quot;,&=
quot;sans-serif&quot;;color:#1f497d"><u></u>=A0<u></u></span></a></p>
<div>
<div style=3D"border:none;border-top:solid #e1e1e1 1.0pt;padding:3.0pt 0in =
0in 0in">
<p class=3D"MsoNormal"><b><span style=3D"font-size:11.0pt;font-family:&quot=
;Calibri&quot;,&quot;sans-serif&quot;">From:</span></b><span style=3D"font-=
size:11.0pt;font-family:&quot;Calibri&quot;,&quot;sans-serif&quot;"> Richer=
, Justin P. [mailto:<a href=3D"mailto:jricher@mitre.org" target=3D"_blank">=
jricher@mitre.org</a>]
<br>
<b>Sent:</b> Thursday, August 1, 2013 7:15 AM<br>
<b>To:</b> Nat Sakimura<br>
<b>Cc:</b> Anthony Nadalin; Bill Mills; Prateek Mishra; <a href=3D"mailto:o=
auth@ietf.org" target=3D"_blank">oauth@ietf.org</a> WG</span></p><div><div>=
<br>
<b>Subject:</b> Re: [OAUTH-WG] Need for Extending OAuth with AuthN (was Re:=
 Fwd: New Version Notification for draft-hunt-oauth-v2-user-a4c-00.txt)<u><=
/u><u></u></div></div><p></p>
</div>
</div><div><div>
<p class=3D"MsoNormal"><u></u>=A0<u></u></p>
<p class=3D"MsoNormal">Also, it&#39;s (optionally) a token in the proposed =
document we&#39;re discussing (=A72.4.1), which means there are two ways to=
 parse the same information. OIDC uses JWTs for everything, signed and unsi=
gned. This means that OIDC is actually simpler
 from an implementation perspective, wouldn&#39;t you say? Instead of havin=
g two parsers, you have one to cover both cases.=A0
<u></u><u></u></p>
<div>
<p class=3D"MsoNormal"><u></u>=A0<u></u></p>
</div>
<div>
<p class=3D"MsoNormal">(And given your tendency to throw signed assertions =
at every problem, I would have thought that you&#39;d prefer this anyway.)
<u></u><u></u></p>
<div>
<p class=3D"MsoNormal"><u></u>=A0<u></u></p>
</div>
<div>
<p class=3D"MsoNormal">=A0-- Justin<u></u><u></u></p>
</div>
<div>
<p class=3D"MsoNormal"><u></u>=A0<u></u></p>
<div>
<div>
<p class=3D"MsoNormal">On Aug 1, 2013, at 9:40 AM, Nat Sakimura &lt;<a href=
=3D"mailto:sakimura@gmail.com" target=3D"_blank">sakimura@gmail.com</a>&gt;=
<u></u><u></u></p>
</div>
<div>
<p class=3D"MsoNormal">=A0wrote:<u></u><u></u></p>
</div>
<p class=3D"MsoNormal"><br>
<br>
<u></u><u></u></p>
<blockquote style=3D"margin-top:5.0pt;margin-bottom:5.0pt">
<div>
<div>
<p class=3D"MsoNormal">Yes, it is a Token.=A0<u></u><u></u></p>
</div>
<div>
<p class=3D"MsoNormal">No, it does not have to be signed.=A0<u></u><u></u><=
/p>
</div>
<div>
<p class=3D"MsoNormal"><u></u>=A0<u></u></p>
</div>
<div>
<p class=3D"MsoNormal" style=3D"margin-bottom:12.0pt">As to be a token or n=
ot to be a token question, it has been discussed in the WG before, and if I=
 remember correctly, =A0Microsoft argued for token saying that it is just b=
ase64 decoding and I lost there. =A0<u></u><u></u></p>


</div>
<div>
<p class=3D"MsoNormal">Nat<u></u><u></u></p>
</div>
<div>
<p class=3D"MsoNormal" style=3D"margin-bottom:12.0pt"><br>
On Aug 1, 2013, at 14:24, Anthony Nadalin &lt;<a href=3D"mailto:tonynad@mic=
rosoft.com" target=3D"_blank">tonynad@microsoft.com</a>&gt; wrote:<u></u><u=
></u></p>
</div>
<blockquote style=3D"margin-top:5.0pt;margin-bottom:5.0pt">
<p class=3D"MsoNormal"><span style=3D"font-size:11.0pt;font-family:&quot;Ca=
libri&quot;,&quot;sans-serif&quot;;color:#1f497d">You can=92t do this, firs=
t openid uses a token and second it=92s signed, third there is no specifica=
tion to just return a authentication JSON structure</span><u></u><u></u></p=
>


<p class=3D"MsoNormal"><span style=3D"font-size:11.0pt;font-family:&quot;Ca=
libri&quot;,&quot;sans-serif&quot;;color:#1f497d">=A0</span><u></u><u></u><=
/p>
<div>
<div style=3D"border:none;border-top:solid #e1e1e1 1.0pt;padding:3.0pt 0in =
0in 0in">
<p class=3D"MsoNormal"><b><span style=3D"font-size:11.0pt;font-family:&quot=
;Calibri&quot;,&quot;sans-serif&quot;">From:</span></b><span style=3D"font-=
size:11.0pt;font-family:&quot;Calibri&quot;,&quot;sans-serif&quot;"> Richer=
, Justin P. [<a href=3D"mailto:jricher@mitre.org" target=3D"_blank">mailto:=
jricher@mitre.org</a>]
<br>
<b>Sent:</b> Thursday, August 1, 2013 5:15 AM<br>
<b>To:</b> Anthony Nadalin<br>
<b>Cc:</b> Bill Mills; Prateek Mishra; Nat Sakimura; <a href=3D"mailto:oaut=
h@ietf.org" target=3D"_blank">
oauth@ietf.org</a> WG<br>
<b>Subject:</b> Re: [OAUTH-WG] Need for Extending OAuth with AuthN (was Re:=
 Fwd: New Version Notification for draft-hunt-oauth-v2-user-a4c-00.txt)</sp=
an><u></u><u></u></p>
</div>
</div>
<div>
<p class=3D"MsoNormal">=A0<u></u><u></u></p>
</div>
<p class=3D"MsoNormal">Tony, you can already return the authn result from t=
he token request (we discussed this specifically in May as I recall). That&=
#39;s what the &quot;idtoken&quot; and &quot;code idtoken&quot; responses a=
re for in OpenID Connect. The proposed draft is nearly a duplicate
 of the core functionality of OIDC. <u></u><u></u></p>
<div>
<div>
<p class=3D"MsoNormal">=A0<u></u><u></u></p>
</div>
</div>
<div>
<p class=3D"MsoNormal">=A0-- Justin<u></u><u></u></p>
</div>
<div>
<div>
<p class=3D"MsoNormal">=A0<u></u><u></u></p>
</div>
<div>
<div>
<p class=3D"MsoNormal">On Aug 1, 2013, at 7:31 AM, Anthony Nadalin &lt;<a h=
ref=3D"mailto:tonynad@microsoft.com" target=3D"_blank">tonynad@microsoft.co=
m</a>&gt;<u></u><u></u></p>
</div>
<div>
<p class=3D"MsoNormal">=A0wrote:<u></u><u></u></p>
</div>
<p class=3D"MsoNormal" style=3D"margin-bottom:12.0pt"><u></u>=A0<u></u></p>
<blockquote style=3D"margin-top:5.0pt;margin-bottom:5.0pt">
<div>
<div>
<p class=3D"MsoNormal"><span style=3D"font-size:11.0pt;font-family:&quot;Ca=
libri&quot;,&quot;sans-serif&quot;;color:#1f497d">The proposal does not dup=
licate what OpenID does, there is clear benefit for returning an authentica=
tion result in the token request result. This is being proposed
 as an optional JSON structure.</span><u></u><u></u></p>
</div>
<div>
<div>
<p class=3D"MsoNormal"><span style=3D"font-size:11.0pt;font-family:&quot;Ca=
libri&quot;,&quot;sans-serif&quot;;color:#1f497d">=A0</span><u></u><u></u><=
/p>
</div>
</div>
<div>
<div style=3D"border:none;border-top:solid #e1e1e1 1.0pt;padding:3.0pt 0in =
0in 0in">
<div>
<p class=3D"MsoNormal"><b><span style=3D"font-size:11.0pt;font-family:&quot=
;Calibri&quot;,&quot;sans-serif&quot;">From:</span></b><span><span style=3D=
"font-size:11.0pt;font-family:&quot;Calibri&quot;,&quot;sans-serif&quot;">=
=A0</span></span><span style=3D"font-size:11.0pt;font-family:&quot;Calibri&=
quot;,&quot;sans-serif&quot;"><a href=3D"mailto:oauth-bounces@ietf.org" tar=
get=3D"_blank"><span style=3D"color:purple">oauth-bounces@ietf.org</span></=
a><span>=A0</span>[mailto:<a href=3D"mailto:oauth-" target=3D"_blank">oauth=
-</a><a href=3D"mailto:bounces@ietf.org" target=3D"_blank"><span style=3D"c=
olor:purple">bounces@ietf.org</span></a>]<span>=A0</span><b>On
 Behalf Of<span>=A0</span></b>Bill Mills<br>
<b>Sent:</b><span>=A0</span>Wednesday, July 31, 2013 2:50 PM<br>
<b>To:</b><span>=A0</span>Prateek Mishra; Nat Sakimura<br>
<b>Cc:</b><span>=A0</span><a href=3D"mailto:oauth@ietf.org" target=3D"_blan=
k"><span style=3D"color:purple">oauth@ietf.org</span></a><span>=A0</span>WG=
<br>
<b>Subject:</b><span>=A0</span>Re: [OAUTH-WG] Need for Extending OAuth with=
 AuthN (was Re: Fwd: New Version Notification for draft-hunt-oauth-v2-user-=
a4c-00.txt)</span><u></u><u></u></p>
</div>
</div>
</div>
<div>
<div>
<p class=3D"MsoNormal">=A0<u></u><u></u></p>
</div>
</div>
<div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white"><span style=3D"font-famil=
y:&quot;Courier New&quot;">Rather than extending OAuth for something OpenID=
 already does... =A0why don&#39;t we get a simple informational example doc=
 to show how to implement the most basic OpenID service,
 which is the same functionality on a standard that&#39;s already written?<=
/span><u></u><u></u></p>
</div>
</div>
<div>
<div>
<div>
<p class=3D"MsoNormal"><span style=3D"font-family:&quot;Courier New&quot;">=
=A0</span><u></u><u></u></p>
</div>
</div>
</div>
<div>
<div>
<p class=3D"MsoNormal"><span style=3D"font-family:&quot;Courier New&quot;">=
This is sounding more and more like a documentation problem.</span><u></u><=
u></u></p>
</div>
</div>
<div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white"><span style=3D"font-famil=
y:&quot;Courier New&quot;">=A0</span><u></u><u></u></p>
</div>
</div>
</div>
<div>
<div>
<div class=3D"MsoNormal" align=3D"center" style=3D"text-align:center;backgr=
ound:white">
<hr size=3D"1" width=3D"100%" align=3D"center">
</div>
<div>
<p class=3D"MsoNormal" style=3D"background:white"><b><span style=3D"font-si=
ze:10.0pt;font-family:&quot;Arial&quot;,&quot;sans-serif&quot;">From:</span=
></b><span><span style=3D"font-size:10.0pt;font-family:&quot;Arial&quot;,&q=
uot;sans-serif&quot;">=A0</span></span><span style=3D"font-size:10.0pt;font=
-family:&quot;Arial&quot;,&quot;sans-serif&quot;">Prateek
 Mishra &lt;<a href=3D"mailto:prateek.mishra@oracle.com" target=3D"_blank">=
<span style=3D"color:purple">prateek.mishra@oracle.com</span></a>&gt;<br>
<b>To:</b><span>=A0</span>Nat Sakimura &lt;<a href=3D"mailto:sakimura@gmail=
.com" target=3D"_blank"><span style=3D"color:purple">sakimura@gmail.com</sp=
an></a>&gt;<span>=A0</span><br>
<b>Cc:</b><span>=A0</span>&quot;<a href=3D"mailto:oauth@ietf.org%20WG" targ=
et=3D"_blank"><span style=3D"color:purple">oauth@ietf.org WG</span></a>&quo=
t; &lt;<a href=3D"mailto:oauth@ietf.org" target=3D"_blank"><span style=3D"c=
olor:purple">oauth@ietf.org</span></a>&gt;<span>=A0</span><br>


<b>Sent:</b><span>=A0</span>Wednesday, July 31, 2013 2:38 PM<br>
<b>Subject:</b><span>=A0</span>[OAUTH-WG] Need for Extending OAuth with Aut=
hN (was Re: Fwd: New Version Notification for draft-hunt-oauth-v2-user-a4c-=
00.txt)</span><u></u><u></u></p>
</div>
</div>
<div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">=A0<u></u><u></u></p>
</div>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">Nat -<span>=A0</span><br>
<br>
thanks for the detailed response. I did review the links you sent out but i=
t remained unclear to me which<br>
features are MTI and which are not. For example, there is nothing in the Ba=
sic Client Profile that suggests<br>
that Section 2.3 is optional. I also could not find any definition for &quo=
t;non-dynamic OpenID Connect Server&quot;.<br>
<br>
I don&#39;t think there is a need to duplicate portions of the draft specif=
ication text in a new document. One solution<br>
that was used in SAML 2.0 was to define a conformance document which descri=
bed several different<span>=A0</span><br>
operational modes and explained how only a small set of features needed to =
be implemented in certain modes.<br>
<br>
<a href=3D"http://docs.oasis-open.org/security/saml/v2.0/saml-conformance-2=
.0-os.pdf" target=3D"_blank"><span style=3D"color:purple">http://docs.oasis=
-open.org/security/saml/v2.0/saml-conformance-2.0-os.pdf</span></a><br>
<br>
There are probably other smarter ways to achieve the same effect.<br>
<br>
Given this situation, I do think it&#39;s a reasonable task for the OAuth c=
ommunity to consider the need for<span>=A0</span><br>
a minimal extension to OAuth that accommodates authentication. The communit=
y should be made aware that<span>=A0</span><br>
RFC 6749 is being misused for federated authentication, as explained in=A0 =
-=A0<span>=A0</span><br>
<br>
<a href=3D"http://www.independentid.com/2013/07/simple-authentication-for-o=
auth-2-what.html" target=3D"_blank"><span style=3D"color:purple">http://www=
.independentid.com/2013/07/simple-authentication-for-oauth-2-what.html</spa=
n></a><span>=A0</span><br>


<br>
and that there doesn&#39;t appear to be a simple solution that is currently=
 available. It would be great if it turned<br>
out that OpenID Connect offered such a solution but that isn&#39;t clear to=
 me.<br>
<br>
Thx,<br>
prateek<u></u><u></u></p>
</div>
<div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">=A0<u></u><u></u></p>
</div>
</div>
</div>
<blockquote style=3D"margin-top:5.0pt;margin-bottom:5.0pt">
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">=A0<u></u><u></u></p>
</div>
</div>
<div>
<p class=3D"MsoNormal" style=3D"margin-bottom:12.0pt;background:white;backg=
round-repeat:initial initial">
Inline:=A0<u></u><u></u></p>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">2013/7/31 Prateek Mishra =
&lt;<a href=3D"mailto:prateek.mishra@oracle.com" target=3D"_blank"><span st=
yle=3D"color:purple">prateek.mishra@oracle.com</span></a>&gt;<u></u><u></u>=
</p>
</div>
<blockquote style=3D"border:none;border-left:solid #cccccc 1.0pt;padding:0i=
n 0in 0in 6.0pt;margin-left:4.8pt;margin-top:5.0pt;margin-right:0in;margin-=
bottom:5.0pt">
<div>
<p class=3D"MsoNormal" style=3D"background:white">Nat -<span>=A0</span><br>
<br>
your blog posting is helpful to those of us who are looking for a minimal e=
xtension of OAuth with<span>=A0</span><br>
an authenticator.=A0 Many implementors are seeking a modest extension of OA=
uth, not an entire new protocol<br>
stack. =A0 I believe that is the point of Phil Hunt&#39;s proposal to the O=
Auth committee.<br>
<br>
I do have some questions about the statements made in the blog -<span>=
=A0</span><br>
<br>
A) Can you direct me to a single OpenID Connect draft specification documen=
t where steps 1 and 2 are described?<u></u><u></u></p>
</div>
</blockquote>
<div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">=A0<u></u><u></u></p>
</div>
</div>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">Actually, it is not a sin=
gle spec, that the Standard is referencing others.=A0<u></u><u></u></p>
</div>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">The Standard is kind of c=
luttered because it has 6 response types and three request types in it.=A0<=
u></u><u></u></p>
</div>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">I suppose it would be muc=
h easier for the readers to split them into coherent pieces, though that me=
ans duplicate texts.=A0<u></u><u></u></p>
</div>
</div>
<div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">=A0<u></u><u></u></p>
</div>
</div>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">The easiest approach here=
 is to read the Basic Client Profile.=A0<a href=3D"http://openid.net/specs/=
openid-connect-basic-1_0-28.html" target=3D"_blank"><span style=3D"color:pu=
rple">http://openid.net/specs/openid-connect-basic-1_0-28.html</span></a><u=
></u><u></u></p>


</div>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">Then, read=A0OAuth 2.0 Mu=
ltiple Response Type Encoding Practices=A0<a href=3D"http://openid.net/spec=
s/oauth-v2-multiple-response-types-1_0-08.html" target=3D"_blank"><span sty=
le=3D"color:purple">http://openid.net/specs/oauth-v2-multiple-response-type=
s-1_0-08.html</span></a>=A0.=A0<u></u><u></u></p>


</div>
</div>
<div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">=A0<u></u><u></u></p>
</div>
</div>
</div>
<blockquote style=3D"border:none;border-left:solid #cccccc 1.0pt;padding:0i=
n 0in 0in 6.0pt;margin-left:4.8pt;margin-top:5.0pt;margin-right:0in;margin-=
bottom:5.0pt">
<div>
<p class=3D"MsoNormal" style=3D"background:white"><br>
B) If I implement steps 1 and 2, do I then have a conformant OpenID Connect=
 implementation? Are there no<span>=A0</span><br>
other MTI protocol exchanges in OpenID Connect?<u></u><u></u></p>
</div>
</blockquote>
<div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">=A0<u></u><u></u></p>
</div>
</div>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">Yes, for a non-dynamic Op=
enID Connect Server.=A0<u></u><u></u></p>
</div>
</div>
<div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">=A0<u></u><u></u></p>
</div>
</div>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">Nat<u></u><u></u></p>
</div>
</div>
<div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">=A0=A0<u></u><u></u></p>
</div>
</div>
</div>
<blockquote style=3D"border:none;border-left:solid #cccccc 1.0pt;padding:0i=
n 0in 0in 6.0pt;margin-left:4.8pt;margin-top:5.0pt;margin-right:0in;margin-=
bottom:5.0pt">
<div>
<p class=3D"MsoNormal" style=3D"background:white"><br>
Thanks,<br>
prateek<u></u><u></u></p>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white"><br>
<br>
=A0 =A0<u></u><u></u></p>
</div>
<div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">=A0<u></u><u></u></p>
</div>
</div>
</div>
<blockquote style=3D"margin-top:5.0pt;margin-bottom:5.0pt">
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">I have written a short bl=
og post titled &quot;<a href=3D"http://nat.sakimura.org/2013/07/28/write-op=
enid-connect-server-in-three-simple-steps/" target=3D"_blank"><span style=
=3D"color:purple">Write an OpenID Connect server
 in three simple steps</span></a>&quot;.=A0<u></u><u></u></p>
</div>
<div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">=A0<u></u><u></u></p>
</div>
</div>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">Really, there is not much=
 you need to do on top of OAuth 2.0.=A0<u></u><u></u></p>
</div>
</div>
<div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">=A0<u></u><u></u></p>
</div>
</div>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">It puzzles me why you nee=
d to create a draft with only minor variances in parameter names.=A0<u></u>=
<u></u></p>
</div>
</div>
<div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">=A0<u></u><u></u></p>
</div>
</div>
</div>
<blockquote style=3D"margin-left:30.0pt;margin-top:5.0pt;margin-right:0in;m=
argin-bottom:5.0pt">
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">e.g.,=A0<u></u><u></u></p=
>
</div>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">session instead of id_tok=
en<u></u><u></u></p>
</div>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">lat instead of iat<u></u>=
<u></u></p>
</div>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">alv instead of acr<u></u>=
<u></u></p>
</div>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">etc.=A0<u></u><u></u></p>
</div>
</div>
</blockquote>
<div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">=A0<u></u><u></u></p>
</div>
</div>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">If you change those param=
eter names, you will have a conformant profile of OpenID Connect.=A0<u></u>=
<u></u></p>
</div>
</div>
<div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">=A0<u></u><u></u></p>
</div>
</div>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">Nat<u></u><u></u></p>
</div>
</div>
</div>
<div>
<div style=3D"margin-bottom:12.0pt;background-repeat:initial initial">
<p class=3D"MsoNormal" style=3D"background:white">=A0<u></u><u></u></p>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">2013/7/31 John Bradley &l=
t;<a href=3D"mailto:ve7jtb@ve7jtb.com" target=3D"_blank"><span style=3D"col=
or:purple">ve7jtb@ve7jtb.com</span></a>&gt;<u></u><u></u></p>
</div>
<blockquote style=3D"border:none;border-left:solid #cccccc 1.0pt;padding:0i=
n 0in 0in 6.0pt;margin-left:4.8pt;margin-top:5.0pt;margin-right:0in;margin-=
bottom:5.0pt">
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">Connect doesn&#39;t requi=
re a userinfo endpoint. =A0 It is required for interoperability if you are =
building an open IdP. =A0 For an enterprise type deployment discovery, regi=
stration, userinfo are all optional.<u></u><u></u></p>


</div>
<div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">=A0<u></u><u></u></p>
</div>
</div>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">The server is required to=
 pass the nonce which is equivalent to a request ID through to the JWT if t=
he client sends it in the request.<u></u><u></u></p>
</div>
</div>
<div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">=A0<u></u><u></u></p>
</div>
</div>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">Justin is correct.<u></u>=
<u></u></p>
</div>
</div>
<div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">=A0<u></u><u></u></p>
</div>
</div>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">John B.<u></u><u></u></p>
</div>
<div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">=A0<u></u><u></u></p>
</div>
</div>
<div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">On 2013-07-30, at 5:30 PM=
, Phil Hunt &lt;<a href=3D"mailto:phil.hunt@oracle.com" target=3D"_blank"><=
span style=3D"color:purple">phil.hunt@oracle.com</span></a>&gt; wrote:<u></=
u><u></u></p>


</div>
</div>
<div>
<p class=3D"MsoNormal" style=3D"margin-bottom:12.0pt;background:white"><br>
<br>
<u></u><u></u></p>
</div>
<blockquote style=3D"margin-top:5.0pt;margin-bottom:5.0pt">
<div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">Forgot reply all.<br>
<br>
Phil<u></u><u></u></p>
</div>
</div>
<div>
<p class=3D"MsoNormal" style=3D"margin-bottom:12.0pt;background:white;backg=
round-repeat:initial initial">
<br>
Begin forwarded message:<u></u><u></u></p>
</div>
<blockquote style=3D"margin-top:5.0pt;margin-bottom:5.0pt">
<p class=3D"MsoNormal" style=3D"margin-bottom:12.0pt;background:white;backg=
round-repeat:initial initial">
<b>From:</b><span>=A0</span>Phil Hunt &lt;<a href=3D"mailto:phil.hunt@oracl=
e.com" target=3D"_blank"><span style=3D"color:purple">phil.hunt@oracle.com<=
/span></a>&gt;<br>
<b>Date:</b><span>=A0</span>30 July, 2013 17:25:46 GMT+02:00<br>
<b>To:</b><span>=A0</span>&quot;Richer, Justin P.&quot; &lt;<a href=3D"mail=
to:jricher@mitre.org" target=3D"_blank"><span style=3D"color:purple">jriche=
r@mitre.org</span></a>&gt;<br>
<b>Subject:</b><span>=A0</span><b>Re: [OAUTH-WG] New Version Notification f=
or draft-hunt-oauth-v2-user-a4c-00.txt</b><u></u><u></u></p>
</blockquote>
<blockquote style=3D"margin-top:5.0pt;margin-bottom:5.0pt">
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">The whole point is authn =
only. Many do not want or need the userinfo endpoint.=A0<br>
<br>
Phil<u></u><u></u></p>
</div>
</div>
<div>
<p class=3D"MsoNormal" style=3D"margin-bottom:12.0pt;background:white;backg=
round-repeat:initial initial">
<br>
On 2013-07-30, at 17:17, &quot;Richer, Justin P.&quot; &lt;<a href=3D"mailt=
o:jricher@mitre.org" target=3D"_blank"><span style=3D"color:purple">jricher=
@mitre.org</span></a>&gt; wrote:<u></u><u></u></p>
</div>
<blockquote style=3D"margin-top:5.0pt;margin-bottom:5.0pt">
<div>
<p class=3D"MsoNormal" style=3D"background:white">What do you mean? You abs=
olutely can implement a compliant OIDC server nearly as simply as this. The=
 things that you&#39;re missing I think are necessary for basic interoperab=
le functionality, and are things that other
 folks using OAuth for authentication have also implemented. Namely:<u></u>=
<u></u></p>
</div>
<div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">=A0<u></u><u></u></p>
</div>
</div>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">=A0- Signing the ID token=
 (OIDC specifies the RS256 flavor of JWS, which is easy to do with JWT). Wi=
thout a signed and verifiable ID token or equivalent, you&#39;re asking for=
 all kinds of token injection problems.<u></u><u></u></p>


</div>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">=A0- Session management r=
equests (max auth age, auth time)<u></u><u></u></p>
</div>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">=A0- Not fall over with o=
ther parameters that you don&#39;t support (display, prompt, etc).<u></u><u=
></u></p>
</div>
</div>
<div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">=A0<u></u><u></u></p>
</div>
</div>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">See here for more informa=
tion:<u></u><u></u></p>
</div>
</div>
<div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">=A0<u></u><u></u></p>
</div>
</div>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">=A0<a href=3D"http://open=
id.net/specs/openid-connect-messages-1_0.html#ServerMTI" target=3D"_blank">=
<span style=3D"color:purple">http://openid.net/specs/openid-connect-message=
s-1_0.html#ServerMTI</span></a><u></u><u></u></p>


</div>
</div>
<div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">=A0<u></u><u></u></p>
</div>
</div>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">Additionally, something t=
hat&#39;s really important to support is the User Info Endpoint, so you can=
 actually get user profile information beyond just the simple &quot;someone=
 was here&quot; claim -- this was the real value of
 Facebook Connect from an RP&#39;s perspective. Some people will probably w=
ant to use SCIM for this, too, and that&#39;s fine.<u></u><u></u></p>
</div>
</div>
<div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">=A0<u></u><u></u></p>
</div>
</div>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">=A0-- Justin<u></u><u></u=
></p>
</div>
</div>
<div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">=A0<u></u><u></u></p>
</div>
</div>
<div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">On Jul 30, 2013, at 10:54=
 AM, Phil Hunt &lt;<a href=3D"mailto:phil.hunt@oracle.com" target=3D"_blank=
"><span style=3D"color:purple">phil.hunt@oracle.com</span></a>&gt;<u></u><u=
></u></p>


</div>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">=A0wrote:<u></u><u></u></=
p>
</div>
</div>
<div>
<p class=3D"MsoNormal" style=3D"margin-bottom:12.0pt;background:white"><br>
<br>
<u></u><u></u></p>
</div>
<blockquote style=3D"margin-top:5.0pt;margin-bottom:5.0pt">
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">The oidc specs do not all=
ow this simple an implementation. The spec members have not shown interest =
in making changes as they say they are too far down the road.<u></u><u></u>=
</p>


</div>
</div>
<div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">=A0<u></u><u></u></p>
</div>
</div>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">I have tried to make my d=
raft as close as possible to oidc but maybe it shouldn&#39;t be clarity wis=
e. I am interested in what the group feels is clearest.=A0<u></u><u></u></p=
>


</div>
</div>
<div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">=A0<u></u><u></u></p>
</div>
</div>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">From an ietf perspective =
the concern is improper use of the 6749 for authn. Is this a bug or gap we =
need to address?<br>
<br>
Phil<u></u><u></u></p>
</div>
</div>
<div>
<p class=3D"MsoNormal" style=3D"margin-bottom:12.0pt;background:white;backg=
round-repeat:initial initial">
<br>
On 2013-07-30, at 16:46, &quot;Richer, Justin P.&quot; &lt;<a href=3D"mailt=
o:jricher@mitre.org" target=3D"_blank"><span style=3D"color:purple">jricher=
@mitre.org</span></a>&gt; wrote:<u></u><u></u></p>
</div>
<blockquote style=3D"margin-top:5.0pt;margin-bottom:5.0pt">
<div>
<p class=3D"MsoNormal" style=3D"background:white">From what I read, you&#39=
;ve defined something that uses an OAuth 2 code flow to get an extra token =
which is specified as a JWT. You named it &quot;session_token&quot; instead=
 of &quot;id_token&quot;, and you&#39;ve left off the User Information
 Endpoint -- but other than that, this is exactly the Basic Client for Open=
ID Connect. In other words, if you change the names on things you&#39;ve go=
t OIDC, but without the capabilities to go beyond a very basic &quot;hey th=
ere&#39;s a user here&quot; claim. This is the same
 place that OpenID 2.0 started, and it was very, very quickly extended with=
 SREG, AX, PAPE, and others for it to be useful in the real world of distri=
buted logins. You&#39;ve also left out discovery and registration which are=
 required for distributed deployments,
 but I&#39;m guessing that those would be modular components that could be =
added in (like they are in OIDC).=A0<u></u><u></u></p>
</div>
<div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">=A0<u></u><u></u></p>
</div>
</div>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">I&#39;ve heard complaints=
 that OIDC is complicated, but it&#39;s really not. Yes, I agree that the g=
iant stack of documents is intimidating and in my opinion it&#39;s a bit of=
 a mess with Messages and Standard split up (but
 I lost that argument years ago). However, at the core, you&#39;ve got an O=
Auth2 authorization server that spits out access tokens and id tokens. The =
id token is a JWT with some known claims (iss, sub, etc) and is issued alon=
g side the access token, and its audience
 is the *client* and not the *protected resource*. The access token is a re=
gular old access token and its format is undefined (so you can use it with =
an existing OAuth2 server setup, like we have), and it can be used at the U=
ser Info Endpoint to get profile
 information about the user who authenticated. It could also be used for ot=
her services if your AS/IdP protects multiple things.<u></u><u></u></p>
</div>
</div>
<div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">=A0<u></u><u></u></p>
</div>
</div>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">So I guess what I&#39;m m=
issing is what&#39;s the value proposition in this spec when we have someth=
ing that can do this already? And this doesn&#39;t seem to do anything diff=
erent (apart from syntax changes)?<u></u><u></u></p>


</div>
</div>
<div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">=A0<u></u><u></u></p>
</div>
</div>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">=A0-- Justin<u></u><u></u=
></p>
</div>
</div>
<div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">=A0<u></u><u></u></p>
</div>
</div>
<div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">On Jul 29, 2013, at 4:14 =
AM, Phil Hunt &lt;<a href=3D"mailto:phil.hunt@oracle.com" target=3D"_blank"=
><span style=3D"color:purple">phil.hunt@oracle.com</span></a>&gt; wrote:<u>=
</u><u></u></p>


</div>
</div>
<div>
<p class=3D"MsoNormal" style=3D"margin-bottom:12.0pt;background:white"><br>
<br>
<u></u><u></u></p>
</div>
<blockquote style=3D"margin-top:5.0pt;margin-bottom:5.0pt">
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">FYI. =A0I have been notic=
ing a substantial number of sites acting as OAuth Clients using OAuth to au=
thenticate users.<u></u><u></u></p>
</div>
<div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">=A0<u></u><u></u></p>
</div>
</div>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">I know several of us have=
 blogged on the issue over the past year so I won&#39;t re-hash it here. =
=A0In short, many of us recommended OIDC as the correct methodology.<u></u>=
<u></u></p>


</div>
</div>
<div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">=A0<u></u><u></u></p>
</div>
</div>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">Nevertheless, I&#39;ve =
spoken with a number of service providers who indicate they are not ready t=
o make the jump to OIDC, yet they agree there is a desire to support authen=
tication only (whereas OIDC does IDP-like
 services).<u></u><u></u></p>
</div>
</div>
<div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">=A0<u></u><u></u></p>
</div>
</div>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">This draft is intended as=
 a minimum authentication only specification. =A0I&#39;ve tried to make it =
as compatible as possible with OIDC.<u></u><u></u></p>
</div>
</div>
<div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">=A0<u></u><u></u></p>
</div>
</div>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">For now, I&#39;ve just po=
sted to keep track of the issue so we can address at the next re-chartering=
.<u></u><u></u></p>
</div>
</div>
<div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">=A0<u></u><u></u></p>
</div>
</div>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">Happy to answer questions=
 and discuss.=A0<u></u><u></u></p>
</div>
</div>
<div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">=A0<u></u><u></u></p>
</div>
</div>
</div>
<div>
<div>
<div>
<div>
<div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white"><span style=3D"font-size:=
9.0pt;font-family:&quot;Helvetica&quot;,&quot;sans-serif&quot;">Phil</span>=
<u></u><u></u></p>
</div>
</div>
<div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white"><span style=3D"font-size:=
9.0pt;font-family:&quot;Helvetica&quot;,&quot;sans-serif&quot;">=A0</span><=
u></u><u></u></p>
</div>
</div>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white"><span style=3D"font-size:=
9.0pt;font-family:&quot;Helvetica&quot;,&quot;sans-serif&quot;">@independen=
tid</span><u></u><u></u></p>
</div>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white"><span style=3D"font-size:=
9.0pt;font-family:&quot;Helvetica&quot;,&quot;sans-serif&quot;"><a href=3D"=
http://www.independentid.com/" target=3D"_blank"><span style=3D"color:purpl=
e">www.independentid.com</span></a></span><u></u><u></u></p>


</div>
</div>
</div>
<p class=3D"MsoNormal" style=3D"margin-bottom:13.5pt;background:white;backg=
round-repeat:initial initial">
<span style=3D"font-size:13.5pt;font-family:&quot;Helvetica&quot;,&quot;san=
s-serif&quot;"><a href=3D"mailto:phil.hunt@oracle.com" target=3D"_blank"><s=
pan style=3D"color:purple">phil.hunt@oracle.com</span></a></span><u></u><u>=
</u></p>


</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white"><span style=3D"font-size:=
13.5pt;font-family:&quot;Helvetica&quot;,&quot;sans-serif&quot;">=A0</span>=
<u></u><u></u></p>
</div>
</div>
</div>
<div>
<p class=3D"MsoNormal" style=3D"margin-bottom:12.0pt;background:white"><br>
<br>
<u></u><u></u></p>
</div>
</div>
<div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">=A0<u></u><u></u></p>
</div>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">Begin forwarded message:<=
u></u><u></u></p>
</div>
</div>
<div>
<p class=3D"MsoNormal" style=3D"margin-bottom:12.0pt;background:white"><br>
<br>
<u></u><u></u></p>
</div>
<blockquote style=3D"margin-top:5.0pt;margin-bottom:5.0pt">
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white"><b><span style=3D"font-si=
ze:13.5pt;font-family:&quot;Helvetica&quot;,&quot;sans-serif&quot;">From:</=
span></b><span style=3D"font-size:13.5pt;font-family:&quot;Helvetica&quot;,=
&quot;sans-serif&quot;"><a href=3D"mailto:internet-drafts@ietf.org" target=
=3D"_blank"><span style=3D"color:purple">internet-drafts@ietf.org</span></a=
></span><u></u><u></u></p>


</div>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white"><b><span style=3D"font-si=
ze:13.5pt;font-family:&quot;Helvetica&quot;,&quot;sans-serif&quot;">Subject=
: New Version Notification for draft-hunt-oauth-v2-user-a4c-00.txt</span></=
b><u></u><u></u></p>


</div>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white"><b><span style=3D"font-si=
ze:13.5pt;font-family:&quot;Helvetica&quot;,&quot;sans-serif&quot;">Date:</=
span></b><span style=3D"font-size:13.5pt;font-family:&quot;Helvetica&quot;,=
&quot;sans-serif&quot;">29 July, 2013 9:49:41 AM GMT+02:00</span><u></u><u>=
</u></p>


</div>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white"><b><span style=3D"font-si=
ze:13.5pt;font-family:&quot;Helvetica&quot;,&quot;sans-serif&quot;">To:</sp=
an></b><span style=3D"font-size:13.5pt;font-family:&quot;Helvetica&quot;,&q=
uot;sans-serif&quot;">Phil Hunt &lt;<a href=3D"mailto:phil.hunt@yahoo.com" =
target=3D"_blank"><span style=3D"color:purple">phil.hunt@yahoo.com</span></=
a>&gt;,
 Phil Hunt &lt;<a href=3D"mailto:None@ietfa.amsl.com" target=3D"_blank"><sp=
an style=3D"color:purple">None@ietfa.amsl.com</span></a>&gt;, Phil Hunt &lt=
;&gt;</span><u></u><u></u></p>
</div>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">=A0<u></u><u></u></p>
</div>
</div>
<div>
<p class=3D"MsoNormal" style=3D"margin-bottom:12.0pt;background:white;backg=
round-repeat:initial initial">
<br>
A new version of I-D, draft-hunt-oauth-v2-user-a4c-00.txt<br>
has been successfully submitted by Phil Hunt and posted to the<br>
IETF repository.<br>
<br>
Filename: draft-hunt-oauth-v2-user-a4c<br>
Revision: 00<br>
Title: OAuth 2.0 User Authentication For Client<br>
Creation date: 2013-07-29<br>
Group: Individual Submission<br>
Number of pages: 9<br>
URL: =A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0<a href=3D"http://www.ietf.org/int=
ernet-drafts/draft-hunt-oauth-v2-user-a4c-00.txt" target=3D"_blank"><span s=
tyle=3D"color:purple">http://www.ietf.org/internet-drafts/draft-hunt-oauth-=
v2-user-a4c-00.txt</span></a><br>


Status: =A0=A0=A0=A0=A0=A0=A0=A0=A0<a href=3D"http://datatracker.ietf.org/d=
oc/draft-hunt-oauth-v2-user-a4c" target=3D"_blank"><span style=3D"color:pur=
ple">http://datatracker.ietf.org/doc/draft-hunt-oauth-v2-user-a4c</span></a=
><br>
Htmlized: =A0=A0=A0=A0=A0=A0=A0<a href=3D"http://tools.ietf.org/html/draft-=
hunt-oauth-v2-user-a4c-00" target=3D"_blank"><span style=3D"color:purple">h=
ttp://tools.ietf.org/html/draft-hunt-oauth-v2-user-a4c-00</span></a><br>
<br>
<br>
Abstract:<br>
=A0=A0This specification defines a new OAuth2 endpoint that enables user<br=
>
=A0=A0authentication session information to be shared with client<br>
=A0=A0applications.<br>
<br>
<br>
<br>
<br>
Please note that it may take a couple of minutes from the time of submissio=
n<br>
until the htmlized version and diff are available at <a href=3D"http://tool=
s=
.ietf.org/" target=3D"_blank"><span style=3D"color:purple">tools.ietf.org</=
span></a>.<br>
<br>
The IETF Secretariat<u></u><u></u></p>
</div>
</blockquote>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">=A0<u></u><u></u></p>
</div>
</div>
</div>
</div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">_________________________=
______________________<br>
OAuth mailing list<br>
<a href=3D"mailto:OAuth@ietf.org" target=3D"_blank"><span style=3D"color:pu=
rple">OAuth@ietf.org</span></a><br>
<a href=3D"https://www.ietf.org/mailman/listinfo/oauth" target=3D"_blank"><=
span style=3D"color:purple">https://www.ietf.org/mailman/listinfo/oauth</sp=
an></a><u></u><u></u></p>
</div>
</blockquote>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">=A0<u></u><u></u></p>
</div>
</div>
</div>
</blockquote>
</blockquote>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">=A0<u></u><u></u></p>
</div>
</div>
</div>
</blockquote>
</blockquote>
</div>
</blockquote>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">=A0<u></u><u></u></p>
</div>
</div>
</div>
</div>
</div>
</blockquote>
</div>
<div>
<p class=3D"MsoNormal" style=3D"background:white"><br>
<br clear=3D"all">
<u></u><u></u></p>
</div>
<div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">=A0<u></u><u></u></p>
</div>
</div>
</div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">--<span>=A0</span><br>
Nat Sakimura (=3Dnat)<u></u><u></u></p>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">Chairman, OpenID Foundati=
on<br>
<a href=3D"http://nat.sakimura.org/" target=3D"_blank"><span style=3D"color=
:purple">http://nat.sakimura.org/</span></a><br>
@_nat_en<u></u><u></u></p>
</div>
</div>
</div>
<div>
<p class=3D"MsoNormal" style=3D"margin-bottom:12.0pt;background:white"><br>
<br>
<u></u><u></u></p>
</div>


</blockquote>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">=A0<u></u><u></u></p>
</div>
</div>
</div>
</blockquote>
</div>
<div>
<p class=3D"MsoNormal" style=3D"background:white"><br>
<br clear=3D"all">
<u></u><u></u></p>
</div>
<div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">=A0<u></u><u></u></p>
</div>
</div>
</div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">--<span>=A0</span><br>
Nat Sakimura (=3Dnat)<u></u><u></u></p>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">Chairman, OpenID Foundati=
on<br>
<a href=3D"http://nat.sakimura.org/" target=3D"_blank"><span style=3D"color=
:purple">http://nat.sakimura.org/</span></a><br>
@_nat_en<u></u><u></u></p>
</div>
</div>
</div>
</blockquote>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">=A0<u></u><u></u></p>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</blockquote>
</div>
<div>
<p class=3D"MsoNormal">=A0<u></u><u></u></p>
</div>
</div>
</blockquote>
</div>
</blockquote>
</div>
<p class=3D"MsoNormal"><u></u>=A0<u></u></p>
</div>
</div>
</div></div></div>
</div>

</blockquote></div><br><br clear=3D"all"><div><br></div>-- <br>Nat Sakimura=
 (=3Dnat)<div>Chairman, OpenID Foundation<br><a href=3D"http://nat.sakimura=
.org/" target=3D"_blank">http://nat.sakimura.org/</a><br>@_nat_en</div>
</div>
</div></blockquote><blockquote type=3D"cite"><div><span>___________________=
____________________________</span><br><span>OAuth mailing list</span><br><=
span><a href=3D"mailto:OAuth@ietf.org" target=3D"_blank">OAuth@ietf.org</a>=
</span><br>
<span><a href=3D"https://www.ietf.org/mailman/listinfo/oauth" target=3D"_bl=
ank">https://www.ietf.org/mailman/listinfo/oauth</a></span><br></div></bloc=
kquote></div></div></div></blockquote></div><br><br clear=3D"all"><div><br>=
</div>
-- <br>Nat Sakimura (=3Dnat)<div>Chairman, OpenID Foundation<br><a href=3D"=
http://nat.sakimura.org/" target=3D"_blank">http://nat.sakimura.org/</a><br=
>@_nat_en</div>
</div></div>

--001a11c374a6f8c7af04e2ef79fd--

From wmills_92105@yahoo.com  Thu Aug  1 21:44:40 2013
Return-Path: <wmills_92105@yahoo.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 40F6711E810C for <oauth@ietfa.amsl.com>; Thu,  1 Aug 2013 21:44:40 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.598
X-Spam-Level: 
X-Spam-Status: No, score=-2.598 tagged_above=-999 required=5 tests=[AWL=0.000,  BAYES_00=-2.599, HTML_MESSAGE=0.001]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id a3rNY32W6Azy for <oauth@ietfa.amsl.com>; Thu,  1 Aug 2013 21:44:34 -0700 (PDT)
Received: from nm4.bullet.mail.bf1.yahoo.com (nm4.bullet.mail.bf1.yahoo.com [98.139.212.163]) by ietfa.amsl.com (Postfix) with ESMTP id AA4F821E8252 for <oauth@ietf.org>; Thu,  1 Aug 2013 21:43:46 -0700 (PDT)
Received: from [98.139.212.152] by nm4.bullet.mail.bf1.yahoo.com with NNFMP; 02 Aug 2013 04:43:45 -0000
Received: from [98.139.212.231] by tm9.bullet.mail.bf1.yahoo.com with NNFMP; 02 Aug 2013 04:43:45 -0000
Received: from [127.0.0.1] by omp1040.mail.bf1.yahoo.com with NNFMP; 02 Aug 2013 04:43:45 -0000
X-Yahoo-Newman-Property: ymail-3
X-Yahoo-Newman-Id: 591994.30195.bm@omp1040.mail.bf1.yahoo.com
Received: (qmail 7561 invoked by uid 60001); 2 Aug 2013 04:43:45 -0000
Received: from [99.31.212.42] by web142803.mail.bf1.yahoo.com via HTTP; Thu, 01 Aug 2013 21:43:45 PDT
X-Mailer: YahooMailWebService/0.8.152.567
References: <787A2184-CE90-49F4-ABB6-B8D049AE3941@oracle.com>	<E2282016-1953-48A4-B0AC-7F138D29AB80@oracle.com>	<BAB6DA63-5831-49D0-8CB9-13CF57F78806@ve7jtb.com>	<CABzCy2C=DXtFUOZh=55xH_BwMz1Z8gb2ShUHAG7ZmATtc4E4zw@mail.gmail.com>	<51F983E3.1020400@oracle.com>	<1375307375.98370.YahooMailNeo@web142804.mail.bf1.yahoo.com>	<5c5c607231e644f697c5a60b75688013@BY2PR03MB189.namprd03.prod.outlook.com>	<5D020B1E-531D-444E-A492-046D444D48D2@mitre.org>	<e68801da9fa547c69fee43b9cd7b22b8@BY2PR03MB189.namprd03.prod.outlook.com>	<2117136733141454493@unknownmsgid>	<8E6F38BA-E6BF-40E5-818A-45F506BB181D@mitre.org>	<f4b99e49fbdd4e22b19391cdb720b15d@BY2PR03MB189.namprd03.prod.outlook.com>	<CABzCy2Aou0eMqHKjxOh01mtfzQ8-mvU5BHF84kHHsnPsO3di=Q@mail.gmail.com>	<6F19AC80-0BB9-4387-AA77-77D02CE1E772@oracle.com> <CABzCy2BA-fXy86NU+vZd96jV9yVo9GEBAmm_AoMeZoR-ECgyyQ@mail.gmail.com>
Message-ID: <1375418625.52579.YahooMailNeo@web142803.mail.bf1.yahoo.com>
Date: Thu, 1 Aug 2013 21:43:45 -0700 (PDT)
From: Bill Mills <wmills_92105@yahoo.com>
To: Nat Sakimura <sakimura@gmail.com>, Phil Hunt <phil.hunt@oracle.com>
In-Reply-To: <CABzCy2BA-fXy86NU+vZd96jV9yVo9GEBAmm_AoMeZoR-ECgyyQ@mail.gmail.com>
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="905790552-337973688-1375418625=:52579"
Cc: "oauth@ietf.org WG" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Need for Extending OAuth with AuthN (was Re: Fwd: New Version Notification for draft-hunt-oauth-v2-user-a4c-00.txt)
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
Reply-To: Bill Mills <wmills_92105@yahoo.com>
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 02 Aug 2013 04:44:40 -0000

--905790552-337973688-1375418625=:52579
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable

Circular references are not my favorite.=0A=0A=0A__________________________=
______=0A From: Nat Sakimura <sakimura@gmail.com>=0ATo: Phil Hunt <phil.hun=
t@oracle.com> =0ACc: "oauth@ietf.org WG" <oauth@ietf.org> =0ASent: Thursday=
, August 1, 2013 9:34 PM=0ASubject: Re: [OAUTH-WG] Need for Extending OAuth=
 with AuthN (was Re: Fwd: New Version Notification for draft-hunt-oauth-v2-=
user-a4c-00.txt)=0A =0A=0A=0ANot necessarily. Why would it be inappropriate=
?=C2=A0=0A=0AI call it NIH syndrome.=C2=A0=0ARespecting the work which is d=
one outside is a good thing.=C2=A0=0AJust taking the content and taking a c=
redit for it is a bad practice.=C2=A0=0A=0AForking is also bad.=C2=A0=0A=0A=
=0A=0A=0A2013/8/2 Phil Hunt <phil.hunt@oracle.com>=0A=0AOpenId specs can de=
pend on oAuth. Having OAuth depend on OpenId is not appropriate here.=C2=A0=
=0A>=0A>Phil=0A>=0A>On 2013-08-01, at 18:07, Nat Sakimura <sakimura@gmail.c=
om> wrote:=0A>=0A>=0A>Like Bill says, it can just be a profile of OpenID Co=
nnect.=C2=A0=0A>>IETF specs already references OpenID Foundation specs.=C2=
=A0=0A>>It should not be a problem.=C2=A0=0A>>I do not think we want to for=
k.=C2=A0=0A>>=0A>>=0A>>=0A>>2013/8/1 Anthony Nadalin <tonynad@microsoft.com=
>=0A>>=0A>>I believe it beneficial to have a common format and common value=
s, and 1 way to handle the format and values. I believe that having this in=
 oauth is beneficial, I believe that it would also be beneficial for OpenID=
 if this were in oauth. There are cases for signed and unsigned formats. =
=0A>>>=C2=A0=0A>>>From:Richer, Justin P. [mailto:jricher@mitre.org] =0A>>>S=
ent: Thursday, August 1, 2013 7:15 AM=0A>>>To: Nat Sakimura=0A>>>Cc: Anthon=
y Nadalin; Bill Mills; Prateek Mishra; oauth@ietf.org WG=0A>>>=0A>>>Subject=
: Re: [OAUTH-WG] Need for Extending OAuth with AuthN (was Re: Fwd: New Vers=
ion Notification for draft-hunt-oauth-v2-user-a4c-00.txt)=0A>>>=C2=A0=0A>>>=
Also, it's (optionally) a token in the proposed document we're discussing (=
=C2=A72.4.1), which means there are two ways to parse the same information.=
 OIDC uses JWTs for everything, signed and unsigned. This means that OIDC i=
s actually simpler from an implementation perspective, wouldn't you say? In=
stead of having two parsers, you have one to cover both cases.=C2=A0 =0A>>>=
=C2=A0=0A>>>(And given your tendency to throw signed assertions at every pr=
oblem, I would have thought that you'd prefer this anyway.) =0A>>>=C2=A0=0A=
>>>=C2=A0-- Justin=0A>>>=C2=A0=0A>>>On Aug 1, 2013, at 9:40 AM, Nat Sakimur=
a <sakimura@gmail.com>=0A>>>=C2=A0wrote:=0A>>>=0A>>>=0A>>>=0A>>>Yes, it is =
a Token.=C2=A0=0A>>>>No, it does not have to be signed.=C2=A0=0A>>>>=C2=A0=
=0A>>>>As to be a token or not to be a token question, it has been discusse=
d in the WG before, and if I remember correctly, =C2=A0Microsoft argued for=
 token saying that it is just base64 decoding and I lost there. =C2=A0=0A>>=
>>Nat=0A>>>>=0A>>>>On Aug 1, 2013, at 14:24, Anthony Nadalin <tonynad@micro=
soft.com> wrote:=0A>>>>You can=E2=80=99t do this, first openid uses a token=
 and second it=E2=80=99s signed, third there is no specification to just re=
turn an authentication JSON structure=0A>>>>>=C2=A0=0A>>>>>From:Richer, Ju=
st=
in P. [mailto:jricher@mitre.org] =0A>>>>>Sent: Thursday, August 1, 2013 5:1=
5 AM=0A>>>>>To: Anthony Nadalin=0A>>>>>Cc: Bill Mills; Prateek Mishra; Nat =
Sakimura; oauth@ietf.org WG=0A>>>>>Subject: Re: [OAUTH-WG] Need for Extendi=
ng OAuth with AuthN (was Re: Fwd: New Version Notification for draft-hunt-o=
auth-v2-user-a4c-00.txt)=0A>>>>>=C2=A0=0A>>>>>Tony, you can already return =
the authn result from the token request (we discussed this specifically in =
May as I recall). That's what the "idtoken" and "code idtoken" responses ar=
e for in OpenID Connect. The proposed draft is nearly a duplicate of the co=
re functionality of OIDC. =0A>>>>>=C2=A0=0A>>>>>=C2=A0-- Justin=0A>>>>>=C2=
=A0=0A>>>>>On Aug 1, 2013, at 7:31 AM, Anthony Nadalin <tonynad@microsoft.c=
om>=0A>>>>>=C2=A0wrote:=0A>>>>>=C2=A0=0A>>>>>The proposal does not duplicat=
e what OpenID does, there is clear benefit for returning an authentication =
result in the token request result. This is being proposed as optional JSON=
 structure.=0A>>>>>>=C2=A0=0A>>>>>>From:=C2=A0oauth-bounces@ietf.org=C2=A0[=
mailto:oauth-bounces@ietf.org]=C2=A0On Behalf Of=C2=A0Bill Mills=0A>>>>>>Se=
nt:=C2=A0Wednesday, July 31, 2013 2:50 PM=0A>>>>>>To:=C2=A0Prateek Mishra; =
Nat Sakimura=0A>>>>>>Cc:=C2=A0oauth@ietf.org=C2=A0WG=0A>>>>>>Subject:=C2=A0=
Re: [OAUTH-WG] Need for Extending OAuth with AuthN (was Re: Fwd: New Versio=
n Notification for draft-hunt-oauth-v2-user-a4c-00.txt)=0A>>>>>>=C2=A0=0A>>=
>>>>Rather than extending OAuth for something OpenID already does... =C2=A0=
why don't we get a simple informational example doc to show how to implemen=
t the most basic OpenID service, which is the same functionality on a stand=
ard that's already written?=0A>>>>>>=C2=A0=0A>>>>>>This is sounding more an=
d more like a documentation problem.=0A>>>>>>=C2=A0=0A>>>>>>=0A>>>>>>______=
__________________________=0A>>>>>> =0A>>>>>>From:=C2=A0Prateek Mishra <pra=
teek.mishra@oracle.com>=0A>>>>>>To:=C2=A0Nat Sakimura <sakimura@gmail.com>=
=C2=A0=0A>>>>>>Cc:=C2=A0"oauth@ietf.org WG" <oauth@ietf.org>=C2=A0=0A>>>>>>=
Sent:=C2=A0Wednesday, July 31, 2013 2:38 PM=0A>>>>>>Subject:=C2=A0[OAUTH-WG=
] Need for Extending OAuth with AuthN (was Re: Fwd: New Version Notificatio=
n for draft-hunt-oauth-v2-user-a4c-00.txt)=0A>>>>>>=C2=A0=0A>>>>>>Nat -=C2=
=A0=0A>>>>>>=0A>>>>>>thanks for the detailed response. I did review the lin=
ks you sent out but it remained unclear to me which=0A>>>>>>features are MT=
I and which are not. For example, there is nothing in the Basic Client Prof=
ile that suggests=0A>>>>>>that Section 2.3 is optional. I also could not fi=
nd any definition for " non-dynamic OpenID Connect Server".=0A>>>>>>=0A>>>>=
>>I don't think there is a need to duplicate portions of the draft specific=
a=
tion text in a new document. One solution=0A>>>>>>that was used in SAML 2.0=
 was to define a conformance document which described several different=C2=
=A0=0A>>>>>>operational modes and explained how only a small set of feature=
s needed to be implemented in certain modes.=0A>>>>>>=0A>>>>>>http://docs.o=
asis-open.org/security/saml/v2.0/saml-conformance-2.0-os.pdf=0A>>>>>>=0A>>>=
>>>There are probably other smarter ways to achieve the same effect.=0A>>>>=
>>=0A>>>>>>Given this situation, I do think it's a reasonable task for th=
e O=
Auth community to consider the need for=C2=A0=0A>>>>>>a minimal extension t=
o OAuth that accommodates authentication. The community should be made awar=
e that=C2=A0=0A>>>>>>RFC 6749 is being misused for federated authentication=
, as explained in=C2=A0 -=C2=A0=C2=A0=0A>>>>>>=0A>>>>>>http://www.independe=
ntid.com/2013/07/simple-authentication-for-oauth-2-what.html=C2=A0=0A>>>>>>=
=0A>>>>>>and that there doesn't appear to be a simple solution that is curr=
ently available. It would be great if it turned=0A>>>>>>out that OpenID Con=
nect offered such a solution but that isn't clear to me.=0A>>>>>>=0A>>>>>>T=
hx,=0A>>>>>>prateek=0A>>>>>>=C2=A0=0A>>>>>>=C2=A0=0A>>>>>>>Inline:=C2=A0=0A=
>>>>>>>2013/7/31 Prateek Mishra <prateek.mishra@oracle.com>=0A>>>>>>>Nat -=
=C2=A0=0A>>>>>>>>=0A>>>>>>>>your blog posting is helpful to those of us who=
 are looking for a minimal extension of OAuth with=C2=A0=0A>>>>>>>>an authe=
nticator.=C2=A0 Many implementors are seeking a modest extension of OAuth, =
not an entire new protocol=0A>>>>>>>>stack. =C2=A0 I believe that is the po=
int of Phil Hunt's proposal to the OAuth committee.=0A>>>>>>>>=0A>>>>>>>>I =
do have some questions for about the statements made in the blog -=C2=A0=0A=
>>>>>>>>=0A>>>>>>>>A) Can you direct me to a single OpenID Connect draft sp=
ecification document where steps 1 and 2 are described?=0A>>>>>>>=C2=A0=0A>=
>>>>>>Actually, it is not a single spec, that the Standard is referencing o=
thers.=C2=A0=0A>>>>>>>The Standard is kind of cluttered because it has 6 re=
sponse types and three request types in it.=C2=A0=0A>>>>>>>I suppose it wou=
ld be much easier for the readers to split them into coherent pieces, thoug=
h that means duplicate texts.=C2=A0=0A>>>>>>>=C2=A0=0A>>>>>>>The easiest ap=
proach here is to read the Basic Client Profile.=C2=A0http://openid.net/spe=
cs/openid-connect-basic-1_0-28.html=0A>>>>>>>Then, read=C2=A0OAuth 2.0 Mult=
iple Response Type Encoding Practices=C2=A0http://openid.net/specs/oauth-v2=
-multiple-response-types-1_0-08.html=C2=A0.=C2=A0=0A>>>>>>>=C2=A0=0A>>>>>>>=
=0A>>>>>>>>B) If I implement steps 1 and 2, do I then have a conformant Ope=
nID Connect implementation? Are there no=C2=A0=0A>>>>>>>>other MTI protocol=
 exchanges in OpenID Connect?=0A>>>>>>>=C2=A0=0A>>>>>>>Yes, for a non-dynam=
ic OpenID Connect Server.=C2=A0=0A>>>>>>>=C2=A0=0A>>>>>>>Nat=0A>>>>>>>=C2=
=A0=C2=A0=0A>>>>>>>=0A>>>>>>>>Thanks,=0A>>>>>>>>prateek=0A>>>>>>>>=0A>>>>>>=
>>=0A>>>>>>>>=C2=A0 =C2=A0=0A>>>>>>>>=C2=A0=0A>>>>>>>>I have written a shor=
t blog post titled "Write an OpenID Connect server in three simple steps".=
=C2=A0=0A>>>>>>>>>=C2=A0=0A>>>>>>>>>Really, there is not much you need to o=
n top of OAuth 2.0.=C2=A0=0A>>>>>>>>>=C2=A0=0A>>>>>>>>>It puzzles me why yo=
u need to create a draft with only minor variances in parameter names.=C2=
=A0=0A>>>>>>>>>=C2=A0=0A>>>>>>>>>e.g.,=C2=A0=0A>>>>>>>>>>session instead of=
 id_token=0A>>>>>>>>>>lat instead of iat=0A>>>>>>>>>>alv instead of acr=0A>=
>>>>>>>>>etc.=C2=A0=0A>>>>>>>>>=C2=A0=0A>>>>>>>>>If you change those parame=
ter names, you will have a conformant profile of OpenID Connect.=C2=A0=0A>>=
>>>>>>>=C2=A0=0A>>>>>>>>>Nat=0A>>>>>>>>>=C2=A0=0A>>>>>>>>>2013/7/31 John Br=
adley <ve7jtb@ve7jtb.com>=0A>>>>>>>>>Connect doesn't require a userinfo end=
point. =C2=A0 It is required for interoperability if you are building an op=
en IdP. =C2=A0 For an enterprise type deployment discovery, registration, u=
serinfo are all optional.=0A>>>>>>>>>>=C2=A0=0A>>>>>>>>>>The server is requ=
i=
red to pass the nonce which is equivalent to a request ID through to the JW=
T if the client sends it in the request.=0A>>>>>>>>>>=C2=A0=0A>>>>>>>>>>Jus=
tin is correct.=0A>>>>>>>>>>=C2=A0=0A>>>>>>>>>>John B.=0A>>>>>>>>>>=C2=A0=
=0A>>>>>>>>>>On 2013-07-30, at 5:30 PM, Phil Hunt <phil.hunt@oracle.com> wr=
ote:=0A>>>>>>>>>>=0A>>>>>>>>>>=0A>>>>>>>>>>=0A>>>>>>>>>>Forgot reply all.=
=0A>>>>>>>>>>>=0A>>>>>>>>>>>Phil=0A>>>>>>>>>>>=0A>>>>>>>>>>>Begin forwarded=
 message:=0A>>>>>>>>>>>From:=C2=A0Phil Hunt <phil.hunt@oracle.com>=0A>>>>>>=
>>>>>>Date:=C2=A030 July, 2013 17:25:46 GMT+02:00=0A>>>>>>>>>>>>To:=C2=A0"R=
icher, Justin P." <jricher@mitre.org>=0A>>>>>>>>>>>>Subject:=C2=A0Re: [OAUT=
H-WG] New Version Notification for draft-hunt-oauth-v2-user-a4c-00.txt=0A>>=
>>>>>>>>>The whole point is authn only. Many do not want or need the userin=
fo endpoint.=C2=A0=0A>>>>>>>>>>>>=0A>>>>>>>>>>>>Phil=0A>>>>>>>>>>>>=0A>>>>>=
>>>>>>>On 2013-07-30, at 17:17, "Richer, Justin P." <jricher@mitre.org> wro=
te:=0A>>>>>>>>>>>>What do you mean? You absolutely can implement a complian=
t OIDC server nearly as simply as this. The things that you're missing I th=
ink are necessary for basic interoperable functionality, and are things tha=
t other folks using OAuth for authentication have also implemented. Namely:=
=0A>>>>>>>>>>>>>=C2=A0=0A>>>>>>>>>>>>>=C2=A0- Signing the ID token (OIDC sp=
ecifies the RS256 flavor of JWS, which is easy to do with JWT). Without a s=
igned and verifiable ID token or equivalent, you're asking for all kinds of=
 token injection problems.=0A>>>>>>>>>>>>>=C2=A0- Session management reques=
ts (max auth age, auth time)=0A>>>>>>>>>>>>>=C2=A0- Not fall over with othe=
r parameters that you don't support (display, prompt, etc).=0A>>>>>>>>>>>>>=
=C2=A0=0A>>>>>>>>>>>>>See here for more information:=0A>>>>>>>>>>>>>=C2=A0=
=0A>>>>>>>>>>>>>=C2=A0http://openid.net/specs/openid-connect-messages-1_0.h=
tml#ServerMTI=0A>>>>>>>>>>>>>=C2=A0=0A>>>>>>>>>>>>>Additionally, something =
that's really important to support is the User Info Endpoint, so you can ac=
tually get user profile information beyond just the simple "someone was her=
e" claim -- this was the real value of Facebook Connect from an RP's perspe=
ctive. Some people will probably want to use SCIM for this, too, and that's=
 fine.=0A>>>>>>>>>>>>>=C2=A0=0A>>>>>>>>>>>>>=C2=A0-- Justin=0A>>>>>>>>>>>>>=
=C2=A0=0A>>>>>>>>>>>>>On Jul 30, 2013, at 10:54 AM, Phil Hunt <phil.hunt@or=
acle.com>=0A>>>>>>>>>>>>>=C2=A0wrote:=0A>>>>>>>>>>>>>=0A>>>>>>>>>>>>>=0A>>>=
>>>>>>>>>>=0A>>>>>>>>>>>>>The oidc specs do not allow this simple an implem=
entation. The spec members have not shown interest in making changes as the=
y say they are too far down the road.=0A>>>>>>>>>>>>>>=C2=A0=0A>>>>>>>>>>>>=
>>I have tried to make my draft as close as possible to oidc but maybe it s=
houldn't be clarity wise. I am interested in what the group feels is cleare=
st.=C2=A0=0A>>>>>>>>>>>>>>=C2=A0=0A>>>>>>>>>>>>>>From an ietf perspective t=
he concern is improper use of the 6749 for authn. Is this a bug or gap we n=
eed to address?=0A>>>>>>>>>>>>>>=0A>>>>>>>>>>>>>>Phil=0A>>>>>>>>>>>>>>=0A>>=
>>>>>>>>>>>>On 2013-07-30, at 16:46, "Richer, Justin P." <jricher@mitre.org=
> wrote:=0A>>>>>>>>>>>>>>From what I read, you've defined something that us=
es an OAuth 2 code flow to get an extra token which is specified as a JWT. =
You named it "session_token" instead of "id_token", and you've left off the=
 User Information Endpoint -- but other than that, this is exactly the Basi=
c Client for OpenID Connect. In other words, if you change the names on thi=
ngs you've got OIDC, but without the capabilities to go beyond a very basic=
 "hey there's a user here" claim. This is the same place that OpenID 2.0 st=
arted, and it was very, very quickly extended with SREG, AX, PAPE, and othe=
rs for it to be useful in the real world of distributed logins. You've also=
 left out discovery and registration which are required for distributed dep=
loyments, but I'm guessing that those would be modular components that coul=
d be added in (like they are in OIDC).=C2=A0=0A>>>>>>>>>>>>>>>=C2=A0=0A>>>>=
>>>>>>>>>>>I've heard complaints that OIDC is complicated, but it's really =
not. Yes, I agree that the giant stack of documents is intimidating and in =
my opinion it's a bit of a mess with Messages and Standard split up (but I =
lost that argument years ago). However, at the core, you've got an OAuth2 a=
uthorization server that spits out access tokens and id tokens. The id toke=
n is a JWT with some known claims (iss, sub, etc) and is issued along side =
the access token, and its audience is the *client* and not the *protected r=
esource*. The access token is a regular old access token and its format is =
undefined (so you can use it with an existing OAuth2 server setup, like we =
have), and it can be used at the User Info Endpoint to get profile informat=
ion about the user who authenticated. It could also be used for other servi=
ces if your AS/IdP protects multiple things.=0A>>>>>>>>>>>>>>>=C2=A0=0A>>>>=
>>>>>>>>>>>So I guess what I'm missing is what's the value proposition in t=
his spec when we have something that can do this already? And this doesn't =
seem to do anything different (apart from syntax changes)?=0A>>>>>>>>>>>>>>=
>=C2=A0=0A>>>>>>>>>>>>>>>=C2=A0-- Justin=0A>>>>>>>>>>>>>>>=C2=A0=0A>>>>>>>>=
>>>>>>>On Jul 29, 2013, at 4:14 AM, Phil Hunt <phil.hunt@oracle.com> wrote:=
=0A>>>>>>>>>>>>>>>=0A>>>>>>>>>>>>>>>=0A>>>>>>>>>>>>>>>=0A>>>>>>>>>>>>>>>FYI=
. =C2=A0I have been noticing a substantial number of sites acting as OAuth =
Clients using OAuth to authenticate users.=0A>>>>>>>>>>>>>>>>=C2=A0=0A>>>>>=
>>>>>>>>>>>I know several of us have blogged on the issue over the past yea=
r so I won't re-hash it here. =C2=A0In short, many of us recommended OIDC a=
s the correct methodology.=0A>>>>>>>>>>>>>>>>=C2=A0=0A>>>>>>>>>>>>>>>>Never=
theless, I've spoken with a number of service providers who indicate they=
 are not ready to make the jump to OIDC, yet they agree there is a desire t=
o support authentication only (whereas OIDC does IDP-like services).=0A>>>=
>>>>>>>>>>>>>=C2=A0=0A>>>>>>>>>>>>>>>>This draft is intended as a minimum a=
uthentication only specification. =C2=A0I've tried to make it as compatible=
 as possible with OIDC.=0A>>>>>>>>>>>>>>>>=C2=A0=0A>>>>>>>>>>>>>>>>For now,=
 I've just posted to keep track of the issue so we can address at the next =
re-chartering.=0A>>>>>>>>>>>>>>>>=C2=A0=0A>>>>>>>>>>>>>>>>Happy to answer q=
uestions and discuss.=C2=A0=0A>>>>>>>>>>>>>>>>=C2=A0=0A>>>>>>>>>>>>>>>>Phil=
=0A>>>>>>>>>>>>>>>>=C2=A0=0A>>>>>>>>>>>>>>>>@independentid=0A>>>>>>>>>>>>>>=
>>www.independentid.com=0A>>>>>>>>>>>>>>>>phil.hunt@oracle.com=0A>>>>>>>>>>=
>>>>>>=C2=A0=0A>>>>>>>>>>>>>>>>=0A>>>>>>>>>>>>>>>>=0A>>>>>>>>>>>>>>>>=0A>>>=
>>>>>>>>>>>>>=C2=A0=0A>>>>>>>>>>>>>>>>Begin forwarded message:=0A>>>>>>>>>>=
>>>>>>=0A>>>>>>>>>>>>>>>>=0A>>>>>>>>>>>>>>>>=0A>>>>>>>>>>>>>>>>From:interne=
t-drafts@ietf.org=0A>>>>>>>>>>>>>>>>>Subject: New Version Notification for =
draft-hunt-oauth-v2-user-a4c-00.txt=0A>>>>>>>>>>>>>>>>>Date:29 July, 2013 9=
:49:41 AM GMT+02:00=0A>>>>>>>>>>>>>>>>>To:Phil Hunt <phil.hunt@yahoo.com>, =
Phil Hunt <None@ietfa.amsl.com>, Phil Hunt <>=0A>>>>>>>>>>>>>>>>>=C2=A0=0A>=
>>>>>>>>>>>>>>>>=0A>>>>>>>>>>>>>>>>>A new version of I-D, draft-hunt-oauth-=
v2-user-a4c-00.txt=0A>>>>>>>>>>>>>>>>>has been successfully submitted by Ph=
il Hunt and posted to the=0A>>>>>>>>>>>>>>>>>IETF repository.=0A>>>>>>>>>>>=
>>>>>>=0A>>>>>>>>>>>>>>>>>Filename: draft-hunt-oauth-v2-user-a4c=0A>>>>>>>>=
>>>>>>>>>Revision: 00=0A>>>>>>>>>>>>>>>>>Title: OAuth 2.0 User Authenticati=
on For Client=0A>>>>>>>>>>>>>>>>>Creation date: 2013-07-29=0A>>>>>>>>>>>>>>=
>>>Group: Individual Submission=0A>>>>>>>>>>>>>>>>>Number of pages: 9=0A>>>=
>>>>>>>>>>>>>>URL: =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=
=C2=A0=C2=A0=C2=A0http://www.ietf.org/internet-drafts/draft-hunt-oauth-v2-u=
ser-a4c-00.txt=0A>>>>>>>>>>>>>>>>>Status: =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=
=A0=C2=A0=C2=A0=C2=A0http://datatracker.ietf.org/doc/draft-hunt-oauth-v2-us=
er-a4c=0A>>>>>>>>>>>>>>>>>Htmlized: =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=
=A0http://tools.ietf.org/html/draft-hunt-oauth-v2-user-a4c-00=0A>>>>>>>>>>>=
>>>>>>=0A>>>>>>>>>>>>>>>>>=0A>>>>>>>>>>>>>>>>>Abstract:=0A>>>>>>>>>>>>>>>>>=
=C2=A0=C2=A0This specification defines a new OAuth2 endpoint that enables u=
ser=0A>>>>>>>>>>>>>>>>>=C2=A0=C2=A0authentication session information to be=
 shared with client=0A>>>>>>>>>>>>>>>>>=C2=A0=C2=A0applications.=0A>>>>>>>>=
>>>>>>>>>=0A>>>>>>>>>>>>>>>>>=0A>>>>>>>>>>>>>>>>>=0A>>>>>>>>>>>>>>>>>=0A>>>=
>>>>>>>>>>>>>>Please note that it may take a couple of minutes from the tim=
e of submission=0A>>>>>>>>>>>>>>>>>until the htmlized version and diff are =
available attools.ietf.org.=0A>>>>>>>>>>>>>>>>>=0A>>>>>>>>>>>>>>>>>The IETF=
 Secretariat=0A>>>>>>>>>>>>>>>>=C2=A0=0A>>>>>>>>>>>>>>>>___________________=
____________________________=0A>>>>>>>>>>>>>>>>OAuth mailing list=0A>>>>>>>=
>>>>>>>>>OAuth@ietf.org=0A>>>>>>>>>>>>>>>>https://www.ietf.org/mailman/list=
info/oauth=0A>>>>>>>>>>>>>>>=C2=A0=0A>>>>>>>>>>>>>=C2=A0=0A>>>>>>>>>>>_____=
__________________________________________=0A>>>>>>>>>>>OAuth mailing list=
=0A>>>>>>>>>>>OAuth@ietf.org=0A>>>>>>>>>>>https://www.ietf.org/mailman/list=
info/oauth=0A>>>>>>>>>>=C2=A0=0A>>>>>>>>>>=0A>>>>>>>>>>____________________=
___________________________=0A>>>>>>>>>>OAuth mailing list=0A>>>>>>>>>>OAut=
h@ietf.org=0A>>>>>>>>>>https://www.ietf.org/mailman/listinfo/oauth=0A>>>>>>=
>>>=0A>>>>>>>>>=0A>>>>>>>>>=0A>>>>>>>>>=C2=A0=0A>>>>>>>>>--=C2=A0=0A>>>>>>>=
>>Nat Sakimura (=3Dnat)=0A>>>>>>>>>Chairman, OpenID Foundation=0A>>>>>>>>>h=
ttp://nat.sakimura.org/=0A>>>>>>>>>@_nat_en=0A>>>>>>>>>=0A>>>>>>>>>=0A>>>>>=
>>>>=0A>>>>>>>>>_______________________________________________=0A>>>>>>>>>=
OAuth mailing list=0A>>>>>>>>>OAuth@ietf.org=0A>>>>>>>>>https://www.ietf.or=
g/mailman/listinfo/oauth=0A>>>>>>>>=C2=A0=0A>>>>>>>=0A>>>>>>>=0A>>>>>>>=0A>=
>>>>>>=C2=A0=0A>>>>>>>--=C2=A0=0A>>>>>>>Nat Sakimura (=3Dnat)=0A>>>>>>>Chai=
rman, OpenID Foundation=0A>>>>>>>http://nat.sakimura.org/=0A>>>>>>>@_nat_en=
=0A>>>>>>=C2=A0=0A>>>>>>=0A>>>>>>__________________________________________=
_____=0A>>>>>>OAuth mailing list=0A>>>>>>OAuth@ietf.org=0A>>>>>>https://www=
.ietf.org/mailman/listinfo/oauth=0A>>>>>>=0A>>>>>>=0A>>>>>>________________=
_______________________________=0A>>>>>>OAuth mailing list=0A>>>>>>OAuth@ie=
tf.org=0A>>>>>>https://www.ietf.org/mailman/listinfo/oauth=0A>>>>>=C2=A0=0A=
>>>=C2=A0=0A>>=0A>>=0A>>=0A>>-- =0A>>Nat Sakimura (=3Dnat)=0A>>Chairman, Op=
enID Foundation=0A>>http://nat.sakimura.org/=0A>>@_nat_en=0A>______________=
_________________________________=0A>>OAuth mailing list=0A>>OAuth@ietf.org=
=0A>>https://www.ietf.org/mailman/listinfo/oauth=0A>>=0A=0A=0A=0A-- =0ANat =
Sakimura (=3Dnat)=0AChairman, OpenID Foundation=0Ahttp://nat.sakimura.org/=
=0A@_nat_en=0A_______________________________________________=0AOAuth maili=
ng list=0AOAuth@ietf.org=0Ahttps://www.ietf.org/mailman/listinfo/oauth
--905790552-337973688-1375418625=:52579
Content-Type: text/html; charset=utf-8
Content-Transfer-Encoding: quoted-printable

<html><body><div style=3D"color:#000; background-color:#fff; font-family:Co=
urier New, courier, monaco, monospace, sans-serif;font-size:12pt"><div><spa=
n>Circular references are not my favorite.</span></div><div><br></div>  <di=
v style=3D"font-family: 'Courier New', courier, monaco, monospace, sans-ser=
if; font-size: 12pt;"> <div style=3D"font-family: 'times new roman', 'new y=
ork', times, serif; font-size: 12pt;"> <div dir=3D"ltr"> <hr size=3D"1">  <=
font size=3D"2" face=3D"Arial"> <b><span style=3D"font-weight:bold;">From:<=
/span></b> Nat Sakimura &lt;sakimura@gmail.com&gt;<br> <b><span style=3D"fo=
nt-weight: bold;">To:</span></b> Phil Hunt &lt;phil.hunt@oracle.com&gt; <br=
><b><span style=3D"font-weight: bold;">Cc:</span></b> "oauth@ietf.org WG" &=
lt;oauth@ietf.org&gt; <br> <b><span style=3D"font-weight: bold;">Sent:</spa=
n></b> Thursday, August 1, 2013 9:34 PM<br> <b><span style=3D"font-weight: =
bold;">Subject:</span></b> Re: [OAUTH-WG] Need for Extending OAuth with Aut=
hN (was Re: Fwd:
 New Version Notification for draft-hunt-oauth-v2-user-a4c-00.txt)<br> </fo=
nt> </div> <div class=3D"y_msg_container"><br><div id=3D"yiv1833077055"><di=
v dir=3D"ltr">Not necessarily. Why would it be inappropriate?&nbsp;<div><br=
></div><div>I call it NIH syndrome.&nbsp;</div><div>Respecting the work whi=
ch is done outside is a good thing.&nbsp;</div><div>Just taking the content=
 and taking a credit for it is a bad practice.&nbsp;</div>=0A<div><br></div=
><div>Forking is also bad.&nbsp;</div><div><br></div><div class=3D"yiv18330=
77055gmail_extra"><br><br><div class=3D"yiv1833077055gmail_quote">2013/8/2 =
Phil Hunt <span dir=3D"ltr">&lt;<a rel=3D"nofollow" ymailto=3D"mailto:phil.=
hunt@oracle.com" target=3D"_blank" href=3D"mailto:phil.hunt@oracle.com">phi=
l.hunt@oracle.com</a>&gt;</span><br>=0A<blockquote class=3D"yiv1833077055gm=
ail_quote" style=3D"margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-le=
ft:1ex;"><div><div>OpenId specs can depend on oAuth. Having OAuth depend on=
 OpenId is not appropriate here.&nbsp;<span class=3D"yiv1833077055HOEnZb"><=
font color=3D"#888888"><br>=0A<br>Phil</font></span></div><div><div class=
=3D"yiv1833077055h5"><div><br>On 2013-08-01, at 18:07, Nat Sakimura &lt;<a =
rel=3D"nofollow" ymailto=3D"mailto:sakimura@gmail.com" target=3D"_blank" hr=
ef=3D"mailto:sakimura@gmail.com">sakimura@gmail.com</a>&gt; wrote:<br><br><=
/div><blockquote type=3D"cite">=0A<div><div dir=3D"ltr">Like Bill says, it =
can just be a profile of OpenID Connect.&nbsp;<div>IETF specs already refer=
ence OpenID Foundation specs.&nbsp;</div><div>It should not be a problem.&=
nbsp;</div><div>I do not think we want to fork.&nbsp;</div>=0A=0A</div><div=
 class=3D"yiv1833077055gmail_extra"><br><br><div class=3D"yiv1833077055gmai=
l_quote">2013/8/1 Anthony Nadalin <span dir=3D"ltr">&lt;<a rel=3D"nofollow"=
 ymailto=3D"mailto:tonynad@microsoft.com" target=3D"_blank" href=3D"mailto:=
tonynad@microsoft.com">tonynad@microsoft.com</a>&gt;</span><br><blockquote =
class=3D"yiv1833077055gmail_quote" style=3D"margin:0 0 0 .8ex;border-left:1=
px #ccc solid;padding-left:1ex;">=0A=0A=0A=0A=0A=0A=0A=0A<div lang=3D"EN-US=
">=0A<div>=0A<div class=3D"yiv1833077055MsoNormal"><span style=3D"font-size=
:11.0pt;color:#1f497d;">I believe it beneficial to have a common format and=
 common values, and 1 way to handle the format and values. I believe that h=
aving this in oauth is beneficial,=0A I believe that it would also be benef=
icial for OpenID if this were in oauth. There are cases for signed and unsi=
gned formats.=0A<u></u><u></u></span></div>=0A<div class=3D"yiv1833077055Ms=
oNormal"><a rel=3D"nofollow" name=3D"1403d1e1feb19c57_1403a4678daa8350__Mai=
lEndCompose" href=3D""><span style=3D"font-size:11.0pt;color:#1f497d;"><u><=
/u>&nbsp;<u></u></span></a></div>=0A<div>=0A<div style=3D"border:none;borde=
r-top:solid #e1e1e1 1.0pt;padding:3.0pt 0in 0in 0in;">=0A<div class=3D"yiv1=
833077055MsoNormal"><b><span style=3D"font-size:11.0pt;">From:</span></b><s=
pan style=3D"font-size:11.0pt;"> Richer, Justin P. [mailto:<a rel=3D"nofoll=
ow" ymailto=3D"mailto:jricher@mitre.org" target=3D"_blank" href=3D"mailto:j=
richer@mitre.org">jricher@mitre.org</a>]=0A<br>=0A<b>Sent:</b> Thursday, Au=
gust 1, 2013 7:15 AM<br>=0A<b>To:</b> Nat Sakimura<br>=0A<b>Cc:</b> Anthony=
 Nadalin; Bill Mills; Prateek Mishra; <a rel=3D"nofollow" ymailto=3D"mailto=
:oauth@ietf.org" target=3D"_blank" href=3D"mailto:oauth@ietf.org">oauth@iet=
f.org</a> WG</span></div><div><div><br>=0A<b>Subject:</b> Re: [OAUTH-WG] Ne=
ed for Extending OAuth with AuthN (was Re: Fwd: New Version Notification fo=
r draft-hunt-oauth-v2-user-a4c-00.txt)<u></u><u></u></div></div>=0A</div>=
=0A</div><div><div>=0A<div class=3D"yiv1833077055MsoNormal"><u></u>&nbsp;<u=
></u></div>=0A<div class=3D"yiv1833077055MsoNormal">Also, it's (optionally)=
 a token in the proposed document we're discussing (=C2=A72.4.1), which mea=
ns there are two ways to parse the same information. OIDC uses JWTs for eve=
rything, signed and unsigned. This means that OIDC is actually simpler=0A f=
rom an implementation perspective, wouldn't you say? Instead of having two =
parsers, you have one to cover both cases.&nbsp;=0A<u></u><u></u></div>=0A<=
div>=0A<div class=3D"yiv1833077055MsoNormal"><u></u>&nbsp;<u></u></div>=0A<=
/div>=0A<div>=0A<div class=3D"yiv1833077055MsoNormal">(And given your tende=
ncy to throw signed assertions at every problem, I would have thought that =
you'd prefer this anyway.)=0A<u></u><u></u></div>=0A<div>=0A<div class=3D"y=
iv1833077055MsoNormal"><u></u>&nbsp;<u></u></div>=0A</div>=0A<div>=0A<div c=
lass=3D"yiv1833077055MsoNormal">&nbsp;-- Justin<u></u><u></u></div>=0A</div=
>=0A<div>=0A<div class=3D"yiv1833077055MsoNormal"><u></u>&nbsp;<u></u></div=
>=0A<div>=0A<div>=0A<div class=3D"yiv1833077055MsoNormal">On Aug 1, 2013, a=
t 9:40 AM, Nat Sakimura &lt;<a rel=3D"nofollow" ymailto=3D"mailto:sakimura@=
gmail.com" target=3D"_blank" href=3D"mailto:sakimura@gmail.com">sakimura@gm=
ail.com</a>&gt;<u></u><u></u></div>=0A</div>=0A<div>=0A<div class=3D"yiv183=
3077055MsoNormal">&nbsp;wrote:<u></u><u></u></div>=0A</div>=0A<div class=3D=
"yiv1833077055MsoNormal"><br>=0A<br>=0A<u></u><u></u></div>=0A<blockquote s=
tyle=3D"margin-top:5.0pt;margin-bottom:5.0pt;">=0A<div>=0A<div>=0A<div clas=
s=3D"yiv1833077055MsoNormal">Yes, it is a Token.&nbsp;<u></u><u></u></div>=
=0A</div>=0A<div>=0A<div class=3D"yiv1833077055MsoNormal">No, it does not h=
ave to be signed.&nbsp;<u></u><u></u></div>=0A</div>=0A<div>=0A<div class=
=3D"yiv1833077055MsoNormal"><u></u>&nbsp;<u></u></div>=0A</div>=0A<div>=0A<=
div class=3D"yiv1833077055MsoNormal" style=3D"margin-bottom:12.0pt;">As to =
be a token or not to be a token question, it has been discussed in the WG b=
efore, and if I remember correctly, &nbsp;Microsoft argued for token saying=
 that it is just base64 decoding and I lost there. &nbsp;<u></u><u></u></di=
v>=0A=0A=0A</div>=0A<div>=0A<div class=3D"yiv1833077055MsoNormal">Nat<u></u=
><u></u></div>=0A</div>=0A<div>=0A<div class=3D"yiv1833077055MsoNormal" sty=
le=3D"margin-bottom:12.0pt;"><br>=0AOn Aug 1, 2013, at 14:24, Anthony Nadal=
in &lt;<a rel=3D"nofollow" ymailto=3D"mailto:tonynad@microsoft.com" target=
=3D"_blank" href=3D"mailto:tonynad@microsoft.com">tonynad@microsoft.com</a>=
&gt; wrote:<u></u><u></u></div>=0A</div>=0A<blockquote style=3D"margin-top:=
5.0pt;margin-bottom:5.0pt;">=0A<div class=3D"yiv1833077055MsoNormal"><span =
style=3D"font-size:11.0pt;color:#1f497d;">You can=E2=80=99t do this, first =
openid uses a token and second it=E2=80=99s signed, third there is no speci=
fication to just return an authentication JSON structure</span><u></u><u></u=
></div>=0A=0A=0A<div class=3D"yiv1833077055MsoNormal"><span style=3D"font-s=
ize:11.0pt;color:#1f497d;">&nbsp;</span><u></u><u></u></div>=0A<div>=0A<div=
 style=3D"border:none;border-top:solid #e1e1e1 1.0pt;padding:3.0pt 0in 0in =
0in;">=0A<div class=3D"yiv1833077055MsoNormal"><b><span style=3D"font-size:=
11.0pt;">From:</span></b><span style=3D"font-size:11.0pt;"> Richer, Justin =
P. [<a rel=3D"nofollow" ymailto=3D"mailto:jricher@mitre.org" target=3D"_bla=
nk" href=3D"mailto:jricher@mitre.org">mailto:jricher@mitre.org</a>]=0A<br>=
=0A<b>Sent:</b> Thursday, August 1, 2013 5:15 AM<br>=0A<b>To:</b> Anthony N=
adalin<br>=0A<b>Cc:</b> Bill Mills; Prateek Mishra; Nat Sakimura; <a rel=3D=
"nofollow" ymailto=3D"mailto:oauth@ietf.org" target=3D"_blank" href=3D"mail=
to:oauth@ietf.org">=0Aoauth@ietf.org</a> WG<br>=0A<b>Subject:</b> Re: [OAUT=
H-WG] Need for Extending OAuth with AuthN (was Re: Fwd: New Version Notific=
ation for draft-hunt-oauth-v2-user-a4c-00.txt)</span><u></u><u></u></div>=
=0A</div>=0A</div>=0A<div>=0A<div class=3D"yiv1833077055MsoNormal">&nbsp;<u=
></u><u></u></div>=0A</div>=0A<div class=3D"yiv1833077055MsoNormal">Tony, y=
ou can already return the authn result from the token request (we discussed=
 this specifically in May as I recall). That's what the "idtoken" and "code=
 idtoken" responses are for in OpenID Connect. The proposed draft is nearly=
 a duplicate=0A of the core functionality of OIDC. <u></u><u></u></div>=0A<=
div>=0A<div>=0A<div class=3D"yiv1833077055MsoNormal">&nbsp;<u></u><u></u></=
div>=0A</div>=0A</div>=0A<div>=0A<div class=3D"yiv1833077055MsoNormal">&nbs=
p;-- Justin<u></u><u></u></div>=0A</div>=0A<div>=0A<div>=0A<div class=3D"yi=
v1833077055MsoNormal">&nbsp;<u></u><u></u></div>=0A</div>=0A<div>=0A<div>=
=0A<div class=3D"yiv1833077055MsoNormal">On Aug 1, 2013, at 7:31 AM, Anthon=
y Nadalin &lt;<a rel=3D"nofollow" ymailto=3D"mailto:tonynad@microsoft.com" =
target=3D"_blank" href=3D"mailto:tonynad@microsoft.com">tonynad@microsoft.c=
om</a>&gt;<u></u><u></u></div>=0A</div>=0A<div>=0A<div class=3D"yiv18330770=
55MsoNormal">&nbsp;wrote:<u></u><u></u></div>=0A</div>=0A<div class=3D"yiv1=
833077055MsoNormal" style=3D"margin-bottom:12.0pt;"><u></u>&nbsp;<u></u></d=
iv>=0A<blockquote style=3D"margin-top:5.0pt;margin-bottom:5.0pt;">=0A<div>=
=0A<div>=0A<div class=3D"yiv1833077055MsoNormal"><span style=3D"font-size:1=
1.0pt;color:#1f497d;">The proposal does not duplicate what OpenID does, the=
re is clear benefit for returning an authentication result in the token req=
uest result. This is being proposed=0A as optional JSON structure.</span><u=
></u><u></u></div>=0A</div>=0A<div>=0A<div>=0A<div class=3D"yiv1833077055Ms=
oNormal"><span style=3D"font-size:11.0pt;color:#1f497d;">&nbsp;</span><u></=
u><u></u></div>=0A</div>=0A</div>=0A<div>=0A<div style=3D"border:none;borde=
r-top:solid #e1e1e1 1.0pt;padding:3.0pt 0in 0in 0in;">=0A<div>=0A<div class=
=3D"yiv1833077055MsoNormal"><b><span style=3D"font-size:11.0pt;">From:</spa=
n></b><span><span style=3D"font-size:11.0pt;">&nbsp;</span></span><span sty=
le=3D"font-size:11.0pt;"><a rel=3D"nofollow" ymailto=3D"mailto:oauth-bounce=
s@ietf.org" target=3D"_blank" href=3D"mailto:oauth-bounces@ietf.org"><span =
style=3D"color:purple;">oauth-bounces@ietf.org</span></a><span>&nbsp;</span=
>[mailto:<a rel=3D"nofollow" ymailto=3D"mailto:oauth-" target=3D"_blank" hr=
ef=3D"mailto:oauth-">oauth-</a><a rel=3D"nofollow" ymailto=3D"mailto:bounce=
s@ietf.org" target=3D"_blank" href=3D"mailto:bounces@ietf.org"><span style=
=3D"color:purple;">bounces@ietf.org</span></a>]<span>&nbsp;</span><b>On=0A =
Behalf Of<span>&nbsp;</span></b>Bill Mills<br>=0A<b>Sent:</b><span>&nbsp;</=
span>Wednesday, July 31, 2013 2:50 PM<br>=0A<b>To:</b><span>&nbsp;</span>Pr=
ateek Mishra; Nat Sakimura<br>=0A<b>Cc:</b><span>&nbsp;</span><a rel=3D"nof=
ollow" ymailto=3D"mailto:oauth@ietf.org" target=3D"_blank" href=3D"mailto:o=
auth@ietf.org"><span style=3D"color:purple;">oauth@ietf.org</span></a><span=
>&nbsp;</span>WG<br>=0A<b>Subject:</b><span>&nbsp;</span>Re: [OAUTH-WG] Nee=
d for Extending OAuth with AuthN (was Re: Fwd: New Version Notification for=
 draft-hunt-oauth-v2-user-a4c-00.txt)</span><u></u><u></u></div>=0A</div>=
=0A</div>=0A</div>=0A<div>=0A<div>=0A<div class=3D"yiv1833077055MsoNormal">=
&nbsp;<u></u><u></u></div>=0A</div>=0A</div>=0A<div>=0A<div>=0A<div>=0A<div=
 class=3D"yiv1833077055MsoNormal" style=3D"background:white;"><span style=
=3D"">Rather than extending OAuth for something OpenID already does... &nbs=
p;why don't we get a simple informational example doc to show how to implem=
ent the most basic OpenID service,=0A which is the same functionality on a =
standard that's already written?</span><u></u><u></u></div>=0A</div>=0A</di=
v>=0A<div>=0A<div>=0A<div>=0A<div class=3D"yiv1833077055MsoNormal"><span st=
yle=3D"">&nbsp;</span><u></u><u></u></div>=0A</div>=0A</div>=0A</div>=0A<di=
v>=0A<div>=0A<div class=3D"yiv1833077055MsoNormal"><span style=3D"">This is=
 sounding more and more like a documentation problem.</span><u></u><u></u><=
/div>=0A</div>=0A</div>=0A<div>=0A<div>=0A<div>=0A<div class=3D"yiv18330770=
55MsoNormal" style=3D"background:white;"><span style=3D"">&nbsp;</span><u><=
/u><u></u></div>=0A</div>=0A</div>=0A</div>=0A<div>=0A<div>=0A<div class=3D=
"yiv1833077055MsoNormal" align=3D"center" style=3D"text-align:center;backgr=
ound:white;">=0A<hr size=3D"1" width=3D"100%" align=3D"center">=0A</div>=0A=
<div>=0A<div class=3D"yiv1833077055MsoNormal" style=3D"background:white;"><=
b><span style=3D"font-size:10.0pt;">From:</span></b><span><span style=3D"fo=
nt-size:10.0pt;">&nbsp;</span></span><span style=3D"font-size:10.0pt;">Prat=
eek=0A Mishra &lt;<a rel=3D"nofollow" ymailto=3D"mailto:prateek.mishra@orac=
le.com" target=3D"_blank" href=3D"mailto:prateek.mishra@oracle.com"><span s=
tyle=3D"color:purple;">prateek.mishra@oracle.com</span></a>&gt;<br>=0A<b>To=
:</b><span>&nbsp;</span>Nat Sakimura &lt;<a rel=3D"nofollow" ymailto=3D"mai=
lto:sakimura@gmail.com" target=3D"_blank" href=3D"mailto:sakimura@gmail.com=
"><span style=3D"color:purple;">sakimura@gmail.com</span></a>&gt;<span>&nbs=
p;</span><br>=0A<b>Cc:</b><span>&nbsp;</span>"<a rel=3D"nofollow" ymailto=
=3D"mailto:oauth@ietf.org%20WG" target=3D"_blank" href=3D"mailto:oauth@ietf=
.org%20WG"><span style=3D"color:purple;">oauth@ietf.org WG</span></a>" &lt;=
<a rel=3D"nofollow" ymailto=3D"mailto:oauth@ietf.org" target=3D"_blank" hre=
f=3D"mailto:oauth@ietf.org"><span style=3D"color:purple;">oauth@ietf.org</s=
pan></a>&gt;<span>&nbsp;</span><br>=0A=0A=0A<b>Sent:</b><span>&nbsp;</span>=
Wednesday, July 31, 2013 2:38 PM<br>=0A<b>Subject:</b><span>&nbsp;</span>[O=
AUTH-WG] Need for Extending OAuth with AuthN (was Re: Fwd: New Version Noti=
fication for draft-hunt-oauth-v2-user-a4c-00.txt)</span><u></u><u></u></div=
>=0A</div>=0A</div>=0A<div>=0A<div>=0A<div>=0A<div class=3D"yiv1833077055Ms=
oNormal" style=3D"background:white;">&nbsp;<u></u><u></u></div>=0A</div>=0A=
</div>=0A<div>=0A<div>=0A<div class=3D"yiv1833077055MsoNormal" style=3D"bac=
kground:white;">Nat -<span>&nbsp;</span><br>=0A<br>=0Athanks for the detail=
ed response. I did review the links you sent out but it remained unclear to=
 me which<br>=0Afeatures are MTI and which are not. For example, there is n=
othing in the Basic Client Profile that suggests<br>=0Athat Section 2.3 is =
optional. I also could not find any definition for " non-dynamic OpenID Con=
nect Server".<br>=0A<br>=0AI dont think there is a need to duplicate portio=
ns of the draft specification text in a new document. One solution<br>=0Ath=
at was used in SAML 2.0 was to define a conformance document which describe=
d several different<span>&nbsp;</span><br>=0Aoperational modes and explaine=
d how only a small set of features needed to be implemented in certain mode=
s.<br>=0A<br>=0A<a rel=3D"nofollow" target=3D"_blank" href=3D"http://docs.o=
asis-open.org/security/saml/v2.0/saml-conformance-2.0-os.pdf"><span style=
=3D"color:purple;">http://docs.oasis-open.org/security/saml/v2.0/saml-confo=
rmance-2.0-os.pdf</span></a><br>=0A<br>=0AThere are probably other smarter =
ways to achieve the same effect.<br>=0A<br>=0AGiven this situation, I do th=
ink it's a reasonable task for the OAuth community to consider the need for<=
span>&nbsp;</span><br>=0Aa minimal extension to OAuth that accommodates aut=
hentication. The community should be made aware that<span>&nbsp;</span><br>=
=0ARFC 6749 is being misused for federated authentication, as explained in&=
nbsp; -&nbsp;<span>&nbsp;</span><br>=0A<br>=0A<a rel=3D"nofollow" target=3D=
"_blank" href=3D"http://www.independentid.com/2013/07/simple-authentication=
-for-oauth-2-what.html"><span style=3D"color:purple;">http://www.independen=
tid.com/2013/07/simple-authentication-for-oauth-2-what.html</span></a><span=
>&nbsp;</span><br>=0A=0A=0A<br>=0Aand that there doesn't appear to be a sim=
ple solution that is currently available. It would be great if it turned<br=
>=0Aout that OpenID Connect offered such a solution but that isn't clear to=
 me.<br>=0A<br>=0AThx,<br>=0Aprateek<u></u><u></u></div>=0A</div>=0A<div>=
=0A<div>=0A<div>=0A<div class=3D"yiv1833077055MsoNormal" style=3D"backgroun=
d:white;">&nbsp;<u></u><u></u></div>=0A</div>=0A</div>=0A</div>=0A<blockquo=
te style=3D"margin-top:5.0pt;margin-bottom:5.0pt;">=0A<div>=0A<div>=0A<div =
class=3D"yiv1833077055MsoNormal" style=3D"background:white;">&nbsp;<u></u><=
u></u></div>=0A</div>=0A</div>=0A<div>=0A<div class=3D"yiv1833077055MsoNorm=
al" style=3D"margin-bottom:12.0pt;background:white;">=0AInline:&nbsp;<u></u=
><u></u></div>=0A<div>=0A<div>=0A<div class=3D"yiv1833077055MsoNormal" styl=
e=3D"background:white;">2013/7/31 Prateek Mishra &lt;<a rel=3D"nofollow" ym=
ailto=3D"mailto:prateek.mishra@oracle.com" target=3D"_blank" href=3D"mailto=
:prateek.mishra@oracle.com"><span style=3D"color:purple;">prateek.mishra@or=
acle.com</span></a>&gt;<u></u><u></u></div>=0A</div>=0A<blockquote style=3D=
"border:none;border-left:solid #cccccc 1.0pt;padding:0in 0in 0in 6.0pt;marg=
in-left:4.8pt;margin-top:5.0pt;margin-right:0in;margin-bottom:5.0pt;">=0A<d=
iv>=0A<div class=3D"yiv1833077055MsoNormal" style=3D"background:white;">Nat=
 -<span>&nbsp;</span><br>=0A<br>=0Ayour blog posting is helpful to those of=
 us who are looking for a minimal extension of OAuth with<span>&nbsp;</span=
><br>=0Aan authenticator.&nbsp; Many implementors are seeking a modest exte=
nsion of OAuth, not an entire new protocol<br>=0Astack. &nbsp; I believe th=
at is the point of Phil Hunt's proposal to the OAuth committee.<br>=0A<br>=
=0AI do have some questions about the statements made in the blog -<spa=
n>&nbsp;</span><br>=0A<br>=0AA) Can you direct me to a single OpenID Connec=
t draft specification document where steps 1 and 2 are described?<u></u><u>=
</u></div>=0A</div>=0A</blockquote>=0A<div>=0A<div>=0A<div>=0A<div class=3D=
"yiv1833077055MsoNormal" style=3D"background:white;">&nbsp;<u></u><u></u></=
div>=0A</div>=0A</div>=0A</div>=0A<div>=0A<div>=0A<div class=3D"yiv18330770=
55MsoNormal" style=3D"background:white;">Actually, it is not a single spec,=
 that the Standard is referencing others.&nbsp;<u></u><u></u></div>=0A</div=
>=0A</div>=0A<div>=0A<div>=0A<div class=3D"yiv1833077055MsoNormal" style=3D=
"background:white;">The Standard is kind of cluttered because it has 6 resp=
onse types and three request types in it.&nbsp;<u></u><u></u></div>=0A</div=
>=0A</div>=0A<div>=0A<div>=0A<div class=3D"yiv1833077055MsoNormal" style=3D=
"background:white;">I suppose it would be much easier for the readers to sp=
lit them into coherent pieces, though that means duplicate texts.&nbsp;<u><=
/u><u></u></div>=0A</div>=0A</div>=0A<div>=0A<div>=0A<div>=0A<div class=3D"=
yiv1833077055MsoNormal" style=3D"background:white;">&nbsp;<u></u><u></u></d=
iv>=0A</div>=0A</div>=0A</div>=0A<div>=0A<div>=0A<div class=3D"yiv183307705=
5MsoNormal" style=3D"background:white;">The easiest approach here is to rea=
d the Basic Client Profile.&nbsp;<a rel=3D"nofollow" target=3D"_blank" href=
=3D"http://openid.net/specs/openid-connect-basic-1_0-28.html"><span style=
=3D"color:purple;">http://openid.net/specs/openid-connect-basic-1_0-28.html=
</span></a><u></u><u></u></div>=0A=0A=0A</div>=0A</div>=0A<div>=0A<div>=0A<=
div class=3D"yiv1833077055MsoNormal" style=3D"background:white;">Then, read=
&nbsp;OAuth 2.0 Multiple Response Type Encoding Practices&nbsp;<a rel=3D"no=
follow" target=3D"_blank" href=3D"http://openid.net/specs/oauth-v2-multiple=
-response-types-1_0-08.html"><span style=3D"color:purple;">http://openid.ne=
t/specs/oauth-v2-multiple-response-types-1_0-08.html</span></a>&nbsp;.&nbsp=
;<u></u><u></u></div>=0A=0A=0A</div>=0A</div>=0A<div>=0A<div>=0A<div>=0A<di=
v class=3D"yiv1833077055MsoNormal" style=3D"background:white;">&nbsp;<u></u=
><u></u></div>=0A</div>=0A</div>=0A</div>=0A<blockquote style=3D"border:non=
e;border-left:solid #cccccc 1.0pt;padding:0in 0in 0in 6.0pt;margin-left:4.8=
pt;margin-top:5.0pt;margin-right:0in;margin-bottom:5.0pt;">=0A<div>=0A<div =
class=3D"yiv1833077055MsoNormal" style=3D"background:white;"><br>=0AB) If I=
 implement steps 1 and 2, do I then have a conformant OpenID Connect implem=
entation? Are there no<span>&nbsp;</span><br>=0Aother MTI protocol exchange=
s in OpenID Connect?<u></u><u></u></div>=0A</div>=0A</blockquote>=0A<div>=
=0A<div>=0A<div>=0A<div class=3D"yiv1833077055MsoNormal" style=3D"backgroun=
d:white;">&nbsp;<u></u><u></u></div>=0A</div>=0A</div>=0A</div>=0A<div>=0A<=
div>=0A<div class=3D"yiv1833077055MsoNormal" style=3D"background:white;">Ye=
s, for a non-dynamic OpenID Connect Server.&nbsp;<u></u><u></u></div>=0A</d=
iv>=0A</div>=0A<div>=0A<div>=0A<div>=0A<div class=3D"yiv1833077055MsoNormal=
" style=3D"background:white;">&nbsp;<u></u><u></u></div>=0A</div>=0A</div>=
=0A</div>=0A<div>=0A<div>=0A<div class=3D"yiv1833077055MsoNormal" style=3D"=
background:white;">Nat<u></u><u></u></div>=0A</div>=0A</div>=0A<div>=0A<div=
>=0A<div>=0A<div class=3D"yiv1833077055MsoNormal" style=3D"background:white=
;">&nbsp;&nbsp;<u></u><u></u></div>=0A</div>=0A</div>=0A</div>=0A<blockquot=
e style=3D"border:none;border-left:solid #cccccc 1.0pt;padding:0in 0in 0in =
6.0pt;margin-left:4.8pt;margin-top:5.0pt;margin-right:0in;margin-bottom:5.0=
pt;">=0A<div>=0A<div class=3D"yiv1833077055MsoNormal" style=3D"background:w=
hite;"><br>=0AThanks,<br>=0Aprateek<u></u><u></u></div>=0A</div>=0A<div>=0A=
<div>=0A<div class=3D"yiv1833077055MsoNormal" style=3D"background:white;"><=
br>=0A<br>=0A&nbsp; &nbsp;<u></u><u></u></div>=0A</div>=0A<div>=0A<div>=0A<=
div>=0A<div class=3D"yiv1833077055MsoNormal" style=3D"background:white;">&n=
bsp;<u></u><u></u></div>=0A</div>=0A</div>=0A</div>=0A<blockquote style=3D"=
margin-top:5.0pt;margin-bottom:5.0pt;">=0A<div>=0A<div>=0A<div class=3D"yiv=
1833077055MsoNormal" style=3D"background:white;">I have written a short blo=
g post titled "<a rel=3D"nofollow" target=3D"_blank" href=3D"http://nat.sak=
imura.org/2013/07/28/write-openid-connect-server-in-three-simple-steps/"><s=
pan style=3D"color:purple;">Write an OpenID Connect server=0A in three simp=
le steps</span></a>".&nbsp;<u></u><u></u></div>=0A</div>=0A<div>=0A<div>=0A=
<div>=0A<div class=3D"yiv1833077055MsoNormal" style=3D"background:white;">&=
nbsp;<u></u><u></u></div>=0A</div>=0A</div>=0A</div>=0A<div>=0A<div>=0A<div=
 class=3D"yiv1833077055MsoNormal" style=3D"background:white;">Really, there=
 is not much you need to do on top of OAuth 2.0.&nbsp;<u></u><u></u></div>=0A<=
/div>=0A</div>=0A<div>=0A<div>=0A<div>=0A<div class=3D"yiv1833077055MsoNorm=
al" style=3D"background:white;">&nbsp;<u></u><u></u></div>=0A</div>=0A</div=
>=0A</div>=0A<div>=0A<div>=0A<div class=3D"yiv1833077055MsoNormal" style=3D=
"background:white;">It puzzles me why you need to create a draft with only =
minor variances in parameter names.&nbsp;<u></u><u></u></div>=0A</div>=0A</=
div>=0A<div>=0A<div>=0A<div>=0A<div class=3D"yiv1833077055MsoNormal" style=
=3D"background:white;">&nbsp;<u></u><u></u></div>=0A</div>=0A</div>=0A</div=
>=0A<blockquote style=3D"margin-left:30.0pt;margin-top:5.0pt;margin-right:0=
in;margin-bottom:5.0pt;">=0A<div>=0A<div>=0A<div class=3D"yiv1833077055MsoN=
ormal" style=3D"background:white;">e.g.,&nbsp;<u></u><u></u></div>=0A</div>=
=0A</div>=0A<div>=0A<div>=0A<div class=3D"yiv1833077055MsoNormal" style=3D"=
background:white;">session instead of id_token<u></u><u></u></div>=0A</div>=
=0A</div>=0A<div>=0A<div>=0A<div class=3D"yiv1833077055MsoNormal" style=3D"=
background:white;">lat instead of iat<u></u><u></u></div>=0A</div>=0A</div>=
=0A<div>=0A<div>=0A<div class=3D"yiv1833077055MsoNormal" style=3D"backgroun=
d:white;">alv instead of acr<u></u><u></u></div>=0A</div>=0A</div>=0A<div>=
=0A<div>=0A<div class=3D"yiv1833077055MsoNormal" style=3D"background:white;=
">etc.&nbsp;<u></u><u></u></div>=0A</div>=0A</div>=0A</blockquote>=0A<div>=
=0A<div>=0A<div>=0A<div class=3D"yiv1833077055MsoNormal" style=3D"backgroun=
d:white;">&nbsp;<u></u><u></u></div>=0A</div>=0A</div>=0A</div>=0A<div>=0A<=
div>=0A<div class=3D"yiv1833077055MsoNormal" style=3D"background:white;">If=
 you change those parameter names, you will have a conformant profile of Op=
enID Connect.&nbsp;<u></u><u></u></div>=0A</div>=0A</div>=0A<div>=0A<div>=
=0A<div>=0A<div class=3D"yiv1833077055MsoNormal" style=3D"background:white;=
">&nbsp;<u></u><u></u></div>=0A</div>=0A</div>=0A</div>=0A<div>=0A<div>=0A<=
div class=3D"yiv1833077055MsoNormal" style=3D"background:white;">Nat<u></u>=
<u></u></div>=0A</div>=0A</div>=0A</div>=0A<div>=0A<div style=3D"margin-bot=
tom:12.0pt;">=0A<div class=3D"yiv1833077055MsoNormal" style=3D"background:w=
hite;">&nbsp;<u></u><u></u></div>=0A</div>=0A<div>=0A<div>=0A<div class=3D"=
yiv1833077055MsoNormal" style=3D"background:white;">2013/7/31 John Bradley =
&lt;<a rel=3D"nofollow" ymailto=3D"mailto:ve7jtb@ve7jtb.com" target=3D"_bla=
nk" href=3D"mailto:ve7jtb@ve7jtb.com"><span style=3D"color:purple;">ve7jtb@=
ve7jtb.com</span></a>&gt;<u></u><u></u></div>=0A</div>=0A<blockquote style=
=3D"border:none;border-left:solid #cccccc 1.0pt;padding:0in 0in 0in 6.0pt;m=
argin-left:4.8pt;margin-top:5.0pt;margin-right:0in;margin-bottom:5.0pt;">=
=0A<div>=0A<div>=0A<div class=3D"yiv1833077055MsoNormal" style=3D"backgroun=
d:white;">Connect doesn't require a userinfo endpoint. &nbsp; It is require=
d for interoperability if you are building an open IdP. &nbsp; For an enter=
prise type deployment discovery, registration, userinfo are all optional.<u>=
</u><u></u></div>=0A=0A=0A</div>=0A<div>=0A<div>=0A<div>=0A<div class=3D"yi=
v1833077055MsoNormal" style=3D"background:white;">&nbsp;<u></u><u></u></div=
>=0A</div>=0A</div>=0A</div>=0A<div>=0A<div>=0A<div class=3D"yiv1833077055M=
soNormal" style=3D"background:white;">The server is required to pass the no=
nce which is equivalent to a request ID through to the JWT if the client se=
nds it in the request.<u></u><u></u></div>=0A</div>=0A</div>=0A<div>=0A<div=
>=0A<div>=0A<div class=3D"yiv1833077055MsoNormal" style=3D"background:white=
;">&nbsp;<u></u><u></u></div>=0A</div>=0A</div>=0A</div>=0A<div>=0A<div>=0A=
<div class=3D"yiv1833077055MsoNormal" style=3D"background:white;">Justin is=
 correct.<u></u><u></u></div>=0A</div>=0A</div>=0A<div>=0A<div>=0A<div>=0A<=
div class=3D"yiv1833077055MsoNormal" style=3D"background:white;">&nbsp;<u><=
/u><u></u></div>=0A</div>=0A</div>=0A</div>=0A<div>=0A<div>=0A<div class=3D=
"yiv1833077055MsoNormal" style=3D"background:white;">John B.<u></u><u></u><=
/div>=0A</div>=0A<div>=0A<div>=0A<div>=0A<div class=3D"yiv1833077055MsoNorm=
al" style=3D"background:white;">&nbsp;<u></u><u></u></div>=0A</div>=0A</div=
>=0A<div>=0A<div>=0A<div>=0A<div class=3D"yiv1833077055MsoNormal" style=3D"=
background:white;">On 2013-07-30, at 5:30 PM, Phil Hunt &lt;<a rel=3D"nofol=
low" ymailto=3D"mailto:phil.hunt@oracle.com" target=3D"_blank" href=3D"mail=
to:phil.hunt@oracle.com"><span style=3D"color:purple;">phil.hunt@oracle.com=
</span></a>&gt; wrote:<u></u><u></u></div>=0A=0A=0A</div>=0A</div>=0A<div>=
=0A<div class=3D"yiv1833077055MsoNormal" style=3D"margin-bottom:12.0pt;back=
ground:white;"><br>=0A<br>=0A<u></u><u></u></div>=0A</div>=0A<blockquote st=
yle=3D"margin-top:5.0pt;margin-bottom:5.0pt;">=0A<div>=0A<div>=0A<div>=0A<d=
iv class=3D"yiv1833077055MsoNormal" style=3D"background:white;">Forgot repl=
y all.<br>=0A<br>=0APhil<u></u><u></u></div>=0A</div>=0A</div>=0A<div>=0A<d=
iv class=3D"yiv1833077055MsoNormal" style=3D"margin-bottom:12.0pt;backgroun=
d:white;">=0A<br>=0ABegin forwarded message:<u></u><u></u></div>=0A</div>=
=0A<blockquote style=3D"margin-top:5.0pt;margin-bottom:5.0pt;">=0A<div clas=
s=3D"yiv1833077055MsoNormal" style=3D"margin-bottom:12.0pt;background:white=
;">=0A<b>From:</b><span>&nbsp;</span>Phil Hunt &lt;<a rel=3D"nofollow" ymai=
lto=3D"mailto:phil.hunt@oracle.com" target=3D"_blank" href=3D"mailto:phil.h=
unt@oracle.com"><span style=3D"color:purple;">phil.hunt@oracle.com</span></=
a>&gt;<br>=0A<b>Date:</b><span>&nbsp;</span>30 July, 2013 17:25:46 GMT+02:0=
0<br>=0A<b>To:</b><span>&nbsp;</span>"Richer, Justin P." &lt;<a rel=3D"nofo=
llow" ymailto=3D"mailto:jricher@mitre.org" target=3D"_blank" href=3D"mailto=
:jricher@mitre.org"><span style=3D"color:purple;">jricher@mitre.org</span><=
/a>&gt;<br>=0A<b>Subject:</b><span>&nbsp;</span><b>Re: [OAUTH-WG] New Versi=
on Notification for draft-hunt-oauth-v2-user-a4c-00.txt</b><u></u><u></u></=
div>=0A</blockquote>=0A<blockquote style=3D"margin-top:5.0pt;margin-bottom:=
5.0pt;">=0A<div>=0A<div>=0A<div class=3D"yiv1833077055MsoNormal" style=3D"b=
ackground:white;">The whole point is authn only. Many do not want or need t=
he userinfo endpoint.&nbsp;<br>=0A<br>=0APhil<u></u><u></u></div>=0A</div>=
=0A</div>=0A<div>=0A<div class=3D"yiv1833077055MsoNormal" style=3D"margin-b=
ottom:12.0pt;background:white;">=0A<br>=0AOn 2013-07-30, at 17:17, "Richer,=
 Justin P." &lt;<a rel=3D"nofollow" ymailto=3D"mailto:jricher@mitre.org" ta=
rget=3D"_blank" href=3D"mailto:jricher@mitre.org"><span style=3D"color:purp=
le;">jricher@mitre.org</span></a>&gt; wrote:<u></u><u></u></div>=0A</div>=
=0A<blockquote style=3D"margin-top:5.0pt;margin-bottom:5.0pt;">=0A<div>=0A<=
div class=3D"yiv1833077055MsoNormal" style=3D"background:white;">What do yo=
u mean? You absolutely can implement a compliant OIDC server nearly as simp=
ly as this. The things that you're missing I think are necessary for basic =
interoperable functionality, and are things that other=0A folks using OAuth=
 for authentication have also implemented. Namely:<u></u><u></u></div>=0A</=
div>=0A<div>=0A<div>=0A<div>=0A<div class=3D"yiv1833077055MsoNormal" style=
=3D"background:white;">&nbsp;<u></u><u></u></div>=0A</div>=0A</div>=0A</div=
>=0A<div>=0A<div>=0A<div class=3D"yiv1833077055MsoNormal" style=3D"backgrou=
nd:white;">&nbsp;- Signing the ID token (OIDC specifies the RS256 flavor of=
 JWS, which is easy to do with JWT). Without a signed and verifiable ID tok=
en or equivalent, you're asking for all kinds of token injection problems.<=
u></u><u></u></div>=0A=0A=0A</div>=0A</div>=0A<div>=0A<div>=0A<div class=3D=
"yiv1833077055MsoNormal" style=3D"background:white;">&nbsp;- Session manage=
ment requests (max auth age, auth time)<u></u><u></u></div>=0A</div>=0A</di=
v>=0A<div>=0A<div>=0A<div class=3D"yiv1833077055MsoNormal" style=3D"backgro=
und:white;">&nbsp;- Not fall over with other parameters that you don't supp=
ort (display, prompt, etc).<u></u><u></u></div>=0A</div>=0A</div>=0A<div>=
=0A<div>=0A<div>=0A<div class=3D"yiv1833077055MsoNormal" style=3D"backgroun=
d:white;">&nbsp;<u></u><u></u></div>=0A</div>=0A</div>=0A</div>=0A<div>=0A<=
div>=0A<div class=3D"yiv1833077055MsoNormal" style=3D"background:white;">Se=
e here for more information:<u></u><u></u></div>=0A</div>=0A</div>=0A<div>=
=0A<div>=0A<div>=0A<div class=3D"yiv1833077055MsoNormal" style=3D"backgroun=
d:white;">&nbsp;<u></u><u></u></div>=0A</div>=0A</div>=0A</div>=0A<div>=0A<=
div>=0A<div class=3D"yiv1833077055MsoNormal" style=3D"background:white;">&n=
bsp;<a rel=3D"nofollow" target=3D"_blank" href=3D"http://openid.net/specs/o=
penid-connect-messages-1_0.html#ServerMTI"><span style=3D"color:purple;">ht=
tp://openid.net/specs/openid-connect-messages-1_0.html#ServerMTI</span></a>=
<u></u><u></u></div>=0A=0A=0A</div>=0A</div>=0A<div>=0A<div>=0A<div>=0A<div=
 class=3D"yiv1833077055MsoNormal" style=3D"background:white;">&nbsp;<u></u>=
<u></u></div>=0A</div>=0A</div>=0A</div>=0A<div>=0A<div>=0A<div class=3D"yi=
v1833077055MsoNormal" style=3D"background:white;">Additionally, something t=
hat's really important to support is the User Info Endpoint, so you can act=
ually get user profile information beyond just the simple "someone was here=
" claim -- this was the real value of=0A Facebook Connect from an RP's pers=
pective. Some people will probably want to use SCIM for this, too, and that=
's fine.<u></u><u></u></div>=0A</div>=0A</div>=0A<div>=0A<div>=0A<div>=0A<d=
iv class=3D"yiv1833077055MsoNormal" style=3D"background:white;">&nbsp;<u></=
u><u></u></div>=0A</div>=0A</div>=0A</div>=0A<div>=0A<div>=0A<div class=3D"=
yiv1833077055MsoNormal" style=3D"background:white;">&nbsp;-- Justin<u></u><=
u></u></div>=0A</div>=0A</div>=0A<div>=0A<div>=0A<div>=0A<div class=3D"yiv1=
833077055MsoNormal" style=3D"background:white;">&nbsp;<u></u><u></u></div>=
=0A</div>=0A</div>=0A<div>=0A<div>=0A<div>=0A<div class=3D"yiv1833077055Mso=
Normal" style=3D"background:white;">On Jul 30, 2013, at 10:54 AM, Phil Hunt=
 &lt;<a rel=3D"nofollow" ymailto=3D"mailto:phil.hunt@oracle.com" target=3D"=
_blank" href=3D"mailto:phil.hunt@oracle.com"><span style=3D"color:purple;">=
phil.hunt@oracle.com</span></a>&gt;<u></u><u></u></div>=0A=0A=0A</div>=0A</=
div>=0A<div>=0A<div>=0A<div class=3D"yiv1833077055MsoNormal" style=3D"backg=
round:white;">&nbsp;wrote:<u></u><u></u></div>=0A</div>=0A</div>=0A<div>=0A=
<div class=3D"yiv1833077055MsoNormal" style=3D"margin-bottom:12.0pt;backgro=
und:white;"><br>=0A<br>=0A<u></u><u></u></div>=0A</div>=0A<blockquote style=
=3D"margin-top:5.0pt;margin-bottom:5.0pt;">=0A<div>=0A<div>=0A<div class=3D=
"yiv1833077055MsoNormal" style=3D"background:white;">The oidc specs do not =
allow this simple an implementation. The spec members have not shown intere=
st in making changes as they say they are too far down the road.<u></u><u><=
/u></div>=0A=0A=0A</div>=0A</div>=0A<div>=0A<div>=0A<div>=0A<div class=3D"y=
iv1833077055MsoNormal" style=3D"background:white;">&nbsp;<u></u><u></u></di=
v>=0A</div>=0A</div>=0A</div>=0A<div>=0A<div>=0A<div class=3D"yiv1833077055=
MsoNormal" style=3D"background:white;">I have tried to make my draft as clo=
se as possible to oidc but maybe it shouldn't be clarity wise. I am interes=
ted in what the group feels is clearest.&nbsp;<u></u><u></u></div>=0A=0A=0A=
</div>=0A</div>=0A<div>=0A<div>=0A<div>=0A<div class=3D"yiv1833077055MsoNor=
mal" style=3D"background:white;">&nbsp;<u></u><u></u></div>=0A</div>=0A</di=
v>=0A</div>=0A<div>=0A<div>=0A<div class=3D"yiv1833077055MsoNormal" style=
=3D"background:white;">From an ietf perspective the concern is improper use=
 of the 6749 for authn. Is this a bug or gap we need to address?<br>=0A<br>=
=0APhil<u></u><u></u></div>=0A</div>=0A</div>=0A<div>=0A<div class=3D"yiv18=
33077055MsoNormal" style=3D"margin-bottom:12.0pt;background:white;">=0A<br>=
=0AOn 2013-07-30, at 16:46, "Richer, Justin P." &lt;<a rel=3D"nofollow" yma=
ilto=3D"mailto:jricher@mitre.org" target=3D"_blank" href=3D"mailto:jricher@=
mitre.org"><span style=3D"color:purple;">jricher@mitre.org</span></a>&gt; w=
rote:<u></u><u></u></div>=0A</div>=0A<blockquote style=3D"margin-top:5.0pt;=
margin-bottom:5.0pt;">=0A<div>=0A<div class=3D"yiv1833077055MsoNormal" styl=
e=3D"background:white;">From what I read, you've defined something that use=
s an OAuth 2 code flow to get an extra token which is specified as a JWT. Y=
ou named it "session_token" instead of "id_token", and you've left off the =
User Information=0A Endpoint -- but other than that, this is exactly the Ba=
sic Client for OpenID Connect. In other words, if you change the names on t=
hings you've got OIDC, but without the capabilities to go beyond a very bas=
ic "hey there's a user here" claim. This is the same=0A place that OpenID 2=
.0 started, and it was very, very quickly extended with SREG, AX, PAPE, and=
 others for it to be useful in the real world of distributed logins. You've=
 also left out discovery and registration which are required for distribute=
d deployments,=0A but I'm guessing that those would be modular components t=
hat could be added in (like they are in OIDC).&nbsp;<u></u><u></u></div>=0A=
</div>=0A<div>=0A<div>=0A<div>=0A<div class=3D"yiv1833077055MsoNormal" styl=
e=3D"background:white;">&nbsp;<u></u><u></u></div>=0A</div>=0A</div>=0A</di=
v>=0A<div>=0A<div>=0A<div class=3D"yiv1833077055MsoNormal" style=3D"backgro=
und:white;">I've heard complaints that OIDC is complicated, but it's really=
 not. Yes, I agree that the giant stack of documents is intimidating and in=
 my opinion it's a bit of a mess with Messages and Standard split up (but=
=0A I lost that argument years ago). However, at the core, you've got an OA=
uth2 authorization server that spits out access tokens and id tokens. The i=
d token is a JWT with some known claims (iss, sub, etc) and is issued along=
 side the access token, and its audience=0A is the *client* and not the *pr=
otected resource*. The access token is a regular old access token and its f=
ormat is undefined (so you can use it with an existing OAuth2 server setup,=
 like we have), and it can be used at the User Info Endpoint to get profile=
=0A information about the user who authenticated. It could also be used for=
 other services if your AS/IdP protects multiple things.<u></u><u></u></div=
>=0A</div>=0A</div>=0A<div>=0A<div>=0A<div>=0A<div class=3D"yiv1833077055Ms=
oNormal" style=3D"background:white;">&nbsp;<u></u><u></u></div>=0A</div>=0A=
</div>=0A</div>=0A<div>=0A<div>=0A<div class=3D"yiv1833077055MsoNormal" sty=
le=3D"background:white;">So I guess what I'm missing is what's the value pr=
oposition in this spec when we have something that can do this already? And=
 this doesn't seem to do anything different (apart from syntax changes)?<u>=
</u><u></u></div>=0A=0A=0A</div>=0A</div>=0A<div>=0A<div>=0A<div>=0A<div cl=
ass=3D"yiv1833077055MsoNormal" style=3D"background:white;">&nbsp;<u></u><u>=
</u></div>=0A</div>=0A</div>=0A</div>=0A<div>=0A<div>=0A<div class=3D"yiv18=
33077055MsoNormal" style=3D"background:white;">&nbsp;-- Justin<u></u><u></u=
></div>=0A</div>=0A</div>=0A<div>=0A<div>=0A<div>=0A<div class=3D"yiv183307=
7055MsoNormal" style=3D"background:white;">&nbsp;<u></u><u></u></div>=0A</d=
iv>=0A</div>=0A<div>=0A<div>=0A<div>=0A<div class=3D"yiv1833077055MsoNormal=
" style=3D"background:white;">On Jul 29, 2013, at 4:14 AM, Phil Hunt &lt;<a=
 rel=3D"nofollow" ymailto=3D"mailto:phil.hunt@oracle.com" target=3D"_blank"=
 href=3D"mailto:phil.hunt@oracle.com"><span style=3D"color:purple;">phil.hu=
nt@oracle.com</span></a>&gt; wrote:<u></u><u></u></div>=0A=0A=0A</div>=0A</=
div>=0A<div>=0A<div class=3D"yiv1833077055MsoNormal" style=3D"margin-bottom=
:12.0pt;background:white;"><br>=0A<br>=0A<u></u><u></u></div>=0A</div>=0A<b=
lockquote style=3D"margin-top:5.0pt;margin-bottom:5.0pt;">=0A<div>=0A<div>=
=0A<div class=3D"yiv1833077055MsoNormal" style=3D"background:white;">FYI. &=
nbsp;I have been noticing a substantial number of sites acting as OAuth Cli=
ents using OAuth to authenticate users.<u></u><u></u></div>=0A</div>=0A<div=
>=0A<div>=0A<div>=0A<div class=3D"yiv1833077055MsoNormal" style=3D"backgrou=
nd:white;">&nbsp;<u></u><u></u></div>=0A</div>=0A</div>=0A</div>=0A<div>=0A=
<div>=0A<div class=3D"yiv1833077055MsoNormal" style=3D"background:white;">I=
 know several of us have blogged on the issue over the past year so I won't=
 re-hash it here. &nbsp;In short, many of us recommended OIDC as the correc=
t methodology.<u></u><u></u></div>=0A=0A=0A</div>=0A</div>=0A<div>=0A<div>=
=0A<div>=0A<div class=3D"yiv1833077055MsoNormal" style=3D"background:white;=
">&nbsp;<u></u><u></u></div>=0A</div>=0A</div>=0A</div>=0A<div>=0A<div>=0A<=
div class=3D"yiv1833077055MsoNormal" style=3D"background:white;">Never-the-=
less, I've spoken with a number of service providers who indicate they are =
not ready to make the jump to OIDC, yet they agree there is a desire to sup=
port authentication only (where as OIDC does IDP-like=0A services).<u></u><=
u></u></div>=0A</div>=0A</div>=0A<div>=0A<div>=0A<div>=0A<div class=3D"yiv1=
833077055MsoNormal" style=3D"background:white;">&nbsp;<u></u><u></u></div>=
=0A</div>=0A</div>=0A</div>=0A<div>=0A<div>=0A<div class=3D"yiv1833077055Ms=
oNormal" style=3D"background:white;">This draft is intended as a minimum au=
thentication only specification. &nbsp;I've tried to make it as compatible =
as possible with OIDC.<u></u><u></u></div>=0A</div>=0A</div>=0A<div>=0A<div=
>=0A<div>=0A<div class=3D"yiv1833077055MsoNormal" style=3D"background:white=
;">&nbsp;<u></u><u></u></div>=0A</div>=0A</div>=0A</div>=0A<div>=0A<div>=0A=
<div class=3D"yiv1833077055MsoNormal" style=3D"background:white;">For now, =
I've just posted to keep track of the issue so we can address at the next r=
e-chartering.<u></u><u></u></div>=0A</div>=0A</div>=0A<div>=0A<div>=0A<div>=
=0A<div class=3D"yiv1833077055MsoNormal" style=3D"background:white;">&nbsp;=
<u></u><u></u></div>=0A</div>=0A</div>=0A</div>=0A<div>=0A<div>=0A<div clas=
s=3D"yiv1833077055MsoNormal" style=3D"background:white;">Happy to answer qu=
estions and discuss.&nbsp;<u></u><u></u></div>=0A</div>=0A</div>=0A<div>=0A=
<div>=0A<div>=0A<div class=3D"yiv1833077055MsoNormal" style=3D"background:w=
hite;">&nbsp;<u></u><u></u></div>=0A</div>=0A</div>=0A</div>=0A<div>=0A<div=
>=0A<div>=0A<div>=0A<div>=0A<div>=0A<div>=0A<div class=3D"yiv1833077055MsoN=
ormal" style=3D"background:white;"><span style=3D"font-size:9.0pt;">Phil</s=
pan><u></u><u></u></div>=0A</div>=0A</div>=0A<div>=0A<div>=0A<div>=0A<div c=
lass=3D"yiv1833077055MsoNormal" style=3D"background:white;"><span style=3D"=
font-size:9.0pt;">&nbsp;</span><u></u><u></u></div>=0A</div>=0A</div>=0A</d=
iv>=0A<div>=0A<div>=0A<div class=3D"yiv1833077055MsoNormal" style=3D"backgr=
ound:white;"><span style=3D"font-size:9.0pt;">@independentid</span><u></u><=
u></u></div>=0A</div>=0A</div>=0A<div>=0A<div>=0A<div class=3D"yiv183307705=
5MsoNormal" style=3D"background:white;"><span style=3D"font-size:9.0pt;"><a=
 rel=3D"nofollow" target=3D"_blank" href=3D"http://www.independentid.com/">=
<span style=3D"color:purple;">www.independentid.com</span></a></span><u></u=
><u></u></div>=0A=0A=0A</div>=0A</div>=0A</div>=0A<div class=3D"yiv18330770=
55MsoNormal" style=3D"margin-bottom:13.5pt;background:white;">=0A<span styl=
e=3D"font-size:13.5pt;"><a rel=3D"nofollow" ymailto=3D"mailto:phil.hunt@ora=
cle.com" target=3D"_blank" href=3D"mailto:phil.hunt@oracle.com"><span style=
=3D"color:purple;">phil.hunt@oracle.com</span></a></span><u></u><u></u></di=
v>=0A=0A=0A</div>=0A<div>=0A<div>=0A<div class=3D"yiv1833077055MsoNormal" s=
tyle=3D"background:white;"><span style=3D"font-size:13.5pt;">&nbsp;</span><=
u></u><u></u></div>=0A</div>=0A</div>=0A</div>=0A<div>=0A<div class=3D"yiv1=
833077055MsoNormal" style=3D"margin-bottom:12.0pt;background:white;"><br>=
=0A<br>=0A<u></u><u></u></div>=0A</div>=0A</div>=0A<div>=0A<div>=0A<div>=0A=
<div class=3D"yiv1833077055MsoNormal" style=3D"background:white;">&nbsp;<u>=
</u><u></u></div>=0A</div>=0A</div>=0A<div>=0A<div>=0A<div class=3D"yiv1833=
077055MsoNormal" style=3D"background:white;">Begin forwarded message:<u></u=
><u></u></div>=0A</div>=0A</div>=0A<div>=0A<div class=3D"yiv1833077055MsoNo=
rmal" style=3D"margin-bottom:12.0pt;background:white;"><br>=0A<br>=0A<u></u=
><u></u></div>=0A</div>=0A<blockquote style=3D"margin-top:5.0pt;margin-bott=
om:5.0pt;">=0A<div>=0A<div>=0A<div class=3D"yiv1833077055MsoNormal" style=
=3D"background:white;"><b><span style=3D"font-size:13.5pt;">From:</span></b=
><span style=3D"font-size:13.5pt;"><a rel=3D"nofollow" ymailto=3D"mailto:in=
ternet-drafts@ietf.org" target=3D"_blank" href=3D"mailto:internet-drafts@ie=
tf.org"><span style=3D"color:purple;">internet-drafts@ietf.org</span></a></=
span><u></u><u></u></div>=0A=0A=0A</div>=0A</div>=0A<div>=0A<div>=0A<div cl=
ass=3D"yiv1833077055MsoNormal" style=3D"background:white;"><b><span style=
=3D"font-size:13.5pt;">Subject: New Version Notification for draft-hunt-oau=
th-v2-user-a4c-00.txt</span></b><u></u><u></u></div>=0A=0A=0A</div>=0A</div=
>=0A<div>=0A<div>=0A<div class=3D"yiv1833077055MsoNormal" style=3D"backgrou=
nd:white;"><b><span style=3D"font-size:13.5pt;">Date:</span></b><span style=
=3D"font-size:13.5pt;">29 July, 2013 9:49:41 AM GMT+02:00</span><u></u><u><=
/u></div>=0A=0A=0A</div>=0A</div>=0A<div>=0A<div>=0A<div class=3D"yiv183307=
7055MsoNormal" style=3D"background:white;"><b><span style=3D"font-size:13.5=
pt;">To:</span></b><span style=3D"font-size:13.5pt;">Phil Hunt &lt;<a rel=
=3D"nofollow" ymailto=3D"mailto:phil.hunt@yahoo.com" target=3D"_blank" href=
=3D"mailto:phil.hunt@yahoo.com"><span style=3D"color:purple;">phil.hunt@yah=
oo.com</span></a>&gt;,=0A Phil Hunt &lt;<a rel=3D"nofollow" ymailto=3D"mail=
to:None@ietfa.amsl.com" target=3D"_blank" href=3D"mailto:None@ietfa.amsl.co=
m"><span style=3D"color:purple;">None@ietfa.amsl.com</span></a>&gt;, Phil H=
unt &lt;&gt;</span><u></u><u></u></div>=0A</div>=0A</div>=0A<div>=0A<div>=
=0A<div class=3D"yiv1833077055MsoNormal" style=3D"background:white;">&nbsp;=
<u></u><u></u></div>=0A</div>=0A</div>=0A<div>=0A<div class=3D"yiv183307705=
5MsoNormal" style=3D"margin-bottom:12.0pt;background:white;">=0A<br>=0AA ne=
w version of I-D, draft-hunt-oauth-v2-user-a4c-00.txt<br>=0Ahas been succes=
sfully submitted by Phil Hunt and posted to the<br>=0AIETF repository.<br>=
=0A<br>=0AFilename: draft-hunt-oauth-v2-user-a4c<br>=0ARevision: 00<br>=0AT=
itle: OAuth 2.0 User Authentication For Client<br>=0ACreation date: 2013-07=
-29<br>=0AGroup: Individual Submission<br>=0ANumber of pages: 9<br>=0AURL: =
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<a =
rel=3D"nofollow" target=3D"_blank" href=3D"http://www.ietf.org/internet-dra=
fts/draft-hunt-oauth-v2-user-a4c-00.txt"><span style=3D"color:purple;">http=
://www.ietf.org/internet-drafts/draft-hunt-oauth-v2-user-a4c-00.txt</span><=
/a><br>=0A=0A=0AStatus: &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nb=
sp;<a rel=3D"nofollow" target=3D"_blank" href=3D"http://datatracker.ietf.or=
g/doc/draft-hunt-oauth-v2-user-a4c"><span style=3D"color:purple;">http://da=
tatracker.ietf.org/doc/draft-hunt-oauth-v2-user-a4c</span></a><br>=0AHtmliz=
ed: &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<a rel=3D"nofollow" target=3D=
"_blank" href=3D"http://tools.ietf.org/html/draft-hunt-oauth-v2-user-a4c-00=
"><span style=3D"color:purple;">http://tools.ietf.org/html/draft-hunt-oauth=
-v2-user-a4c-00</span></a><br>=0A<br>=0A<br>=0AAbstract:<br>=0A&nbsp;&nbsp;=
This specification defines a new OAuth2 endpoint that enables user<br>=0A&n=
bsp;&nbsp;authentication session information to be shared with client<br>=
=0A&nbsp;&nbsp;applications.<br>=0A<br>=0A<br>=0A<br>=0A<br>=0APlease note =
that it may take a couple of minutes from the time of submission<br>=0Aunti=
l the htmlized version and diff are available at<a rel=3D"nofollow" target=
=3D"_blank" href=3D"http://tools.ietf.org/"><span style=3D"color:purple;">t=
ools.ietf.org</span></a>.<br>=0A<br>=0AThe IETF Secretariat<u></u><u></u></=
div>=0A</div>=0A</blockquote>=0A</div>=0A<div>=0A<div>=0A<div class=3D"yiv1=
833077055MsoNormal" style=3D"background:white;">&nbsp;<u></u><u></u></div>=
=0A</div>=0A</div>=0A</div>=0A</div>=0A<div>=0A<div class=3D"yiv1833077055M=
soNormal" style=3D"background:white;">_____________________________________=
__________<br>=0AOAuth mailing list<br>=0A<a rel=3D"nofollow" ymailto=3D"ma=
ilto:OAuth@ietf.org" target=3D"_blank" href=3D"mailto:OAuth@ietf.org"><span=
 style=3D"color:purple;">OAuth@ietf.org</span></a><br>=0A<a rel=3D"nofollow=
" target=3D"_blank" href=3D"https://www.ietf.org/mailman/listinfo/oauth"><s=
pan style=3D"color:purple;">https://www.ietf.org/mailman/listinfo/oauth</sp=
an></a><u></u><u></u></div>=0A</div>=0A</blockquote>=0A</div>=0A<div>=0A<di=
v>=0A<div class=3D"yiv1833077055MsoNormal" style=3D"background:white;">&nbs=
p;<u></u><u></u></div>=0A</div>=0A</div>=0A</div>=0A</blockquote>=0A</block=
quote>=0A</div>=0A<div>=0A<div>=0A<div class=3D"yiv1833077055MsoNormal" sty=
le=3D"background:white;">&nbsp;<u></u><u></u></div>=0A</div>=0A</div>=0A</d=
iv>=0A</blockquote>=0A</blockquote>=0A</div>=0A<div>=0A<div class=3D"yiv183=
3077055MsoNormal" style=3D"background:white;">_____________________________=
__________________<br>=0AOAuth mailing list<br>=0A<a rel=3D"nofollow" ymail=
to=3D"mailto:OAuth@ietf.org" target=3D"_blank" href=3D"mailto:OAuth@ietf.or=
g"><span style=3D"color:purple;">OAuth@ietf.org</span></a><br>=0A<a rel=3D"=
nofollow" target=3D"_blank" href=3D"https://www.ietf.org/mailman/listinfo/o=
auth"><span style=3D"color:purple;">https://www.ietf.org/mailman/listinfo/o=
auth</span></a><u></u><u></u></div>=0A</div>=0A</blockquote>=0A</div>=0A<di=
v>=0A<div>=0A<div class=3D"yiv1833077055MsoNormal" style=3D"background:whit=
e;">&nbsp;<u></u><u></u></div>=0A</div>=0A</div>=0A</div>=0A</div>=0A</div>=
=0A<div class=3D"yiv1833077055MsoNormal" style=3D"margin-bottom:12.0pt;back=
ground:white;">=0A<br>=0A_______________________________________________<br=
>=0AOAuth mailing list<br>=0A<a rel=3D"nofollow" ymailto=3D"mailto:OAuth@ie=
tf.org" target=3D"_blank" href=3D"mailto:OAuth@ietf.org"><span style=3D"col=
or:purple;">OAuth@ietf.org</span></a><br>=0A<a rel=3D"nofollow" target=3D"_=
blank" href=3D"https://www.ietf.org/mailman/listinfo/oauth"><span style=3D"=
color:purple;">https://www.ietf.org/mailman/listinfo/oauth</span></a><u></u=
><u></u></div>=0A</blockquote>=0A</div>=0A<div>=0A<div class=3D"yiv18330770=
55MsoNormal" style=3D"background:white;"><br>=0A<br clear=3D"all">=0A<u></u=
><u></u></div>=0A</div>=0A<div>=0A<div>=0A<div>=0A<div class=3D"yiv18330770=
55MsoNormal" style=3D"background:white;">&nbsp;<u></u><u></u></div>=0A</div=
>=0A</div>=0A</div>=0A<div>=0A<div class=3D"yiv1833077055MsoNormal" style=
=3D"background:white;">--<span>&nbsp;</span><br>=0ANat Sakimura (=3Dnat)<u>=
</u><u></u></div>=0A</div>=0A<div>=0A<div>=0A<div class=3D"yiv1833077055Mso=
Normal" style=3D"background:white;">Chairman, OpenID Foundation<br>=0A<a re=
l=3D"nofollow" target=3D"_blank" href=3D"http://nat.sakimura.org/"><span st=
yle=3D"color:purple;">http://nat.sakimura.org/</span></a><br>=0A@_nat_en<u>=
</u><u></u></div>=0A</div>=0A</div>=0A</div>=0A<div>=0A<div class=3D"yiv183=
3077055MsoNormal" style=3D"margin-bottom:12.0pt;background:white;"><br>=0A<=
br>=0A<u></u><u></u></div>=0A</div>=0A<pre style=3D"background:white;">____=
___________________________________________<u></u><u></u></pre>=0A<pre styl=
e=3D"background:white;">OAuth mailing list<u></u><u></u></pre>=0A<pre style=
=3D"background:white;"><a rel=3D"nofollow" ymailto=3D"mailto:OAuth@ietf.org=
" target=3D"_blank" href=3D"mailto:OAuth@ietf.org"><span style=3D"color:pur=
ple;">OAuth@ietf.org</span></a><u></u><u></u></pre>=0A<pre style=3D"backgro=
und:white;"><a rel=3D"nofollow" target=3D"_blank" href=3D"https://www.ietf.=
org/mailman/listinfo/oauth"><span style=3D"color:purple;">https://www.ietf.=
org/mailman/listinfo/oauth</span></a><u></u><u></u></pre>=0A=0A=0A</blockqu=
ote>=0A<div>=0A<div>=0A<div class=3D"yiv1833077055MsoNormal" style=3D"backg=
round:white;">&nbsp;<u></u><u></u></div>=0A</div>=0A</div>=0A</div>=0A</blo=
ckquote>=0A</div>=0A<div>=0A<div class=3D"yiv1833077055MsoNormal" style=3D"=
background:white;"><br>=0A<br clear=3D"all">=0A<u></u><u></u></div>=0A</div=
>=0A<div>=0A<div>=0A<div>=0A<div class=3D"yiv1833077055MsoNormal" style=3D"=
background:white;">&nbsp;<u></u><u></u></div>=0A</div>=0A</div>=0A</div>=0A=
<div>=0A<div class=3D"yiv1833077055MsoNormal" style=3D"background:white;">-=
-<span>&nbsp;</span><br>=0ANat Sakimura (=3Dnat)<u></u><u></u></div>=0A</di=
v>=0A<div>=0A<div>=0A<div class=3D"yiv1833077055MsoNormal" style=3D"backgro=
und:white;">Chairman, OpenID Foundation<br>=0A<a rel=3D"nofollow" target=3D=
"_blank" href=3D"http://nat.sakimura.org/"><span style=3D"color:purple;">ht=
tp://nat.sakimura.org/</span></a><br>=0A@_nat_en<u></u><u></u></div>=0A</di=
v>=0A</div>=0A</div>=0A</blockquote>=0A<div>=0A<div>=0A<div class=3D"yiv183=
3077055MsoNormal" style=3D"background:white;">&nbsp;<u></u><u></u></div>=0A=
</div>=0A</div>=0A</div>=0A<div class=3D"yiv1833077055MsoNormal" style=3D"m=
argin-bottom:12.0pt;background:white;">=0A<br>=0A__________________________=
_____________________<br>=0AOAuth mailing list<br>=0A<a rel=3D"nofollow" ym=
ailto=3D"mailto:OAuth@ietf.org" target=3D"_blank" href=3D"mailto:OAuth@ietf=
.org"><span style=3D"color:purple;">OAuth@ietf.org</span></a><br>=0A<a rel=
=3D"nofollow" target=3D"_blank" href=3D"https://www.ietf.org/mailman/listin=
fo/oauth"><span style=3D"color:purple;">https://www.ietf.org/mailman/listin=
fo/oauth</span></a><br>=0A<br>=0A<u></u><u></u></div>=0A</div>=0A</div>=0A<=
/div>=0A<div class=3D"yiv1833077055MsoNormal"><span style=3D"font-size:13.5=
pt;">_______________________________________________<br>=0AOAuth mailing li=
st<br>=0A<a rel=3D"nofollow" ymailto=3D"mailto:OAuth@ietf.org" target=3D"_b=
lank" href=3D"mailto:OAuth@ietf.org"><span style=3D"color:purple;">OAuth@ie=
tf.org</span></a><br>=0A<a rel=3D"nofollow" target=3D"_blank" href=3D"https=
://www.ietf.org/mailman/listinfo/oauth"><span style=3D"color:purple;">https=
://www.ietf.org/mailman/listinfo/oauth</span></a></span><u></u><u></u></div=
>=0A</div>=0A</blockquote>=0A</div>=0A<div>=0A<div class=3D"yiv1833077055Ms=
oNormal">&nbsp;<u></u><u></u></div>=0A</div>=0A</div>=0A</blockquote>=0A</d=
iv>=0A</blockquote>=0A</div>=0A<div class=3D"yiv1833077055MsoNormal"><u></u=
>&nbsp;<u></u></div>=0A</div>=0A</div>=0A</div></div></div>=0A</div>=0A=0A<=
/blockquote></div><br><br clear=3D"all"><div><br></div>-- <br>Nat Sakimura =
(=3Dnat)<div>Chairman, OpenID Foundation<br><a rel=3D"nofollow" target=3D"_=
blank" href=3D"http://nat.sakimura.org/">http://nat.sakimura.org/</a><br>@_=
nat_en</div>=0A</div>=0A</div></blockquote><blockquote type=3D"cite"><div><=
span>_______________________________________________</span><br><span>OAuth =
mailing list</span><br><span><a rel=3D"nofollow" ymailto=3D"mailto:OAuth@ie=
tf.org" target=3D"_blank" href=3D"mailto:OAuth@ietf.org">OAuth@ietf.org</a>=
</span><br>=0A<span><a rel=3D"nofollow" target=3D"_blank" href=3D"https://w=
ww.ietf.org/mailman/listinfo/oauth">https://www.ietf.org/mailman/listinfo/o=
auth</a></span><br></div></blockquote></div></div></div></blockquote></div>=
<br><br clear=3D"all"><div><br></div>=0A-- <br>Nat Sakimura (=3Dnat)<div>Ch=
airman, OpenID Foundation<br><a rel=3D"nofollow" target=3D"_blank" href=3D"=
http://nat.sakimura.org/">http://nat.sakimura.org/</a><br>@_nat_en</div>=0A=
</div></div></div><br>_______________________________________________<br>OA=
uth mailing list<br><a ymailto=3D"mailto:OAuth@ietf.org" href=3D"mailto:OAu=
th@ietf.org">OAuth@ietf.org</a><br><a href=3D"https://www.ietf.org/mailman/=
listinfo/oauth" target=3D"_blank">https://www.ietf.org/mailman/listinfo/oau=
th</a><br><br><br></div> </div> </div>  </div></body></html>
--905790552-337973688-1375418625=:52579--

From sakimura@gmail.com  Thu Aug  1 21:52:57 2013
In-Reply-To: <1375418625.52579.YahooMailNeo@web142803.mail.bf1.yahoo.com>
References: <787A2184-CE90-49F4-ABB6-B8D049AE3941@oracle.com> <E2282016-1953-48A4-B0AC-7F138D29AB80@oracle.com> <BAB6DA63-5831-49D0-8CB9-13CF57F78806@ve7jtb.com> <CABzCy2C=DXtFUOZh=55xH_BwMz1Z8gb2ShUHAG7ZmATtc4E4zw@mail.gmail.com> <51F983E3.1020400@oracle.com> <1375307375.98370.YahooMailNeo@web142804.mail.bf1.yahoo.com> <5c5c607231e644f697c5a60b75688013@BY2PR03MB189.namprd03.prod.outlook.com> <5D020B1E-531D-444E-A492-046D444D48D2@mitre.org> <e68801da9fa547c69fee43b9cd7b22b8@BY2PR03MB189.namprd03.prod.outlook.com> <2117136733141454493@unknownmsgid> <8E6F38BA-E6BF-40E5-818A-45F506BB181D@mitre.org> <f4b99e49fbdd4e22b19391cdb720b15d@BY2PR03MB189.namprd03.prod.outlook.com> <CABzCy2Aou0eMqHKjxOh01mtfzQ8-mvU5BHF84kHHsnPsO3di=Q@mail.gmail.com> <6F19AC80-0BB9-4387-AA77-77D02CE1E772@oracle.com> <CABzCy2BA-fXy86NU+vZd96jV9yVo9GEBAmm_AoMeZoR-ECgyyQ@mail.gmail.com> <1375418625.52579.YahooMailNeo@web142803.mail.bf1.yahoo.com>
Date: Fri, 2 Aug 2013 06:52:52 +0200
Message-ID: <CABzCy2DwR26Jex5zX0yRfbrx9cc93n4+UngSoCPt_EJ3fJUvaQ@mail.gmail.com>
From: Nat Sakimura <sakimura@gmail.com>
To: Bill Mills <wmills_92105@yahoo.com>
Content-Type: multipart/alternative; boundary=001a11c3e8802c416404e2efbbff
Cc: "oauth@ietf.org WG" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Need for Extending OAuth with AuthN (was Re: Fwd: New Version Notification for draft-hunt-oauth-v2-user-a4c-00.txt)

--001a11c3e8802c416404e2efbbff
Content-Type: text/plain; charset=windows-1252
Content-Transfer-Encoding: quoted-printable

It is not a circular reference.
They are layered.
Profile referencing an extension spec, which references a framework spec is
perfectly fine.
In fact, it should be that way.

It is just that the middle section in this case was worked out at an
outside forum.
Suppose it was worked in at OAuth WG and it was called OAuth Authentication
Extension.
And let us call what Phil is proposing as OAuth Authentication Extension
Basic Profile.

Then would it be a problem for the Basic Profile to reference the Authn
Extension, which in turn references the RFC6749? Do we call it circular?

Of course not.

In this case, it is only that the "OAuth Authentication Extension" is
called "OpenID Connect".




2013/8/2 Bill Mills <wmills_92105@yahoo.com>

> Circular references are not my favorite.
>
>   ------------------------------
>  *From:* Nat Sakimura <sakimura@gmail.com>
> *To:* Phil Hunt <phil.hunt@oracle.com>
> *Cc:* "oauth@ietf.org WG" <oauth@ietf.org>
> *Sent:* Thursday, August 1, 2013 9:34 PM
>
> *Subject:* Re: [OAUTH-WG] Need for Extending OAuth with AuthN (was Re:
> Fwd: New Version Notification for draft-hunt-oauth-v2-user-a4c-00.txt)
>
> Not necessarily. Why would it be inappropriate?
>
> I call it NIH syndrome.
> Respecting the work which is done outside is a good thing.
> Just taking the content and taking credit for it is a bad practice.
>
> Forking is also bad.
>
>
>
> 2013/8/2 Phil Hunt <phil.hunt@oracle.com>
>
> OpenId specs can depend on oAuth. Having OAuth depend on OpenId is not
> appropriate here.
>
> Phil
>
> On 2013-08-01, at 18:07, Nat Sakimura <sakimura@gmail.com> wrote:
>
> Like Bill says, it can just be a profile of OpenID Connect.
> IETF specs already reference OpenID Foundation specs.
> It should not be a problem.
> I do not think we want to fork.
>
>
> 2013/8/1 Anthony Nadalin <tonynad@microsoft.com>
>
>  I believe it beneficial to have a common format and common values, and 1
> way to handle the format and values. I believe that having this in oauth is
> beneficial, I believe that it would also be beneficial for OpenID if this
> were in oauth. There are cases for signed and unsigned formats.
>
>  *From:* Richer, Justin P. [mailto:jricher@mitre.org]
> *Sent:* Thursday, August 1, 2013 7:15 AM
> *To:* Nat Sakimura
> *Cc:* Anthony Nadalin; Bill Mills; Prateek Mishra; oauth@ietf.org WG
>
> *Subject:* Re: [OAUTH-WG] Need for Extending OAuth with AuthN (was Re:
> Fwd: New Version Notification for draft-hunt-oauth-v2-user-a4c-00.txt)
>
> Also, it's (optionally) a token in the proposed document we're discussing
> (§2.4.1), which means there are two ways to parse the same information.
> OIDC uses JWTs for everything, signed and unsigned. This means that OIDC is
> actually simpler from an implementation perspective, wouldn't you say?
> Instead of having two parsers, you have one to cover both cases.
>
>  (And given your tendency to throw signed assertions at every problem, I
> would have thought that you'd prefer this anyway.)
>
>   -- Justin
>
>  On Aug 1, 2013, at 9:40 AM, Nat Sakimura <sakimura@gmail.com> wrote:
>
>  Yes, it is a Token.
>  No, it does not have to be signed.
>
>  As to be a token or not to be a token question, it has been discussed in
> the WG before, and if I remember correctly,  Microsoft argued for token
> saying that it is just base64 decoding and I lost there.
>  Nat
>
> On Aug 1, 2013, at 14:24, Anthony Nadalin <tonynad@microsoft.com> wrote:
>
> You can’t do this, first openid uses a token and second it’s signed, third
> there is no specification to just return an authentication JSON structure
>
>  *From:* Richer, Justin P. [mailto:jricher@mitre.org <jricher@mitre.org>]
> *Sent:* Thursday, August 1, 2013 5:15 AM
> *To:* Anthony Nadalin
> *Cc:* Bill Mills; Prateek Mishra; Nat Sakimura; oauth@ietf.org WG
> *Subject:* Re: [OAUTH-WG] Need for Extending OAuth with AuthN (was Re:
> Fwd: New Version Notification for draft-hunt-oauth-v2-user-a4c-00.txt)
>
>  Tony, you can already return the authn result from the token request (we
> discussed this specifically in May as I recall). That's what the "idtoken"
> and "code idtoken" responses are for in OpenID Connect. The proposed draft
> is nearly a duplicate of the core functionality of OIDC.
>
>    -- Justin
>
>   On Aug 1, 2013, at 7:31 AM, Anthony Nadalin <tonynad@microsoft.com> wrote:
>
>  The proposal does not duplicate what OpenID does, there is clear benefit
> for returning an authentication result in the token request result. This is
> being proposed as optional JSON structure.
>
>    *From:* oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] *On
> Behalf Of *Bill Mills
> *Sent:* Wednesday, July 31, 2013 2:50 PM
> *To:* Prateek Mishra; Nat Sakimura
> *Cc:* oauth@ietf.org WG
> *Subject:* Re: [OAUTH-WG] Need for Extending OAuth with AuthN (was Re:
> Fwd: New Version Notification for draft-hunt-oauth-v2-user-a4c-00.txt)
>
>    Rather than extending OAuth for something OpenID already does...  why
> don't we get a simple informational example doc to show how to implement
> the most basic OpenID service, which is the same functionality on a
> standard that's already written?
>
>    This is sounding more and more like a documentation problem.
>
>    ------------------------------
>  *From:* Prateek Mishra <prateek.mishra@oracle.com>
> *To:* Nat Sakimura <sakimura@gmail.com>
> *Cc:* "oauth@ietf.org WG" <oauth@ietf.org>
> *Sent:* Wednesday, July 31, 2013 2:38 PM
> *Subject:* [OAUTH-WG] Need for Extending OAuth with AuthN (was Re: Fwd:
> New Version Notification for draft-hunt-oauth-v2-user-a4c-00.txt)
>
>   Nat -
>
> thanks for the detailed response. I did review the links you sent out but
> it remained unclear to me which
> features are MTI and which are not. For example, there is nothing in the
> Basic Client Profile that suggests
> that Section 2.3 is optional. I also could not find any definition for "
> non-dynamic OpenID Connect Server".
>
> I don't think there is a need to duplicate portions of the draft
> specification text in a new document. One solution
> that was used in SAML 2.0 was to define a conformance document which
> described several different
> operational modes and explained how only a small set of features needed to
> be implemented in certain modes.
>
> http://docs.oasis-open.org/security/saml/v2.0/saml-conformance-2.0-os.pdf
>
> There are probably other smarter ways to achieve the same effect.
>
> Given this situation, I do think it's a reasonable task for the OAuth
> community to consider the need for
> a minimal extension to OAuth that accommodates authentication. The
> community should be made aware that
> RFC 6749 is being misused for federated authentication, as explained in -
>
> http://www.independentid.com/2013/07/simple-authentication-for-oauth-2-what.html
>
> and that there doesn't appear to be a simple solution that is currently
> available. It would be great if it turned
> out that OpenID Connect offered such a solution but that isn't clear to me.
>
> Thx,
> prateek
>
>   Inline:
>  2013/7/31 Prateek Mishra <prateek.mishra@oracle.com>
>
>  Nat -
>
> your blog posting is helpful to those of us who are looking for a minimal
> extension of OAuth with
> an authenticator.  Many implementors are seeking a modest extension of
> OAuth, not an entire new protocol
> stack.   I believe that is the point of Phil Hunt's proposal to the OAuth
> committee.
>
> I do have some questions about the statements made in the blog -
>
> A) Can you direct me to a single OpenID Connect draft specification
> document where steps 1 and 2 are described?
>
>    Actually, it is not a single spec, that the Standard is referencing
> others.
>   The Standard is kind of cluttered because it has 6 response types and
> three request types in it.
>   I suppose it would be much easier for the readers to split them into
> coherent pieces, though that means duplicate texts.
>
>    The easiest approach here is to read the Basic Client Profile.
> http://openid.net/specs/openid-connect-basic-1_0-28.html
>   Then, read OAuth 2.0 Multiple Response Type Encoding Practices
> http://openid.net/specs/oauth-v2-multiple-response-types-1_0-08.html .
>
> B) If I implement steps 1 and 2, do I then have a conformant OpenID
> Connect implementation? Are there no
> other MTI protocol exchanges in OpenID Connect?
>
>    Yes, for a non-dynamic OpenID Connect Server.
>
>    Nat
>
>
> Thanks,
> prateek
>
>  I have written a short blog post titled "Write an OpenID Connect server
> in three simple steps<http://nat.sakimura.org/2013/07/28/write-openid-connect-server-in-three-simple-steps/>
> ".
>
>    Really, there is not much you need to on top of OAuth 2.0.
>
>    It puzzles me why you need to create a draft with only minor variances
> in parameter names.
>
>  e.g.,
>   session instead of id_token
>   lat instead of iat
>   alv instead of acr
>   etc.
>
>    If you change those parameter names, you will have a conformant
> profile of OpenID Connect.
>
>    Nat
>
>   2013/7/31 John Bradley <ve7jtb@ve7jtb.com>
>
>  Connect doesn't require a userinfo endpoint.   It is required for
> interoperability if you are building an open IdP.   For an enterprise type
> deployment discovery, registration, userinfo are all optional.
>
>    The server is required to pass the nonce which is equivalent to a
> request ID through to the JWT if the client sends it in the request.
>
>    Justin is correct.
>
>    John B.
>
>    On 2013-07-30, at 5:30 PM, Phil Hunt <phil.hunt@oracle.com> wrote:
>
>   Forgot reply all.
>
> Phil
>
> Begin forwarded message:
>
>  *From:* Phil Hunt <phil.hunt@oracle.com>
> *Date:* 30 July, 2013 17:25:46 GMT+02:00
> *To:* "Richer, Justin P." <jricher@mitre.org>
> *Subject:* *Re: [OAUTH-WG] New Version Notification for
> draft-hunt-oauth-v2-user-a4c-00.txt*
>
>   The whole point is authn only. Many do not want or need the userinfo
> endpoint.
>
> Phil
>
> On 2013-07-30, at 17:17, "Richer, Justin P." <jricher@mitre.org> wrote:
>
>  What do you mean? You absolutely can implement a compliant OIDC server
> nearly as simply as this. The things that you're missing I think are
> necessary for basic interoperable functionality, and are things that other
> folks using OAuth for authentication have also implemented. Namely:
>
>     - Signing the ID token (OIDC specifies the RS256 flavor of JWS, which
> is easy to do with JWT). Without a signed and verifiable ID token or
> equivalent, you're asking for all kinds of token injection problems.
>    - Session management requests (max auth age, auth time)
>    - Not fall over with other parameters that you don't support (display,
> prompt, etc).
>
>    See here for more information:
>
>     http://openid.net/specs/openid-connect-messages-1_0.html#ServerMTI
>
>    Additionally, something that's really important to support is the User
> Info Endpoint, so you can actually get user profile information beyond just
> the simple "someone was here" claim -- this was the real value of Facebook
> Connect from an RP's perspective. Some people will probably want to use
> SCIM for this, too, and that's fine.
>
>     -- Justin
>
>    On Jul 30, 2013, at 10:54 AM, Phil Hunt <phil.hunt@oracle.com> wrote:
>
>  The oidc specs do not allow this simple an implementation. The spec
> members have not shown interest in making changes as they say they are too
> far down the road.
>
>    I have tried to make my draft as close as possible to oidc but maybe
> it shouldn't be clarity wise. I am interested in what the group feels is
> clearest.
>
>    From an ietf perspective the concern is improper use of the 6749 for
> authn. Is this a bug or gap we need to address?
>
> Phil
>
> On 2013-07-30, at 16:46, "Richer, Justin P." <jricher@mitre.org> wrote:
>
>  From what I read, you've defined something that uses an OAuth 2 code
> flow to get an extra token which is specified as a JWT. You named it
> "session_token" instead of "id_token", and you've left off the User
> Information Endpoint -- but other than that, this is exactly the Basic
> Client for OpenID Connect. In other words, if you change the names on
> things you've got OIDC, but without the capabilities to go beyond a very
> basic "hey there's a user here" claim. This is the same place that OpenID
> 2.0 started, and it was very, very quickly extended with SREG, AX, PAPE,
> and others for it to be useful in the real world of distributed logins.
> You've also left out discovery and registration which are required for
> distributed deployments, but I'm guessing that those would be modular
> components that could be added in (like they are in OIDC).
>
>    I've heard complaints that OIDC is complicated, but it's really not.
> Yes, I agree that the giant stack of documents is intimidating and in my
> opinion it's a bit of a mess with Messages and Standard split up (but I
> lost that argument years ago). However, at the core, you've got an OAuth2
> authorization server that spits out access tokens and id tokens. The id
> token is a JWT with some known claims (iss, sub, etc) and is issued along
> side the access token, and its audience is the *client* and not the
> *protected resource*. The access token is a regular old access token and
> its format is undefined (so you can use it with an existing OAuth2 server
> setup, like we have), and it can be used at the User Info Endpoint to get
> profile information about the user who authenticated. It could also be used
> for other services if your AS/IdP protects multiple things.
>
>    So I guess what I'm missing is what's the value proposition in this
> spec when we have something that can do this already? And this doesn't seem
> to do anything different (apart from syntax changes)?
>
>     -- Justin
>
>    On Jul 29, 2013, at 4:14 AM, Phil Hunt <phil.hunt@oracle.com> wrote:
>
>  FYI.  I have been noticing a substantial number of sites acting as OAuth
> Clients using OAuth to authenticate users.
>
>    I know several of us have blogged on the issue over the past year so I
> won't re-hash it here.  In short, many of us recommended OIDC as the
> correct methodology.
>
>    Never-the-less, I've spoken with a number of service providers who
> indicate they are not ready to make the jump to OIDC, yet they agree there
> is a desire to support authentication only (whereas OIDC does IDP-like
> services).
>
>    This draft is intended as a minimum authentication only specification.
>  I've tried to make it as compatible as possible with OIDC.
>
>    For now, I've just posted to keep track of the issue so we can address
> at the next re-chartering.
>
>    Happy to answer questions and discuss.
>
>      Phil
>
>    @independentid
>   www.independentid.com
>   phil.hunt@oracle.com
>
>   Begin forwarded message:
>
>  *From:* internet-drafts@ietf.org
>   *Subject: New Version Notification for
> draft-hunt-oauth-v2-user-a4c-00.txt*
>   *Date:* 29 July, 2013 9:49:41 AM GMT+02:00
>   *To:* Phil Hunt <phil.hunt@yahoo.com>, Phil Hunt <None@ietfa.amsl.com>,
> Phil Hunt <>
>
> A new version of I-D, draft-hunt-oauth-v2-user-a4c-00.txt
> has been successfully submitted by Phil Hunt and posted to the
> IETF repository.
>
> Filename: draft-hunt-oauth-v2-user-a4c
> Revision: 00
> Title: OAuth 2.0 User Authentication For Client
> Creation date: 2013-07-29
> Group: Individual Submission
> Number of pages: 9
> URL:
> http://www.ietf.org/internet-drafts/draft-hunt-oauth-v2-user-a4c-00.txt
> Status:
> http://datatracker.ietf.org/doc/draft-hunt-oauth-v2-user-a4c
> Htmlized:
> http://tools.ietf.org/html/draft-hunt-oauth-v2-user-a4c-00
>
>
> Abstract:
>   This specification defines a new OAuth2 endpoint that enables user
>   authentication session information to be shared with client
>   applications.
>
>
>
>
> Please note that it may take a couple of minutes from the time of
> submission
> until the htmlized version and diff are available at tools.ietf.org.
>
> The IETF Secretariat
>
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>
> --
> Nat Sakimura (=nat)
> Chairman, OpenID Foundation
> http://nat.sakimura.org/
> @_nat_en


-- 
Nat Sakimura (=nat)
Chairman, OpenID Foundation
http://nat.sakimura.org/
@_nat_en
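
The client-side checks implied by Justin's description of the ID token quoted above (a signed JWT whose audience is the client) and John's note on nonce pass-through, as an added example that is not code from this thread or from any OpenID Connect implementation. It signs with HS256 from the Python standard library in place of the RS256 the thread says OIDC specifies, and the issuer, client id, key and claim values are constructed.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo values (assumptions; none come from the thread).
ISSUER = "https://idp.example"
CLIENT_ID = "client-a"
DEMO_KEY = b"constructed-demo-key"
NOW = 1375341057  # fixed clock so the demo is deterministic


class IdTokenError(Exception):
    """Raised with a short reason code when a check fails."""


def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_id_token(claims, key=DEMO_KEY, alg="HS256"):
    """Issue a compact JWT for the demo; alg="none" gives an unsigned one."""
    header = b64url_encode(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    if alg == "none":
        return f"{header}.{payload}."
    mac = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(mac)}"


def validate_id_token(token, key, issuer, client_id, nonce=None,
                      max_age=None, now=None):
    """Return the claims if every client-side check passes."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise IdTokenError("format")
    try:
        header = json.loads(b64url_decode(parts[0]))
        claims = json.loads(b64url_decode(parts[1]))
        signature = b64url_decode(parts[2])
    except ValueError:
        raise IdTokenError("format") from None
    if not isinstance(header, dict) or not isinstance(claims, dict):
        raise IdTokenError("format")

    # Pin the algorithm the client expects; never trust the header's choice.
    if header.get("alg") != "HS256":
        raise IdTokenError("alg")
    expected = hmac.new(key, f"{parts[0]}.{parts[1]}".encode(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        raise IdTokenError("signature")

    if claims.get("iss") != issuer:
        raise IdTokenError("iss")
    # The audience is the client, not the protected resource.
    aud = claims.get("aud")
    if client_id not in (aud if isinstance(aud, list) else [aud]):
        raise IdTokenError("aud")
    exp = claims.get("exp")
    if not isinstance(exp, int) or exp <= now:
        raise IdTokenError("exp")
    # The server echoes the request's nonce; it ties the token to the request.
    if nonce is not None and claims.get("nonce") != nonce:
        raise IdTokenError("nonce")
    # Session management: enforce a maximum authentication age if requested.
    if max_age is not None:
        auth_time = claims.get("auth_time")
        if not isinstance(auth_time, int) or now - auth_time > max_age:
            raise IdTokenError("auth_time")
    return claims


def verdict(token, nonce="n-0S6", client_id=CLIENT_ID, now=NOW, max_age=None):
    """Run the validator as CLIENT_ID would and report 'ok' or the reason."""
    try:
        validate_id_token(token, DEMO_KEY, ISSUER, client_id, nonce,
                          max_age, now)
        return "ok"
    except IdTokenError as err:
        return str(err)


SAMPLE_CLAIMS = {"iss": ISSUER, "sub": "user-123", "aud": CLIENT_ID,
                 "iat": NOW, "exp": NOW + 300, "auth_time": NOW - 60,
                 "nonce": "n-0S6"}

if __name__ == "__main__":
    cases = {
        "valid": make_id_token(SAMPLE_CLAIMS),
        "unsigned": make_id_token(SAMPLE_CLAIMS, alg="none"),
        "issued to client-b": make_id_token(dict(SAMPLE_CLAIMS, aud="client-b")),
        "signed with other key": make_id_token(SAMPLE_CLAIMS, key=b"other-key"),
    }
    for name, tok in cases.items():
        print(f"{name:22} -> {verdict(tok)}")
```

The audience check is what stops a token issued to one client from being accepted as a login at another, and pinning the algorithm is what rejects the unsigned variant.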

--001a11c3e8802c416404e2efbbff
Content-Type: text/html; charset=windows-1252
Content-Transfer-Encoding: quoted-printable

<div dir=3D"ltr">It is not a circular reference.=A0<div>They are layered.=
=A0</div><div>Profile referencing an extension sepc, which references a fra=
mework spec is perfectly fine.=A0</div><div>In fact, it should be that way.=
=A0</div>
<div><br></div><div>It is just that the middle section in this case was wor=
ked out at an outside forum.=A0</div><div>Suppose it was worked in at OAuth=
 WG and it was called OAuth Authentication Extension.=A0</div><div>And let =
us call what Phil is proposing as OAuth Authentication Extension Basic Prof=
ile.=A0</div>
<div><br></div><div>Then would it be a problem for the Basic Profile to ref=
erence the Authn Extension, which in turn refences the RFC6749? Do we call =
it circular?=A0</div><div><br></div><div>Of course not.=A0</div><div><br></=
div>
<div>In this case, it is only that the &quot;OAuth Authentication Extension=
&quot; is called &quot;OpenID Connect&quot;.=A0</div><div><br></div><div><d=
iv><br></div></div></div><div class=3D"gmail_extra"><br><br><div class=3D"g=
mail_quote">
2013/8/2 Bill Mills <span dir=3D"ltr">&lt;<a href=3D"mailto:wmills_92105@ya=
hoo.com" target=3D"_blank">wmills_92105@yahoo.com</a>&gt;</span><br><blockq=
uote class=3D"gmail_quote" style=3D"margin:0 0 0 .8ex;border-left:1px #ccc =
solid;padding-left:1ex">
<div><div style=3D"font-size:12pt;font-family:Courier New,courier,monaco,mo=
nospace,sans-serif"><div><span>Circular references are not my favorite.</sp=
an></div><div><br></div>  <div style=3D"font-family:&#39;Courier New&#39;,c=
ourier,monaco,monospace,sans-serif;font-size:12pt">
 <div style=3D"font-family:&#39;times new roman&#39;,&#39;new york&#39;,tim=
es,serif;font-size:12pt"> <div dir=3D"ltr"> <hr size=3D"1">  <font face=3D"=
Arial"> <b><span style=3D"font-weight:bold">From:</span></b> Nat Sakimura &=
lt;<a href=3D"mailto:sakimura@gmail.com" target=3D"_blank">sakimura@gmail.c=
om</a>&gt;<br>
 <b><span style=3D"font-weight:bold">To:</span></b> Phil Hunt &lt;<a href=
=3D"mailto:phil.hunt@oracle.com" target=3D"_blank">phil.hunt@oracle.com</a>=
&gt; <br><b><span style=3D"font-weight:bold">Cc:</span></b> &quot;<a href=
=3D"mailto:oauth@ietf.org" target=3D"_blank">oauth@ietf.org</a> WG&quot; &l=
t;<a href=3D"mailto:oauth@ietf.org" target=3D"_blank">oauth@ietf.org</a>&gt=
; <br>
 <b><span style=3D"font-weight:bold">Sent:</span></b> Thursday, August 1, 2=
013 9:34 PM<div><div class=3D"h5"><br> <b><span style=3D"font-weight:bold">=
Subject:</span></b> Re: [OAUTH-WG] Need for Extending OAuth with AuthN (was=
 Re: Fwd:
 New Version Notification for draft-hunt-oauth-v2-user-a4c-00.txt)<br> </di=
v></div></font> </div><div><div class=3D"h5"> <div><br><div><div dir=3D"ltr=
">Not necessarily. Why would it be inappropriate?=A0<div><br></div><div>I c=
all it NIH syndrome.=A0</div>
<div>Respecting the work which is done outside is a good thing.=A0</div><di=
v>Just taking the content and taking a credit for it is a bad practice.=A0<=
/div>
<div><br></div><div>Forking is also bad.=A0</div><div><br></div><div><br><b=
r><div>2013/8/2 Phil Hunt <span dir=3D"ltr">&lt;<a rel=3D"nofollow" href=3D=
"mailto:phil.hunt@oracle.com" target=3D"_blank">phil.hunt@oracle.com</a>&gt=
;</span><br>

<blockquote style=3D"margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-l=
eft:1ex"><div><div>OpenId specs can depend on oAuth. Having OAuth depend on=
 OpenId is not appropriate here.=A0<span><font color=3D"#888888"><br>
<br>Phil</font></span></div><div><div><div><br>On 2013-08-01, at 18:07, Nat=
 Sakimura &lt;<a rel=3D"nofollow" href=3D"mailto:sakimura@gmail.com" target=
=3D"_blank">sakimura@gmail.com</a>&gt; wrote:<br><br></div><blockquote type=
=3D"cite">

<div><div dir=3D"ltr">Like Bill says, it can just be a profile of OpenID Co=
nnect.=A0<div>IETF specs already references OpenID Foundation specs.=A0</di=
v><div>It should not be a problem.=A0</div><div>I do not think we want to f=
olk.=A0</div>


</div><div><br><br><div>2013/8/1 Anthony Nadalin <span dir=3D"ltr">&lt;<a r=
el=3D"nofollow" href=3D"mailto:tonynad@microsoft.com" target=3D"_blank">ton=
ynad@microsoft.com</a>&gt;</span><br><blockquote style=3D"margin:0 0 0 .8ex=
;border-left:1px #ccc solid;padding-left:1ex">








<div lang=3D"EN-US">
<div>
<div><span style=3D"font-size:11.0pt;color:#1f497d">I believe it beneficial=
 to have a common format and common values, and 1 way to handle the format =
and values. I believe that having this in oauth is beneficial,
 I believe that it would also be beneficial for OpenID if this were in oaut=
h. There are cases for signed and unsigned formats.
<u></u><u></u></span></div>
<div><a rel=3D"nofollow" name=3D"1403d56b0cecaa34_1403d1e1feb19c57_1403a467=
8daa8350__MailEndCompose"><span style=3D"font-size:11.0pt;color:#1f497d"><u=
></u>=A0<u></u></span></a></div>
<div>
<div style=3D"border:none;border-top:solid #e1e1e1 1.0pt;padding:3.0pt 0in =
0in 0in">
<div><b><span style=3D"font-size:11.0pt">From:</span></b><span style=3D"fon=
t-size:11.0pt"> Richer, Justin P. [mailto:<a rel=3D"nofollow" href=3D"mailt=
o:jricher@mitre.org" target=3D"_blank">jricher@mitre.org</a>]
<br>
<b>Sent:</b> Thursday, August 1, 2013 7:15 AM<br>
<b>To:</b> Nat Sakimura<br>
<b>Cc:</b> Anthony Nadalin; Bill Mills; Prateek Mishra; <a rel=3D"nofollow"=
 href=3D"mailto:oauth@ietf.org" target=3D"_blank">oauth@ietf.org</a> WG</sp=
an></div><div><div><br>
<b>Subject:</b> Re: [OAUTH-WG] Need for Extending OAuth with AuthN (was Re:=
 Fwd: New Version Notification for draft-hunt-oauth-v2-user-a4c-00.txt)<u><=
/u><u></u></div></div>
</div>
</div><div><div>
<div><u></u>=A0<u></u></div>
<div>Also, it&#39;s (optionally) a token in the proposed document we&#39;re=
 discussing (=A72.4.1), which means there are two ways to parse the same in=
formation. OIDC uses JWTs for everything, signed and unsigned. This means t=
hat OIDC is actually simpler
 from an implementation perspective, wouldn&#39;t you say? Instead of havin=
g two parsers, you have one to cover both cases.=A0
<u></u><u></u></div>
<div>
<div><u></u>=A0<u></u></div>
</div>
<div>
<div>(And given your tendency to throw signed assertions at every problem, =
I would have thought that you&#39;d prefer this anyway.)
<u></u><u></u></div>
<div>
<div><u></u>=A0<u></u></div>
</div>
<div>
<div>=A0-- Justin<u></u><u></u></div>
</div>
<div>
<div><u></u>=A0<u></u></div>
<div>
<div>
<div>On Aug 1, 2013, at 9:40 AM, Nat Sakimura &lt;<a rel=3D"nofollow" href=
=3D"mailto:sakimura@gmail.com" target=3D"_blank">sakimura@gmail.com</a>&gt;=
<u></u><u></u></div>
</div>
<div>
<div>=A0wrote:<u></u><u></u></div>
</div>
<div><br>
<br>
<u></u><u></u></div>
<blockquote style=3D"margin-top:5.0pt;margin-bottom:5.0pt">
<div>
<div>
<div>Yes, it is a Token.=A0<u></u><u></u></div>
</div>
<div>
<div>No, it does not have to be signed.=A0<u></u><u></u></div>
</div>
<div>
<div><u></u>=A0<u></u></div>
</div>
<div>
<div style=3D"margin-bottom:12.0pt">As to be a token or not to be a token q=
uestion, it has been discussed in the WG before, and if I remember correctl=
y, =A0Microsoft argued for token saying that it is just base64 decoding and=
 I lost there. =A0<u></u><u></u></div>



</div>
<div>
<div>Nat<u></u><u></u></div>
</div>
<div>
<div style=3D"margin-bottom:12.0pt"><br>
On Aug 1, 2013, at 14:24, Anthony Nadalin &lt;<a rel=3D"nofollow" href=3D"m=
ailto:tonynad@microsoft.com" target=3D"_blank">tonynad@microsoft.com</a>&gt=
; wrote:<u></u><u></u></div>
</div>
<blockquote style=3D"margin-top:5.0pt;margin-bottom:5.0pt">
<div><span style=3D"font-size:11.0pt;color:#1f497d">You can=92t do this, fi=
rst openid uses a token and second it=92s signed, third there is no specifi=
cation to just return a authentication JSON structure</span><u></u><u></u><=
/div>



<div><span style=3D"font-size:11.0pt;color:#1f497d">=A0</span><u></u><u></u=
></div>
<div>
<div style=3D"border:none;border-top:solid #e1e1e1 1.0pt;padding:3.0pt 0in =
0in 0in">
<div><b><span style=3D"font-size:11.0pt">From:</span></b><span style=3D"fon=
t-size:11.0pt"> Richer, Justin P. [<a rel=3D"nofollow" href=3D"mailto:jrich=
er@mitre.org" target=3D"_blank">mailto:jricher@mitre.org</a>]
<br>
<b>Sent:</b> Thursday, August 1, 2013 5:15 AM<br>
<b>To:</b> Anthony Nadalin<br>
<b>Cc:</b> Bill Mills; Prateek Mishra; Nat Sakimura; <a rel=3D"nofollow" hr=
ef=3D"mailto:oauth@ietf.org" target=3D"_blank">
oauth@ietf.org</a> WG<br>
<b>Subject:</b> Re: [OAUTH-WG] Need for Extending OAuth with AuthN (was Re:=
 Fwd: New Version Notification for draft-hunt-oauth-v2-user-a4c-00.txt)</sp=
an><u></u><u></u></div>
</div>
</div>
<div>
<div>=A0<u></u><u></u></div>
</div>
<div>Tony, you can already return the authn result from the token request (=
we discussed this specifically in May as I recall). That&#39;s what the &qu=
ot;idtoken&quot; and &quot;code idtoken&quot; responses are for in OpenID C=
onnect. The proposed draft is nearly a duplicate
 of the core functionality of OIDC. <u></u><u></u></div>
<div>
<div>
<div>=A0<u></u><u></u></div>
</div>
</div>
<div>
<div>=A0-- Justin<u></u><u></u></div>
</div>
<div>
<div>
<div>=A0<u></u><u></u></div>
</div>
<div>
<div>
<div>On Aug 1, 2013, at 7:31 AM, Anthony Nadalin &lt;<a rel=3D"nofollow" hr=
ef=3D"mailto:tonynad@microsoft.com" target=3D"_blank">tonynad@microsoft.com=
</a>&gt;<u></u><u></u></div>
</div>
<div>
<div>=A0wrote:<u></u><u></u></div>
</div>
<div style=3D"margin-bottom:12.0pt"><u></u>=A0<u></u></div>
<blockquote style=3D"margin-top:5.0pt;margin-bottom:5.0pt">
<div>
<div>
<div><span style=3D"font-size:11.0pt;color:#1f497d">The proposal does not d=
uplicate what OpenID does, there is clear benefit for returning an authenti=
cation result in the token request result. This is being proposed
 as optional JSON structure.</span><u></u><u></u></div>
</div>
<div>
<div>
<div><span style=3D"font-size:11.0pt;color:#1f497d">=A0</span><u></u><u></u=
></div>
</div>
</div>
<div>
<div style=3D"border:none;border-top:solid #e1e1e1 1.0pt;padding:3.0pt 0in =
0in 0in">
<div>
<div><b><span style=3D"font-size:11.0pt">From:</span></b><span><span style=
=3D"font-size:11.0pt">=A0</span></span><span style=3D"font-size:11.0pt"><a =
rel=3D"nofollow" href=3D"mailto:oauth-bounces@ietf.org" target=3D"_blank"><=
span style=3D"color:purple">oauth-bounces@ietf.org</span></a><span>=A0</spa=
n>[mailto:<a rel=3D"nofollow" href=3D"mailto:oauth-" target=3D"_blank">oaut=
h-</a><a rel=3D"nofollow" href=3D"mailto:bounces@ietf.org" target=3D"_blank=
"><span style=3D"color:purple">bounces@ietf.org</span></a>]<span>=A0</span>=
<b>On
 Behalf Of<span>=A0</span></b>Bill Mills<br>
<b>Sent:</b><span>=A0</span>Wednesday, July 31, 2013 2:50 PM<br>
<b>To:</b><span>=A0</span>Prateek Mishra; Nat Sakimura<br>
<b>Cc:</b><span>=A0</span><a rel=3D"nofollow" href=3D"mailto:oauth@ietf.org=
" target=3D"_blank"><span style=3D"color:purple">oauth@ietf.org</span></a><=
span>=A0</span>WG<br>
<b>Subject:</b><span>=A0</span>Re: [OAUTH-WG] Need for Extending OAuth with=
 AuthN (was Re: Fwd: New Version Notification for draft-hunt-oauth-v2-user-=
a4c-00.txt)</span><u></u><u></u></div>
</div>
</div>
</div>
<div>
<div>
<div>=A0<u></u><u></u></div>
</div>
</div>
<div>
<div>
<div>
<div style=3D"background:white"><span>Rather than extending OAuth for somet=
hing OpenID already does... =A0why don&#39;t we get a simple informational =
example doc to show how to implement the most basic OpenID service,
 which is the same functionality on a standard that&#39;s already written?<=
/span><u></u><u></u></div>
</div>
</div>
<div>
<div>
<div>
<div><span>=A0</span><u></u><u></u></div>
</div>
</div>
</div>
<div>
<div>
<div><span>This is sounding more and mor elike a documentation problem.</sp=
an><u></u><u></u></div>
</div>
</div>
<div>
<div>
<div>
<div style=3D"background:white"><span>=A0</span><u></u><u></u></div>
</div>
</div>
</div>
<div>
<div>
<div align=3D"center" style=3D"text-align:center;background:white">
<hr size=3D"1" width=3D"100%" align=3D"center">
</div>
<div>
<div style=3D"background:white"><b><span style=3D"font-size:10.0pt">From:</=
span></b><span><span style=3D"font-size:10.0pt">=A0</span></span><span styl=
e=3D"font-size:10.0pt">Prateek
 Mishra &lt;<a rel=3D"nofollow" href=3D"mailto:prateek.mishra@oracle.com" t=
arget=3D"_blank"><span style=3D"color:purple">prateek.mishra@oracle.com</sp=
an></a>&gt;<br>
<b>To:</b><span>=A0</span>Nat Sakimura &lt;<a rel=3D"nofollow" href=3D"mail=
to:sakimura@gmail.com" target=3D"_blank"><span style=3D"color:purple">sakim=
ura@gmail.com</span></a>&gt;<span>=A0</span><br>
<b>Cc:</b><span>=A0</span>&quot;<a rel=3D"nofollow" href=3D"mailto:oauth@ie=
tf.org%20WG" target=3D"_blank"><span style=3D"color:purple">oauth@ietf.org =
WG</span></a>&quot; &lt;<a rel=3D"nofollow" href=3D"mailto:oauth@ietf.org" =
target=3D"_blank"><span style=3D"color:purple">oauth@ietf.org</span></a>&gt=
;<span>=A0</span><br>



<b>Sent:</b><span>=A0</span>Wednesday, July 31, 2013 2:38 PM<br>
<b>Subject:</b><span>=A0</span>[OAUTH-WG] Need for Extending OAuth with Aut=
hN (was Re: Fwd: New Version Notification for draft-hunt-oauth-v2-user-a4c-=
00.txt)</span><u></u><u></u></div>
</div>
</div>
<div>
<div>
<div>
<div style=3D"background:white">=A0<u></u><u></u></div>
</div>
</div>
<div>
<div>
<div style=3D"background:white">Nat -<span>=A0</span><br>
<br>
thanks for the detailed response. I did review the links you sent out but i=
t remained unclear to me which<br>
features are MTI and which are not. For example, there is nothing in the Ba=
sic Client Profile that suggests<br>
that Section 2.3 is optional. I also could not find any definition for &quo=
t; non-dynamic OpenID Connect Server&quot;.<br>
<br>
I dont think there is a need to duplicate portions of the draft specificati=
on text in a new document. One solution<br>
that was used in SAML 2.0 was to define a conformance document which descri=
bed several different<span>=A0</span><br>
operational modes and explained how only a small set of features needed to =
be implemented in certain modes.<br>
<br>
<a rel=3D"nofollow" href=3D"http://docs.oasis-open.org/security/saml/v2.0/s=
aml-conformance-2.0-os.pdf" target=3D"_blank"><span style=3D"color:purple">=
http://docs.oasis-open.org/security/saml/v2.0/saml-conformance-2.0-os.pdf</=
span></a><br>

<br>
There are probably other smarter ways to achieve the same effect.<br>
<br>
Given this situation, I do think its a reasonable task for the OAuth commun=
ity to consider the need for<span>=A0</span><br>
a minimal extension to OAuth that accommodates authentication. The communit=
y should be made aware that<span>=A0</span><br>
RFC 6749 is being misused for federated authentication, as explained in=A0 =
-=A0<span>=A0</span><br>
<br>
<a rel=3D"nofollow" href=3D"http://www.independentid.com/2013/07/simple-aut=
hentication-for-oauth-2-what.html" target=3D"_blank"><span style=3D"color:p=
urple">http://www.independentid.com/2013/07/simple-authentication-for-oauth=
-2-what.html</span></a><span>=A0</span><br>



<br>
and that there doesn&#39;t appear to be a simple solution that is currently=
 available. It would be great if it turned<br>
out that OpenID Connect offered such a solution but that isn&#39;t clear to=
 me.<br>
<br>
Thx,<br>
prateek<u></u><u></u></div>
</div>
<div>
<div>
<div>
<div style=3D"background:white">=A0<u></u><u></u></div>
</div>
</div>
</div>
<blockquote style=3D"margin-top:5.0pt;margin-bottom:5.0pt">
<div>
<div>
<div style=3D"background:white">=A0<u></u><u></u></div>
</div>
</div>
<div>
<div style=3D"margin-bottom:12.0pt;background:white">
Inline:=A0<u></u><u></u></div>
<div>
<div>
<div style=3D"background:white">2013/7/31 Prateek Mishra &lt;<a rel=3D"nofo=
llow" href=3D"mailto:prateek.mishra@oracle.com" target=3D"_blank"><span sty=
le=3D"color:purple">prateek.mishra@oracle.com</span></a>&gt;<u></u><u></u><=
/div>

</div>
<blockquote style=3D"border:none;border-left:solid #cccccc 1.0pt;padding:0i=
n 0in 0in 6.0pt;margin-left:4.8pt;margin-top:5.0pt;margin-right:0in;margin-=
bottom:5.0pt">
<div>
<div style=3D"background:white">Nat -<span>=A0</span><br>
<br>
your blog posting is helpful to those of us who are looking for a minimal e=
xtension of OAuth with<span>=A0</span><br>
an authenticator.=A0 Many implementors are seeking a modest extension of OA=
uth, not an entire new protocol<br>
stack. =A0 I believe that is the point of Phil Hunt&#39;s proposal to the O=
Auth committee.<br>
<br>
I do have some questions about the statements made in the blog -<span>=
=A0</span><br>
<br>
A) Can you direct me to a single OpenID Connect draft specification documen=
t where steps 1 and 2 are described?<u></u><u></u></div>
</div>
</blockquote>
<div>
<div>
<div>
<div style=3D"background:white">=A0<u></u><u></u></div>
</div>
</div>
</div>
<div>
<div>
<div style=3D"background:white">Actually, it is not a single spec, that the=
 Standard is referencing others.=A0<u></u><u></u></div>
</div>
</div>
<div>
<div>
<div style=3D"background:white">The Standard is kind of cluttered because i=
t has 6 response types and three request types in it.=A0<u></u><u></u></div=
>
</div>
</div>
<div>
<div>
<div style=3D"background:white">I suppose it would be much easier for the r=
eaders to split them into coherent pieces, though that means duplicate text=
s.=A0<u></u><u></u></div>
</div>
</div>
<div>
<div>
<div>
<div style=3D"background:white">=A0<u></u><u></u></div>
</div>
</div>
</div>
<div>
<div>
<div style=3D"background:white">The easiest approach here is to read the Ba=
sic Client Profile.=A0<a rel=3D"nofollow" href=3D"http://openid.net/specs/o=
penid-connect-basic-1_0-28.html" target=3D"_blank"><span style=3D"color:pur=
ple">http://openid.net/specs/openid-connect-basic-1_0-28.html</span></a><u>=
</u><u></u></div>



</div>
</div>
<div>
<div>
<div style=3D"background:white">Then, read=A0OAuth 2.0 Multiple Response Ty=
pe Encoding Practices=A0<a rel=3D"nofollow" href=3D"http://openid.net/specs=
/oauth-v2-multiple-response-types-1_0-08.html" target=3D"_blank"><span styl=
e=3D"color:purple">http://openid.net/specs/oauth-v2-multiple-response-types=
-1_0-08.html</span></a>=A0.=A0<u></u><u></u></div>



</div>
</div>
<div>
<div>
<div>
<div style=3D"background:white">=A0<u></u><u></u></div>
</div>
</div>
</div>
<blockquote style=3D"border:none;border-left:solid #cccccc 1.0pt;padding:0i=
n 0in 0in 6.0pt;margin-left:4.8pt;margin-top:5.0pt;margin-right:0in;margin-=
bottom:5.0pt">
<div>
<div style=3D"background:white"><br>
B) If I implement steps 1 and 2, do I then have a conformant OpenID Connect=
 implementation? Are there no<span>=A0</span><br>
other MTI protocol exchanges in OpenID Connect?<u></u><u></u></div>
</div>
</blockquote>
<div>
<div>
<div>
<div style=3D"background:white">=A0<u></u><u></u></div>
</div>
</div>
</div>
<div>
<div>
<div style=3D"background:white">Yes, for a non-dynamic OpenID Connect Serve=
r.=A0<u></u><u></u></div>
</div>
</div>
<div>
<div>
<div>
<div style=3D"background:white">=A0<u></u><u></u></div>
</div>
</div>
</div>
<div>
<div>
<div style=3D"background:white">Nat<u></u><u></u></div>
</div>
</div>
<div>
<div>
<div>
<div style=3D"background:white">=A0=A0<u></u><u></u></div>
</div>
</div>
</div>
<blockquote style=3D"border:none;border-left:solid #cccccc 1.0pt;padding:0i=
n 0in 0in 6.0pt;margin-left:4.8pt;margin-top:5.0pt;margin-right:0in;margin-=
bottom:5.0pt">
<div>
<div style=3D"background:white"><br>
Thanks,<br>
prateek<u></u><u></u></div>
</div>
<div>
<div>
<div style=3D"background:white"><br>
<br>
=A0 =A0<u></u><u></u></div>
</div>
<div>
<div>
<div>
<div style=3D"background:white">=A0<u></u><u></u></div>
</div>
</div>
</div>
<blockquote style=3D"margin-top:5.0pt;margin-bottom:5.0pt">
<div>
<div>
<div style=3D"background:white">I have written a short blog post titled &qu=
ot;<a rel=3D"nofollow" href=3D"http://nat.sakimura.org/2013/07/28/write-ope=
nid-connect-server-in-three-simple-steps/" target=3D"_blank"><span style=3D=
"color:purple">Write an OpenID Connect server
 in three simple steps</span></a>&quot;.=A0<u></u><u></u></div>
</div>
<div>
<div>
<div>
<div style=3D"background:white">=A0<u></u><u></u></div>
</div>
</div>
</div>
<div>
<div>
<div style=3D"background:white">Really, there is not much you need to do =
on top of OAuth 2.0.=A0<u></u><u></u></div>
</div>
</div>
<div>
<div>
<div>
<div style=3D"background:white">=A0<u></u><u></u></div>
</div>
</div>
</div>
<div>
<div>
<div style=3D"background:white">It puzzles me why you need to create a draf=
t with only minor variances in parameter names.=A0<u></u><u></u></div>
</div>
</div>
<div>
<div>
<div>
<div style=3D"background:white">=A0<u></u><u></u></div>
</div>
</div>
</div>
<blockquote style=3D"margin-left:30.0pt;margin-top:5.0pt;margin-right:0in;m=
argin-bottom:5.0pt">
<div>
<div>
<div style=3D"background:white">e.g.,=A0<u></u><u></u></div>
</div>
</div>
<div>
<div>
<div style=3D"background:white">session instead of id_token<u></u><u></u></=
div>
</div>
</div>
<div>
<div>
<div style=3D"background:white">lat instead of iat<u></u><u></u></div>
</div>
</div>
<div>
<div>
<div style=3D"background:white">alv instead of acr<u></u><u></u></div>
</div>
</div>
<div>
<div>
<div style=3D"background:white">etc.=A0<u></u><u></u></div>
</div>
</div>
</blockquote>
<div>
<div>
<div>
<div style=3D"background:white">=A0<u></u><u></u></div>
</div>
</div>
</div>
<div>
<div>
<div style=3D"background:white">If you change those parameter names, you wi=
ll have a conformant profile of OpenID Connect.=A0<u></u><u></u></div>
</div>
</div>
<div>
<div>
<div>
<div style=3D"background:white">=A0<u></u><u></u></div>
</div>
</div>
</div>
<div>
<div>
<div style=3D"background:white">Nat<u></u><u></u></div>
</div>
</div>
</div>
<div>
<div style=3D"margin-bottom:12.0pt">
<div style=3D"background:white">=A0<u></u><u></u></div>
</div>
<div>
<div>
<div style=3D"background:white">2013/7/31 John Bradley &lt;<a rel=3D"nofoll=
ow" href=3D"mailto:ve7jtb@ve7jtb.com" target=3D"_blank"><span style=3D"colo=
r:purple">ve7jtb@ve7jtb.com</span></a>&gt;<u></u><u></u></div>
</div>
<blockquote style=3D"border:none;border-left:solid #cccccc 1.0pt;padding:0i=
n 0in 0in 6.0pt;margin-left:4.8pt;margin-top:5.0pt;margin-right:0in;margin-=
bottom:5.0pt">
<div>
<div>
<div style=3D"background:white">Connect doesn&#39;t require a userinfo endp=
oint. =A0 It is required for interoperability if you are building an open I=
dP. =A0 For an enterprise type deployment discovery, registration, =
userinfo are all optional.<u></u><u></u></div>



</div>
<div>
<div>
<div>
<div style=3D"background:white">=A0<u></u><u></u></div>
</div>
</div>
</div>
<div>
<div>
<div style=3D"background:white">The server is required to pass the nonce wh=
ich is equivalent to a request ID through to the JWT if the client sends it=
 in the request.<u></u><u></u></div>
</div>
</div>
<div>
<div>
<div>
<div style=3D"background:white">=A0<u></u><u></u></div>
</div>
</div>
</div>
<div>
<div>
<div style=3D"background:white">Justin is correct.<u></u><u></u></div>
</div>
</div>
<div>
<div>
<div>
<div style=3D"background:white">=A0<u></u><u></u></div>
</div>
</div>
</div>
<div>
<div>
<div style=3D"background:white">John B.<u></u><u></u></div>
</div>
<div>
<div>
<div>
<div style=3D"background:white">=A0<u></u><u></u></div>
</div>
</div>
<div>
<div>
<div>
<div style=3D"background:white">On 2013-07-30, at 5:30 PM, Phil Hunt &lt;<a=
 rel=3D"nofollow" href=3D"mailto:phil.hunt@oracle.com" target=3D"_blank"><s=
pan style=3D"color:purple">phil.hunt@oracle.com</span></a>&gt; wrote:<u></u=
><u></u></div>



</div>
</div>
<div>
<div style=3D"margin-bottom:12.0pt;background:white"><br>
<br>
<u></u><u></u></div>
</div>
<blockquote style=3D"margin-top:5.0pt;margin-bottom:5.0pt">
<div>
<div>
<div>
<div style=3D"background:white">Forgot reply all.<br>
<br>
Phil<u></u><u></u></div>
</div>
</div>
<div>
<div style=3D"margin-bottom:12.0pt;background:white">
<br>
Begin forwarded message:<u></u><u></u></div>
</div>
<blockquote style=3D"margin-top:5.0pt;margin-bottom:5.0pt">
<div style=3D"margin-bottom:12.0pt;background:white">
<b>From:</b><span>=A0</span>Phil Hunt &lt;<a rel=3D"nofollow" href=3D"mailt=
o:phil.hunt@oracle.com" target=3D"_blank"><span style=3D"color:purple">phil=
.hunt@oracle.com</span></a>&gt;<br>
<b>Date:</b><span>=A0</span>30 July, 2013 17:25:46 GMT+02:00<br>
<b>To:</b><span>=A0</span>&quot;Richer, Justin P.&quot; &lt;<a rel=3D"nofol=
low" href=3D"mailto:jricher@mitre.org" target=3D"_blank"><span style=3D"col=
or:purple">jricher@mitre.org</span></a>&gt;<br>
<b>Subject:</b><span>=A0</span><b>Re: [OAUTH-WG] New Version Notification f=
or draft-hunt-oauth-v2-user-a4c-00.txt</b><u></u><u></u></div>
</blockquote>
<blockquote style=3D"margin-top:5.0pt;margin-bottom:5.0pt">
<div>
<div>
<div style=3D"background:white">The whole point is authn only. Many do not =
want or need the userinfo endpoint.=A0<br>
<br>
Phil<u></u><u></u></div>
</div>
</div>
<div>
<div style=3D"margin-bottom:12.0pt;background:white">
<br>
On 2013-07-30, at 17:17, &quot;Richer, Justin P.&quot; &lt;<a rel=3D"nofoll=
ow" href=3D"mailto:jricher@mitre.org" target=3D"_blank"><span style=3D"colo=
r:purple">jricher@mitre.org</span></a>&gt; wrote:<u></u><u></u></div>
</div>
<blockquote style=3D"margin-top:5.0pt;margin-bottom:5.0pt">
<div>
<div style=3D"background:white">What do you mean? You absolutely can implem=
ent a compliant OIDC server nearly as simply as this. The things that you&#=
39;re missing I think are necessary for basic interoperable functionality, =
and are things that other
 folks using OAuth for authentication have also implemented. Namely:<u></u>=
<u></u></div>
</div>
<div>
<div>
<div>
<div style=3D"background:white">=A0<u></u><u></u></div>
</div>
</div>
</div>
<div>
<div>
<div style=3D"background:white">=A0- Signing the ID token (OIDC specifies t=
he RS256 flavor of JWS, which is easy to do with JWT). Without a signed and=
 verifiable ID token or equivalent, you&#39;re asking for all kinds of toke=
n injection problems.<u></u><u></u></div>



</div>
</div>
<div>
<div>
<div style=3D"background:white">=A0- Session management requests (max auth =
age, auth time)<u></u><u></u></div>
</div>
</div>
<div>
<div>
<div style=3D"background:white">=A0- Not fall over with other parameters th=
at you don&#39;t support (display, prompt, etc).<u></u><u></u></div>
</div>
</div>
<div>
<div>
<div>
<div style=3D"background:white">=A0<u></u><u></u></div>
</div>
</div>
</div>
<div>
<div>
<div style=3D"background:white">See here for more information:<u></u><u></u=
></div>
</div>
</div>
<div>
<div>
<div>
<div style=3D"background:white">=A0<u></u><u></u></div>
</div>
</div>
</div>
<div>
<div>
<div style=3D"background:white">=A0<a rel=3D"nofollow" href=3D"http://openi=
d.net/specs/openid-connect-messages-1_0.html#ServerMTI" target=3D"_blank"><=
span style=3D"color:purple">http://openid.net/specs/openid-connect-messages=
-1_0.html#ServerMTI</span></a><u></u><u></u></div>



</div>
</div>
<div>
<div>
<div>
<div style=3D"background:white">=A0<u></u><u></u></div>
</div>
</div>
</div>
<div>
<div>
<div style=3D"background:white">Additionally, something that&#39;s really i=
mportant to support is the User Info Endpoint, so you can actually get user=
 profile information beyond just the simple &quot;someone was here&quot; cl=
aim -- this was the real value of
 Facebook Connect from an RP&#39;s perspective. Some people will probably w=
ant to use SCIM for this, too, and that&#39;s fine.<u></u><u></u></div>
</div>
</div>
<div>
<div>
<div>
<div style=3D"background:white">=A0<u></u><u></u></div>
</div>
</div>
</div>
<div>
<div>
<div style=3D"background:white">=A0-- Justin<u></u><u></u></div>
</div>
</div>
<div>
<div>
<div>
<div style=3D"background:white">=A0<u></u><u></u></div>
</div>
</div>
<div>
<div>
<div>
<div style=3D"background:white">On Jul 30, 2013, at 10:54 AM, Phil Hunt &lt=
;<a rel=3D"nofollow" href=3D"mailto:phil.hunt@oracle.com" target=3D"_blank"=
><span style=3D"color:purple">phil.hunt@oracle.com</span></a>&gt;<u></u><u>=
</u></div>



</div>
</div>
<div>
<div>
<div style=3D"background:white">=A0wrote:<u></u><u></u></div>
</div>
</div>
<div>
<div style=3D"margin-bottom:12.0pt;background:white"><br>
<br>
<u></u><u></u></div>
</div>
<blockquote style=3D"margin-top:5.0pt;margin-bottom:5.0pt">
<div>
<div>
<div style=3D"background:white">The oidc specs do not allow this simple an =
implementation. The spec members have not shown interest in making changes =
as they say they are too far down the road.<u></u><u></u></div>


</div>
</div>
<div>
<div>
<div>
<div style=3D"background:white">=A0<u></u><u></u></div>
</div>
</div>
</div>
<div>
<div>
<div style=3D"background:white">I have tried to make my draft as close as p=
ossible to oidc but maybe it shouldn&#39;t be clarity wise. I am interested=
 in what the group feels is clearest.=A0<u></u><u></u></div>


</div>
</div>
<div>
<div>
<div>
<div style=3D"background:white">=A0<u></u><u></u></div>
</div>
</div>
</div>
<div>
<div>
<div style=3D"background:white">From an ietf perspective the concern is imp=
roper use of the 6749 for authn. Is this a bug or gap we need to address?<b=
r>
<br>
Phil<u></u><u></u></div>
</div>
</div>
<div>
<div style=3D"margin-bottom:12.0pt;background:white">
<br>
On 2013-07-30, at 16:46, &quot;Richer, Justin P.&quot; &lt;<a rel=3D"nofoll=
ow" href=3D"mailto:jricher@mitre.org" target=3D"_blank"><span style=3D"colo=
r:purple">jricher@mitre.org</span></a>&gt; wrote:<u></u><u></u></div>
</div>
<blockquote style=3D"margin-top:5.0pt;margin-bottom:5.0pt">
<div>
<div style=3D"background:white">From what I read, you&#39;ve defined someth=
ing that uses an OAuth 2 code flow to get an extra token which is specified=
 as a JWT. You named it &quot;session_token&quot; instead of &quot;id_token=
&quot;, and you&#39;ve left off the User Information
 Endpoint -- but other than that, this is exactly the Basic Client for Open=
ID Connect. In other words, if you change the names on things you&#39;ve go=
t OIDC, but without the capabilities to go beyond a very basic &quot;hey th=
ere&#39;s a user here&quot; claim. This is the same
 place that OpenID 2.0 started, and it was very, very quickly extended with=
 SREG, AX, PAPE, and others for it to be useful in the real world of distri=
buted logins. You&#39;ve also left out discovery and registration which are=
 required for distributed deployments,
 but I&#39;m guessing that those would be modular components that could be =
added in (like they are in OIDC).=A0<u></u><u></u></div>
</div>
<div>
<div>
<div>
<div style=3D"background:white">=A0<u></u><u></u></div>
</div>
</div>
</div>
<div>
<div>
<div style=3D"background:white">I&#39;ve heard complaints that OIDC is comp=
licated, but it&#39;s really not. Yes, I agree that the giant stack of docu=
ments is intimidating and in my opinion it&#39;s a bit of a mess with Messa=
ges and Standard split up (but
 I lost that argument years ago). However, at the core, you&#39;ve got an O=
Auth2 authorization server that spits out access tokens and id tokens. The =
id token is a JWT with some known claims (iss, sub, etc) and is issued =
alongside the access token, and its audience
 is the *client* and not the *protected resource*. The access token is a re=
gular old access token and its format is undefined (so you can use it with =
an existing OAuth2 server setup, like we have), and it can be used at the U=
ser Info Endpoint to get profile
 information about the user who authenticated. It could also be used for ot=
her services if your AS/IdP protects multiple things.<u></u><u></u></div>
</div>
</div>
<div>
<div>
<div>
<div style=3D"background:white">=A0<u></u><u></u></div>
</div>
</div>
</div>
<div>
<div>
<div style=3D"background:white">So I guess what I&#39;m missing is what&#39=
;s the value proposition in this spec when we have something that can do th=
is already? And this doesn&#39;t seem to do anything different (apart from =
syntax changes)?<u></u><u></u></div>



</div>
</div>
<div>
<div>
<div>
<div style=3D"background:white">=A0<u></u><u></u></div>
</div>
</div>
</div>
<div>
<div>
<div style=3D"background:white">=A0-- Justin<u></u><u></u></div>
</div>
</div>
<div>
<div>
<div>
<div style=3D"background:white">=A0<u></u><u></u></div>
</div>
</div>
<div>
<div>
<div>
<div style=3D"background:white">On Jul 29, 2013, at 4:14 AM, Phil Hunt &lt;=
<a rel=3D"nofollow" href=3D"mailto:phil.hunt@oracle.com" target=3D"_blank">=
<span style=3D"color:purple">phil.hunt@oracle.com</span></a>&gt; wrote:<u><=
/u><u></u></div>



</div>
</div>
<div>
<div style=3D"margin-bottom:12.0pt;background:white"><br>
<br>
<u></u><u></u></div>
</div>
<blockquote style=3D"margin-top:5.0pt;margin-bottom:5.0pt">
<div>
<div>
<div style=3D"background:white">FYI. =A0I have been noticing a substantial =
number of sites acting as OAuth Clients using OAuth to authenticate users.<=
u></u><u></u></div>
</div>
<div>
<div>
<div>
<div style=3D"background:white">=A0<u></u><u></u></div>
</div>
</div>
</div>
<div>
<div>
<div style=3D"background:white">I know several of us have blogged on the is=
sue over the past year so I won&#39;t re-hash it here. =A0In short, many of=
 us recommended OIDC as the correct methodology.<u></u><u></u></div>


</div>
</div>
<div>
<div>
<div>
<div style=3D"background:white">=A0<u></u><u></u></div>
</div>
</div>
</div>
<div>
<div>
<div style=3D"background:white">Nevertheless, I&#39;ve spoken with a =
number of service providers who indicate they are not ready to make the =
jump to OIDC, yet they agree there is a desire to support authentication =
only (whereas OIDC does IDP-like
 services).<u></u><u></u></div>
</div>
</div>
<div>
<div>
<div>
<div style=3D"background:white">=A0<u></u><u></u></div>
</div>
</div>
</div>
<div>
<div>
<div style=3D"background:white">This draft is intended as a minimum authent=
ication only specification. =A0I&#39;ve tried to make it as compatible as p=
ossible with OIDC.<u></u><u></u></div>
</div>
</div>
<div>
<div>
<div>
<div style=3D"background:white">=A0<u></u><u></u></div>
</div>
</div>
</div>
<div>
<div>
<div style=3D"background:white">For now, I&#39;ve just posted to keep track=
 of the issue so we can address at the next re-chartering.<u></u><u></u></d=
iv>
</div>
</div>
<div>
<div>
<div>
<div style=3D"background:white">=A0<u></u><u></u></div>
</div>
</div>
</div>
<div>
<div>
<div style=3D"background:white">Happy to answer questions and discuss.=A0<u=
></u><u></u></div>
</div>
</div>
<div>
<div>
<div>
<div style=3D"background:white">=A0<u></u><u></u></div>
</div>
</div>
</div>
<div>
<div>
<div>
<div>
<div>
<div>
<div>
<div style=3D"background:white"><span style=3D"font-size:9.0pt">Phil</span>=
<u></u><u></u></div>
</div>
</div>
<div>
<div>
<div>
<div style=3D"background:white"><span style=3D"font-size:9.0pt">=A0</span><=
u></u><u></u></div>
</div>
</div>
</div>
<div>
<div>
<div style=3D"background:white"><span style=3D"font-size:9.0pt">@independen=
tid</span><u></u><u></u></div>
</div>
</div>
<div>
<div>
<div style=3D"background:white"><span style=3D"font-size:9.0pt"><a rel=3D"n=
ofollow" href=3D"http://www.independentid.com/" target=3D"_blank"><span sty=
le=3D"color:purple">www.independentid.com</span></a></span><u></u><u></u></=
div>


</div>
</div>
</div>
<div style=3D"margin-bottom:13.5pt;background:white">
<span style=3D"font-size:13.5pt"><a rel=3D"nofollow" href=3D"mailto:phil.hu=
nt@oracle.com" target=3D"_blank"><span style=3D"color:purple">phil.hunt@ora=
cle.com</span></a></span><u></u><u></u></div>


</div>
<div>
<div>
<div style=3D"background:white"><span style=3D"font-size:13.5pt">=A0</span>=
<u></u><u></u></div>
</div>
</div>
</div>
<div>
<div style=3D"margin-bottom:12.0pt;background:white"><br>
<br>
<u></u><u></u></div>
</div>
</div>
<div>
<div>
<div>
<div style=3D"background:white">=A0<u></u><u></u></div>
</div>
</div>
<div>
<div>
<div style=3D"background:white">Begin forwarded message:<u></u><u></u></div=
>
</div>
</div>
<div>
<div style=3D"margin-bottom:12.0pt;background:white"><br>
<br>
<u></u><u></u></div>
</div>
<blockquote style=3D"margin-top:5.0pt;margin-bottom:5.0pt">
<div>
<div>
<div style=3D"background:white"><b><span style=3D"font-size:13.5pt">From:</=
span></b><span style=3D"font-size:13.5pt"><a rel=3D"nofollow" href=3D"mailt=
o:internet-drafts@ietf.org" target=3D"_blank"><span style=3D"color:purple">=
internet-drafts@ietf.org</span></a></span><u></u><u></u></div>



</div>
</div>
<div>
<div>
<div style=3D"background:white"><b><span style=3D"font-size:13.5pt">Subject=
: New Version Notification for draft-hunt-oauth-v2-user-a4c-00.txt</span></=
b><u></u><u></u></div>


</div>
</div>
<div>
<div>
<div style=3D"background:white"><b><span style=3D"font-size:13.5pt">Date:</=
span></b><span style=3D"font-size:13.5pt">29 July, 2013 9:49:41 AM GMT+02:0=
0</span><u></u><u></u></div>


</div>
</div>
<div>
<div>
<div style=3D"background:white"><b><span style=3D"font-size:13.5pt">To:</sp=
an></b><span style=3D"font-size:13.5pt">Phil Hunt &lt;<a rel=3D"nofollow" h=
ref=3D"mailto:phil.hunt@yahoo.com" target=3D"_blank"><span style=3D"color:p=
urple">phil.hunt@yahoo.com</span></a>&gt;,
 Phil Hunt &lt;<a rel=3D"nofollow" href=3D"mailto:None@ietfa.amsl.com" targ=
et=3D"_blank"><span style=3D"color:purple">None@ietfa.amsl.com</span></a>&g=
t;, Phil Hunt &lt;&gt;</span><u></u><u></u></div>
</div>
</div>
<div>
<div>
<div style=3D"background:white">=A0<u></u><u></u></div>
</div>
</div>
<div>
<div style=3D"margin-bottom:12.0pt;background:white">
<br>
A new version of I-D, draft-hunt-oauth-v2-user-a4c-00.txt<br>
has been successfully submitted by Phil Hunt and posted to the<br>
IETF repository.<br>
<br>
Filename: draft-hunt-oauth-v2-user-a4c<br>
Revision: 00<br>
Title: OAuth 2.0 User Authentication For Client<br>
Creation date: 2013-07-29<br>
Group: Individual Submission<br>
Number of pages: 9<br>
URL: =A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0<a rel=3D"nofollow" href=3D"http:/=
/www.ietf.org/internet-drafts/draft-hunt-oauth-v2-user-a4c-00.txt" target=
=3D"_blank"><span style=3D"color:purple">http://www.ietf.org/internet-draft=
s/draft-hunt-oauth-v2-user-a4c-00.txt</span></a><br>



Status: =A0=A0=A0=A0=A0=A0=A0=A0=A0<a rel=3D"nofollow" href=3D"http://datat=
racker.ietf.org/doc/draft-hunt-oauth-v2-user-a4c" target=3D"_blank"><span s=
tyle=3D"color:purple">http://datatracker.ietf.org/doc/draft-hunt-oauth-v2-u=
ser-a4c</span></a><br>

Htmlized: =A0=A0=A0=A0=A0=A0=A0<a rel=3D"nofollow" href=3D"http://tools.iet=
f.org/html/draft-hunt-oauth-v2-user-a4c-00" target=3D"_blank"><span style=
=3D"color:purple">http://tools.ietf.org/html/draft-hunt-oauth-v2-user-a4c-0=
0</span></a><br>
<br>
<br>
Abstract:<br>
=A0=A0This specification defines a new OAuth2 endpoint that enables user<br=
>
=A0=A0authentication session information to be shared with client<br>
=A0=A0applications.<br>
<br>
<br>
<br>
<br>
Please note that it may take a couple of minutes from the time of submissio=
n<br>
until the htmlized version and diff are available at <a rel=3D"nofollow" =
href=3D"http://tools.ietf.org/" target=3D"_blank"><span style=3D"color:=
purple">tools.ietf.org</span></a>.<br>
<br>
The IETF Secretariat<u></u><u></u></div>
</div>
</blockquote>
</div>
<div>
<div>
<div style=3D"background:white">=A0<u></u><u></u></div>
</div>
</div>
</div>
</div>
<div>
<div style=3D"background:white">___________________________________________=
____<br>
OAuth mailing list<br>
<a rel=3D"nofollow" href=3D"mailto:OAuth@ietf.org" target=3D"_blank"><span =
style=3D"color:purple">OAuth@ietf.org</span></a><br>
<a rel=3D"nofollow" href=3D"https://www.ietf.org/mailman/listinfo/oauth" ta=
rget=3D"_blank"><span style=3D"color:purple">https://www.ietf.org/mailman/l=
istinfo/oauth</span></a><u></u><u></u></div>
</div>
</blockquote>
</div>
<div>
<div>
<div style=3D"background:white">=A0<u></u><u></u></div>
</div>
</div>
</div>
</blockquote>
</blockquote>
</div>
<div>
<div>
<div style=3D"background:white">=A0<u></u><u></u></div>
</div>
</div>
</div>
</blockquote>
</blockquote>
</div>
</blockquote>
</div>
<div>
<div>
<div style=3D"background:white">=A0<u></u><u></u></div>
</div>
</div>
</div>
</div>
</div>
</blockquote>
</div>
<div>
<div style=3D"background:white"><br>
<br clear=3D"all">
<u></u><u></u></div>
</div>
<div>
<div>
<div>
<div style=3D"background:white">=A0<u></u><u></u></div>
</div>
</div>
</div>
<div>
<div style=3D"background:white">--<span>=A0</span><br>
Nat Sakimura (=3Dnat)<u></u><u></u></div>
</div>
<div>
<div>
<div style=3D"background:white">Chairman, OpenID Foundation<br>
<a rel=3D"nofollow" href=3D"http://nat.sakimura.org/" target=3D"_blank"><sp=
an style=3D"color:purple">http://nat.sakimura.org/</span></a><br>
@_nat_en<u></u><u></u></div>
</div>
</div>
</div>
<div>
<div style=3D"margin-bottom:12.0pt;background:white"><br>
<br>
<u></u><u></u></div>
</div>


</blockquote>
<div>
<div>
<div style=3D"background:white">=A0<u></u><u></u></div>
</div>
</div>
</div>
</blockquote>
</div>
<div>
<div style=3D"background:white"><br>
<br clear=3D"all">
<u></u><u></u></div>
</div>
<div>
<div>
<div>
<div style=3D"background:white">=A0<u></u><u></u></div>
</div>
</div>
</div>
<div>
<div style=3D"background:white">--<span>=A0</span><br>
Nat Sakimura (=3Dnat)<u></u><u></u></div>
</div>
<div>
<div>
<div style=3D"background:white">Chairman, OpenID Foundation<br>
<a rel=3D"nofollow" href=3D"http://nat.sakimura.org/" target=3D"_blank"><sp=
an style=3D"color:purple">http://nat.sakimura.org/</span></a><br>
@_nat_en<u></u><u></u></div>
</div>
</div>
</div>
</blockquote>
<div>
<div>
<div style=3D"background:white">=A0<u></u><u></u></div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</blockquote>
</div>
<div>
<div>=A0<u></u><u></u></div>
</div>
</div>
</blockquote>
</div>
</blockquote>
</div>
<div><u></u>=A0<u></u></div>
</div>
</div>
</div></div></div>
</div>

</blockquote></div><br><br clear=3D"all"><div><br></div>-- <br>Nat Sakimura=
 (=3Dnat)<div>Chairman, OpenID Foundation<br><a rel=3D"nofollow" href=3D"ht=
tp://nat.sakimura.org/" target=3D"_blank">http://nat.sakimura.org/</a><br>@=
_nat_en</div>

</div>
</div></blockquote><blockquote type=3D"cite"><div><span>___________________=
____________________________</span><br><span>OAuth mailing list</span><br><=
span><a rel=3D"nofollow" href=3D"mailto:OAuth@ietf.org" target=3D"_blank">O=
Auth@ietf.org</a></span><br>

<span><a rel=3D"nofollow" href=3D"https://www.ietf.org/mailman/listinfo/oau=
th" target=3D"_blank">https://www.ietf.org/mailman/listinfo/oauth</a></span=
><br></div></blockquote></div></div></div></blockquote></div><br><br clear=
=3D"all">
<div><br></div>
-- <br>Nat Sakimura (=3Dnat)<div>Chairman, OpenID Foundation<br><a rel=3D"n=
ofollow" href=3D"http://nat.sakimura.org/" target=3D"_blank">http://nat.sak=
imura.org/</a><br>@_nat_en</div>
</div></div></div><br>_______________________________________________<br>OA=
uth mailing list<br><a href=3D"mailto:OAuth@ietf.org" target=3D"_blank">OAu=
th@ietf.org</a><br><a href=3D"https://www.ietf.org/mailman/listinfo/oauth" =
target=3D"_blank">https://www.ietf.org/mailman/listinfo/oauth</a><br>
<br><br></div> </div></div></div> </div>  </div></div></blockquote></div><b=
r><br clear=3D"all"><div><br></div>-- <br>Nat Sakimura (=3Dnat)<div>Chairma=
n, OpenID Foundation<br><a href=3D"http://nat.sakimura.org/" target=3D"_bla=
nk">http://nat.sakimura.org/</a><br>
@_nat_en</div>
</div>

--001a11c3e8802c416404e2efbbff--
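
The ID token checks discussed in the quoted messages above (a signed JWT whose audience is the client, the nonce passed through from the request, max auth age against auth time), shown from the client's side as an added example that is not part of the thread or of any OpenID Connect implementation. Assumptions: HS256 from the Python standard library stands in for the RS256 signature the thread names so the block runs offline, and the key, issuer URL, client ids, nonce, clock value and function names are constructed for the demo.

```python
import base64, hashlib, hmac, json, time

class IDTokenError(Exception):
    """Raised when the client must reject the ID token."""

def b64u(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64u_dec(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _mac(signing_input, key):
    return hmac.new(key, signing_input.encode(), hashlib.sha256).digest()

def issue_id_token(claims, key):
    """IdP side, for the demo: compact JWS (HS256 standing in for RS256)."""
    signing_input = (b64u(b'{"alg":"HS256","typ":"JWT"}') + "."
                     + b64u(json.dumps(claims).encode()))
    return signing_input + "." + b64u(_mac(signing_input, key))

def validate_id_token(token, key, issuer, client_id, nonce,
                      max_age=None, now=None, skew=60):
    """Client side: return the claims or raise IDTokenError."""
    now = time.time() if now is None else now
    try:
        h64, p64, s64 = token.split(".")
        header, claims = json.loads(b64u_dec(h64)), json.loads(b64u_dec(p64))
        sig = b64u_dec(s64)
    except ValueError:  # wrong segment count, bad base64 or bad JSON
        header = claims = None
    if not isinstance(header, dict) or not isinstance(claims, dict):
        raise IDTokenError("malformed token")
    if header.get("alg") != "HS256":  # the token does not get to pick the algorithm
        raise IDTokenError("unexpected alg")
    if not hmac.compare_digest(sig, _mac(f"{h64}.{p64}", key)):
        raise IDTokenError("bad signature")
    if claims.get("iss") != issuer:
        raise IDTokenError("wrong issuer")
    aud = claims.get("aud")
    if client_id not in (aud if isinstance(aud, list) else [aud]):
        raise IDTokenError("audience is not this client")
    exp, auth_time = claims.get("exp"), claims.get("auth_time")
    if not isinstance(exp, (int, float)) or now >= exp + skew:
        raise IDTokenError("expired")
    # The client sent a nonce, so the token must carry the same value back.
    if not hmac.compare_digest(str(claims.get("nonce", "")).encode(), nonce.encode()):
        raise IDTokenError("nonce mismatch")
    # max_age was requested, so auth_time must be present and recent enough.
    if max_age is not None and not (isinstance(auth_time, (int, float))
                                    and now - auth_time <= max_age + skew):
        raise IDTokenError("authentication too old")
    return claims

def demo():
    """Run constructed tokens through the client-side checks."""
    key, now, nonce = b"constructed-demo-secret-not-real", 1375341057, "n-0S6_WzA2Mj"
    base = {"iss": "https://idp.example", "sub": "user-123", "aud": "client-a",
            "iat": now, "exp": now + 300, "auth_time": now - 30, "nonce": nonce}
    changes = {"valid": {},
               "issued_to_other_client": {"aud": "client-b"},
               "wrong_nonce": {"nonce": "from-another-request"},
               "stale_login": {"auth_time": now - 7200},
               "expired": {"exp": now - 600}}
    cases = {name: issue_id_token({**base, **c}, key) for name, c in changes.items()}
    cases["signed_with_other_key"] = issue_id_token(base, b"not-the-idp-key")
    h64, p64, s64 = cases["valid"].split(".")
    altered = b64u(json.dumps({**base, "sub": "someone-else"}).encode())
    cases["altered_payload"] = ".".join([h64, altered, s64])
    cases["alg_none"] = b64u(b'{"alg":"none"}') + "." + p64 + "."
    cases["opaque_access_token"] = "2YotnFZFEjr1zCsicMWpAA"  # not a JWT at all
    results = {}
    for name, token in cases.items():
        try:
            validate_id_token(token, key, "https://idp.example", "client-a",
                              nonce, max_age=3600, now=now)
            results[name] = "accepted"
        except IDTokenError as err:
            results[name] = str(err)
    return results

if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:24} {outcome}")
```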

From phil.hunt@oracle.com  Thu Aug  1 22:01:47 2013
References: <787A2184-CE90-49F4-ABB6-B8D049AE3941@oracle.com> <E2282016-1953-48A4-B0AC-7F138D29AB80@oracle.com> <BAB6DA63-5831-49D0-8CB9-13CF57F78806@ve7jtb.com> <CABzCy2C=DXtFUOZh=55xH_BwMz1Z8gb2ShUHAG7ZmATtc4E4zw@mail.gmail.com> <51F983E3.1020400@oracle.com> <1375307375.98370.YahooMailNeo@web142804.mail.bf1.yahoo.com> <5c5c607231e644f697c5a60b75688013@BY2PR03MB189.namprd03.prod.outlook.com> <5D020B1E-531D-444E-A492-046D444D48D2@mitre.org> <e68801da9fa547c69fee43b9cd7b22b8@BY2PR03MB189.namprd03.prod.outlook.com> <2117136733141454493@unknownmsgid> <8E6F38BA-E6BF-40E5-818A-45F506BB181D@mitre.org> <f4b99e49fbdd4e22b19391cdb720b15d@BY2PR03MB189.namprd03.prod.outlook.com> <CABzCy2Aou0eMqHKjxOh01mtfzQ8-mvU5BHF84kHHsnPsO3di=Q@mail.gmail.com> <6F19AC80-0BB9-4387-AA77-77D02CE1E772@oracle.com> <CABzCy2BA-fXy86NU+vZd96jV9yVo9GEBAmm_AoMeZoR-ECgyyQ@mail.gmail.com>
Mime-Version: 1.0 (1.0)
In-Reply-To: <CABzCy2BA-fXy86NU+vZd96jV9yVo9GEBAmm_AoMeZoR-ECgyyQ@mail.gmail.com>
Content-Type: multipart/alternative; boundary=Apple-Mail-E0E5A9BF-8595-4027-88EA-552067160FD8
Content-Transfer-Encoding: 7bit
Message-Id: <CADD3F28-7865-4F38-86DA-EA20688C64A0@oracle.com>
X-Mailer: iPhone Mail (10B329)
From: Phil Hunt <phil.hunt@oracle.com>
Date: Fri, 2 Aug 2013 07:01:32 +0200
To: Nat Sakimura <sakimura@gmail.com>
X-Source-IP: ucsinet22.oracle.com [156.151.31.94]
Cc: "oauth@ietf.org WG" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Need for Extending OAuth with AuthN (was Re: Fwd: New Version Notification for draft-hunt-oauth-v2-user-a4c-00.txt)

--Apple-Mail-E0E5A9BF-8595-4027-88EA-552067160FD8
Content-Type: text/plain;
	charset=utf-8
Content-Transfer-Encoding: quoted-printable

Yes. Forking is bad. This is not a fork.

It isn't like OIDF membership hasn't been aware of the issue and hasn't had time to respond (over a year now). The clear message was Connect is too far along to consider changes.

I brought the issue to the IETF because there is inappropriate use of oauth in the wild. The draft submitted discusses the issue and describes a possible simple fix.

The WG has a wide range of choices to make. One of which is to refer to OpenId Foundation. Another might be an errata to the security considerations. The first decision is to put it on the next charter.

I think you are 'jumping the gun' here.

Phil

On 2013-08-02, at 6:34, Nat Sakimura <sakimura@gmail.com> wrote:

> Not necessarily. Why would it be inappropriate?
>
> I call it NIH syndrome.
> Respecting the work which is done outside is a good thing.
> Just taking the content and taking a credit for it is a bad practice.
>
> Forking is also bad.
>
> 2013/8/2 Phil Hunt <phil.hunt@oracle.com>
>> OpenId specs can depend on oAuth. Having OAuth depend on OpenId is not appropriate here.
>>
>> Phil
>>
>> On 2013-08-01, at 18:07, Nat Sakimura <sakimura@gmail.com> wrote:
>>
>>> Like Bill says, it can just be a profile of OpenID Connect.
>>> IETF specs already reference OpenID Foundation specs.
>>> It should not be a problem.
>>> I do not think we want to fork.
>>>
>>> 2013/8/1 Anthony Nadalin <tonynad@microsoft.com>
>>>> I believe it beneficial to have a common format and common values, and 1 way to handle the format and values. I believe that having this in oauth is beneficial, I believe that it would also be beneficial for OpenID if this were in oauth. There are cases for signed and unsigned formats.
>>>>
>>>> From: Richer, Justin P. [mailto:jricher@mitre.org]
>>>> Sent: Thursday, August 1, 2013 7:15 AM
>>>> To: Nat Sakimura
>>>> Cc: Anthony Nadalin; Bill Mills; Prateek Mishra; oauth@ietf.org WG
>>>> Subject: Re: [OAUTH-WG] Need for Extending OAuth with AuthN (was Re: Fwd: New Version Notification for draft-hunt-oauth-v2-user-a4c-00.txt)
>>>>
>>>> Also, it's (optionally) a token in the proposed document we're discussing (§2.4.1), which means there are two ways to parse the same information. OIDC uses JWTs for everything, signed and unsigned. This means that OIDC is actually simpler from an implementation perspective, wouldn't you say? Instead of having two parsers, you have one to cover both cases.
>>>>
>>>> (And given your tendency to throw signed assertions at every problem, I would have thought that you'd prefer this anyway.)
>>>>
>>>>  -- Justin
>>>>
>>>> On Aug 1, 2013, at 9:40 AM, Nat Sakimura <sakimura@gmail.com> wrote:
>>>>
>>>> Yes, it is a Token.
>>>>
>>>> No, it does not have to be signed.
>>>>
>>>> As to be a token or not to be a token question, it has been discussed in the WG before, and if I remember correctly, Microsoft argued for token saying that it is just base64 decoding and I lost there.
>>>>
>>>> Nat
>>>>
>>>> On Aug 1, 2013, at 14:24, Anthony Nadalin <tonynad@microsoft.com> wrote:
>>>>
>>>> You can’t do this, first openid uses a token and second it’s signed, third there is no specification to just return an authentication JSON structure
>>>>
>>>> From: Richer, Justin P. [mailto:jricher@mitre.org]
>>>> Sent: Thursday, August 1, 2013 5:15 AM
>>>> To: Anthony Nadalin
>>>> Cc: Bill Mills; Prateek Mishra; Nat Sakimura; oauth@ietf.org WG
>>>> Subject: Re: [OAUTH-WG] Need for Extending OAuth with AuthN (was Re: Fwd: New Version Notification for draft-hunt-oauth-v2-user-a4c-00.txt)
>>>>
>>>> Tony, you can already return the authn result from the token request (we discussed this specifically in May as I recall). That's what the "idtoken" and "code idtoken" responses are for in OpenID Connect. The proposed draft is nearly a duplicate of the core functionality of OIDC.
>>>>
>>>>  -- Justin
>>>>
>>>> On Aug 1, 2013, at 7:31 AM, Anthony Nadalin <tonynad@microsoft.com> wrote:
>>>>
>>>> The proposal does not duplicate what OpenID does, there is clear benefit for returning an authentication result in the token request result. This is being proposed as optional JSON structure.
>>>>
>>>> From: oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] On Behalf Of Bill Mills
>>>> Sent: Wednesday, July 31, 2013 2:50 PM
>>>> To: Prateek Mishra; Nat Sakimura
>>>> Cc: oauth@ietf.org WG
>>>> Subject: Re: [OAUTH-WG] Need for Extending OAuth with AuthN (was Re: Fwd: New Version Notification for draft-hunt-oauth-v2-user-a4c-00.txt)
>>>>
>>>> Rather than extending OAuth for something OpenID already does... why don't we get a simple informational example doc to show how to implement the most basic OpenID service, which is the same functionality on a standard that's already written?
>>>>
>>>> This is sounding more and more like a documentation problem.
>>>>
>>>> From: Prateek Mishra <prateek.mishra@oracle.com>
>>>> To: Nat Sakimura <sakimura@gmail.com>
>>>> Cc: "oauth@ietf.org WG" <oauth@ietf.org>
>>>> Sent: Wednesday, July 31, 2013 2:38 PM
>>>> Subject: [OAUTH-WG] Need for Extending OAuth with AuthN (was Re: Fwd: New Version Notification for draft-hunt-oauth-v2-user-a4c-00.txt)
>>>>
>>>> Nat -
>>>>
>>>> thanks for the detailed response. I did review the links you sent out but it remained unclear to me which features are MTI and which are not. For example, there is nothing in the Basic Client Profile that suggests that Section 2.3 is optional. I also could not find any definition for "non-dynamic OpenID Connect Server".
>>>>
>>>> I don't think there is a need to duplicate portions of the draft specification text in a new document. One solution that was used in SAML 2.0 was to define a conformance document which described several different operational modes and explained how only a small set of features needed to be implemented in certain modes.
>>>>
>>>> http://docs.oasis-open.org/security/saml/v2.0/saml-conformance-2.0-os.pdf
>>>>
>>>> There are probably other smarter ways to achieve the same effect.
>>>>
>>>> Given this situation, I do think it's a reasonable task for the OAuth community to consider the need for a minimal extension to OAuth that accommodates authentication. The community should be made aware that RFC 6749 is being misused for federated authentication, as explained in -
>>>>
>>>> http://www.independentid.com/2013/07/simple-authentication-for-oauth-2-what.html
>>>>
>>>> and that there doesn't appear to be a simple solution that is currently available. It would be great if it turned out that OpenID Connect offered such a solution but that isn't clear to me.
>>>>
>>>> Thx,
>>>> prateek
>>>>
>>>> Inline:
>>>>
>>>> 2013/7/31 Prateek Mishra <prateek.mishra@oracle.com>
>>>>
>>>> Nat -
>>>>
>>>> your blog posting is helpful to those of us who are looking for a minimal extension of OAuth with an authenticator. Many implementors are seeking a modest extension of OAuth, not an entire new protocol stack. I believe that is the point of Phil Hunt's proposal to the OAuth committee.
>>>>
>>>> I do have some questions for about the statements made in the blog -
>>>>
>>>> A) Can you direct me to a single OpenID Connect draft specification document where steps 1 and 2 are described?
>>>>
>>>> Actually, it is not a single spec, that the Standard is referencing others.
>>>>
>>>> The Standard is kind of cluttered because it has 6 response types and three request types in it.
>>>>
>>>> I suppose it would be much easier for the readers to split them into coherent pieces, though that means duplicate texts.
>>>>
>>>> The easiest approach here is to read the Basic Client Profile. http://openid.net/specs/openid-connect-basic-1_0-28.html
>>>>
>>>> Then, read OAuth 2.0 Multiple Response Type Encoding Practices http://openid.net/specs/oauth-v2-multiple-response-types-1_0-08.html .
>>>>
>>>> B) If I implement steps 1 and 2, do I then have a conformant OpenID Connect implementation? Are there no other MTI protocol exchanges in OpenID Connect?
>>>>
>>>> Yes, for a non-dynamic OpenID Connect Server.
>>>>
>>>> Nat
>>>>
>>>> Thanks,
>>>> prateek
>>>>
>>>> I have written a short blog post titled "Write an OpenID Connect server in three simple steps".
>>>>
>>>> Really, there is not much you need to on top of OAuth 2.0.
>>>>
>>>> It puzzles me why you need to create a draft with only minor variances in parameter names.
>>>>
>>>> e.g.,
>>>>
>>>> session instead of id_token
>>>> lat instead of iat
>>>> alv instead of acr
>>>> etc.
>>>>
>>>> If you change those parameter names, you will have a conformant profile of OpenID Connect.
>>>>
>>>> Nat
>>>>
>>>> 2013/7/31 John Bradley <ve7jtb@ve7jtb.com>
>>>>
>>>> Connect doesn't require a userinfo endpoint. It is required for interoperability if you are building an open IdP. For an enterprise type deployment discovery, registration, userinfo are all optional.
>>>>
>>>> The server is required to pass the nonce which is equivalent to a request ID through to the JWT if the client sends it in the request.
>>>>
>>>> Justin is correct.
>>>>
>>>> John B.
>>>>
>>>> On 2013-07-30, at 5:30 PM, Phil Hunt <phil.hunt@oracle.com> wrote:
>>>>
>>>> Forgot reply all.
>>>>
>>>> Phil
>>>>
>>>> Begin forwarded message:
>>>>
>>>> From: Phil Hunt <phil.hunt@oracle.com>
>>>> Date: 30 July, 2013 17:25:46 GMT+02:00
>>>> To: "Richer, Justin P." <jricher@mitre.org>
>>>> Subject: Re: [OAUTH-WG] New Version Notification for draft-hunt-oauth-v2-user-a4c-00.txt
>>>>
>>>> The whole point is authn only. Many do not want or need the userinfo endpoint.
>>>>
>>>> Phil
>>>>
>>>> On 2013-07-30, at 17:17, "Richer, Justin P." <jricher@mitre.org> wrote:
>>>>
>>>> What do you mean? You absolutely can implement a compliant OIDC server nearly as simply as this. The things that you're missing I think are necessary for basic interoperable functionality, and are things that other folks using OAuth for authentication have also implemented. Namely:
>>>>
>>>>  - Signing the ID token (OIDC specifies the RS256 flavor of JWS, which is easy to do with JWT). Without a signed and verifiable ID token or equivalent, you're asking for all kinds of token injection problems.
>>>>  - Session management requests (max auth age, auth time)
>>>>  - Not fall over with other parameters that you don't support (display, prompt, etc).
>>>>
>>>> See here for more information:
>>>>
>>>>  http://openid.net/specs/openid-connect-messages-1_0.html#ServerMTI
>>>>
>>>> Additionally, something that's really important to support is the User Info Endpoint, so you can actually get user profile information beyond just the simple "someone was here" claim -- this was the real value of Facebook Connect from an RP's perspective. Some people will probably want to use SCIM for this, too, and that's fine.
>>>>
>>>>  -- Justin
>>>>
>>>> On Jul 30, 2013, at 10:54 AM, Phil Hunt <phil.hunt@oracle.com> wrote:
>>>>
>>>> The oidc specs do not allow this simple an implementation. The spec members have not shown interest in making changes as they say they are too far down the road.
>>>>
>>>> I have tried to make my draft as close as possible to oidc but maybe it shouldn't be clarity wise. I am interested in what the group feels is clearest.
>>>>
>>>> From an ietf perspective the concern is improper use of the 6749 for authn. Is this a bug or gap we need to address?
>>>>
>>>> Phil
>>>>
>>>> On 2013-07-30, at 16:46, "Richer, Justin P." <jricher@mitre.org> wrote:
>>>>
>>>> From what I read, you've defined something that uses an OAuth 2 code flow to get an extra token which is specified as a JWT. You named it "session_token" instead of "id_token", and you've left off the User Information Endpoint -- but other than that, this is exactly the Basic Client for OpenID Connect. In other words, if you change the names on things you've got OIDC, but without the capabilities to go beyond a very basic "hey there's a user here" claim. This is the same place that OpenID 2.0 started, and it was very, very quickly extended with SREG, AX, PAPE, and others for it to be useful in the real world of distributed logins. You've also left out discovery and registration which are required for distributed deployments, but I'm guessing that those would be modular components that could be added in (like they are in OIDC).
>>>>
>>>> I've heard complaints that OIDC is complicated, but it's really not. Yes, I agree that the giant stack of documents is intimidating and in my opinion it's a bit of a mess with Messages and Standard split up (but I lost that argument years ago). However, at the core, you've got an OAuth2 authorization server that spits out access tokens and id tokens. The id token is a JWT with some known claims (iss, sub, etc) and is issued along side the access token, and its audience is the *client* and not the *protected resource*. The access token is a regular old access token and its format is undefined (so you can use it with an existing OAuth2 server setup, like we have), and it can be used at the User Info Endpoint to get profile information about the user who authenticated. It could also be used for other services if your AS/IdP protects multiple things.
>>>>
>>>> So I guess what I'm missing is what's the value proposition in this spec when we have something that can do this already? And this doesn't seem to do anything different (apart from syntax changes)?
>>>>
>>>>  -- Justin
>>>>
>>>> On Jul 29, 2013, at 4:14 AM, Phil Hunt <phil.hunt@oracle.com> wrote:
>>>>
>>>> FYI. I have been noticing a substantial number of sites acting as OAuth Clients using OAuth to authenticate users.
>>>>
>>>> I know several of us have blogged on the issue over the past year so I won't re-hash it here. In short, many of us recommended OIDC as the correct methodology.
>>>>
>>>> Never-the-less, I've spoken with a number of service providers who indicate they are not ready to make the jump to OIDC, yet they agree there is a desire to support authentication only (where as OIDC does IDP-like services).
>>>>
>>>> This draft is intended as a minimum authentication only specification. I've tried to make it as compatible as possible with OIDC.
>>>>
>>>> For now, I've just posted to keep track of the issue so we can address at the next re-chartering.
>>>>
>>>> Happy to answer questions and discuss.
>>>>
>>>> Phil
>>>>
>>>> @independentid
>>>> www.independentid.com
>>>> phil.hunt@oracle.com
>>>>
>>>> Begin forwarded message:
>>>>
>>>> From: internet-drafts@ietf.org
>>>> Subject: New Version Notification for draft-hunt-oauth-v2-user-a4c-00.txt
>>>> Date: 29 July, 2013 9:49:41 AM GMT+02:00
>>>> To: Phil Hunt <phil.hunt@yahoo.com>, Phil Hunt <None@ietfa.amsl.com>, Phil Hunt <>
>>>>
>>>> A new version of I-D, draft-hunt-oauth-v2-user-a4c-00.txt
>>>> has been successfully submitted by Phil Hunt and posted to the
>>>> IETF repository.
>>>>
>>>> Filename: draft-hunt-oauth-v2-user-a4c
>>>> Revision: 00
>>>> Title: OAuth 2.0 User Authentication For Client
>>>> Creation date: 2013-07-29
>>>> Group: Individual Submission
>>>> Number of pages: 9
>>>> URL:             http://www.ietf.org/internet-drafts/draft-hunt-oauth-v2-user-a4c-00.txt
>>>> Status:          http://datatracker.ietf.org/doc/draft-hunt-oauth-v2-user-a4c
>>>> Htmlized:        http://tools.ietf.org/html/draft-hunt-oauth-v2-user-a4c-00
>>>>
>>>> Abstract:
>>>>   This specification defines a new OAuth2 endpoint that enables user
>>>>   authentication session information to be shared with client
>>>>   applications.
>>>>
>>>> Please note that it may take a couple of minutes from the time of submission
>>>> until the htmlized version and diff are available at tools.ietf.org.
>>>>
>>>> The IETF Secretariat
>>>>
>>>> _______________________________________________
>>>> OAuth mailing list
>>>> OAuth@ietf.org
>>>> https://www.ietf.org/mailman/listinfo/oauth
>>>> --
>>>> Nat Sakimura (=nat)
>>>> Chairman, OpenID Foundation
>>>> http://nat.sakimura.org/
>>>> @_nat_en
>>> --
>>> Nat Sakimura (=nat)
>>> Chairman, OpenID Foundation
>>> http://nat.sakimura.org/
>>> @_nat_en
>
> --
> Nat Sakimura (=nat)
> Chairman, OpenID Foundation
> http://nat.sakimura.org/
> @_nat_en
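
Added example, not part of any message in this thread: the client-side ID token checks that the quoted messages from Justin Richer and John Bradley describe (a signed and verifiable token, an audience that is the client, the nonce passed through from the request, max auth age). HS256 from the Python standard library stands in for the RS256 signature that OIDC specifies so the block runs offline; the issuer, client ids, key, nonce and all function names are constructed for the illustration.

```python
import base64
import hashlib
import hmac
import json

# Constructed values for this illustration; none of them come from the thread.
# Assumption: HS256 stands in for the RS256 signature OIDC specifies.
ISSUER = "https://idp.example"
CLIENT_ID = "client-a"
KEY = b"constructed-demo-signing-key"
NONCE = "n-0S6_WzA2Mj"
NOW = 1375341057  # fixed clock so the results are deterministic


class IDTokenError(Exception):
    """The ID token must not be used to log anyone in."""


def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_id_token(claims, key=KEY, alg="HS256"):
    """IdP side: build a compact JWT, signed unless alg is 'none'."""
    header = b64url_encode(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    signing_input = header + "." + payload
    if alg == "none":
        return signing_input + "."
    mac = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(mac)


def validate_id_token(token, key, issuer, client_id, nonce, now, max_age=None):
    """Client side: return the claims only if every check passes."""
    parts = token.split(".")
    if len(parts) != 3:
        raise IDTokenError("malformed token")
    try:
        header = json.loads(b64url_decode(parts[0]))
        claims = json.loads(b64url_decode(parts[1]))
        signature = b64url_decode(parts[2])
    except ValueError:
        raise IDTokenError("malformed token") from None
    if not isinstance(header, dict) or not isinstance(claims, dict):
        raise IDTokenError("malformed token")
    # Pin the algorithm: the token never gets to choose "none" or another alg.
    if header.get("alg") != "HS256":
        raise IDTokenError("unexpected alg")
    signing_input = (parts[0] + "." + parts[1]).encode("ascii")
    expected = hmac.new(key, signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(signature, expected):
        raise IDTokenError("bad signature")
    if claims.get("iss") != issuer:
        raise IDTokenError("wrong issuer")
    # The audience of an ID token is the client, not a protected resource.
    aud = claims.get("aud")
    if client_id not in (aud if isinstance(aud, list) else [aud]):
        raise IDTokenError("wrong audience")
    exp = claims.get("exp")
    if not isinstance(exp, int) or exp <= now:
        raise IDTokenError("expired")
    # The nonce ties the token to the request this client actually sent.
    if claims.get("nonce") != nonce:
        raise IDTokenError("nonce mismatch")
    if max_age is not None:
        auth_time = claims.get("auth_time")
        if not isinstance(auth_time, int) or now - auth_time > max_age:
            raise IDTokenError("authentication too old")
    return claims


def outcome(token, nonce=NONCE, max_age=None):
    try:
        validate_id_token(token, KEY, ISSUER, CLIENT_ID, nonce, NOW, max_age)
        return "accepted"
    except IDTokenError as err:
        return str(err)


def demo():
    base = {"iss": ISSUER, "sub": "user-123", "aud": CLIENT_ID,
            "exp": NOW + 300, "iat": NOW, "auth_time": NOW - 600, "nonce": NONCE}
    good = issue_id_token(base)
    head, _, sig = good.split(".")
    forged = b64url_encode(json.dumps(dict(base, sub="admin")).encode())
    return {
        "good": outcome(good),
        # Signed by the same IdP key (as with RS256) but issued to client-b.
        "other_client": outcome(issue_id_token(dict(base, aud="client-b"))),
        "unsigned": outcome(issue_id_token(base, alg="none")),
        "tampered": outcome(head + "." + forged + "." + sig),
        "replayed": outcome(good, nonce="nonce-of-a-different-request"),
        "stale_login": outcome(good, max_age=300),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:13} {result}")
```

The "other_client" case carries a valid signature and is rejected only by the audience check, which is why the signature alone does not stop a token issued to one client from being replayed at another.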

--Apple-Mail-E0E5A9BF-8595-4027-88EA-552067160FD8
Content-Type: text/html;
	charset=utf-8
Content-Transfer-Encoding: quoted-printable

<html><head><meta http-equiv=3D"content-type" content=3D"text/html; charset=3D=
utf-8"></head><body dir=3D"auto"><div>Yes. Forking is bad. This is not a for=
k.&nbsp;</div><div><br></div><div>It isn't like OIDF membership hasn't been a=
ware of the issue and hasn't had time to respond (over a year now). The clea=
r message was Connect is too far along to consider changes.</div><div><br></=
div><div>I brought the issue to the IETF because there is inappropriate use o=
f oauth in the wild. The draft submitted discusses the issue an describes a p=
ossible simple fix.</div><div><br></div><div>The WG has a wide range of choi=
ces to make. One of which is to refer to OpenId Foundation. Another might be=
 an errata to the security considerations. The first decision is to put it o=
n the next charter. &nbsp;</div><div><br></div><div>I think you are 'jumping=
 the gun' here.&nbsp;</div><div><br>Phil</div><div><br>On 2013-08-02, at 6:3=
4, Nat Sakimura &lt;<a href=3D"mailto:sakimura@gmail.com">sakimura@gmail.com=
</a>&gt; wrote:<br><br></div><blockquote type=3D"cite"><div><div dir=3D"ltr"=
>Not necessarily. Why would it be inappropriate?&nbsp;<div><br></div><div>I c=
all it NIH syndrome.&nbsp;</div><div>Respecting the work which is done outsi=
de is a good thing.&nbsp;</div><div>Just taking the content and taking a cre=
dit for it is a bad practice.&nbsp;</div>
<div><br></div><div>Forking is also bad.&nbsp;</div><div><br></div><div clas=
s=3D"gmail_extra"><br><br><div class=3D"gmail_quote">2013/8/2 Phil Hunt <spa=
n dir=3D"ltr">&lt;<a href=3D"mailto:phil.hunt@oracle.com" target=3D"_blank">=
phil.hunt@oracle.com</a>&gt;</span><br>
<blockquote class=3D"gmail_quote" style=3D"margin:0 0 0 .8ex;border-left:1px=
 #ccc solid;padding-left:1ex"><div dir=3D"auto"><div>OpenId specs can depend=
 on oAuth. Having OAuth depend on OpenId is not appropriate here.&nbsp;<span=
 class=3D"HOEnZb"><font color=3D"#888888"><br>
<br>Phil</font></span></div><div><div class=3D"h5"><div><br>On 2013-08-01, a=
t 18:07, Nat Sakimura &lt;<a href=3D"mailto:sakimura@gmail.com" target=3D"_b=
lank">sakimura@gmail.com</a>&gt; wrote:<br><br></div><blockquote type=3D"cit=
e">
<div><div dir=3D"ltr">Like Bill says, it can just be a profile of OpenID Con=
nect.&nbsp;<div>IETF specs already references OpenID Foundation specs.&nbsp;=
</div><div>It should not be a problem.&nbsp;</div><div>I do not think we wan=
t to folk.&nbsp;</div>

</div><div class=3D"gmail_extra"><br><br><div class=3D"gmail_quote">2013/8/1=
 Anthony Nadalin <span dir=3D"ltr">&lt;<a href=3D"mailto:tonynad@microsoft.c=
om" target=3D"_blank">tonynad@microsoft.com</a>&gt;</span><br><blockquote cl=
ass=3D"gmail_quote" style=3D"margin:0 0 0 .8ex;border-left:1px #ccc solid;pa=
dding-left:1ex">







<div lang=3D"EN-US" link=3D"blue" vlink=3D"purple">
<div>
<p class=3D"MsoNormal"><span style=3D"font-size:11.0pt;font-family:&quot;Cal=
ibri&quot;,&quot;sans-serif&quot;;color:#1f497d">I believe it beneficial to h=
ave a common format and common values, and 1 way to handle the format and va=
lues. I believe that having this in oauth is beneficial,
 I believe that it would also be beneficial for OpenID if this were in oauth=
. There are cases for signed and unsigned formats.
<u></u><u></u></span></p>
<p class=3D"MsoNormal"><a name=3D"1403d1e1feb19c57_1403a4678daa8350__MailEnd=
Compose"><span style=3D"font-size:11.0pt;font-family:&quot;Calibri&quot;,&qu=
ot;sans-serif&quot;;color:#1f497d"><u></u>&nbsp;<u></u></span></a></p>
<div>
<div style=3D"border:none;border-top:solid #e1e1e1 1.0pt;padding:3.0pt 0in 0=
in 0in">
<p class=3D"MsoNormal"><b><span style=3D"font-size:11.0pt;font-family:&quot;=
Calibri&quot;,&quot;sans-serif&quot;">From:</span></b><span style=3D"font-si=
ze:11.0pt;font-family:&quot;Calibri&quot;,&quot;sans-serif&quot;"> Richer, J=
ustin P. [mailto:<a href=3D"mailto:jricher@mitre.org" target=3D"_blank">jric=
her@mitre.org</a>]
<br>
<b>Sent:</b> Thursday, August 1, 2013 7:15 AM<br>
<b>To:</b> Nat Sakimura<br>
<b>Cc:</b> Anthony Nadalin; Bill Mills; Prateek Mishra; <a href=3D"mailto:oa=
uth@ietf.org" target=3D"_blank">oauth@ietf.org</a> WG</span></p><div><div><b=
r>
<b>Subject:</b> Re: [OAUTH-WG] Need for Extending OAuth with AuthN (was Re: =
Fwd: New Version Notification for draft-hunt-oauth-v2-user-a4c-00.txt)<u></u=
><u></u></div></div><p></p>
</div>
</div><div><div>
<p class=3D"MsoNormal"><u></u>&nbsp;<u></u></p>
<p class=3D"MsoNormal">Also, it's (optionally) a token in the proposed docum=
ent we're discussing (=C2=A72.4.1), which means there are two ways to parse t=
he same information. OIDC uses JWTs for everything, signed and unsigned. Thi=
s means that OIDC is actually simpler
 from an implementation perspective, wouldn't you say? Instead of having two=
 parsers, you have one to cover both cases.&nbsp;
<u></u><u></u></p>
<div>
<p class=3D"MsoNormal"><u></u>&nbsp;<u></u></p>
</div>
<div>
<p class=3D"MsoNormal">(And given your tendency to throw signed assertions a=
t every problem, I would have thought that you'd prefer this anyway.)
<u></u><u></u></p>
<div>
<p class=3D"MsoNormal"><u></u>&nbsp;<u></u></p>
</div>
<div>
<p class=3D"MsoNormal">&nbsp;-- Justin<u></u><u></u></p>
</div>
<div>
<p class=3D"MsoNormal"><u></u>&nbsp;<u></u></p>
<div>
<div>
<p class=3D"MsoNormal">On Aug 1, 2013, at 9:40 AM, Nat Sakimura &lt;<a href=3D=
"mailto:sakimura@gmail.com" target=3D"_blank">sakimura@gmail.com</a>&gt;<u><=
/u><u></u></p>
</div>
<div>
<p class=3D"MsoNormal">&nbsp;wrote:<u></u><u></u></p>
</div>
<p class=3D"MsoNormal"><br>
<br>
<u></u><u></u></p>
<blockquote style=3D"margin-top:5.0pt;margin-bottom:5.0pt">
<div>
<div>
<p class=3D"MsoNormal">Yes, it is a Token.&nbsp;<u></u><u></u></p>
</div>
<div>
<p class=3D"MsoNormal">No, it does not have to be signed.&nbsp;<u></u><u></u=
></p>
</div>
<div>
<p class=3D"MsoNormal"><u></u>&nbsp;<u></u></p>
</div>
<div>
<p class=3D"MsoNormal" style=3D"margin-bottom:12.0pt">As to be a token or no=
t to be a token question, it has been discussed in the WG before, and if I r=
emember correctly, &nbsp;Microsoft argued for token saying that it is just b=
ase64 decoding and I lost there. &nbsp;<u></u><u></u></p>


</div>
<div>
<p class=3D"MsoNormal">Nat<u></u><u></u></p>
</div>
<div>
<p class=3D"MsoNormal" style=3D"margin-bottom:12.0pt"><br>
On Aug 1, 2013, at 14:24, Anthony Nadalin &lt;<a href=3D"mailto:tonynad@micr=
osoft.com" target=3D"_blank">tonynad@microsoft.com</a>&gt; wrote:<u></u><u><=
/u></p>
</div>
<blockquote style=3D"margin-top:5.0pt;margin-bottom:5.0pt">
<p class=3D"MsoNormal"><span style=3D"font-size:11.0pt;font-family:&quot;Cal=
ibri&quot;,&quot;sans-serif&quot;;color:#1f497d">You can=E2=80=99t do this, f=
irst openid uses a token and second it=E2=80=99s signed, third there is no s=
pecification to just return a authentication JSON structure</span><u></u><u>=
</u></p>


<p class=3D"MsoNormal"><span style=3D"font-size:11.0pt;font-family:&quot;Cal=
ibri&quot;,&quot;sans-serif&quot;;color:#1f497d">&nbsp;</span><u></u><u></u>=
</p>
<div>
<div style=3D"border:none;border-top:solid #e1e1e1 1.0pt;padding:3.0pt 0in 0=
in 0in">
<p class=3D"MsoNormal"><b><span style=3D"font-size:11.0pt;font-family:&quot;=
Calibri&quot;,&quot;sans-serif&quot;">From:</span></b><span style=3D"font-si=
ze:11.0pt;font-family:&quot;Calibri&quot;,&quot;sans-serif&quot;"> Richer, J=
ustin P. [<a href=3D"mailto:jricher@mitre.org" target=3D"_blank">mailto:jric=
her@mitre.org</a>]
<br>
<b>Sent:</b> Thursday, August 1, 2013 5:15 AM<br>
<b>To:</b> Anthony Nadalin<br>
<b>Cc:</b> Bill Mills; Prateek Mishra; Nat Sakimura; <a href=3D"mailto:oauth=
@ietf.org" target=3D"_blank">
oauth@ietf.org</a> WG<br>
<b>Subject:</b> Re: [OAUTH-WG] Need for Extending OAuth with AuthN (was Re: =
Fwd: New Version Notification for draft-hunt-oauth-v2-user-a4c-00.txt)</span=
><u></u><u></u></p>
</div>
</div>
<div>
<p class=3D"MsoNormal">&nbsp;<u></u><u></u></p>
</div>
<p class=3D"MsoNormal">Tony, you can already return the authn result from th=
e token request (we discussed this specifically in May as I recall). That's w=
hat the "idtoken" and "code idtoken" responses are for in OpenID Connect. Th=
e proposed draft is nearly a duplicate
 of the core functionality of OIDC. <u></u><u></u></p>
<div>
<div>
<p class=3D"MsoNormal">&nbsp;<u></u><u></u></p>
</div>
</div>
<div>
<p class=3D"MsoNormal">&nbsp;-- Justin<u></u><u></u></p>
</div>
<div>
<div>
<p class=3D"MsoNormal">&nbsp;<u></u><u></u></p>
</div>
<div>
<div>
<p class=3D"MsoNormal">On Aug 1, 2013, at 7:31 AM, Anthony Nadalin &lt;<a hr=
ef=3D"mailto:tonynad@microsoft.com" target=3D"_blank">tonynad@microsoft.com<=
/a>&gt;<u></u><u></u></p>
</div>
<div>
<p class=3D"MsoNormal">&nbsp;wrote:<u></u><u></u></p>
</div>
<p class=3D"MsoNormal" style=3D"margin-bottom:12.0pt"><u></u>&nbsp;<u></u></=
p>
<blockquote style=3D"margin-top:5.0pt;margin-bottom:5.0pt">
<div>
<div>
<p class=3D"MsoNormal"><span style=3D"font-size:11.0pt;font-family:&quot;Cal=
ibri&quot;,&quot;sans-serif&quot;;color:#1f497d">The proposal does not dupli=
cate what OpenID does, there is clear benefit for returning an authenticatio=
n result in the token request result. This is being proposed
 as optional JSON structure.</span><u></u><u></u></p>
</div>
<div>
<div>
<p class=3D"MsoNormal"><span style=3D"font-size:11.0pt;font-family:&quot;Cal=
ibri&quot;,&quot;sans-serif&quot;;color:#1f497d">&nbsp;</span><u></u><u></u>=
</p>
</div>
</div>
<div>
<div style=3D"border:none;border-top:solid #e1e1e1 1.0pt;padding:3.0pt 0in 0=
in 0in">
<div>
<p class=3D"MsoNormal"><b><span style=3D"font-size:11.0pt;font-family:&quot;=
Calibri&quot;,&quot;sans-serif&quot;">From:</span></b><span><span style=3D"f=
ont-size:11.0pt;font-family:&quot;Calibri&quot;,&quot;sans-serif&quot;">&nbs=
p;</span></span><span style=3D"font-size:11.0pt;font-family:&quot;Calibri&qu=
ot;,&quot;sans-serif&quot;"><a href=3D"mailto:oauth-bounces@ietf.org" target=
=3D"_blank"><span style=3D"color:purple">oauth-bounces@ietf.org</span></a><s=
pan>&nbsp;</span>[mailto:<a href=3D"mailto:oauth-" target=3D"_blank">oauth-<=
/a><a href=3D"mailto:bounces@ietf.org" target=3D"_blank"><span style=3D"colo=
r:purple">bounces@ietf.org</span></a>]<span>&nbsp;</span><b>On
 Behalf Of<span>&nbsp;</span></b>Bill Mills<br>
<b>Sent:</b><span>&nbsp;</span>Wednesday, July 31, 2013 2:50 PM<br>
<b>To:</b><span>&nbsp;</span>Prateek Mishra; Nat Sakimura<br>
<b>Cc:</b><span>&nbsp;</span><a href=3D"mailto:oauth@ietf.org" target=3D"_bl=
ank"><span style=3D"color:purple">oauth@ietf.org</span></a><span>&nbsp;</spa=
n>WG<br>
<b>Subject:</b><span>&nbsp;</span>Re: [OAUTH-WG] Need for Extending OAuth wi=
th AuthN (was Re: Fwd: New Version Notification for draft-hunt-oauth-v2-user=
-a4c-00.txt)</span><u></u><u></u></p>
</div>
</div>
</div>
<div>
<div>
<p class=3D"MsoNormal">&nbsp;<u></u><u></u></p>
</div>
</div>
<div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white"><span style=3D"font-family=
:&quot;Courier New&quot;">Rather than extending OAuth for something OpenID a=
lready does... &nbsp;why don't we get a simple informational example doc to s=
how how to implement the most basic OpenID service,
 which is the same functionality on a standard that's already written?</span=
><u></u><u></u></p>
</div>
</div>
<div>
<div>
<div>
<p class=3D"MsoNormal"><span style=3D"font-family:&quot;Courier New&quot;">&=
nbsp;</span><u></u><u></u></p>
</div>
</div>
</div>
<div>
<div>
<p class=3D"MsoNormal"><span style=3D"font-family:&quot;Courier New&quot;">T=
his is sounding more and more like a documentation problem.</span><u></u><u>=
</u></p>
</div>
</div>
<div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white"><span style=3D"font-family=
:&quot;Courier New&quot;">&nbsp;</span><u></u><u></u></p>
</div>
</div>
</div>
<div>
<div>
<div class=3D"MsoNormal" align=3D"center" style=3D"text-align:center;backgro=
und:white">
<hr size=3D"1" width=3D"100%" align=3D"center">
</div>
<div>
<p class=3D"MsoNormal" style=3D"background:white"><b><span style=3D"font-siz=
e:10.0pt;font-family:&quot;Arial&quot;,&quot;sans-serif&quot;">From:</span><=
/b><span><span style=3D"font-size:10.0pt;font-family:&quot;Arial&quot;,&quot=
;sans-serif&quot;">&nbsp;</span></span><span style=3D"font-size:10.0pt;font-=
family:&quot;Arial&quot;,&quot;sans-serif&quot;">Prateek
 Mishra &lt;<a href=3D"mailto:prateek.mishra@oracle.com" target=3D"_blank"><=
span style=3D"color:purple">prateek.mishra@oracle.com</span></a>&gt;<br>
<b>To:</b><span>&nbsp;</span>Nat Sakimura &lt;<a href=3D"mailto:sakimura@gma=
il.com" target=3D"_blank"><span style=3D"color:purple">sakimura@gmail.com</s=
pan></a>&gt;<span>&nbsp;</span><br>
<b>Cc:</b><span>&nbsp;</span>"<a href=3D"mailto:oauth@ietf.org%20WG" target=3D=
"_blank"><span style=3D"color:purple">oauth@ietf.org WG</span></a>" &lt;<a h=
ref=3D"mailto:oauth@ietf.org" target=3D"_blank"><span style=3D"color:purple"=
>oauth@ietf.org</span></a>&gt;<span>&nbsp;</span><br>


<b>Sent:</b><span>&nbsp;</span>Wednesday, July 31, 2013 2:38 PM<br>
<b>Subject:</b><span>&nbsp;</span>[OAUTH-WG] Need for Extending OAuth with A=
uthN (was Re: Fwd: New Version Notification for draft-hunt-oauth-v2-user-a4c=
-00.txt)</span><u></u><u></u></p>
</div>
</div>
<div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">&nbsp;<u></u><u></u></p>
</div>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">Nat -<span>&nbsp;</span><b=
r>
<br>
thanks for the detailed response. I did review the links you sent out but it=
 remained unclear to me which<br>
features are MTI and which are not. For example, there is nothing in the Bas=
ic Client Profile that suggests<br>
that Section 2.3 is optional. I also could not find any definition for " non=
-dynamic OpenID Connect Server".<br>
<br>
I don't think there is a need to duplicate portions of the draft specificati=
on text in a new document. One solution<br>
that was used in SAML 2.0 was to define a conformance document which describ=
ed several different<span>&nbsp;</span><br>
operational modes and explained how only a small set of features needed to b=
e implemented in certain modes.<br>
<br>
<a href=3D"http://docs.oasis-open.org/security/saml/v2.0/saml-conformance-2.=
0-os.pdf" target=3D"_blank"><span style=3D"color:purple">http://docs.oasis-o=
pen.org/security/saml/v2.0/saml-conformance-2.0-os.pdf</span></a><br>
<br>
There are probably other smarter ways to achieve the same effect.<br>
<br>
Given this situation, I do think it's a reasonable task for the OAuth commun=
ity to consider the need for<span>&nbsp;</span><br>
a minimal extension to OAuth that accommodates authentication. The community=
 should be made aware that<span>&nbsp;</span><br>
RFC 6749 is being misused for federated authentication, as explained in&nbsp=
; -&nbsp;<span>&nbsp;</span><br>
<br>
<a href=3D"http://www.independentid.com/2013/07/simple-authentication-for-oa=
uth-2-what.html" target=3D"_blank"><span style=3D"color:purple">http://www.i=
ndependentid.com/2013/07/simple-authentication-for-oauth-2-what.html</span><=
/a><span>&nbsp;</span><br>


<br>
and that there doesn't appear to be a simple solution that is currently avai=
lable. It would be great if it turned<br>
out that OpenID Connect offered such a solution but that isn't clear to me.<=
br>
<br>
Thx,<br>
prateek<u></u><u></u></p>
</div>
<div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">&nbsp;<u></u><u></u></p>
</div>
</div>
</div>
<blockquote style=3D"margin-top:5.0pt;margin-bottom:5.0pt">
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">&nbsp;<u></u><u></u></p>
</div>
</div>
<div>
<p class=3D"MsoNormal" style=3D"margin-bottom:12.0pt;background:white;backgr=
ound-repeat:initial initial">
Inline:&nbsp;<u></u><u></u></p>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">2013/7/31 Prateek Mishra &=
lt;<a href=3D"mailto:prateek.mishra@oracle.com" target=3D"_blank"><span styl=
e=3D"color:purple">prateek.mishra@oracle.com</span></a>&gt;<u></u><u></u></p=
>
</div>
<blockquote style=3D"border:none;border-left:solid #cccccc 1.0pt;padding:0in=
 0in 0in 6.0pt;margin-left:4.8pt;margin-top:5.0pt;margin-right:0in;margin-bo=
ttom:5.0pt">
<div>
<p class=3D"MsoNormal" style=3D"background:white">Nat -<span>&nbsp;</span><b=
r>
<br>
your blog posting is helpful to those of us who are looking for a minimal ex=
tension of OAuth with<span>&nbsp;</span><br>
an authenticator.&nbsp; Many implementors are seeking a modest extension of O=
Auth, not an entire new protocol<br>
stack. &nbsp; I believe that is the point of Phil Hunt's proposal to the OAu=
th committee.<br>
<br>
I do have some questions about the statements made in the blog -<span>&n=
bsp;</span><br>
<br>
A) Can you direct me to a single OpenID Connect draft specification document=
 where steps 1 and 2 are described?<u></u><u></u></p>
</div>
</blockquote>
<div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">&nbsp;<u></u><u></u></p>
</div>
</div>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">Actually, it is not a sing=
le spec, that the Standard is referencing others.&nbsp;<u></u><u></u></p>
</div>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">The Standard is kind of cl=
uttered because it has 6 response types and three request types in it.&nbsp;=
<u></u><u></u></p>
</div>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">I suppose it would be much=
 easier for the readers to split them into coherent pieces, though that mean=
s duplicate texts.&nbsp;<u></u><u></u></p>
</div>
</div>
<div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">&nbsp;<u></u><u></u></p>
</div>
</div>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">The easiest approach here i=
s to read the Basic Client Profile.&nbsp;<a href=3D"http://openid.net/specs/=
openid-connect-basic-1_0-28.html" target=3D"_blank"><span style=3D"color:pur=
ple">http://openid.net/specs/openid-connect-basic-1_0-28.html</span></a><u><=
/u><u></u></p>


</div>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">Then, read&nbsp;OAuth 2.0 M=
ultiple Response Type Encoding Practices&nbsp;<a href=3D"http://openid.net/s=
pecs/oauth-v2-multiple-response-types-1_0-08.html" target=3D"_blank"><span s=
tyle=3D"color:purple">http://openid.net/specs/oauth-v2-multiple-response-typ=
es-1_0-08.html</span></a>&nbsp;.&nbsp;<u></u><u></u></p>


</div>
</div>
<div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">&nbsp;<u></u><u></u></p>
</div>
</div>
</div>
<blockquote style=3D"border:none;border-left:solid #cccccc 1.0pt;padding:0in=
 0in 0in 6.0pt;margin-left:4.8pt;margin-top:5.0pt;margin-right:0in;margin-bo=
ttom:5.0pt">
<div>
<p class=3D"MsoNormal" style=3D"background:white"><br>
B) If I implement steps 1 and 2, do I then have a conformant OpenID Connect i=
mplementation? Are there no<span>&nbsp;</span><br>
other MTI protocol exchanges in OpenID Connect?<u></u><u></u></p>
</div>
</blockquote>
<div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">&nbsp;<u></u><u></u></p>
</div>
</div>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">Yes, for a non-dynamic Ope=
nID Connect Server.&nbsp;<u></u><u></u></p>
</div>
</div>
<div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">&nbsp;<u></u><u></u></p>
</div>
</div>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">Nat<u></u><u></u></p>
</div>
</div>
<div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">&nbsp;&nbsp;<u></u><u></u>=
</p>
</div>
</div>
</div>
<blockquote style=3D"border:none;border-left:solid #cccccc 1.0pt;padding:0in=
 0in 0in 6.0pt;margin-left:4.8pt;margin-top:5.0pt;margin-right:0in;margin-bo=
ttom:5.0pt">
<div>
<p class=3D"MsoNormal" style=3D"background:white"><br>
Thanks,<br>
prateek<u></u><u></u></p>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white"><br>
<br>
&nbsp; &nbsp;<u></u><u></u></p>
</div>
<div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">&nbsp;<u></u><u></u></p>
</div>
</div>
</div>
<blockquote style=3D"margin-top:5.0pt;margin-bottom:5.0pt">
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">I have written a short blo=
g post titled "<a href=3D"http://nat.sakimura.org/2013/07/28/write-openid-co=
nnect-server-in-three-simple-steps/" target=3D"_blank"><span style=3D"color:=
purple">Write an OpenID Connect server
 in three simple steps</span></a>".&nbsp;<u></u><u></u></p>
</div>
<div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">&nbsp;<u></u><u></u></p>
</div>
</div>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">Really, there is not much y=
ou need to do on top of OAuth 2.0.&nbsp;<u></u><u></u></p>
</div>
</div>
<div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">&nbsp;<u></u><u></u></p>
</div>
</div>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">It puzzles me why you need=
 to create a draft with only minor variances in parameter names.&nbsp;<u></u=
><u></u></p>
</div>
</div>
<div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">&nbsp;<u></u><u></u></p>
</div>
</div>
</div>
<blockquote style=3D"margin-left:30.0pt;margin-top:5.0pt;margin-right:0in;ma=
rgin-bottom:5.0pt">
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">e.g.,&nbsp;<u></u><u></u><=
/p>
</div>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">session instead of id_toke=
n<u></u><u></u></p>
</div>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">lat instead of iat<u></u><=
u></u></p>
</div>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">alv instead of acr<u></u><=
u></u></p>
</div>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">etc.&nbsp;<u></u><u></u></=
p>
</div>
</div>
</blockquote>
<div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">&nbsp;<u></u><u></u></p>
</div>
</div>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">If you change those parame=
ter names, you will have a conformant profile of OpenID Connect.&nbsp;<u></u=
><u></u></p>
</div>
</div>
<div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">&nbsp;<u></u><u></u></p>
</div>
</div>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">Nat<u></u><u></u></p>
</div>
</div>
</div>
<div>
<div style=3D"margin-bottom:12.0pt;background-repeat:initial initial">
<p class=3D"MsoNormal" style=3D"background:white">&nbsp;<u></u><u></u></p>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">2013/7/31 John Bradley &lt=
;<a href=3D"mailto:ve7jtb@ve7jtb.com" target=3D"_blank"><span style=3D"color=
:purple">ve7jtb@ve7jtb.com</span></a>&gt;<u></u><u></u></p>
</div>
<blockquote style=3D"border:none;border-left:solid #cccccc 1.0pt;padding:0in=
 0in 0in 6.0pt;margin-left:4.8pt;margin-top:5.0pt;margin-right:0in;margin-bo=
ttom:5.0pt">
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">Connect doesn't require a u=
serinfo endpoint. &nbsp; It is required for interoperability if you are buil=
ding an open IdP. &nbsp; For an enterprise type deployment discovery, regist=
ration, userinfo are all optional.<u></u><u></u></p>


</div>
<div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">&nbsp;<u></u><u></u></p>
</div>
</div>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">The server is required to p=
ass the nonce which is equivalent to a request ID through to the JWT if the c=
lient sends it in the request.<u></u><u></u></p>
</div>
</div>
<div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">&nbsp;<u></u><u></u></p>
</div>
</div>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">Justin is correct.<u></u><=
u></u></p>
</div>
</div>
<div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">&nbsp;<u></u><u></u></p>
</div>
</div>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">John B.<u></u><u></u></p>
</div>
<div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">&nbsp;<u></u><u></u></p>
</div>
</div>
<div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">On 2013-07-30, at 5:30 PM,=
 Phil Hunt &lt;<a href=3D"mailto:phil.hunt@oracle.com" target=3D"_blank"><sp=
an style=3D"color:purple">phil.hunt@oracle.com</span></a>&gt; wrote:<u></u><=
u></u></p>


</div>
</div>
<div>
<p class=3D"MsoNormal" style=3D"margin-bottom:12.0pt;background:white"><br>
<br>
<u></u><u></u></p>
</div>
<blockquote style=3D"margin-top:5.0pt;margin-bottom:5.0pt">
<div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">Forgot reply all.<br>
<br>
Phil<u></u><u></u></p>
</div>
</div>
<div>
<p class=3D"MsoNormal" style=3D"margin-bottom:12.0pt;background:white;backgr=
ound-repeat:initial initial">
<br>
Begin forwarded message:<u></u><u></u></p>
</div>
<blockquote style=3D"margin-top:5.0pt;margin-bottom:5.0pt">
<p class=3D"MsoNormal" style=3D"margin-bottom:12.0pt;background:white;backgr=
ound-repeat:initial initial">
<b>From:</b><span>&nbsp;</span>Phil Hunt &lt;<a href=3D"mailto:phil.hunt@ora=
cle.com" target=3D"_blank"><span style=3D"color:purple">phil.hunt@oracle.com=
</span></a>&gt;<br>
<b>Date:</b><span>&nbsp;</span>30 July, 2013 17:25:46 GMT+02:00<br>
<b>To:</b><span>&nbsp;</span>"Richer, Justin P." &lt;<a href=3D"mailto:jrich=
er@mitre.org" target=3D"_blank"><span style=3D"color:purple">jricher@mitre.o=
rg</span></a>&gt;<br>
<b>Subject:</b><span>&nbsp;</span><b>Re: [OAUTH-WG] New Version Notification=
 for draft-hunt-oauth-v2-user-a4c-00.txt</b><u></u><u></u></p>
</blockquote>
<blockquote style=3D"margin-top:5.0pt;margin-bottom:5.0pt">
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">The whole point is authn o=
nly. Many do not want or need the userinfo endpoint.&nbsp;<br>
<br>
Phil<u></u><u></u></p>
</div>
</div>
<div>
<p class=3D"MsoNormal" style=3D"margin-bottom:12.0pt;background:white;backgr=
ound-repeat:initial initial">
<br>
On 2013-07-30, at 17:17, "Richer, Justin P." &lt;<a href=3D"mailto:jricher@m=
itre.org" target=3D"_blank"><span style=3D"color:purple">jricher@mitre.org</=
span></a>&gt; wrote:<u></u><u></u></p>
</div>
<blockquote style=3D"margin-top:5.0pt;margin-bottom:5.0pt">
<div>
<p class=3D"MsoNormal" style=3D"background:white">What do you mean? You abso=
lutely can implement a compliant OIDC server nearly as simply as this. The t=
hings that you're missing I think are necessary for basic interoperable func=
tionality, and are things that other
 folks using OAuth for authentication have also implemented. Namely:<u></u><=
u></u></p>
</div>
<div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">&nbsp;<u></u><u></u></p>
</div>
</div>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">&nbsp;- Signing the ID tok=
en (OIDC specifies the RS256 flavor of JWS, which is easy to do with JWT). W=
ithout a signed and verifiable ID token or equivalent, you're asking for all=
 kinds of token injection problems.<u></u><u></u></p>


</div>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">&nbsp;- Session management=
 requests (max auth age, auth time)<u></u><u></u></p>
</div>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">&nbsp;- Not fall over with=
 other parameters that you don't support (display, prompt, etc).<u></u><u></=
u></p>
</div>
</div>
<div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">&nbsp;<u></u><u></u></p>
</div>
</div>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">See here for more informat=
ion:<u></u><u></u></p>
</div>
</div>
<div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">&nbsp;<u></u><u></u></p>
</div>
</div>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">&nbsp;<a href=3D"http://op=
enid.net/specs/openid-connect-messages-1_0.html#ServerMTI" target=3D"_blank"=
><span style=3D"color:purple">http://openid.net/specs/openid-connect-message=
s-1_0.html#ServerMTI</span></a><u></u><u></u></p>


</div>
</div>
<div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">&nbsp;<u></u><u></u></p>
</div>
</div>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">Additionally, something th=
at's really important to support is the User Info Endpoint, so you can actua=
lly get user profile information beyond just the simple "someone was here" c=
laim -- this was the real value of
 Facebook Connect from an RP's perspective. Some people will probably want t=
o use SCIM for this, too, and that's fine.<u></u><u></u></p>
</div>
</div>
<div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">&nbsp;<u></u><u></u></p>
</div>
</div>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">&nbsp;-- Justin<u></u><u><=
/u></p>
</div>
</div>
<div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">&nbsp;<u></u><u></u></p>
</div>
</div>
<div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">On Jul 30, 2013, at 10:54 A=
M, Phil Hunt &lt;<a href=3D"mailto:phil.hunt@oracle.com" target=3D"_blank"><=
span style=3D"color:purple">phil.hunt@oracle.com</span></a>&gt;<u></u><u></u=
></p>


</div>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">&nbsp;wrote:<u></u><u></u>=
</p>
</div>
</div>
<div>
<p class=3D"MsoNormal" style=3D"margin-bottom:12.0pt;background:white"><br>
<br>
<u></u><u></u></p>
</div>
<blockquote style=3D"margin-top:5.0pt;margin-bottom:5.0pt">
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">The oidc specs do not allo=
w this simple an implementation. The spec members have not shown interest in=
 making changes as they say they are too far down the road.<u></u><u></u></p=
>


</div>
</div>
<div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">&nbsp;<u></u><u></u></p>
</div>
</div>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">I have tried to make my dr=
aft as close as possible to oidc but maybe it shouldn't be clarity wise. I a=
m interested in what the group feels is clearest.&nbsp;<u></u><u></u></p>


</div>
</div>
<div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">&nbsp;<u></u><u></u></p>
</div>
</div>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">=46rom an ietf perspective=
 the concern is improper use of the 6749 for authn. Is this a bug or gap we n=
eed to address?<br>
<br>
Phil<u></u><u></u></p>
</div>
</div>
<div>
<p class=3D"MsoNormal" style=3D"margin-bottom:12.0pt;background:white;backgr=
ound-repeat:initial initial">
<br>
On 2013-07-30, at 16:46, "Richer, Justin P." &lt;<a href=3D"mailto:jricher@m=
itre.org" target=3D"_blank"><span style=3D"color:purple">jricher@mitre.org</=
span></a>&gt; wrote:<u></u><u></u></p>
</div>
<blockquote style=3D"margin-top:5.0pt;margin-bottom:5.0pt">
<div>
<p class=3D"MsoNormal" style=3D"background:white">=46rom what I read, you've=
 defined something that uses an OAuth 2 code flow to get an extra token whic=
h is specified as a JWT. You named it "session_token" instead of "id_token",=
 and you've left off the User Information
 Endpoint -- but other than that, this is exactly the Basic Client for OpenI=
D Connect. In other words, if you change the names on things you've got OIDC=
, but without the capabilities to go beyond a very basic "hey there's a user=
 here" claim. This is the same
 place that OpenID 2.0 started, and it was very, very quickly extended with S=
REG, AX, PAPE, and others for it to be useful in the real world of distribut=
ed logins. You've also left out discovery and registration which are require=
d for distributed deployments,
 but I'm guessing that those would be modular components that could be added=
 in (like they are in OIDC).&nbsp;<u></u><u></u></p>
</div>
<div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">&nbsp;<u></u><u></u></p>
</div>
</div>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">I've heard complaints that=
 OIDC is complicated, but it's really not. Yes, I agree that the giant stack=
 of documents is intimidating and in my opinion it's a bit of a mess with Me=
ssages and Standard split up (but
 I lost that argument years ago). However, at the core, you've got an OAuth2=
 authorization server that spits out access tokens and id tokens. The id tok=
en is a JWT with some known claims (iss, sub, etc) and is issued alongside t=
he access token, and its audience
 is the *client* and not the *protected resource*. The access token is a reg=
ular old access token and its format is undefined (so you can use it with an=
 existing OAuth2 server setup, like we have), and it can be used at the User=
 Info Endpoint to get profile
 information about the user who authenticated. It could also be used for oth=
er services if your AS/IdP protects multiple things.<u></u><u></u></p>
</div>
</div>
<div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">&nbsp;<u></u><u></u></p>
</div>
</div>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">So I guess what I'm missin=
g is what's the value proposition in this spec when we have something that c=
an do this already? And this doesn't seem to do anything different (apart fr=
om syntax changes)?<u></u><u></u></p>


</div>
</div>
<div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">&nbsp;<u></u><u></u></p>
</div>
</div>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">&nbsp;-- Justin<u></u><u><=
/u></p>
</div>
</div>
<div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">&nbsp;<u></u><u></u></p>
</div>
</div>
<div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">On Jul 29, 2013, at 4:14 A=
M, Phil Hunt &lt;<a href=3D"mailto:phil.hunt@oracle.com" target=3D"_blank"><=
span style=3D"color:purple">phil.hunt@oracle.com</span></a>&gt; wrote:<u></u=
><u></u></p>


</div>
</div>
<div>
<p class=3D"MsoNormal" style=3D"margin-bottom:12.0pt;background:white"><br>
<br>
<u></u><u></u></p>
</div>
<blockquote style=3D"margin-top:5.0pt;margin-bottom:5.0pt">
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">FYI. &nbsp;I have been not=
icing a substantial number of sites acting as OAuth Clients using OAuth to a=
uthenticate users.<u></u><u></u></p>
</div>
<div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">&nbsp;<u></u><u></u></p>
</div>
</div>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">I know several of us have b=
logged on the issue over the past year so I won't re-hash it here. &nbsp;In s=
hort, many of us recommended OIDC as the correct methodology.<u></u><u></u><=
/p>


</div>
</div>
<div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">&nbsp;<u></u><u></u></p>
</div>
</div>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">Nevertheless, I've spoke=
n with a number of service providers who indicate they are not ready to make=
 the jump to OIDC, yet they agree there is a desire to support authenticatio=
n only (whereas OIDC does IDP-like
 services).<u></u><u></u></p>
</div>
</div>
<div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">&nbsp;<u></u><u></u></p>
</div>
</div>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">This draft is intended as a=
 minimum authentication only specification. &nbsp;I've tried to make it as c=
ompatible as possible with OIDC.<u></u><u></u></p>
</div>
</div>
<div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">&nbsp;<u></u><u></u></p>
</div>
</div>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">For now, I've just posted t=
o keep track of the issue so we can address at the next re-chartering.<u></u=
><u></u></p>
</div>
</div>
<div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">&nbsp;<u></u><u></u></p>
</div>
</div>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">Happy to answer questions a=
nd discuss.&nbsp;<u></u><u></u></p>
</div>
</div>
<div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">&nbsp;<u></u><u></u></p>
</div>
</div>
</div>
<div>
<div>
<div>
<div>
<div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white"><span style=3D"font-size:9=
.0pt;font-family:&quot;Helvetica&quot;,&quot;sans-serif&quot;">Phil</span><u=
></u><u></u></p>
</div>
</div>
<div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white"><span style=3D"font-size:9=
.0pt;font-family:&quot;Helvetica&quot;,&quot;sans-serif&quot;">&nbsp;</span>=
<u></u><u></u></p>
</div>
</div>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white"><span style=3D"font-size:9=
.0pt;font-family:&quot;Helvetica&quot;,&quot;sans-serif&quot;">@independenti=
d</span><u></u><u></u></p>
</div>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white"><span style=3D"font-size:9=
.0pt;font-family:&quot;Helvetica&quot;,&quot;sans-serif&quot;"><a href=3D"ht=
tp://www.independentid.com/" target=3D"_blank"><span style=3D"color:purple">=
www.independentid.com</span></a></span><u></u><u></u></p>


</div>
</div>
</div>
<p class=3D"MsoNormal" style=3D"margin-bottom:13.5pt;background:white;backgr=
ound-repeat:initial initial">
<span style=3D"font-size:13.5pt;font-family:&quot;Helvetica&quot;,&quot;sans=
-serif&quot;"><a href=3D"mailto:phil.hunt@oracle.com" target=3D"_blank"><spa=
n style=3D"color:purple">phil.hunt@oracle.com</span></a></span><u></u><u></u=
></p>


</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white"><span style=3D"font-size:1=
3.5pt;font-family:&quot;Helvetica&quot;,&quot;sans-serif&quot;">&nbsp;</span=
><u></u><u></u></p>
</div>
</div>
</div>
<div>
<p class=3D"MsoNormal" style=3D"margin-bottom:12.0pt;background:white"><br>
<br>
<u></u><u></u></p>
</div>
</div>
<div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">&nbsp;<u></u><u></u></p>
</div>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">Begin forwarded message:<u=
></u><u></u></p>
</div>
</div>
<div>
<p class=3D"MsoNormal" style=3D"margin-bottom:12.0pt;background:white"><br>
<br>
<u></u><u></u></p>
</div>
<blockquote style=3D"margin-top:5.0pt;margin-bottom:5.0pt">
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white"><b><span style=3D"font-siz=
e:13.5pt;font-family:&quot;Helvetica&quot;,&quot;sans-serif&quot;">From:</sp=
an></b><span style=3D"font-size:13.5pt;font-family:&quot;Helvetica&quot;,&qu=
ot;sans-serif&quot;"><a href=3D"mailto:internet-drafts@ietf.org" target=3D"_=
blank"><span style=3D"color:purple">internet-drafts@ietf.org</span></a></spa=
n><u></u><u></u></p>


</div>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white"><b><span style=3D"font-siz=
e:13.5pt;font-family:&quot;Helvetica&quot;,&quot;sans-serif&quot;">Subject: N=
ew Version Notification for draft-hunt-oauth-v2-user-a4c-00.txt</span></b><u=
></u><u></u></p>


</div>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white"><b><span style=3D"font-siz=
e:13.5pt;font-family:&quot;Helvetica&quot;,&quot;sans-serif&quot;">Date:</sp=
an></b><span style=3D"font-size:13.5pt;font-family:&quot;Helvetica&quot;,&qu=
ot;sans-serif&quot;">29 July, 2013 9:49:41 AM GMT+02:00</span><u></u><u></u>=
</p>


</div>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white"><b><span style=3D"font-siz=
e:13.5pt;font-family:&quot;Helvetica&quot;,&quot;sans-serif&quot;">To:</span=
></b><span style=3D"font-size:13.5pt;font-family:&quot;Helvetica&quot;,&quot=
;sans-serif&quot;">Phil Hunt &lt;<a href=3D"mailto:phil.hunt@yahoo.com" targ=
et=3D"_blank"><span style=3D"color:purple">phil.hunt@yahoo.com</span></a>&gt=
;,
 Phil Hunt &lt;<a href=3D"mailto:None@ietfa.amsl.com" target=3D"_blank"><spa=
n style=3D"color:purple">None@ietfa.amsl.com</span></a>&gt;, Phil Hunt &lt;&=
gt;</span><u></u><u></u></p>
</div>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">&nbsp;<u></u><u></u></p>
</div>
</div>
<div>
<p class=3D"MsoNormal" style=3D"margin-bottom:12.0pt;background:white;backgr=
ound-repeat:initial initial">
<br>
A new version of I-D, draft-hunt-oauth-v2-user-a4c-00.txt<br>
has been successfully submitted by Phil Hunt and posted to the<br>
IETF repository.<br>
<br>
Filename: draft-hunt-oauth-v2-user-a4c<br>
Revision: 00<br>
Title: OAuth 2.0 User Authentication For Client<br>
Creation date: 2013-07-29<br>
Group: Individual Submission<br>
Number of pages: 9<br>
URL: &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp=
;<a href=3D"http://www.ietf.org/internet-drafts/draft-hunt-oauth-v2-user-a4c=
-00.txt" target=3D"_blank"><span style=3D"color:purple">http://www.ietf.org/=
internet-drafts/draft-hunt-oauth-v2-user-a4c-00.txt</span></a><br>


Status: &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<a href=3D"htt=
p://datatracker.ietf.org/doc/draft-hunt-oauth-v2-user-a4c" target=3D"_blank"=
><span style=3D"color:purple">http://datatracker.ietf.org/doc/draft-hunt-oau=
th-v2-user-a4c</span></a><br>
Htmlized: &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<a href=3D"http://tools.=
ietf.org/html/draft-hunt-oauth-v2-user-a4c-00" target=3D"_blank"><span style=
=3D"color:purple">http://tools.ietf.org/html/draft-hunt-oauth-v2-user-a4c-00=
</span></a><br>
<br>
<br>
Abstract:<br>
&nbsp;&nbsp;This specification defines a new OAuth2 endpoint that enables us=
er<br>
&nbsp;&nbsp;authentication session information to be shared with client<br>
&nbsp;&nbsp;applications.<br>
<br>
<br>
<br>
<br>
Please note that it may take a couple of minutes from the time of submission=
<br>
until the htmlized version and diff are available at<a href=3D"http://tools.=
ietf.org/" target=3D"_blank"><span style=3D"color:purple">tools.ietf.org</sp=
an></a>.<br>
<br>
The IETF Secretariat<u></u><u></u></p>
</div>
</blockquote>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">&nbsp;<u></u><u></u></p>
</div>
</div>
</div>
</div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">__________________________=
_____________________<br>
OAuth mailing list<br>
<a href=3D"mailto:OAuth@ietf.org" target=3D"_blank"><span style=3D"color:pur=
ple">OAuth@ietf.org</span></a><br>
<a href=3D"https://www.ietf.org/mailman/listinfo/oauth" target=3D"_blank"><s=
pan style=3D"color:purple">https://www.ietf.org/mailman/listinfo/oauth</span=
></a><u></u><u></u></p>
</div>
</blockquote>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">&nbsp;<u></u><u></u></p>
</div>
</div>
</div>
</blockquote>
</blockquote>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">&nbsp;<u></u><u></u></p>
</div>
</div>
</div>
</blockquote>
</blockquote>
</div>
</blockquote>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">&nbsp;<u></u><u></u></p>
</div>
</div>
</div>
</div>
</div>
</blockquote>
</div>
<div>
<p class=3D"MsoNormal" style=3D"background:white"><br>
<br clear=3D"all">
<u></u><u></u></p>
</div>
<div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">&nbsp;<u></u><u></u></p>
</div>
</div>
</div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">--<span>&nbsp;</span><br>
Nat Sakimura (=3Dnat)<u></u><u></u></p>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">Chairman, OpenID Foundatio=
n<br>
<a href=3D"http://nat.sakimura.org/" target=3D"_blank"><span style=3D"color:=
purple">http://nat.sakimura.org/</span></a><br>
@_nat_en<u></u><u></u></p>
</div>
</div>
</div>
<div>
<p class=3D"MsoNormal" style=3D"margin-bottom:12.0pt;background:white"><br>
<br>
<u></u><u></u></p>
</div>


</blockquote>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">&nbsp;<u></u><u></u></p>
</div>
</div>
</div>
</blockquote>
</div>
<div>
<p class=3D"MsoNormal" style=3D"background:white"><br>
<br clear=3D"all">
<u></u><u></u></p>
</div>
<div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">&nbsp;<u></u><u></u></p>
</div>
</div>
</div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">--<span>&nbsp;</span><br>
Nat Sakimura (=3Dnat)<u></u><u></u></p>
</div>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">Chairman, OpenID Foundatio=
n<br>
<a href=3D"http://nat.sakimura.org/" target=3D"_blank"><span style=3D"color:=
purple">http://nat.sakimura.org/</span></a><br>
@_nat_en<u></u><u></u></p>
</div>
</div>
</div>
</blockquote>
<div>
<div>
<p class=3D"MsoNormal" style=3D"background:white">&nbsp;<u></u><u></u></p>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</blockquote>
</div>
<div>
<p class=3D"MsoNormal">&nbsp;<u></u><u></u></p>
</div>
</div>
</blockquote>
</div>
</blockquote>
</div>
<p class=3D"MsoNormal"><u></u>&nbsp;<u></u></p>
</div>
</div>
</div></div></div>
</div>

</blockquote></div><br><br clear=3D"all"><div><br></div>-- <br>Nat Sakimura (=
=3Dnat)<div>Chairman, OpenID Foundation<br><a href=3D"http://nat.sakimura.or=
g/" target=3D"_blank">http://nat.sakimura.org/</a><br>@_nat_en</div>
</div>
</div></blockquote><blockquote type=3D"cite"><div><span>____________________=
___________________________</span><br><span>OAuth mailing list</span><br><sp=
an><a href=3D"mailto:OAuth@ietf.org" target=3D"_blank">OAuth@ietf.org</a></s=
pan><br>
<span><a href=3D"https://www.ietf.org/mailman/listinfo/oauth" target=3D"_bla=
nk">https://www.ietf.org/mailman/listinfo/oauth</a></span><br></div></blockq=
uote></div></div></div></blockquote></div><br><br clear=3D"all"><div><br></d=
iv>
-- <br>Nat Sakimura (=3Dnat)<div>Chairman, OpenID Foundation<br><a href=3D"h=
ttp://nat.sakimura.org/" target=3D"_blank">http://nat.sakimura.org/</a><br>@=
_nat_en</div>
</div></div>
</div></blockquote></body></html>=

--Apple-Mail-E0E5A9BF-8595-4027-88EA-552067160FD8--

From sakimura@gmail.com  Thu Aug  1 22:26:15 2013
Return-Path: <sakimura@gmail.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 86B5711E8220 for <oauth@ietfa.amsl.com>; Thu,  1 Aug 2013 22:26:15 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.571
X-Spam-Level: 
X-Spam-Status: No, score=-2.571 tagged_above=-999 required=5 tests=[AWL=0.028,  BAYES_00=-2.599, HTML_MESSAGE=0.001, NO_RELAYS=-0.001]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id iDpXn382AZbL for <oauth@ietfa.amsl.com>; Thu,  1 Aug 2013 22:26:14 -0700 (PDT)
Received: from mail-la0-x234.google.com (mail-la0-x234.google.com [IPv6:2a00:1450:4010:c03::234]) by ietfa.amsl.com (Postfix) with ESMTP id 0FCE911E8210 for <oauth@ietf.org>; Thu,  1 Aug 2013 22:26:13 -0700 (PDT)
Received: by mail-la0-f52.google.com with SMTP id fq13so144476lab.11 for <oauth@ietf.org>; Thu, 01 Aug 2013 22:26:12 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=0GM2174PgDp/cXc7jJOQI8SdSBJbOC+kHorTF9ym9/Q=; b=rUWHH6MUCgN7IwRUOgchMMEw+/d/T71HacXeDaZbKGEMf6amMylkzddokbiGpz1dJ7 ZVtctbPwfMnK0y86ant9Bj6wwyZpSlfz8V6IM3V5J7WgPgnepD2MHXWJL8Hp1dN9dYX0 5nJ//U07kbx6igFy86oBz0xWKWaAL3JPckGKRVuXjAvwiPFvue9BlnxLw2kzrM1VCEmy QMiz161DzURWQ76/VVdxyHDD6IKyr3iFmO5U3zIJPR6IJFcEIbKBVVIRE7QKPFxr4zDc f0U7piAv0FsAwe/CN3FGEHqNAMzYlFIzqXrlY3hV0ZhOBhKCEqy3ibAa7nQZwdh0JMQR PpJQ==
MIME-Version: 1.0
X-Received: by 10.112.11.136 with SMTP id q8mr2673610lbb.94.1375421172850; Thu, 01 Aug 2013 22:26:12 -0700 (PDT)
Received: by 10.112.134.38 with HTTP; Thu, 1 Aug 2013 22:26:12 -0700 (PDT)
In-Reply-To: <CADD3F28-7865-4F38-86DA-EA20688C64A0@oracle.com>
References: <787A2184-CE90-49F4-ABB6-B8D049AE3941@oracle.com> <E2282016-1953-48A4-B0AC-7F138D29AB80@oracle.com> <BAB6DA63-5831-49D0-8CB9-13CF57F78806@ve7jtb.com> <CABzCy2C=DXtFUOZh=55xH_BwMz1Z8gb2ShUHAG7ZmATtc4E4zw@mail.gmail.com> <51F983E3.1020400@oracle.com> <1375307375.98370.YahooMailNeo@web142804.mail.bf1.yahoo.com> <5c5c607231e644f697c5a60b75688013@BY2PR03MB189.namprd03.prod.outlook.com> <5D020B1E-531D-444E-A492-046D444D48D2@mitre.org> <e68801da9fa547c69fee43b9cd7b22b8@BY2PR03MB189.namprd03.prod.outlook.com> <2117136733141454493@unknownmsgid> <8E6F38BA-E6BF-40E5-818A-45F506BB181D@mitre.org> <f4b99e49fbdd4e22b19391cdb720b15d@BY2PR03MB189.namprd03.prod.outlook.com> <CABzCy2Aou0eMqHKjxOh01mtfzQ8-mvU5BHF84kHHsnPsO3di=Q@mail.gmail.com> <6F19AC80-0BB9-4387-AA77-77D02CE1E772@oracle.com> <CABzCy2BA-fXy86NU+vZd96jV9yVo9GEBAmm_AoMeZoR-ECgyyQ@mail.gmail.com> <CADD3F28-7865-4F38-86DA-EA20688C64A0@oracle.com>
Date: Fri, 2 Aug 2013 07:26:12 +0200
Message-ID: <CABzCy2D4v=kP3SVSWWonWgE8Nv_ph3OAUhO7GheT8AuSQOiPpw@mail.gmail.com>
From: Nat Sakimura <sakimura@gmail.com>
To: Phil Hunt <phil.hunt@oracle.com>
Content-Type: multipart/alternative; boundary=001a11c3b61e6ca7a204e2f032e7
Cc: "oauth@ietf.org WG" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Need for Extending OAuth with AuthN (was Re: Fwd: New Version Notification for draft-hunt-oauth-v2-user-a4c-00.txt)
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 02 Aug 2013 05:26:15 -0000

--001a11c3b61e6ca7a204e2f032e7
Content-Type: text/plain; charset=ISO-8859-1

2013/8/2 Phil Hunt <phil.hunt@oracle.com>

> Yes. Forking is bad. This is not a fork.
>
> It isn't like OIDF membership hasn't been aware of the issue and hasn't
> had time to respond (over a year now). The clear message was Connect is too
> far along to consider changes.
>

You are grossly misrepresenting it here.  You did not sign the IPR
agreement despite OIDF having done everything we could do to help you guys
out. We spent a lot of time / effort / legal fees to accommodate your
request but you have not signed the IPR agreement to date.

OIDF process mandates that the contributors sign the agreement before
being able to contribute anything to the WG. Unless you sign it, we cannot
take up the comment, to avoid the IPR contamination. As a result, the
ticket was never created. If you had signed the IPR agreement and made a
comment, I am very sure that a ticket would have been created and dealt
with. You could do it until a couple of weeks ago. We had a 45-day public
review period. Did you comment in there? A bunch of comments came in and
we are accommodating them.

Also, I have to point out that to join the OIDF WG, you do not have to be
an OIDF member. The only requirement is that you commit to the IPR
agreement, that you will not go after the implementers for your patents
etc. for the implementation of the spec, so that open source developers do
not have to worry about being sued.

As far as the Connect spec modification possibility is concerned, for
editorial changes, we can still do them without a problem. We may also
still do some non-breaking changes if it is deemed necessary.
FYI, the Connect WG is contemplating a documentation structure change as
well, just so you know.


> I brought the issue to the IETF because there is inappropriate use of
> oauth in the wild. The draft submitted discusses the issue and describes a
> possible simple fix.
>
> The WG has a wide range of choices to make. One of which is to refer to
> OpenId Foundation. Another might be an errata to the security
> considerations. The first decision is to put it on the next charter.
>

Yes. My top priority here is not to fork. At least align the claim names.
Just saying alv instead of acr etc. does not make sense at all.


>
> I think you are 'jumping the gun' here.
>

I do hope that developers do not 'jump the gun', using slightly
different claim names.


> Phil
>
> On 2013-08-02, at 6:34, Nat Sakimura <sakimura@gmail.com> wrote:
>
> Not necessarily. Why would it be inappropriate?
>
> I call it NIH syndrome.
> Respecting the work which is done outside is a good thing.
> Just taking the content and taking credit for it is a bad practice.
>
> Forking is also bad.
>
>
> --
> Nat Sakimura (=nat)
> Chairman, OpenID Foundation
> http://nat.sakimura.org/
> @_nat_en
>
>


-- 
Nat Sakimura (=nat)
Chairman, OpenID Foundation
http://nat.sakimura.org/
@_nat_en

--001a11c3b61e6ca7a204e2f032e7--

From donald.coffin@reminetworks.com  Fri Aug  2 11:30:11 2013
Return-Path: <donald.coffin@reminetworks.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id AE51A11E80E8 for <oauth@ietfa.amsl.com>; Fri,  2 Aug 2013 11:30:11 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.265
X-Spam-Level: 
X-Spam-Status: No, score=-2.265 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, IP_NOT_FRIENDLY=0.334]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id iBbpBlsWFmEu for <oauth@ietfa.amsl.com>; Fri,  2 Aug 2013 11:30:03 -0700 (PDT)
Received: from oproxy7-pub.bluehost.com (oproxy7-pub.bluehost.com [67.222.55.9]) by ietfa.amsl.com (Postfix) with SMTP id D063611E8116 for <oauth@ietf.org>; Fri,  2 Aug 2013 11:29:56 -0700 (PDT)
Received: (qmail 31744 invoked by uid 0); 2 Aug 2013 18:29:23 -0000
Received: from unknown (HELO host125.hostmonster.com) (74.220.207.125) by oproxy7.bluehost.com with SMTP; 2 Aug 2013 18:29:23 -0000
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=reminetworks.com; s=default;  h=Content-Transfer-Encoding:Content-Type:MIME-Version:Message-ID:Date:Subject:In-Reply-To:References:To:From; bh=a4rvghqAITImK+nClfUbT4/kl2+qYJhRUD0QhUu/Cn4=;  b=o+TCLkTV3gXirf1bBrVBDZ49l4UAxGt0fuBOnIa2g/NwoVlrVx4MzcnU1UDM/9o59c5gVs/PJLOgd6vhqoBzyBdpck3qQ57zKOPkx1ZHtyFYRKvLkaaiWJwxjzdDoq8P;
Received: from [68.4.207.246] (port=2039 helo=HPPavilionElite) by host125.hostmonster.com with esmtpsa (TLSv1:RC4-SHA:128) (Exim 4.80) (envelope-from <donald.coffin@reminetworks.com>) id 1V5K6M-0005lu-RJ for oauth@ietf.org; Fri, 02 Aug 2013 12:29:22 -0600
From: "Donald F Coffin" <donald.coffin@reminetworks.com>
To: <oauth@ietf.org>
References: <mailman.155.1375416142.3376.oauth@ietf.org>
In-Reply-To: <mailman.155.1375416142.3376.oauth@ietf.org>
Date: Fri, 2 Aug 2013 11:27:27 -0700
Message-ID: <00c301ce8fad$f254f010$d6fed030$@reminetworks.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Mailer: Microsoft Outlook 14.0
Thread-Index: AQIFQSSmBOXv/HfQ/TI+ArgEnLpw/pkU2Y+A
Content-Language: en-us
X-Identified-User: {1395:host125.hostmonster.com:reminetw:reminetworks.com} {sentby:smtp auth 68.4.207.246 authed with donald.coffin@reminetworks.com}
Subject: Re: [OAUTH-WG] OAuth Digest, Vol 58, Issue 15
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 02 Aug 2013 18:30:11 -0000

+1

Best regards,
Don
Donald F. Coffin
Founder/CTO

REMI Networks
22751 El Prado Suite 6216
Rancho Santa Margarita, CA  92688-3836

Phone:      (949) 636-8571
Email:       donald.coffin@reminetworks.com

-----Original Message-----
From: oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] On Behalf Of
oauth-request@ietf.org
Sent: Thursday, August 01, 2013 9:02 PM
To: oauth@ietf.org
Subject: OAuth Digest, Vol 58, Issue 15



From zhou.sujing@zte.com.cn  Mon Aug  5 02:42:48 2013
Return-Path: <zhou.sujing@zte.com.cn>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E427C21F8467 for <oauth@ietfa.amsl.com>; Mon,  5 Aug 2013 02:42:45 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -100.184
X-Spam-Level: 
X-Spam-Status: No, score=-100.184 tagged_above=-999 required=5 tests=[BAYES_40=-0.185, HTML_MESSAGE=0.001, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Bc1aZIn9jaIj for <oauth@ietfa.amsl.com>; Mon,  5 Aug 2013 02:42:39 -0700 (PDT)
Received: from zte.com.cn (mx5.zte.com.cn [63.217.80.70]) by ietfa.amsl.com (Postfix) with ESMTP id 80AF721F8411 for <oauth@ietf.org>; Mon,  5 Aug 2013 02:41:08 -0700 (PDT)
Received: from zte.com.cn (unknown [192.168.168.119]) by Websense Email Security Gateway with ESMTP id 5EEE812863C7 for <oauth@ietf.org>; Mon,  5 Aug 2013 17:40:30 +0800 (CST)
Received: from mse02.zte.com.cn (unknown [10.30.3.21]) by Websense Email Security Gateway with ESMTPS id E69F8728A36; Mon,  5 Aug 2013 17:40:28 +0800 (CST)
Received: from notes_smtp.zte.com.cn ([10.30.1.239]) by mse02.zte.com.cn with ESMTP id r759eRwe088988; Mon, 5 Aug 2013 17:40:27 +0800 (GMT-8) (envelope-from zhou.sujing@zte.com.cn)
To: Zachary.Zeltsan@alcatel-lucent.com, torsten@lodderstedt.net, gffletch@aol.com
MIME-Version: 1.0
X-Mailer: Lotus Notes Release 6.5.6 March 06, 2007
Message-ID: <OFE117D818.698E0F58-ON48257BBE.0034B640-48257BBE.00353DF2@zte.com.cn>
From: zhou.sujing@zte.com.cn
Date: Mon, 5 Aug 2013 17:40:29 +0800
X-MIMETrack: Serialize by Router on notes_smtp/zte_ltd(Release 8.5.3FP1 HF212|May 23, 2012) at 2013-08-05 17:40:29, Serialize complete at 2013-08-05 17:40:29
Content-Type: multipart/alternative; boundary="=_alternative 00353DF048257BBE_="
X-MAIL: mse02.zte.com.cn r759eRwe088988
Cc: oauth@ietf.org
Subject: [OAUTH-WG] Current Progress in use case document?
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 05 Aug 2013 09:42:48 -0000

This is a multipart message in MIME format.
--=_alternative 00353DF048257BBE_=
Content-Type: text/plain; charset="US-ASCII"

Hi, all
     Will the use case document not be updated?
     For a reader it is very difficult to discern one use case from another.
     Could some diagram be added? Could some explanation be added to 
clarify why some cases cannot be supported by OAuth 2.0? 
 
 


--=_alternative 00353DF048257BBE_=--

From igor.faynberg@alcatel-lucent.com  Mon Aug  5 09:51:59 2013
Return-Path: <igor.faynberg@alcatel-lucent.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9A5E31F0C87 for <oauth@ietfa.amsl.com>; Mon,  5 Aug 2013 09:51:59 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -10.599
X-Spam-Level: 
X-Spam-Status: No, score=-10.599 tagged_above=-999 required=5 tests=[AWL=-0.000, BAYES_00=-2.599, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-8]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id b1i5+0-VqOFz for <oauth@ietfa.amsl.com>; Mon,  5 Aug 2013 09:51:54 -0700 (PDT)
Received: from ihemail1.lucent.com (ihemail1.lucent.com [135.245.0.33]) by ietfa.amsl.com (Postfix) with ESMTP id 232581F0C37 for <oauth@ietf.org>; Mon,  5 Aug 2013 09:51:53 -0700 (PDT)
Received: from usnavsmail1.ndc.alcatel-lucent.com (usnavsmail1.ndc.alcatel-lucent.com [135.3.39.9]) by ihemail1.lucent.com (8.13.8/IER-o) with ESMTP id r75GpkLS023781 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=FAIL); Mon, 5 Aug 2013 11:51:47 -0500 (CDT)
Received: from umail.lucent.com (umail.ndc.lucent.com [135.3.40.61]) by usnavsmail1.ndc.alcatel-lucent.com (8.14.3/8.14.3/GMO) with ESMTP id r75GpjNx003516 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NOT); Mon, 5 Aug 2013 11:51:45 -0500
Received: from [135.222.232.243] (USMUYN0L055118.mh.lucent.com [135.222.232.243]) by umail.lucent.com (8.13.8/TPES) with ESMTP id r75Gpi21015862; Mon, 5 Aug 2013 11:51:45 -0500 (CDT)
Message-ID: <51FFD820.2050200@alcatel-lucent.com>
Date: Mon, 05 Aug 2013 12:51:44 -0400
From: Igor Faynberg <igor.faynberg@alcatel-lucent.com>
Organization: Alcatel-Lucent
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.18) Gecko/20110616 Thunderbird/3.1.11
MIME-Version: 1.0
To: zhou.sujing@zte.com.cn
References: <OFE117D818.698E0F58-ON48257BBE.0034B640-48257BBE.00353DF2@zte.com.cn>
In-Reply-To: <OFE117D818.698E0F58-ON48257BBE.0034B640-48257BBE.00353DF2@zte.com.cn>
Content-Type: multipart/alternative; boundary="------------050403050709040004060308"
X-Scanned-By: MIMEDefang 2.57 on 135.245.2.33
X-Scanned-By: MIMEDefang 2.64 on 135.3.39.9
Cc: oauth@ietf.org, "zachary.zeltsan@gmail.com" <zachary.zeltsan@gmail.com>
Subject: Re: [OAUTH-WG] Current Progress in use case document?
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
Reply-To: igor.faynberg@alcatel-lucent.com
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 05 Aug 2013 16:51:59 -0000

This is a multi-part message in MIME format.
--------------050403050709040004060308
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit

Zhou,

The correct address for Zachary is on the (corrected) CC list.

My take on it is that the Use Cases document has been ready for approval 
for quite a while, and there were no concerns about misunderstandings. 
The cases are clearly delineated by their respective 1) descriptions, 2) 
pre-conditions, and 3) post-conditions.

I might try to help, but I don't quite understand what "some diagram" 
means here and why it should be added.  Nor do I understand what your 
difficulty in discerning one use case from another is.   If you see 
something specifically wrong with what is there please point this out.

If you need a tutorial on Use Cases, please write to Zachary.

With thanks,

Igor


On 8/5/2013 5:40 AM, zhou.sujing@zte.com.cn wrote:
> Hi, all
>      Will the use case document not be updated?
>      For a reader it is very difficult to discern one use case from 
> another.
>      Could some diagram be added? Could some explanation be added to 
> clarify why some cases cannot be supported by OAuth 2.0?
>
>
>
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth

--------------050403050709040004060308--

From sberyozkin@gmail.com  Tue Aug  6 04:26:41 2013
Message-ID: <5200DD6C.3010003@gmail.com>
Date: Tue, 06 Aug 2013 12:26:36 +0100
From: Sergey Beryozkin <sberyozkin@gmail.com>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:17.0) Gecko/20130623 Thunderbird/17.0.7
MIME-Version: 1.0
To: "<oauth@ietf.org>" <oauth@ietf.org>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Subject: [OAUTH-WG] What should happen to access tokens when the end user credentials change

Hi

Suppose a given user has approved a client's grant request and that 
client is now working with the access token tied to the user's login 
name (or some other representation of that user's login credentials).

What would be the recommended course of action when that user's 
credentials (example, the user's login name) change, as far as the 
existing access tokens tied to that user are concerned?

I haven't seen anything specific in the Security Considerations document.
Should the access tokens be simply refreshed internally, or invalidated, 
or is it nothing to do at all with OAuth2 (code flow), the fact the end 
user may change the login name?

I wonder what the best practice is in this case.

Thanks, Sergey

From barryleiba.mailing.lists@gmail.com  Tue Aug  6 05:47:04 2013
MIME-Version: 1.0
In-Reply-To: <5200DD6C.3010003@gmail.com>
References: <5200DD6C.3010003@gmail.com>
Date: Tue, 6 Aug 2013 14:47:03 +0200
Message-ID: <CAC4RtVAoSB5vQPiNB2JCBjJ8vOmvyKZSkAdwithzziXfjsku3w@mail.gmail.com>
From: Barry Leiba <barryleiba@computer.org>
To: Sergey Beryozkin <sberyozkin@gmail.com>
Content-Type: text/plain; charset=ISO-8859-1
Cc: "<oauth@ietf.org>" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] What should happen to access tokens when the end user credentials change

> Suppose a given user has approved a client's grant request and that client
> is now working with the access token tied to the user's login name (or some
> other representation of that user's login credentials).
>
> What would be the recommended course of action when that user's credentials
> (example, the user's login name) change, as far as the existing access
> tokens tied to that user are concerned?

An interesting question.

I think it's not the OAuth protocol's concern, but a document
describing operations and deployment might suggest what to do.
Groping here (I'm not a UI expert):

I expect that some changes (and/or some reasons for changes) would
make no difference to the authorizations the user has approved.  If I
change my username from "barryleiba" to "bigkahuna" because I want to
be cool, I would want my authorizations to persist.  If I change my
password because I routinely change my password, I would want my
authorizations to persist.  If I change my password because I think my
old password was compromised, I would want to review my authorizations
and make sure nothing untoward is there.  Alternatively, I might just
want to invalidate all of them and re-establish them as needed
afterward.

So it would probably be good for the system in question to ask me what
to do about the authorizations I've given out, and allow me to review
them and address them one by one, and/or make a blanket decision for
the lot.

Maybe:

    Your password has been changed.

    Do you want to revoke authorizations you have approved?  [YES / NO]

Or maybe:

    Your password has been changed.

    Do you want to review authorizations you have approved?  [YES / NO]

--
Barry
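
One way an authorization server could implement the behaviour discussed in this message, as an added example that is not part of the original post or of any OAuth specification: grants are bound to an immutable account id rather than the login name, so a rename leaves tokens untouched, while a password change after suspected compromise holds every grant until the user keeps or revokes it. The class and method names, the "held" state and the per-change defaults are assumptions of this example.

```python
import secrets
from dataclasses import dataclass, field
from enum import Enum


class Change(Enum):
    LOGIN_RENAMED = "login renamed"
    PASSWORD_ROUTINE = "routine password change"
    PASSWORD_COMPROMISED = "password changed after suspected compromise"


class Choice(Enum):
    KEEP = "keep"
    REVIEW = "review"
    REVOKE_ALL = "revoke all"


# What the server does when the user is not asked or does not answer (assumed policy).
DEFAULTS = {
    Change.LOGIN_RENAMED: Choice.KEEP,
    Change.PASSWORD_ROUTINE: Choice.KEEP,
    Change.PASSWORD_COMPROMISED: Choice.REVIEW,
}


@dataclass
class Grant:
    subject: str            # immutable account id; the login name is never stored here
    client_id: str
    scope: str
    tokens: set = field(default_factory=set)
    state: str = "active"   # active | held (awaiting review) | revoked


class AuthorizationServer:
    def __init__(self):
        self.subject_by_login = {}
        self.grants = []

    def create_account(self, login):
        self.subject_by_login[login] = "acct-" + secrets.token_hex(4)

    def approve(self, login, client_id, scope):
        """User approves a client; returns the access token issued under the grant."""
        grant = Grant(self.subject_by_login[login], client_id, scope)
        token = secrets.token_urlsafe(16)
        grant.tokens.add(token)
        self.grants.append(grant)
        return token

    def check_token(self, token):
        """What a resource server would learn about a presented token."""
        for grant in self.grants:
            if token in grant.tokens:
                return grant.state == "active"
        return False

    def grants_of(self, login):
        subject = self.subject_by_login[login]
        return [g for g in self.grants if g.subject == subject and g.state != "revoked"]

    def rename_login(self, old, new):
        # Only the lookup table changes; grants and tokens are untouched.
        self.subject_by_login[new] = self.subject_by_login.pop(old)
        return self.credentials_changed(new, Change.LOGIN_RENAMED)

    def credentials_changed(self, login, change, choice=None):
        """Apply the user's answer to the prompt, or the default for this change."""
        choice = choice or DEFAULTS[change]
        for grant in self.grants_of(login):
            if choice is Choice.REVOKE_ALL:
                grant.state = "revoked"
            elif choice is Choice.REVIEW:
                grant.state = "held"      # fail closed until the user decides
        return choice

    def resolve(self, login, client_id, keep):
        """One-by-one review: reinstate or revoke the held grant for one client."""
        for grant in self.grants_of(login):
            if grant.client_id == client_id and grant.state == "held":
                grant.state = "active" if keep else "revoked"
```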

From sberyozkin@gmail.com  Tue Aug  6 07:37:10 2013
Message-ID: <52010A12.6020203@gmail.com>
Date: Tue, 06 Aug 2013 15:37:06 +0100
From: Sergey Beryozkin <sberyozkin@gmail.com>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:17.0) Gecko/20130623 Thunderbird/17.0.7
MIME-Version: 1.0
To: Barry Leiba <barryleiba@computer.org>
References: <5200DD6C.3010003@gmail.com> <CAC4RtVAoSB5vQPiNB2JCBjJ8vOmvyKZSkAdwithzziXfjsku3w@mail.gmail.com>
In-Reply-To: <CAC4RtVAoSB5vQPiNB2JCBjJ8vOmvyKZSkAdwithzziXfjsku3w@mail.gmail.com>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Cc: "<oauth@ietf.org>" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] What should happen to access tokens when the end user credentials change

Hi

thanks for your thoughts, comments below,
On 06/08/13 13:47, Barry Leiba wrote:
>> Suppose a given user has approved a client's grant request and that client
>> is now working with the access token tied to the user's login name (or some
>> other representation of that user's login credentials).
>>
>> What would be the recommended course of action when that user's credentials
>> (example, the user's login name) change, as far as the existing access
>> tokens tied to that user are concerned?
>
> An interesting question.
>
> I think it's not the OAuth protocol's concern, but a document
> describing operations and deployment might suggest what to do.
> Groping here (I'm not a UI expert):
>
> I expect that some changes (and/or some reasons for changes) would
> make no difference to the authorizations the user has approved.  If I
> change my username from "barryleiba" to "bigkahuna" because I want to
> be cool, I would want my authorizations to persist.  If I change my
> password because I routinely change my password, I would want my
> authorizations to persist.  If I change my password because I think my
> old password was compromised, I would want to review my authorizations
> and make sure nothing untoward is there.  Alternatively, I might just
> want to invalidate all of them and re-establish them as needed
> afterward.
>
> So it would probably be good for the system in question to ask me what
> to do about the authorizations I've given out, and allow me to review
> them and address them one by one, and/or make a blanket decision for
> the lot.
>
> Maybe:
>
>      Your password has been changed.
>
>      Do you want to revoke authorizations you have approved?  [YES / NO]
>
> Or maybe:
>
>      Your password has been changed.
>
>      Do you want to review authorizations you have approved?  [YES / NO]

Letting the user decide what has to happen to authorizations in such 
cases seems like a nice idea. It would probably be good if the Security 
Considerations doc had some dedicated section, but either way I think I 
have my question answered :-)
Thanks, Sergey
>
> --
> Barry
>



From hannes.tschofenig@gmx.net  Tue Aug  6 12:42:17 2013
Message-ID: <520151A1.5070207@gmx.net>
Date: Tue, 06 Aug 2013 21:42:25 +0200
From: Hannes Tschofenig <hannes.tschofenig@gmx.net>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:17.0) Gecko/20130623 Thunderbird/17.0.7
MIME-Version: 1.0
To: "oauth@ietf.org WG" <oauth@ietf.org>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Subject: [OAUTH-WG] IETF #87 OAuth Meeting Minutes

Hi all,

Please have a look at the meeting minutes:
http://www.ietf.org/proceedings/87/minutes/minutes-87-oauth

There are a couple of action items in there.  As a short summary:
  * A few folks volunteered to review the use case document.
  * We will form a design team to work on the dynamic client
    registration document.
  * We will start WGLC for the JWT document.
  * A (minor) update to the assertion docs is needed.
  * We will schedule conf. calls for the security work.
  * Rechartering is coming up!

Ciao
Hannes & Derek




From jricher@mitre.org  Tue Aug  6 14:20:35 2013
Message-ID: <52016822.2090703@mitre.org>
Date: Tue, 6 Aug 2013 17:18:26 -0400
From: Justin Richer <jricher@mitre.org>
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:17.0) Gecko/20130623 Thunderbird/17.0.7
MIME-Version: 1.0
To: "oauth@ietf.org" <oauth@ietf.org>
Content-Type: text/plain; charset="ISO-8859-1"; format=flowed
Content-Transfer-Encoding: 7bit
Subject: [OAUTH-WG] A Proposal for Dynamic Registration

At last week's IETF meeting, there was quite a lot of talk about the 
Dynamic Registration draft as well as a few other related drafts in this 
space. I would like to propose to the group what I think would be a 
positive working structure among the different approaches that would let 
us move everything forward. The source documents in discussion here are 
the WG's Dynamic Registration (draft 14) and Phil Hunt's individual 
submission of a SCIM-based alternative with some software assertion 
components to it. I suggest we refactor these into three documents:

  - OAuth Dynamic Registration
  - SCIM-based OAuth Dynamic Registration
  - Software Statements for OAuth Dynamic Registration

I think that they all have their place in the world, and this is how I 
see them fitting together:


OAuth Dynamic Registration

What it is: Essentially the draft we have today, draft 14. This draft 
defines a standalone RESTful API for dealing with client registrations, 
it allows for open registration as well as protected registration, and 
perhaps most importantly we know that it works because people have 
implemented it as part of several different APIs. This could have an 
informational pointer to the SCIM draft and the Software Statements 
draft. We could call this one "core" or "basic" or some other modifier, 
but I don't think that's necessary because it already does what it says 
on the tin.

What it needs to concentrate on: This needs to be a "base" document with 
extension hooks in key places (such as the client metadata, which is 
already extensible, and places that have been made extensible like the 
token_endpoint_auth_method, and perhaps others). It needs to get its job 
done, allowing for full specification of the simple case in an 
interoperable way (anonymous registration of self-asserted client 
metadata to receive a client identifier and manage the registration) and 
be extensible and flexible enough for the more complex cases.

What we should do: I think that we should continue shepherding this 
document through WGLC in the OAuth WG because there are no specific open 
issues in the spec (that I, the editor, am aware of) and I've seen what 
I would personally consider to be rough consensus on it (not unanimous, 
but that's not necessary anyway).



SCIM-based OAuth Dynamic Registration:

What it is: Most of Phil's draft, this defines a SCIM profile for 
managing OAuth clients dynamically. This will accomplish the same kinds 
of things that the OAuth Dynamic Registration Draft will accomplish, but 
in a SCIM-like manner. This will have a normative dependency on SCIM (of 
some version), and probably an informational dependency on OAuth Dynamic 
Registration. This could have an informational pointer to the Software 
Statements draft. This draft is very useful if you're already deploying 
a SCIM based system, and if you're investing in SCIM then it's going to 
be a smaller step to support this than it would be the base draft. 
However, I strongly believe that SCIM is a really big jump for 
implementing basic functionality that this is trying to accomplish.

What it needs to concentrate on: Tracking with the overall SCIM 
specification (on which it depends) and tracking with the data model and 
general usage of the OAuth Dynamic Registration protocol (wherever it 
makes sense to do so).

What we should do: I think that this draft should be picked up and 
worked on as an IETF document, but I think that it probably makes more 
sense for that work to be done inside of the SCIM working group. The 
reasons for this are twofold: First, this draft really should look and 
feel like SCIM, and to do that it really needs the attention of the 
group that's defining SCIM. Second, SCIM isn't completed and likely 
won't be for some time to come, and this draft needs to track with that 
protocol as it moves through the IETF process.



Software Statements for OAuth Dynamic Registration

What it is: Section 4 of Phil's draft (plus a few other bits, discussed 
here), this defines a method for presenting signed and/or verifiable 
claims to the registration server's endpoint. This is most useful when 
an authorization server can verify the claims being presented, such as 
being able to discover the signing key from the "iss" claim and validate 
the signature. This could also be used (with some additional 
specification) by a discovery-based system that could fix ahead of time 
some of the claims for a given piece of software (like we've done with 
BlueButton+). In some circumstances, this assertion could even contain 
all relevant bits of the registration, leaving the rest of the metadata 
fields blank. This is essentially the "use the assertion as the 
registration" flow that Phil discussed at the meeting, from what I 
understand. In all of these cases, it can give us a higher assurance for 
the registration and means to tie together multiple instances of a piece 
of software across a network.

What it needs to concentrate on: Making the software statements 
interoperable. I don't think this is going to be an easy task, and I 
think it's going to be a long process to get it *right* for all players.

What we should do: I think that this draft should be picked up by the 
OAuth Working Group as a WG document, and it should be built as an 
extension to both the OAuth Dynamic Registration and SCIM-based OAuth 
Dynamic Registration documents. I think it's important, but it's added 
functionality on top of either the RESTful or the SCIM-based 
registration documents, and as such it should have a normative reference 
to both of them with detailed profiles of how to use them.






So in all, we've got three main documents, each with different purposes 
and concentrations, and with different timelines. I don't see any 
problem with these coexisting, and I think doing things this way can 
cover all of our known use cases and let us actually progress these 
documents and move forward.

  -- Justin
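
The software-statement check described above, as an added example that is not code from the original post or from either draft: the registration endpoint looks up the verification key for the "iss" claim in a locally configured table of trusted issuers, pins the algorithm, and lets verified claims override self-asserted metadata. The `software_statement` request field, the choice of RS256, the function names and the sample issuer and key are assumptions; RS256 and the throwaway key generator are written out with the standard library only so the block runs offline.

```python
import base64, hashlib, json, math, secrets

def b64u(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def b64u_dec(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

# RS256 (RSASSA-PKCS1-v1_5 with SHA-256), written out so the example runs offline.
_DIGEST_INFO = bytes.fromhex("3031300d060960864801650304020105000420")
_SIEVE = math.prod(range(3, 2000, 2))         # quick rejection of small factors

def _emsa(msg, k):
    t = _DIGEST_INFO + hashlib.sha256(msg).digest()
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t

def rs256_sign(msg, priv):
    n, d = priv
    k = (n.bit_length() + 7) // 8
    return pow(int.from_bytes(_emsa(msg, k), "big"), d, n).to_bytes(k, "big")

def rs256_verify(msg, sig, pub):
    n, e = pub
    k = (n.bit_length() + 7) // 8
    s = int.from_bytes(sig, "big")
    if len(sig) != k or s >= n:
        return False
    # Re-encode the expected block and compare; never parse padding out of it.
    return pow(s, e, n).to_bytes(k, "big") == _emsa(msg, k)

def _is_prime(n):                             # Miller-Rabin, n odd and large
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(24):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def demo_keypair(bits=2048):
    """Throwaway key for the constructed sample; not how real keys are made."""
    def prime():
        while True:
            p = secrets.randbits(bits // 2) | (3 << (bits // 2 - 2)) | 1
            if p % 65537 != 1 and math.gcd(p, _SIEVE) == 1 and _is_prime(p):
                return p
    p, q = prime(), prime()
    return (p * q, 65537), (p * q, pow(65537, -1, (p - 1) * (q - 1)))

def make_statement(claims, priv, alg="RS256"):
    body = b64u(json.dumps({"alg": alg}).encode()) + "." + b64u(json.dumps(claims).encode())
    return body + "." + b64u(rs256_sign(body.encode(), priv))

class RegistrationError(Exception):
    """Raised when a software statement must not be accepted."""

def verify_statement(token, trusted_issuers):
    try:
        h, p, s = token.split(".")
        header, claims, sig = json.loads(b64u_dec(h)), json.loads(b64u_dec(p)), b64u_dec(s)
        alg, iss = header.get("alg"), claims.get("iss")
    except (ValueError, AttributeError) as exc:
        raise RegistrationError("malformed software statement") from exc
    if alg != "RS256":                        # pinned; "none" never passes
        raise RegistrationError("unsupported alg")
    # The key comes from local trust configuration, never from the token itself.
    pub = trusted_issuers.get(iss) if isinstance(iss, str) else None
    if pub is None:
        raise RegistrationError("untrusted issuer")
    if not rs256_verify(f"{h}.{p}".encode(), sig, pub):
        raise RegistrationError("bad signature")
    return claims

def register_client(request, trusted_issuers):
    """Self-asserted metadata is taken as given; verified claims override it."""
    metadata = {k: v for k, v in request.items() if k != "software_statement"}
    signed, issuer = {}, None
    if "software_statement" in request:
        signed = verify_statement(request["software_statement"], trusted_issuers)
        issuer = signed.pop("iss")
    # Server-side fields sit beside the metadata, so a client cannot assert them.
    return {"client_id": "client-" + secrets.token_hex(8), "metadata": {**metadata, **signed},
            "verified": sorted(signed), "statement_issuer": issuer}

# Constructed sample: issuer URL, key and metadata values are made up.
PUBLISHER = "https://publisher.example"
PUB, PRIV = demo_keypair()
TRUSTED_ISSUERS = {PUBLISHER: PUB}
STATEMENT = make_statement({"iss": PUBLISHER, "client_name": "Example App",
                            "redirect_uris": ["https://app.example/cb"]}, PRIV)
```

A deployment would take the signature check from a maintained JOSE library; the issuer table, algorithm pin and claim precedence are the parts that carry over.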

From tonynad@microsoft.com  Tue Aug  6 16:20:24 2013
From: Anthony Nadalin <tonynad@microsoft.com>
To: Justin Richer <jricher@mitre.org>, "oauth@ietf.org" <oauth@ietf.org>
Date: Tue, 6 Aug 2013 23:18:53 +0000
Message-ID: <bd9eb305a4a34669a4bd6a29d5b04066@BY2PR03MB189.namprd03.prod.outlook.com>
References: <52016822.2090703@mitre.org>
In-Reply-To: <52016822.2090703@mitre.org>
Subject: Re: [OAUTH-WG] A Proposal for Dynamic Registration

I think that the IETF meeting and session on Dynamic Registration showed
how fractured it was and how we don't have consensus on what needs to be
done and how it needs to be done. I would not support moving any draft
further along in the IETF process. I looked on mailing list and could not
find out where any dynamic registration document went to WGLC, so maybe
someone can point me to that.

-----Original Message-----
From: oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] On Behalf Of Justin Richer
Sent: Tuesday, August 6, 2013 2:18 PM
To: oauth@ietf.org
Subject: [OAUTH-WG] A Proposal for Dynamic Registration

At last week's IETF meeting, there was quite a lot of talk about the
Dynamic Registration draft as well as a few other related drafts in this
space. I would like to propose to the group what I think would be a
positive working structure among the different approaches that would let
us move everything forward. The source documents in discussion here are
the WG's Dynamic Registration (draft 14) and Phil Hunt's individual
submission of a SCIM-based alternative with some software assertion
components to it. I suggest we refactor these into three documents:

  - OAuth Dynamic Registration
  - SCIM-based OAuth Dynamic Registration
  - Software Statements for OAuth Dynamic Registration

I think that they all have their place in the world, and this is how I
see them fitting together:


OAuth Dynamic Registration

What it is: Essentially the draft we have today, draft 14. This draft
defines a standalone RESTful API for dealing with client registrations,
it allows for open registration as well as protected registration, and
perhaps most importantly we know that it works because people have
implemented it as part of several different APIs. This could have an
informational pointer to the SCIM draft and the Software Statements
draft. We could call this one "core" or "basic" or some other modifier,
but I don't think that's necessary because it already does what it says
on the tin.

What it needs to concentrate on: This needs to be a "base" document with
extension hooks in key places (such as the client metadata, which is
already extensible, and places that have been made extensible like the
token_endpoint_auth_method, and perhaps others). It needs to get its job
done, allowing for full specification of the simple case in an
interoperable way (anonymous registration of self-asserted client
metadata to receive a client identifier and manage the registration) and
be extensible and flexible enough for the more complex cases.

What we should do: I think that we should continue shepherding this
document through WGLC in the OAuth WG because there are no specific open
issues in the spec (that I, the editor, am aware of) and I've seen what
I would personally consider to be rough consensus on it (not unanimous,
but that's not necessary anyway).



SCIM-based OAuth Dynamic Registration:

What it is: Most of Phil's draft, this defines a SCIM profile for
managing OAuth clients dynamically. This will accomplish the same kinds
of things that the OAuth Dynamic Registration Draft will accomplish, but
in a SCIM-like manner. This will have a normative dependency on SCIM (of
some version), and probably an informational dependency on OAuth Dynamic
Registration. This could have an informational pointer to the Software
Statements draft. This draft is very useful if you're already deploying
a SCIM based system, and if you're investing in SCIM then it's going to
be a smaller step to support this than it would be the base draft.
However, I strongly believe that SCIM is a really big jump for
implementing basic functionality that this is trying to accomplish.

What it needs to concentrate on: Tracking with the overall SCIM
specification (on which it depends) and tracking with the data model and
general usage of the OAuth Dynamic Registration protocol (wherever it
makes sense to do so).

What we should do: I think that this draft should be picked up and
worked on as an IETF document, but I think that it probably makes more
sense for that work to be done inside of the SCIM working group. The
reasons for this are twofold: First, this draft really should look and
feel like SCIM, and to do that it really needs the attention of the
group that's defining SCIM. Second, SCIM isn't completed and likely
won't be for some time to come, and this draft needs to track with that
protocol as it moves through the IETF process.



Software Statements for OAuth Dynamic Registration

What it is: Section 4 of Phil's draft (plus a few other bits, discussed
here), this defines a method for presenting signed and/or verifiable
claims to the registration server's endpoint. This is most useful when
an authorization server can verify the claims being presented, such as
being able to discover the signing key from the "iss" claim and validate
the signature. This could also be used (with some additional
specification) by a discovery-based system that could fix ahead of time
some of the claims for a given piece of software (like we've done with
BlueButton+). In some circumstances, this assertion could even contain
all relevant bits of the registration, leaving the rest of the metadata
fields blank. This is essentially the "use the assertion as the
registration" flow that Phil discussed at the meeting, from what I
understand. In all of these cases, it can give us a higher assurance for
the registration and means to tie together multiple instances of a piece
of software across a network.

What it needs to concentrate on: Making the software statements
interoperable. I don't think this is going to be an easy task, and I
think it's going to be a long process to get it *right* for all players.

What we should do: I think that this draft should be picked up by the
OAuth Working Group as a WG document, and it should be built as an
extension to both the OAuth Dynamic Registration and SCIM-based OAuth
Dynamic Registration documents. I think it's important, but it's added
functionality on top of either the RESTful or the SCIM-based
registration documents, and as such it should have a normative reference
to both of them with detailed profiles of how to use them.






So in all, we've got three main documents, each with different purposes
and concentrations, and with different timelines. I don't see any
problem with these coexisting, and I think doing things this way can
cover all of our known use cases and let us actually progress these
documents and move forward.

  -- Justin
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth




From barryleiba.mailing.lists@gmail.com  Wed Aug  7 01:26:17 2013
In-Reply-To: <520151A1.5070207@gmx.net>
References: <520151A1.5070207@gmx.net>
Date: Wed, 7 Aug 2013 10:26:16 +0200
Message-ID: <CAC4RtVBbOFXeAT3jTWAer3sbv=H9OFeRAEeKNfusWuRsEp6sbQ@mail.gmail.com>
From: Barry Leiba <barryleiba@computer.org>
To: Hannes Tschofenig <hannes.tschofenig@gmx.net>
Cc: "oauth@ietf.org WG" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] IETF #87 OAuth Meeting Minutes

> Please have a look at the meeting minutes:
> http://www.ietf.org/proceedings/87/minutes/minutes-87-oauth

In the discussion of Assertions:

    - BC: describe how you could combine specifications to make at
least one interoperable specification

This was me, (BL).

    - ML: profiles exists for both SAML and OpenIDC. those are not
IETF specifications though

That should be MJ, not ML.

    - PHO: use implementation experience format?
    - BL: "njaee"

I'm quite sure I did not say "njaee".  Say what?

    - BC: interop does not require external profiles actually
    - TL: support that - no addl profiles are needed

Who is TL?  Do you mean TN?

    - JB and TL volunteered to make a review.

There's that TL guy again.  You have him in a few other places in the
minutes as well.

Barry (BL)

From sakimura@gmail.com  Wed Aug  7 01:43:40 2013
References: <520151A1.5070207@gmx.net> <CAC4RtVBbOFXeAT3jTWAer3sbv=H9OFeRAEeKNfusWuRsEp6sbQ@mail.gmail.com>
From: Nat Sakimura <sakimura@gmail.com>
In-Reply-To: <CAC4RtVBbOFXeAT3jTWAer3sbv=H9OFeRAEeKNfusWuRsEp6sbQ@mail.gmail.com>
Date: Wed, 7 Aug 2013 17:43:35 +0900
Message-ID: <-7386129994108078844@unknownmsgid>
To: Barry Leiba <barryleiba@computer.org>
Cc: "oauth@ietf.org WG" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] IETF #87 OAuth Meeting Minutes

TL probably is Torsten L.

=nat via iPhone

Aug 7, 2013 17:26$B!"(BBarry Leiba <barryleiba@computer.org> $B$N%a%C%;!<%8(B:

>> Please have a look at the meeting minutes:
>> http://www.ietf.org/proceedings/87/minutes/minutes-87-oauth
>
> In the discussion of Assertions:
>
>    - BC: describe how you could combine specifications to make at
> least one interoperable specification
>
> This was me, (BL).
>
>    - ML: profiles exists for both SAML and OpenIDC. those are not
> IETF specifications though
>
> That should be MJ, not ML.
>
>    - PHO: use implementation experience format?
>    - BL: "njaee"
>
> I'm quite sure I did not say "njaee".  Say what?
>
>    - BC: interop does not require external profiles actually
>    - TL: support that - no addl profiles are needed
>
> Who is TL?  Do you mean TN?
>
>    - JB and TL volunteered to make a review.
>
> There's that TL guy again.  You have him in a few other places in the
> minutes as well.
>
> Barry (BL)

From barryleiba.mailing.lists@gmail.com  Wed Aug  7 01:58:30 2013
In-Reply-To: <-7386129994108078844@unknownmsgid>
References: <520151A1.5070207@gmx.net> <CAC4RtVBbOFXeAT3jTWAer3sbv=H9OFeRAEeKNfusWuRsEp6sbQ@mail.gmail.com> <-7386129994108078844@unknownmsgid>
Date: Wed, 7 Aug 2013 10:58:29 +0200
Message-ID: <CAC4RtVBr_-8be7d_=KQzR-VADXgJB0w=6AyVdbboSQ4fumv4cg@mail.gmail.com>
From: Barry Leiba <barryleiba@computer.org>
To: Nat Sakimura <sakimura@gmail.com>
Cc: "oauth@ietf.org WG" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] IETF #87 OAuth Meeting Minutes

> TL probably is Torsten L.

Oh, duh!  Yes, of course.  Sorry to've forgotten you, Torsten.

BL

> Aug 7, 2013 17:26$B!"(BBarry Leiba <barryleiba@computer.org> $B$N%a%C%;!<%8(B:
>
>>> Please have a look at the meeting minutes:
>>> http://www.ietf.org/proceedings/87/minutes/minutes-87-oauth
>>
>> In the discussion of Assertions:
>>
>>    - BC: describe how you could combine specifications to make at
>> least one interoperable specification
>>
>> This was me, (BL).
>>
>>    - ML: profiles exists for both SAML and OpenIDC. those are not
>> IETF specifications though
>>
>> That should be MJ, not ML.
>>
>>    - PHO: use implementation experience format?
>>    - BL: "njaee"
>>
>> I'm quite sure I did not say "njaee".  Say what?
>>
>>    - BC: interop does not require external profiles actually
>>    - TL: support that - no addl profiles are needed
>>
>> Who is TL?  Do you mean TN?
>>
>>    - JB and TL volunteered to make a review.
>>
>> There's that TL guy again.  You have him in a few other places in the
>> minutes as well.
>>
>> Barry (BL)

From hannes.tschofenig@gmx.net  Wed Aug  7 02:12:03 2013
Message-ID: <52020F67.8030105@gmx.net>
Date: Wed, 07 Aug 2013 11:12:07 +0200
From: Hannes Tschofenig <hannes.tschofenig@gmx.net>
To: Barry Leiba <barryleiba@computer.org>
References: <520151A1.5070207@gmx.net> <CAC4RtVBbOFXeAT3jTWAer3sbv=H9OFeRAEeKNfusWuRsEp6sbQ@mail.gmail.com> <-7386129994108078844@unknownmsgid> <CAC4RtVBr_-8be7d_=KQzR-VADXgJB0w=6AyVdbboSQ4fumv4cg@mail.gmail.com>
In-Reply-To: <CAC4RtVBr_-8be7d_=KQzR-VADXgJB0w=6AyVdbboSQ4fumv4cg@mail.gmail.com>
Cc: "oauth@ietf.org WG" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] IETF #87 OAuth Meeting Minutes

I have updated the meeting minutes:
http://www.ietf.org/proceedings/87/minutes/minutes-87-oauth

I added the abbreviations at the beginning.

Ciao
Hannes

On 08/07/2013 10:58 AM, Barry Leiba wrote:
>> TL probably is Torsten L.
> 
> Oh, duh!  Yes, of course.  Sorry to've forgotten you, Torsten.
> 
> BL
> 
>> Aug 7, 2013 17:26$B!"(BBarry Leiba <barryleiba@computer.org> $B$N%a%C%;!<%8(B:
>>
>>>> Please have a look at the meeting minutes:
>>>> http://www.ietf.org/proceedings/87/minutes/minutes-87-oauth
>>>
>>> In the discussion of Assertions:
>>>
>>>     - BC: describe how you could combine specifications to make at
>>> least one interoperable specification
>>>
>>> This was me, (BL).
>>>
>>>     - ML: profiles exists for both SAML and OpenIDC. those are not
>>> IETF specifications though
>>>
>>> That should be MJ, not ML.
>>>
>>>     - PHO: use implementation experience format?
>>>     - BL: "njaee"
>>>
>>> I'm quite sure I did not say "njaee".  Say what?
>>>
>>>     - BC: interop does not require external profiles actually
>>>     - TL: support that - no addl profiles are needed
>>>
>>> Who is TL?  Do you mean TN?
>>>
>>>     - JB and TL volunteered to make a review.
>>>
>>> There's that TL guy again.  You have him in a few other places in the
>>> minutes as well.
>>>
>>> Barry (BL)


From hannes.tschofenig@gmx.net  Wed Aug  7 02:17:30 2013
Message-ID: <520210AF.5010300@gmx.net>
Date: Wed, 07 Aug 2013 11:17:35 +0200
From: Hannes Tschofenig <hannes.tschofenig@gmx.net>
To: "oauth@ietf.org WG" <oauth@ietf.org>
Subject: [OAUTH-WG] Design Team on Dynamic Client Registration

Hi all,

as discussed at the IETF meeting last week we are planning to create a 
design team to progress the work on dynamic client registration.

The chairs had gotten the impression that various participants in the 
conversation are looking at slightly different use cases but lump them 
all into the same bucket. The discussion at the meeting reinforced our 
impression.

We believe that it should be possible to create separable building 
blocks; some of these building blocks will only be useful in certain 
environments.

 From a procedural point of view we will post some dates for conference 
calls and those who are interested please express your preferences as 
soon as possible. We understand that August is for many the vacation period.

As input to the conference calls we are soliciting text about the use 
cases that justify functionality. We will later worry about what should 
go into the main document and what are extensions.

The design team is open for everyone. We will use the OAuth mailing list 
for discussions.

We hope that this approach will help to advance the document.

Ciao
Hannes & Derek

From hannes.tschofenig@gmx.net  Wed Aug  7 02:19:52 2013
Message-ID: <5202113B.1020505@gmx.net>
Date: Wed, 07 Aug 2013 11:19:55 +0200
From: Hannes Tschofenig <hannes.tschofenig@gmx.net>
To: "oauth@ietf.org WG" <oauth@ietf.org>
Subject: [OAUTH-WG] WGLC on JSON Web Token (JWT)

Hi all,

this is a working group last call for the JSON Web Token (JWT).

Here is the document:
http://tools.ietf.org/html/draft-ietf-oauth-json-web-token-11

Please send your comments to the OAuth mailing list by August 21, 2013.

Ciao
Hannes & Derek

From hannes.tschofenig@gmx.net  Wed Aug  7 02:55:14 2013
Message-ID: <52021985.1040203@gmx.net>
Date: Wed, 07 Aug 2013 11:55:17 +0200
From: Hannes Tschofenig <hannes.tschofenig@gmx.net>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:17.0) Gecko/20130623 Thunderbird/17.0.7
MIME-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
X-Provags-ID: V03:K0:t+G3sse5NKjLtUXnDhtuZJy+JlzqaBX5ZS5zjVUWuESJhx3sMXO X5uWDCPbVVW+KXsMYKZLFb4s1/yhgTy/bpkGITGShtTGapnriUydoq4Mz/0/BnznPTqPwuE hsWTA8q6Qb/dpWl9UXwVxK9v6TJwBYVRY50x1NIwR1g3OhADj8p0aCebsZjdGfG14iiVYaG zXd5yjRoC5jQ/iZUkfN9g==
Cc: Derek Atkins <derek@ihtfp.com>, "oauth@ietf.org WG" <oauth@ietf.org>
Subject: [OAUTH-WG] Dynamic Client Registration: Contacting Implementers
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 07 Aug 2013 09:55:14 -0000

Hi all,

during the OAuth meeting last week we also said that we want to get in 
touch with dynamic client registration implementers to better understand 
what their experience is, what use cases they care about, and what 
timelines they have in mind.

So, if you are an implementer of the dynamic client registration 
protocol please drop us (Derek and myself) a mail*.

Ciao
Hannes & Derek

*: If you know an implementer who is not subscribed to the list please 
ping him.

From lainhart@us.ibm.com  Wed Aug  7 06:40:50 2013
Return-Path: <lainhart@us.ibm.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B7FC421E8129 for <oauth@ietfa.amsl.com>; Wed,  7 Aug 2013 06:40:50 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -10.598
X-Spam-Level: 
X-Spam-Status: No, score=-10.598 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-8]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id n6mg87+LrsBY for <oauth@ietfa.amsl.com>; Wed,  7 Aug 2013 06:40:45 -0700 (PDT)
Received: from e7.ny.us.ibm.com (e7.ny.us.ibm.com [32.97.182.137]) by ietfa.amsl.com (Postfix) with ESMTP id BB22721F9C34 for <oauth@ietf.org>; Wed,  7 Aug 2013 06:40:44 -0700 (PDT)
Received: from /spool/local by e7.ny.us.ibm.com with IBM ESMTP SMTP Gateway: Authorized Use Only! Violators will be prosecuted for <oauth@ietf.org> from <lainhart@us.ibm.com>; Wed, 7 Aug 2013 09:40:43 -0400
Received: from d01dlp02.pok.ibm.com (9.56.250.167) by e7.ny.us.ibm.com (192.168.1.107) with IBM ESMTP SMTP Gateway: Authorized Use Only! Violators will be prosecuted;  Wed, 7 Aug 2013 09:40:40 -0400
Received: from d01relay03.pok.ibm.com (d01relay03.pok.ibm.com [9.56.227.235]) by d01dlp02.pok.ibm.com (Postfix) with ESMTP id DF3E56E8041; Wed,  7 Aug 2013 09:40:34 -0400 (EDT)
Received: from d01av02.pok.ibm.com (d01av02.pok.ibm.com [9.56.224.216]) by d01relay03.pok.ibm.com (8.13.8/8.13.8/NCO v10.0) with ESMTP id r77DedIf070238; Wed, 7 Aug 2013 09:40:40 -0400
Received: from d01av02.pok.ibm.com (loopback [127.0.0.1]) by d01av02.pok.ibm.com (8.14.4/8.13.1/NCO v10.0 AVout) with ESMTP id r77DecAe017521; Wed, 7 Aug 2013 10:40:38 -0300
Received: from d01ml255.pok.ibm.com (d01ml255.pok.ibm.com [9.63.10.54]) by d01av02.pok.ibm.com (8.14.4/8.13.1/NCO v10.0 AVin) with ESMTP id r77DeaJa017453; Wed, 7 Aug 2013 10:40:36 -0300
In-Reply-To: <CAC4RtVAoSB5vQPiNB2JCBjJ8vOmvyKZSkAdwithzziXfjsku3w@mail.gmail.com>
References: <5200DD6C.3010003@gmail.com> <CAC4RtVAoSB5vQPiNB2JCBjJ8vOmvyKZSkAdwithzziXfjsku3w@mail.gmail.com>
To: Barry Leiba <barryleiba@computer.org>
MIME-Version: 1.0
X-KeepSent: DF319810:D5537EBC-85257BC0:004AB0BC; type=4; name=$KeepSent
X-Mailer: Lotus Notes Release 8.5.3FP4 SHF39 May 13, 2013
Message-ID: <OFDF319810.D5537EBC-ON85257BC0.004AB0BC-85257BC0.004B203C@us.ibm.com>
From: Todd W Lainhart <lainhart@us.ibm.com>
Date: Wed, 7 Aug 2013 09:40:34 -0400
X-MIMETrack: Serialize by Router on D01ML255/01/M/IBM(Release 8.5.3FP2 ZX853FP2HF5|February, 2013) at 08/07/2013 09:40:36, Serialize complete at 08/07/2013 09:40:36
Content-Type: multipart/alternative; boundary="=_alternative 004B203B85257BC0_="
X-TM-AS-MML: No
X-Content-Scanned: Fidelis XPS MAILER
x-cbid: 13080713-5806-0000-0000-00002255C6B5
Cc: "<oauth@ietf.org>" <oauth@ietf.org>, oauth-bounces@ietf.org
Subject: Re: [OAUTH-WG] What should happen to access tokens when the end user credentials change
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 07 Aug 2013 13:40:50 -0000

This is a multipart message in MIME format.
--=_alternative 004B203B85257BC0_=
Content-Type: text/plain; charset="US-ASCII"

Assuming of course that the AS was notified by the IdP (or could inquire 
from same, say, during introspection) that something about the user's 
account had changed - there's nothing in the protocol that speaks to that.

Would anyone be surprised if the authorizations granted to the previous 
confirmation of identity were now void?  That seems like the simplest way 
to handle it.







Todd Lainhart
Rational software
IBM Corporation
550 King Street, Littleton, MA 01460-1250
1-978-899-4705
2-276-4705 (T/L)
lainhart@us.ibm.com




From:   Barry Leiba <barryleiba@computer.org>
To:     Sergey Beryozkin <sberyozkin@gmail.com>, 
Cc:     "<oauth@ietf.org>" <oauth@ietf.org>
Date:   08/06/2013 08:50 AM
Subject:        Re: [OAUTH-WG] What should happen to access tokens when the end user credentials change
Sent by:        oauth-bounces@ietf.org



> Suppose a given user has approved a client's grant request and that client
> is now working with the access token tied to the user's login name (or some
> other representation of that user's login credentials).
>
> What would be the recommended course of action when that user's credentials
> (example, the user's login name) change, as far as the existing access
> tokens tied to that user are concerned ?

An interesting question.

I think it's not the OAuth protocol's concern, but a document
describing operations and deployment might suggest what to do.
Groping here (I'm not a UI expert):

I expect that some changes (and/or some reasons for changes) would
make no difference to the authorizations the user has approved.  If I
change my username from "barryleiba" to "bigkahuna" because I want to
be cool, I would want my authorizations to persist.  If I change my
password because I routinely change my password, I would want my
authorizations to persist.  If I change my password because I think my
old password was compromised, I would want to review my authorizations
and make sure nothing untoward is there.  Alternatively, I might just
want to invalidate all of them and re-establish them as needed
afterward.

So it would probably be good for the system in question to ask me what
to do about the authorizations I've given out, and allow me to review
them and address them one by one, and/or make a blanket decision for
the lot.

Maybe:

    Your password has been changed.

    Do you want to revoke authorizations you have approved?  [YES / NO]

Or maybe:

    Your password has been changed.

    Do you want to review authorizations you have approved?  [YES / NO]

--
Barry
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth



--=_alternative 004B203B85257BC0_=--
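
The handling discussed in the message above and in the reply it quotes, as an added example that is not part of either post: grants are keyed on an immutable subject id so a login-name change leaves tokens intact, and the reason for a credential change selects between keeping, reviewing and revoking. All class, method and state names are hypothetical, and freezing tokens while a review is pending is this example's own assumption.

```python
import secrets
from enum import Enum


class Reason(Enum):
    USERNAME_RENAME = "username_rename"
    ROUTINE_PASSWORD_CHANGE = "routine_password_change"
    SUSPECTED_COMPROMISE = "suspected_compromise"


class AuthorizationServer:
    """Hypothetical in-memory AS; every name here is invented for the example."""

    def __init__(self):
        self.login_names = {}  # immutable subject id -> current login name
        self.grants = {}       # subject id -> {client_id: {"scope", "state"}}
        self.tokens = {}       # access token -> (subject id, client_id)

    def add_user(self, subject, login_name):
        self.login_names[subject] = login_name
        self.grants[subject] = {}

    def approve(self, subject, client_id, scope):
        """Record the user's approval and issue an opaque access token."""
        self.grants[subject][client_id] = {"scope": scope, "state": "active"}
        token = secrets.token_urlsafe(24)
        self.tokens[token] = (subject, client_id)
        return token

    def introspect(self, token):
        """What a resource server would learn about the token right now."""
        subject, client_id = self.tokens.get(token, (None, None))
        grant = self.grants.get(subject, {}).get(client_id)
        if grant is None or grant["state"] != "active":
            return {"active": False}
        return {"active": True, "username": self.login_names[subject],
                "client_id": client_id, "scope": grant["scope"]}

    def credential_changed(self, subject, reason, new_login=None, revoke_all=False):
        """Apply the per-reason policy; return client ids awaiting user review."""
        grants = self.grants.get(subject, {})
        if reason is Reason.USERNAME_RENAME:
            # Tokens hang off the subject id, so a rename cannot orphan them.
            self.login_names[subject] = new_login
            return []
        if reason is Reason.ROUTINE_PASSWORD_CHANGE:
            return []
        # Suspected compromise: blanket revocation (the "simplest way"), or
        # freeze every active grant until the user has reviewed it.
        new_state = "revoked" if revoke_all else "pending_review"
        for grant in grants.values():
            if grant["state"] == "active":
                grant["state"] = new_state
        return sorted(cid for cid, g in grants.items()
                      if g["state"] == "pending_review")

    def review(self, subject, keep):
        """One-by-one decision: keep maps client id -> True (keep) or False."""
        for client_id, grant in self.grants.get(subject, {}).items():
            if grant["state"] == "pending_review":
                # Anything the user did not explicitly keep is revoked.
                grant["state"] = "active" if keep.get(client_id, False) else "revoked"
```
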


From jricher@mitre.org  Wed Aug  7 07:11:20 2013
Return-Path: <jricher@mitre.org>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9CBA921F9A17 for <oauth@ietfa.amsl.com>; Wed,  7 Aug 2013 07:11:20 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.539
X-Spam-Level: 
X-Spam-Status: No, score=-6.539 tagged_above=-999 required=5 tests=[AWL=0.060,  BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id VV8WD43N-P20 for <oauth@ietfa.amsl.com>; Wed,  7 Aug 2013 07:11:15 -0700 (PDT)
Received: from smtpksrv1.mitre.org (smtpksrv1.mitre.org [198.49.146.77]) by ietfa.amsl.com (Postfix) with ESMTP id DFA3711E812B for <oauth@ietf.org>; Wed,  7 Aug 2013 07:11:11 -0700 (PDT)
Received: from smtpksrv1.mitre.org (localhost.localdomain [127.0.0.1]) by localhost (Postfix) with SMTP id 2691D1F03C9; Wed,  7 Aug 2013 10:11:11 -0400 (EDT)
Received: from IMCCAS02.MITRE.ORG (imccas02.mitre.org [129.83.29.79]) by smtpksrv1.mitre.org (Postfix) with ESMTP id 042951F0AA9; Wed,  7 Aug 2013 10:11:11 -0400 (EDT)
Received: from [10.146.15.13] (129.83.31.56) by IMCCAS02.MITRE.ORG (129.83.29.79) with Microsoft SMTP Server (TLS) id 14.2.342.3; Wed, 7 Aug 2013 10:11:10 -0400
Message-ID: <52025504.1000705@mitre.org>
Date: Wed, 7 Aug 2013 10:09:08 -0400
From: Justin Richer <jricher@mitre.org>
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:17.0) Gecko/20130623 Thunderbird/17.0.7
MIME-Version: 1.0
To: Anthony Nadalin <tonynad@microsoft.com>
References: <52016822.2090703@mitre.org> <bd9eb305a4a34669a4bd6a29d5b04066@BY2PR03MB189.namprd03.prod.outlook.com>
In-Reply-To: <bd9eb305a4a34669a4bd6a29d5b04066@BY2PR03MB189.namprd03.prod.outlook.com>
Content-Type: text/plain; charset="ISO-8859-1"; format=flowed
Content-Transfer-Encoding: 7bit
X-Originating-IP: [129.83.31.56]
Cc: "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] A Proposal for Dynamic Registration
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 07 Aug 2013 14:11:20 -0000

Tony, it happened several months ago:

   http://www.ietf.org/mail-archive/web/oauth/current/msg11326.html

This triggered a lot of discussion and brought up several changes in the 
document, in general for the good. The vast majority of changes were 
editorial in nature, clearing up the intent of the text, but the 
underlying protocol is pretty solid and not very different qualitatively 
from draft -10. At this point, I believe that all open issues are 
addressed in the document or directed towards specific proposed 
extensions, and I haven't heard anything to the contrary.

And I think you're reading the tone content of the discussion 
incorrectly. As I tried to carefully lay out below, I don't see 
fractures. I see multiple components that can work together and fit 
fairly nicely into a larger system. The existence of multiple solutions 
does not invalidate the applicability of a known good solution. We can 
not shelve something good just because there's a hint of something else 
on the horizon (which might be good or bad, we don't know yet).

There is a lot of support for the Dynamic Registration draft that's 
there today, just look at the number of implementers and protocols that 
are actually using it. This is not a theoretical draft, this is not an 
intellectual exercise, this is not a speculative document -- this is a 
codification of real practice that we know works and has been 
implemented and deployed and tested.

And speaking of these other protocols and systems -- they're going to 
move on whether we at the IETF want them to or not. Nobody is going to 
sit around and wait for the IETF-blessed version of this functionality. 
As a matter of fact, this document was born of the output of two groups 
who specifically *didn't* wait around for the IETF to solve this 
problem. We brought it "in house" here because we believed that it would 
be better to have a generally applicable solution than to have a dozen 
proprietary implementations. That's where true fragmentation comes from: 
implementations and deployments, not from minor quibbles about syntax. 
So could we stuff dynamic registration on a shelf and wait for a perfect 
solution to descend from heaven? Sure we could, but that would be so 
profoundly stupid that I would question the sanity of everyone in this 
working group. But if we come up with a solution that works, can be 
implemented, and is done in a timely fashion, then the world *will* use 
it. That's what we have, and that's what I want to move forward.

There's also a lot of support for extensions (software statements) and 
different instantiations (SCIM) of the same basic protocol. These are 
good things, and they speak to the strength of the registration 
protocol, not its weakness.  I believe that what I've laid out below is 
a solid and reasonable plan for moving things forward and addressing 
everything that's been brought up, and so I invite the commentary of the 
whole of the working group. After all, the IETF is an organization of 
individuals and we work on rough consensus and running code.

  -- Justin

On 08/06/2013 07:18 PM, Anthony Nadalin wrote:
> I think that the IETF meeting and session on Dynamic Registration showed how fractured it was and how we don't have consensus on what needs to be done and how it needs to be done. I would not support moving any draft further along in the IETF process. I looked on mailing list and could not find out where any dynamic registration document went to WGLC, so maybe someone can point me to that.
>
> -----Original Message-----
> From: oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] On Behalf Of Justin Richer
> Sent: Tuesday, August 6, 2013 2:18 PM
> To: oauth@ietf.org
> Subject: [OAUTH-WG] A Proposal for Dynamic Registration
>
> At last week's IETF meeting, there was quite a lot of talk about the Dynamic Registration draft as well as a few other related drafts in this space. I would like to propose to the group what I think would be a positive working structure among the different approaches that would let us move everything forward. The source documents in discussion here are the WG's Dynamic Registration (draft 14) and Phil Hunt's individual submission of a SCIM-based alternative with some software assertion components to it. I suggest we refactor these into three documents:
>
>    - OAuth Dynamic Registration
>    - SCIM-based OAuth Dynamic Registration
>    - Software Statements for OAuth Dynamic Registration
>
> I think that they all have their place in the world, and this is how I see them fitting together:
>
>
> OAuth Dynamic Registration
>
> What it is: Essentially the draft we have today, draft 14. This draft
> defines a standalone RESTful API for dealing with client registrations,
> it allows for open registration as well as protected registration, and
> perhaps most importantly we know that it works because people have
> implemented it as part of several different APIs. This could have an
> informational pointer to the SCIM draft and the Software Statements
> draft. We could call this one "core" or "basic" or some other modifier,
> but I don't think that's necessary because it already does what it says
> on the tin.
>
> What it needs to concentrate on: This needs to be a "base" document with
> extension hooks in key places (such as the client metadata, which is
> already extensible, and places that have been made extensible like the
> token_endpoint_auth_method, and perhaps others). It needs to get its job
> done, allowing for full specification of the simple case in an
> interoperable way (anonymous registration of self-asserted client
> metadata to receive a client identifier and manage the registration) and
> be extensible and flexible enough for the more complex cases.
>
> What we should do: I think that we should continue shepherding this
> document through WGLC in the OAuth WG because there are no specific open
> issues in the spec (that I, the editor, am aware of) and I've seen what
> I would personally consider to be rough consensus on it (not unanimous,
> but that's not necessary anyway).
>
>
>
> SCIM-based OAuth Dynamic Registration:
>
> What it is: Most of Phil's draft, this defines a SCIM profile for
> managing OAuth clients dynamically. This will accomplish the same kinds
> of things that the OAuth Dynamic Registration Draft will accomplish, but
> in a SCIM-like manner. This will have a normative dependency on SCIM (of
> some version), and probably an informational dependency on OAuth Dynamic
> Registration. This could have an informational pointer to the Software
> Statements draft. This draft is very useful if you're already deploying
> a SCIM based system, and if you're investing in SCIM then it's going to
> be a smaller step to support this than it would be the base draft.
> However, I strongly believe that SCIM is a really big jump for
> implementing basic functionality that this is trying to accomplish.
>
> What it needs to concentrate on: Tracking with the overall SCIM
> specification (on which it depends) and tracking with the data model and
> general usage of the OAuth Dynamic Registration protocol (wherever it
> makes sense to do so).
>
> What we should do: I think that this draft should be picked up and
> worked on as an IETF document, but I think that it probably makes more
> sense for that work to be done inside of the SCIM working group. The
> reasons for this are twofold: First, this draft really should look and
> feel like SCIM, and to do that it really needs the attention of the
> group that's defining SCIM. Second, SCIM isn't completed and likely
> won't be for some time to come, and this draft needs to track with that
> protocol as it moves through the IETF process.
>
>
>
> Software Statements for OAuth Dynamic Registration
>
> What it is: Section 4 of Phil's draft (plus a few other bits, discussed
> here), this defines a method for presenting signed and/or verifiable
> claims to the registration server's endpoint. This is most useful when
> an authorization server can verify the claims being presented, such as
> being able to discover the signing key from the "iss" claim and validate
> the signature. This could also be used (with some additional
> specification) by a discovery-based system that could fix ahead of time
> some of the claims for a given piece of software (like we've done with
> BlueButton+). In some circumstances, this assertion could even contain
> all relevant bits of the registration, leaving the rest of the metadata
> fields blank. This is essentially the "use the assertion as the
> registration" flow that Phil discussed at the meeting, from what I
> understand. In all of these cases, it can give us a higher assurance for
> the registration and means to tie together multiple instances of a piece
> of software across a network.
>
> What it needs to concentrate on: Making the software statements
> interoperable. I don't think this is going to be an easy task, and I
> think it's going to be a long process to get it *right* for all players.
>
> What we should do: I think that this draft should be picked up by the
> OAuth Working Group as a WG document, and it should be built as an
> extension to both the OAuth Dynamic Registration and SCIM-based OAuth
> Dynamic Registration documents. I think it's important, but it's added
> functionality on top of either the RESTful or the SCIM-based
> registration documents, and as such it should have a normative reference
> to both of them with detailed profiles of how to use them.
>
>
>
>
>
>
> So in all, we've got three main documents, each with different purposes
> and concentrations, and with different timelines. I don't see any
> problem with these coexisting, and I think doing things this way can
> cover all of our known use cases and let us actually progress these
> documents and move forward.
>
>    -- Justin
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>
>
>
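
An added example, not taken from this thread or from either draft: one way a registration endpoint could check a software statement as the quoted proposal describes, choosing the verification key from a local trust list by the "iss" claim and letting verified claims override self-asserted metadata. HS256 with a shared key stands in for the asymmetric signature a real deployment would use; the `software_statement` request field, the `statement_issuer` record field, the issuer URL and the key are assumptions constructed for the example.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

# Constructed trust list held by the authorization server: issuer -> pinned
# algorithm and key. The token never tells the server which key to trust.
TRUSTED_ISSUERS = {
    "https://publisher.example": {"alg": "HS256", "key": b"constructed-demo-key"},
}


class StatementError(Exception):
    """Raised when a software statement must not be trusted."""


def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_statement(claims, key):
    """Publisher side: produce a compact JWS over the claims (HS256)."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    signing_input = f"{header}.{payload}"
    mac = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return f"{signing_input}.{b64url_encode(mac)}"


def verify_statement(token, trusted=TRUSTED_ISSUERS, now=None):
    """Return the claims only if issuer, algorithm and signature all check out."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(header_b64))
        claims = json.loads(b64url_decode(payload_b64))
        signature = b64url_decode(sig_b64)
    except ValueError as exc:  # wrong part count, bad base64, bad JSON
        raise StatementError("malformed statement") from exc
    if not isinstance(header, dict) or not isinstance(claims, dict):
        raise StatementError("malformed statement")

    # "iss" is read before verification only to select a key from the local
    # trust list; an unknown issuer is refused outright.
    issuer = claims.get("iss")
    entry = trusted.get(issuer) if isinstance(issuer, str) else None
    if entry is None:
        raise StatementError("issuer not trusted")
    # The algorithm is pinned per issuer, so "none" or a downgrade is refused.
    if header.get("alg") != entry["alg"]:
        raise StatementError("unexpected algorithm")

    signing_input = f"{header_b64}.{payload_b64}".encode("ascii")
    expected = hmac.new(entry["key"], signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        raise StatementError("bad signature")

    exp = claims.get("exp")
    current = time.time() if now is None else now
    if exp is not None and (not isinstance(exp, (int, float)) or current >= exp):
        raise StatementError("statement expired or exp invalid")
    return claims


def register_client(request, trusted=TRUSTED_ISSUERS, now=None):
    """Registration endpoint logic: verified claims override self-asserted ones."""
    metadata = {k: v for k, v in request.items() if k != "software_statement"}
    issuer = None
    statement = request.get("software_statement")
    if statement is not None:
        claims = verify_statement(statement, trusted, now)  # raises on failure
        issuer = claims["iss"]
        # Whatever the publisher signed wins over what the client typed in.
        metadata.update({k: v for k, v in claims.items()
                         if k not in ("iss", "exp", "iat")})
    return {"client_id": secrets.token_urlsafe(16),
            "verified": issuer is not None,
            "statement_issuer": issuer,
            "metadata": metadata}
```
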


From gffletch@aol.com  Wed Aug  7 07:26:26 2013
Return-Path: <gffletch@aol.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 03FE621F9FF2 for <oauth@ietfa.amsl.com>; Wed,  7 Aug 2013 07:26:26 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.598
X-Spam-Level: 
X-Spam-Status: No, score=-2.598 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, HTML_MESSAGE=0.001]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id pURYPA-DuFYp for <oauth@ietfa.amsl.com>; Wed,  7 Aug 2013 07:26:21 -0700 (PDT)
Received: from omr-d08.mx.aol.com (omr-d08.mx.aol.com [205.188.109.207]) by ietfa.amsl.com (Postfix) with ESMTP id 72BBD21E8130 for <oauth@ietf.org>; Wed,  7 Aug 2013 07:26:05 -0700 (PDT)
Received: from mtaout-da05.r1000.mx.aol.com (mtaout-da05.r1000.mx.aol.com [172.29.51.133]) by omr-d08.mx.aol.com (Outbound Mail Relay) with ESMTP id 1CEFD700443CB; Wed,  7 Aug 2013 10:26:04 -0400 (EDT)
Received: from palantir.local (unknown [10.181.176.30]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by mtaout-da05.r1000.mx.aol.com (MUA/Third Party Client Interface) with ESMTPSA id C79D0E0000B3; Wed,  7 Aug 2013 10:26:03 -0400 (EDT)
Message-ID: <520258FB.8040305@aol.com>
Date: Wed, 07 Aug 2013 10:26:03 -0400
From: George Fletcher <gffletch@aol.com>
Organization: AOL LLC
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:17.0) Gecko/20130620 Thunderbird/17.0.7
MIME-Version: 1.0
To: Justin Richer <jricher@mitre.org>
References: <52016822.2090703@mitre.org>
In-Reply-To: <52016822.2090703@mitre.org>
Content-Type: multipart/alternative; boundary="------------000703080707080204090400"
x-aol-global-disposition: G
X-AOL-VSS-INFO: 5400.1158/92756
X-AOL-VSS-CODE: clean
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=mx.aol.com; s=20121107; t=1375885564; bh=QB5C+w/uU3df1BvNiVmFbcPgfqULr4Ji3alkk6DwWiA=; h=From:To:Subject:Message-ID:Date:MIME-Version:Content-Type; b=fSUMAvAwYSewzjLXCO3x6euHBU7+thYkGN71Snzvijsa1M3GU9PoAQhVtFlwDb+lO 1Shmqz1mPbQAQ33/LSRUubsdPC2lsz6XxQb/BeR4PhBccjtG87wpl9vvoKRLuqx187 kzWp5aZA74dvojVyUoQTjBr8M1U9w1e+1Dla66LU=
x-aol-sid: 3039ac1d3385520258fb0d27
X-AOL-IP: 10.181.176.30
Cc: "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] A Proposal for Dynamic Registration
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 07 Aug 2013 14:26:26 -0000

This is a multi-part message in MIME format.
--------------000703080707080204090400
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit

+1

On 8/6/13 5:18 PM, Justin Richer wrote:
> At last week's IETF meeting, there was quite a lot of talk about the 
> Dynamic Registration draft as well as a few other related drafts in 
> this space. I would like to propose to the group what I think would be 
> a positive working structure among the different approaches that would 
> let us move everything forward. The source documents in discussion 
> here are the WG's Dynamic Registration (draft 14) and Phil Hunt's 
> individual submission of a SCIM-based alternative with some software 
> assertion components to it. I suggest we refactor these into three 
> documents:
>
>  - OAuth Dynamic Registration
>  - SCIM-based OAuth Dynamic Registration
>  - Software Statements for OAuth Dynamic Registration
>
> I think that they all have their place in the world, and this is how I 
> see them fitting together:
>
>
> OAuth Dynamic Registration
>
> What it is: Essentially the draft we have today, draft 14. This draft 
> defines a standalone RESTful API for dealing with client 
> registrations, it allows for open registration as well as protected 
> registration, and perhaps most importantly we know that it works 
> because people have implemented it as part of several different APIs. 
> This could have an informational pointer to the SCIM draft and the 
> Software Statements draft. We could call this one "core" or "basic" or 
> some other modifier, but I don't think that's necessary because it 
> already does what it says on the tin.
>
> What it needs to concentrate on: This needs to be a "base" document 
> with extension hooks in key places (such as the client metadata, which 
> is already extensible, and places that have been made extensible like 
> the token_endpoint_auth_method, and perhaps others). It needs to get 
> its job done, allowing for full specification of the simple case in an 
> interoperable way (anonymous registration of self-asserted client 
> metadata to receive a client identifier and manage the registration) 
> and be extensible and flexible enough for the more complex cases.
>
> What we should do: I think that we should continue shepherding this 
> document through WGLC in the OAuth WG because there are no specific 
> open issues in the spec (that I, the editor, am aware of) and I've 
> seen what I would personally consider to be rough consensus on it (not 
> unanimous, but that's not necessary anyway).
>
>
>
> SCIM-based OAuth Dynamic Registration:
>
> What it is: Most of Phil's draft, this defines a SCIM profile for 
> managing OAuth clients dynamically. This will accomplish the same 
> kinds of things that the OAuth Dynamic Registration Draft will 
> accomplish, but in a SCIM-like manner. This will have a normative 
> dependency on SCIM (of some version), and probably an informational 
> dependency on OAuth Dynamic Registration. This could have an 
> informational pointer to the Software Statements draft. This draft is 
> very useful if you're already deploying a SCIM based system, and if 
> you're investing in SCIM then it's going to be a smaller step to 
> support this than it would be the base draft. However, I strongly 
> believe that SCIM is a really big jump for implementing basic 
> functionality that this is trying to accomplish.
>
> What it needs to concentrate on: Tracking with the overall SCIM 
> specification (on which it depends) and tracking with the data model 
> and general usage of the OAuth Dynamic Registration protocol (wherever 
> it makes sense to do so).
>
> What we should do: I think that this draft should be picked up and 
> worked on as an IETF document, but I think that it probably makes more 
> sense for that work to be done inside of the SCIM working group. The 
> reasons for this are twofold: First, this draft really should look and 
> feel like SCIM, and to do that it really needs the attention of the 
> group that's defining SCIM. Second, SCIM isn't completed and likely 
> won't be for some time to come, and this draft needs to track with 
> that protocol as it moves through the IETF process.
>
>
>
> Software Statements for OAuth Dynamic Registration
>
> What it is: Section 4 of Phil's draft (plus a few other bits, 
> discussed here), this defines a method for presenting signed and/or 
> verifiable claims to the registration server's endpoint. This is most 
> useful when an authorization server can verify the claims being 
> presented, such as being able to discover the signing key from the 
> "iss" claim and validate the signature. This could also be used (with 
> some additional specification) by a discovery-based system that could 
> fix ahead of time some of the claims for a given piece of software 
> (like we've done with BlueButton+). In some circumstances, this 
> assertion could even contain all relevant bits of the registration, 
> leaving the rest of the metadata fields blank. This is essentially the 
> "use the assertion as the registration" flow that Phil discussed at 
> the meeting, from what I understand. In all of these cases, it can 
> give us a higher assurance for the registration and means to tie 
> together multiple instances of a piece of software across a network.
>
> What it needs to concentrate on: Making the software statements 
> interoperable. I don't think this is going to be an easy task, and I 
> think it's going to be a long process to get it *right* for all players.
>
> What we should do: I think that this draft should be picked up by the 
> OAuth Working Group as a WG document, and it should be built as an 
> extension to both the OAuth Dynamic Registration and SCIM-based OAuth 
> Dynamic Registration documents. I think it's important, but it's added 
> functionality on top of either the RESTful or the SCIM-based 
> registration documents, and as such it should have a normative 
> reference to both of them with detailed profiles of how to use them.
>
>
>
>
>
>
> So in all, we've got three main documents, each with different 
> purposes and concentrations, and with different timelines. I don't see 
> any problem with these coexisting, and I think doing things this way 
> can cover all of our known use cases and let us actually progress 
> these documents and move forward.
>
>  -- Justin
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>
>

-- 
George Fletcher <http://connect.me/gffletch>

--------------000703080707080204090400--

From tonynad@microsoft.com  Wed Aug  7 07:59:51 2013
From: Anthony Nadalin <tonynad@microsoft.com>
To: Justin Richer <jricher@mitre.org>
Thread-Topic: [OAUTH-WG] A Proposal for Dynamic Registration
Thread-Index: AQHOkusVub8uV8Fzs026F8FprsDzrJmIzgQQgAD7gwCAAAaN4A==
Date: Wed, 7 Aug 2013 14:58:09 +0000
Message-ID: <caa0ee4331d444a6ac2a1dc03c1b42fa@BY2PR03MB189.namprd03.prod.outlook.com>
References: <52016822.2090703@mitre.org> <bd9eb305a4a34669a4bd6a29d5b04066@BY2PR03MB189.namprd03.prod.outlook.com> <52025504.1000705@mitre.org>
In-Reply-To: <52025504.1000705@mitre.org>
Accept-Language: en-US
Content-Language: en-US
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Cc: "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] A Proposal for Dynamic Registration

I see plenty of fractures, we discussed many of these at the meeting and several side meetings last week. Specifications that are brought to IETF undergo changes, morph into something different all the time regardless of who has implemented the original specifications, OAUTH Core is a fine example of how lots of running code was changed because the specification changed, so because you may have code based upon this is not a reason that it is correct and should not change. I'm not aware of many people using this draft, as in the meeting last week I think we had 2 examples, so more people saying that they have implemented this at scale and the problems it solves would be a good thing. Here are the problems that I see with the current proposal and why we would/could not use it:

1. The schema proposal is not extensible, please look at the issues with SCIM and how the scheme was made extensible in SCIM.
2. This proposal requires that I now provide management at the registration endpoint to manage users and secrets, this is costly.
3. Yet the development of another endpoint.
4. I don't see any use cases, maybe these should be documented (or point people to these) so we understand what this is actually trying to solve, as this is somewhat of a mystery to me and others.
5. There are a lot of issues that OAUTH does not solve, I don't think that this issue (as I understand it) is in the realm of OAUTH, maybe the applications area would be a better place for this specification



-----Original Message-----
From: Justin Richer [mailto:jricher@mitre.org]
Sent: Wednesday, August 7, 2013 7:09 AM
To: Anthony Nadalin
Cc: oauth@ietf.org
Subject: Re: [OAUTH-WG] A Proposal for Dynamic Registration

Tony, it happened several months ago:

   http://www.ietf.org/mail-archive/web/oauth/current/msg11326.html

This triggered a lot of discussion and brought up several changes in the document, in general for the good. The vast majority of changes were editorial in nature, clearing up the intent of the text, but the underlying protocol is pretty solid and not very different qualitatively from draft -10. At this point, I believe that all open issues are addressed in the document or directed towards specific proposed extensions, and I haven't heard anything to the contrary.

And I think you're reading the tone content of the discussion incorrectly. As I tried to carefully lay out below, I don't see fractures. I see multiple components that can work together and fit fairly nicely into a larger system. The existence of multiple solutions does not invalidate the applicability of a known good solution. We can not shelve something good just because there's a hint of something else on the horizon (which might be good or bad, we don't know yet).

There is a lot of support for the Dynamic Registration draft that's there today, just look at the number of implementers and protocols that are actually using it. This is not a theoretical draft, this is not an intellectual exercise, this is not a speculative document -- this is a codification of real practice that we know works and has been implemented and deployed and tested.

And speaking of these other protocols and systems -- they're going to move on whether we at the IETF want them to or not. Nobody is going to sit around and wait for the IETF-blessed version of this functionality. As a matter of fact, this document was born of the output of two groups who specifically *didn't* wait around for the IETF to solve this problem. We brought it "in house" here because we believed that it would be better to have a generally applicable solution than to have a dozen proprietary implementations. That's where true fragmentation comes from: implementations and deployments, not from minor quibbles about syntax. So could we stuff dynamic registration on a shelf and wait for a perfect solution to descend from heaven? Sure we could, but that would be so profoundly stupid that I would question the sanity of everyone in this working group. But if we come up with a solution that works, can be implemented, and is done in a timely fashion, then the world *will* use it. That's what we have, and that's what I want to move forward.

There's also a lot of support for extensions (software statements) and different instantiations (SCIM) of the same basic protocol. These are good things, and they speak to the strength of the registration protocol, not its weakness.  I believe that what I've laid out below is a solid and reasonable plan for moving things forward and addressing everything that's been brought up, and so I invite the commentary of the whole of the working group. After all, the IETF is an organization of individuals and we work on rough consensus and running code.

  -- Justin

On 08/06/2013 07:18 PM, Anthony Nadalin wrote:
> I think that the IETF meeting and session on Dynamic Registration showed how fractured it was and how we don't have consensus on what needs to be done and how it needs to be done. I would not support moving any draft further along in the IETF process. I looked on mailing list and could not find out where any dynamic registration document went to WGLC, so maybe someone can point me to that.
>
> -----Original Message-----
> From: oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] On Behalf Of Justin Richer
> Sent: Tuesday, August 6, 2013 2:18 PM
> To: oauth@ietf.org
> Subject: [OAUTH-WG] A Proposal for Dynamic Registration
>
> At last week's IETF meeting, there was quite a lot of talk about the Dynamic Registration draft as well as a few other related drafts in this space. I would like to propose to the group what I think would be a positive working structure among the different approaches that would let us move everything forward. The source documents in discussion here are the WG's Dynamic Registration (draft 14) and Phil Hunt's individual submission of a SCIM-based alternative with some software assertion components to it. I suggest we refactor these into three documents:
>
>    - OAuth Dynamic Registration
>    - SCIM-based OAuth Dynamic Registration
>    - Software Statements for OAuth Dynamic Registration
>
> I think that they all have their place in the world, and this is how I see them fitting together:
>
>
> OAuth Dynamic Registration
>
> What it is: Essentially the draft we have today, draft 14. This draft
> defines a standalone RESTful API for dealing with client
> registrations, it allows for open registration as well as protected
> registration, and perhaps most importantly we know that it works
> because people have implemented it as part of several different APIs.
> This could have an informational pointer to the SCIM draft and the
> Software Statements draft. We could call this one "core" or "basic" or
> some other modifier, but I don't think that's necessary because it
> already does what it says on the tin.
>
> What it needs to concentrate on: This needs to be a "base" document
> with extension hooks in key places (such as the client metadata, which
> is already extensible, and places that have been made extensible like
> the token_endpoint_auth_method, and perhaps others). It needs to get
> its job done, allowing for full specification of the simple case in an
> interoperable way (anonymous registration of self-asserted client
> metadata to receive a client identifier and manage the registration)
> and be extensible and flexible enough for the more complex cases.
>
> What we should do: I think that we should continue shepherding this
> document through WGLC in the OAuth WG because there are no specific
> open issues in the spec (that I, the editor, am aware of) and I've
> seen what I would personally consider to be rough consensus on it (not
> unanimous, but that's not necessary anyway).
>
>
>
> SCIM-based OAuth Dynamic Registration:
>
> What it is: Most of Phil's draft, this defines a SCIM profile for
> managing OAuth clients dynamically. This will accomplish the same
> kinds of things that the OAuth Dynamic Registration Draft will
> accomplish, but in a SCIM-like manner. This will have a normative
> dependency on SCIM (of some version), and probably an informational
> dependency on OAuth Dynamic Registration. This could have an
> informational pointer to the Software Statements draft. This draft is
> very useful if you're already deploying a SCIM based system, and if
> you're investing in SCIM then it's going to be a smaller step to
> support this than it would be the base draft. However, I strongly
> believe that SCIM is a really big jump for implementing basic
> functionality that this is trying to accomplish.
>
> What it needs to concentrate on: Tracking with the overall SCIM
> specification (on which it depends) and tracking with the data model
> and general usage of the OAuth Dynamic Registration protocol (wherever
> it makes sense to do so).
>
> What we should do: I think that this draft should be picked up and
> worked on as an IETF document, but I think that it probably makes more
> sense for that work to be done inside of the SCIM working group. The
> reasons for this are twofold: First, this draft really should look and
> feel like SCIM, and to do that it really needs the attention of the
> group that's defining SCIM. Second, SCIM isn't completed and likely
> won't be for some time to come, and this draft needs to track with
> that protocol as it moves through the IETF process.
>
>
>
> Software Statements for OAuth Dynamic Registration
>
> What it is: Section 4 of Phil's draft (plus a few other bits,
> discussed here), this defines a method for presenting signed and/or
> verifiable claims to the registration server's endpoint. This is most
> useful when an authorization server can verify the claims being
> presented, such as being able to discover the signing key from the
> "iss" claim and validate the signature. This could also be used (with
> some additional specification) by a discovery-based system that could
> fix ahead of time some of the claims for a given piece of software
> (like we've done with BlueButton+). In some circumstances, this
> assertion could even contain all relevant bits of the registration,
> leaving the rest of the metadata fields blank. This is essentially the
> "use the assertion as the registration" flow that Phil discussed at
> the meeting, from what I understand. In all of these cases, it can
> give us a higher assurance for the registration and means to tie
> together multiple instances of a piece of software across a network.
>
> What it needs to concentrate on: Making the software statements
> interoperable. I don't think this is going to be an easy task, and I
> think it's going to be a long process to get it *right* for all players.
>
> What we should do: I think that this draft should be picked up by the
> OAuth Working Group as a WG document, and it should be built as an
> extension to both the OAuth Dynamic Registration and SCIM-based OAuth
> Dynamic Registration documents. I think it's important, but it's added
> functionality on top of either the RESTful or the SCIM-based
> registration documents, and as such it should have a normative
> reference to both of them with detailed profiles of how to use them.
>
>
>
>
>
>
> So in all, we've got three main documents, each with different
> purposes and concentrations, and with different timelines. I don't see
> any problem with these coexisting, and I think doing things this way
> can cover all of our known use cases and let us actually progress
> these documents and move forward.
>
>    -- Justin
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>
>
>





From jricher@mitre.org  Wed Aug  7 08:20:48 2013
Message-ID: <5202654C.2040500@mitre.org>
Date: Wed, 7 Aug 2013 11:18:36 -0400
From: Justin Richer <jricher@mitre.org>
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:17.0) Gecko/20130623 Thunderbird/17.0.7
MIME-Version: 1.0
To: Anthony Nadalin <tonynad@microsoft.com>
References: <52016822.2090703@mitre.org> <bd9eb305a4a34669a4bd6a29d5b04066@BY2PR03MB189.namprd03.prod.outlook.com> <52025504.1000705@mitre.org> <caa0ee4331d444a6ac2a1dc03c1b42fa@BY2PR03MB189.namprd03.prod.outlook.com>
In-Reply-To: <caa0ee4331d444a6ac2a1dc03c1b42fa@BY2PR03MB189.namprd03.prod.outlook.com>
Content-Type: text/plain; charset="ISO-8859-1"; format=flowed
Content-Transfer-Encoding: 7bit
Cc: "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] A Proposal for Dynamic Registration

Addressing your points inline:

On 08/07/2013 10:58 AM, Anthony Nadalin wrote:
> I see plenty of fractures, we discussed many of these at the meeting and several side meetings last week. Specifications that are brought to IETF undergo changes, morph into something different all the time regardless of who has implemented the original specifications, OAUTH Core is a fine example of how lots of running code was changed because the specification changed, so because you may have code based upon this is not a reason that it is correct and should not change.
And all that has happened with this draft as well. Things have changed 
quite a bit from the original specs, breaking changes that caused huge 
ripples through existing implementations. Eventually though you need to 
say "it's good enough" -- if you keep changing things and don't declare 
something done, people will just get bored and move on. I'm glad that 
you mention OAuth core because it is a great example of our previous 
failure at this -- we took so long to get it out there that there are 
several major non-compliant implementations on the web today, most 
notably Facebook, who have no incentive to change to the final draft 
just because the IETF says so. Let's not screw this up again.

>   I'm not aware of many people using this draft, as in the meeting last week I think we had 2 examples, so more people saying that they have implemented this at scale and the problems it solves would be a good thing.
I agree that more people implementing it would be a good thing, but 
you're ignoring the people that already are. There are also a number of 
people that I've spoken to who are hesitant to implement until things 
are deemed fairly "stable", if not final. Those people will come up with 
their own, mutually-incompatible versions.

> Here are the problems that I see with the current proposal and why we would/could not use it:
>
> 1. The schema proposal is not extensible, please look at the issues with SCIM and how the scheme was made extensible in SCIM.
Yes, it is extensible, I really don't know where you're getting that. 
It's JSON, schema-by-fiat. If you want an extension parameter, just add 
it. Your server has to deal with (as in, not crash if it sees) anything 
in the base spec, and it has to ignore anything that it doesn't 
understand. Best thing I could think to add here would be an IANA 
registry for the client metadata names -- I personally find such things 
overkill but if the WG wants to go that route, we certainly can.
> 2. This proposal requires that I now provide management at the registration endpoint to manage users and secrets, this is costly.
What users are you talking about here? There aren't any users here that 
I know of. As for secrets, you already have to manage client secrets.

> 3. Yet the development of another endpoint.
Adding an endpoint for specific functionality is a good thing, it lets 
you separate out concerns. You talk like URLs are expensive, which is 
ludicrous. Would you propose we try to cram everything through a single 
URL like SOAP? Let's learn from the mistakes of the past instead of 
repeating them.

> 4. I don't see any use cases, maybe these should be documented (or point people to these) so we understand what this is actually trying to solve, as this is somewhat of a mystery to me and others.
Read appendix B. That's why it's there. If there are more cases that we 
can add, suggest text.
> 5. There are a lot of issues that OAUTH does not solve, I don't think that this issue (as I understand it) is in the realm of OAUTH, maybe the applications area would be a better place for this specification
This was a chartered item for the group to solve (check the charter for 
yourself), we discussed it several times over the last few years before 
it was made a chartered item (check the archives for yourself), and 
there are people willing to work on the document. That's all it takes 
for this to be in scope in the IETF. Trying to boot it into another 
working group at this stage is just odd to me.

  -- Justin
>
>
>
> -----Original Message-----
> From: Justin Richer [mailto:jricher@mitre.org]
> Sent: Wednesday, August 7, 2013 7:09 AM
> To: Anthony Nadalin
> Cc: oauth@ietf.org
> Subject: Re: [OAUTH-WG] A Proposal for Dynamic Registration
>
> Tony, it happened several months ago:
>
>     http://www.ietf.org/mail-archive/web/oauth/current/msg11326.html
>
> This triggered a lot of discussion and brought up several changes in the document, in general for the good. The vast majority of changes were editorial in nature, clearing up the intent of the text, but the underlying protocol is pretty solid and not very different qualitatively from draft -10. At this point, I believe that all open issues are addressed in the document or directed towards specific proposed extensions, and I haven't heard anything to the contrary.
>
> And I think you're reading the tone content of the discussion incorrectly. As I tried to carefully lay out below, I don't see fractures. I see multiple components that can work together and fit fairly nicely into a larger system. The existence of multiple solutions does not invalidate the applicability of a known good solution. We can not shelve something good just because there's a hint of something else on the horizon (which might be good or bad, we don't know yet).
>
> There is a lot of support for the Dynamic Registration draft that's there today, just look at the number of implementers and protocols that are actually using it. This is not a theoretical draft, this is not an intellectual exercise, this is not a speculative document -- this is a codification of real practice that we know works and has been implemented and deployed and tested.
>
> And speaking of these other protocols and systems -- they're going to move on whether we at the IETF want them to or not. Nobody is going to sit around and wait for the IETF-blessed version of this functionality.
> As a matter of fact, this document was born of the output of two groups who specifically *didn't* wait around for the IETF to solve this problem. We brought it "in house" here because we believed that it would be better to have a generally applicable solution than to have a dozen proprietary implementations. That's where true fragmentation comes from:
> implementations and deployments, not from minor quibbles about syntax.
> So could we stuff dynamic registration on a shelf and wait for a perfect solution to descend from heaven? Sure we could, but that would be so profoundly stupid that I would question the sanity of everyone in this working group. But if we come up with a solution that works, can be implemented, and is done in a timely fashion, then the world *will* use it. That's what we have, and that's what I want to move forward.
>
> There's also a lot of support for extensions (software statements) and different instantiations (SCIM) of the same basic protocol. These are good things, and they speak to the strength of the registration protocol, not its weakness.  I believe that what I've laid out below is a solid and reasonable plan for moving things forward and addressing everything that's been brought up, and so I invite the commentary of the whole of the working group. After all, the IETF is an organization of individuals and we work on rough consensus and running code.
>
>    -- Justin
>
> On 08/06/2013 07:18 PM, Anthony Nadalin wrote:
>> I think that the IETF meeting and session on Dynamic Registration showed how fractured it was and how we don't have consensus on what needs to be done and how it needs to be done. I would not support moving any draft further along in the IETF process. I looked on mailing list and could not find out where any dynamic registration document went to WGLC, so maybe someone can point me to that.
>>
>> -----Original Message-----
>> From: oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] On Behalf
>> Of Justin Richer
>> Sent: Tuesday, August 6, 2013 2:18 PM
>> To: oauth@ietf.org
>> Subject: [OAUTH-WG] A Proposal for Dynamic Registration
>>
>> At last week's IETF meeting, there was quite a lot of talk about the Dynamic Registration draft as well as a few other related drafts in this space. I would like to propose to the group what I think would be a positive working structure among the different approaches that would let us move everything forward. The source documents in discussion here are the WG's Dynamic Registration (draft 14) and Phil Hunt's individual submission of a SCIM-based alternative with some software assertion components to it. I suggest we refactor these into three documents:
>>
>>     - OAuth Dynamic Registration
>>     - SCIM-based OAuth Dynamic Registration
>>     - Software Statements for OAuth Dynamic Registration
>>
>> I think that they all have their place in the world, and this is how I see them fitting together:
>>
>>
>> OAuth Dynamic Registration
>>
>> What it is: Essentially the draft we have today, draft 14. This draft
>> defines a standalone RESTful API for dealing with client
>> registrations, it allows for open registration as well as protected
>> registration, and perhaps most importantly we know that it works
>> because people have implemented it as part of several different APIs.
>> This could have an informational pointer to the SCIM draft and the
>> Software Statements draft. We could call this one "core" or "basic" or
>> some other modifier, but I don't think that's necessary because it
>> already does what it says on the tin.
>>
>> What it needs to concentrate on: This needs to be a "base" document
>> with extension hooks in key places (such as the client metadata, which
>> is already extensible, and places that have been made extensible like
>> the token_endpoint_auth_method, and perhaps others). It needs to get
>> its job done, allowing for full specification of the simple case in an
>> interoperable way (anonymous registration of self-asserted client
>> metadata to receive a client identifier and manage the registration)
>> and be extensible and flexible enough for the more complex cases.
>>
>> What we should do: I think that we should continue shepherding this
>> document through WGLC in the OAuth WG because there are no specific
>> open issues in the spec (that I, the editor, am aware of) and I've
>> seen what I would personally consider to be rough consensus on it (not
>> unanimous, but that's not necessary anyway).
>>
>>
>>
>> SCIM-based OAuth Dynamic Registration:
>>
>> What it is: Most of Phil's draft, this defines a SCIM profile for
>> managing OAuth clients dynamically. This will accomplish the same
>> kinds of things that the OAuth Dynamic Registration Draft will
>> accomplish, but in a SCIM-like manner. This will have a normative
>> dependency on SCIM (of some version), and probably an informational
>> dependency on OAuth Dynamic Registration. This could have an
>> informational pointer to the Software Statements draft. This draft is
>> very useful if you're already deploying a SCIM based system, and if
>> you're investing in SCIM then it's going to be a smaller step to support this than it would be the base draft.
>> However, I strongly believe that SCIM is a really big jump for
>> implementing basic functionality that this is trying to accomplish.
>>
>> What it needs to concentrate on: Tracking with the overall SCIM
>> specification (on which it depends) and tracking with the data model
>> and general usage of the OAuth Dynamic Registration protocol (wherever
>> it makes sense to do so).
>>
>> What we should do: I think that this draft should be picked up and
>> worked on as an IETF document, but I think that it probably makes more
>> sense for that work to be done inside of the SCIM working group. The
>> reasons for this are twofold: First, this draft really should look and
>> feel like SCIM, and to do that it really needs the attention of the
>> group that's defining SCIM. Second, SCIM isn't completed and likely
>> won't be for some time to come, and this draft needs to track with
>> that protocol as it moves through the IETF process.
>>
>>
>>
>> Software Statements for OAuth Dynamic Registration
>>
>> What it is: Section 4 of Phil's draft (plus a few other bits,
>> discussed here), this defines a method for presenting signed and/or
>> verifiable claims to the registration server's endpoint. This is most
>> useful when an authorization server can verify the claims being
>> presented, such as being able to discover the signing key from the
>> "iss" claim and validate the signature. This could also be used (with
>> some additional
>> specification) by a discovery-based system that could fix ahead of
>> time some of the claims for a given piece of software (like we've done
>> with
>> BlueButton+). In some circumstances, this assertion could even contain
>> all relevant bits of the registration, leaving the rest of the
>> metadata fields blank. This is essentially the "use the assertion as
>> the registration" flow that Phil discussed at the meeting, from what I
>> understand. In all of these cases, it can give us a higher assurance
>> for the registration and means to tie together multiple instances of a
>> piece of software across a network.
>>
>> What it needs to concentrate on: Making the software statements
>> interoperable. I don't think this is going to be an easy task, and I
>> think it's going to be a long process to get it *right* for all players.
>>
>> What we should do: I think that this draft should be picked up by the
>> OAuth Working Group as a WG document, and it should be built as an
>> extension to both the OAuth Dynamic Registration and SCIM-based OAuth
>> Dynamic Registration documents. I think it's important, but it's added
>> functionality on top of either the RESTful or the SCIM-based
>> registration documents, and as such it should have a normative
>> reference to both of them with detailed profiles of how to use them.
>>
>>
>>
>>
>>
>>
>> So in all, we've got three main documents, each with different
>> purposes and concentrations, and with different timelines. I don't see
>> any problem with these coexisting, and I think doing things this way
>> can cover all of our known use cases and let us actually progress
>> these documents and move forward.
>>
>>     -- Justin
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth
>>
>>
>>
>
>
>
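
An added example, not part of the original message and not code from the draft or any implementation: a registration handler that follows the rule stated in the reply above, processing the client metadata it understands and ignoring the rest. Field names other than `token_endpoint_auth_method` and the two error codes are taken from the OAuth Dynamic Client Registration specification rather than from this thread; `example_extension_param`, the sample request and the function names are constructed for illustration.

```python
import json
import secrets
from urllib.parse import urlsplit

# Authentication methods this example server supports (an assumption).
SUPPORTED_AUTH_METHODS = {"none", "client_secret_basic", "client_secret_post"}

# Constructed sample request: two understood fields, one extension parameter
# the server has never heard of, and an attempt to choose its own client_id.
SAMPLE_REQUEST = json.dumps({
    "redirect_uris": ["https://client.example.org/callback"],
    "client_name": "Example Client",
    "example_extension_param": {"anything": [1, 2, 3]},
    "client_id": "admin",
}).encode()


class RegistrationError(Exception):
    """Maps to an HTTP 400 response carrying `error` and `error_description`."""

    def __init__(self, error, description):
        super().__init__(description)
        self.error = error
        self.description = description


def _redirect_uris(value):
    if not isinstance(value, list) or not value:
        raise RegistrationError("invalid_redirect_uri", "expected a non-empty array")
    for uri in value:
        try:
            parts = urlsplit(uri) if isinstance(uri, str) else None
        except ValueError:
            parts = None
        # OAuth 2.0 redirection URIs are absolute and carry no fragment.
        if parts is None or not parts.scheme or parts.fragment:
            raise RegistrationError("invalid_redirect_uri", f"rejected: {uri!r}")
    return value


def _string(value):
    if not isinstance(value, str):
        raise RegistrationError("invalid_client_metadata", "expected a string")
    return value


def _auth_method(value):
    if not isinstance(value, str) or value not in SUPPORTED_AUTH_METHODS:
        raise RegistrationError("invalid_client_metadata",
                                "unsupported token_endpoint_auth_method")
    return value


# The metadata this server understands. Supporting an extension means adding
# one entry here; every other name in a request is ignored.
UNDERSTOOD = {
    "redirect_uris": _redirect_uris,
    "token_endpoint_auth_method": _auth_method,
    "client_name": _string,
    "scope": _string,
}


def register_client(raw_body):
    """Return (response_document, ignored_field_names) or raise RegistrationError."""
    try:
        request = json.loads(raw_body)
    except ValueError:
        raise RegistrationError("invalid_client_metadata", "body is not JSON") from None
    if not isinstance(request, dict):
        raise RegistrationError("invalid_client_metadata", "body is not a JSON object")

    registered, ignored = {}, []
    for name, value in request.items():
        validator = UNDERSTOOD.get(name)
        if validator is None:
            ignored.append(name)  # neither stored nor echoed back
        else:
            registered[name] = validator(value)

    registered.setdefault("token_endpoint_auth_method", "client_secret_basic")
    # Identifier and secret are always server-issued, never taken from the request.
    response = dict(registered, client_id=secrets.token_urlsafe(16))
    if registered["token_endpoint_auth_method"] != "none":
        response["client_secret"] = secrets.token_urlsafe(32)
    return response, sorted(ignored)


if __name__ == "__main__":
    print(register_client(SAMPLE_REQUEST))
```

Because `client_id` is not in the understood set, a client that sends one gets it ignored like any other unknown name, so tolerating unknown fields does not let a request pick its own identifier.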


From wmills_92105@yahoo.com  Wed Aug  7 08:25:10 2013
References: <5200DD6C.3010003@gmail.com>	<CAC4RtVAoSB5vQPiNB2JCBjJ8vOmvyKZSkAdwithzziXfjsku3w@mail.gmail.com> <OFDF319810.D5537EBC-ON85257BC0.004AB0BC-85257BC0.004B203C@us.ibm.com>
Message-ID: <1375889079.85708.YahooMailNeo@web142805.mail.bf1.yahoo.com>
Date: Wed, 7 Aug 2013 08:24:39 -0700 (PDT)
From: Bill Mills <wmills_92105@yahoo.com>
To: Todd W Lainhart <lainhart@us.ibm.com>, Barry Leiba <barryleiba@computer.org>
In-Reply-To: <OFDF319810.D5537EBC-ON85257BC0.004AB0BC-85257BC0.004B203C@us.ibm.com>
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="1583497461-778032492-1375889079=:85708"
Cc: "<oauth@ietf.org>" <oauth@ietf.org>, "oauth-bounces@ietf.org" <oauth-bounces@ietf.org>
Subject: Re: [OAUTH-WG] What should happen to access tokens when the end user credentials change

--1583497461-778032492-1375889079=:85708
Content-Type: text/plain; charset=iso-8859-1
Content-Transfer-Encoding: quoted-printable

Yahoo generally, but not always (there are special cases), invalidates all
credentials on password change.  This applies to refresh tokens, access
tokens, cookies, etc.


________________________________
From: Todd W Lainhart <lainhart@us.ibm.com>
To: Barry Leiba <barryleiba@computer.org>
Cc: "<oauth@ietf.org>" <oauth@ietf.org>; oauth-bounces@ietf.org
Sent: Wednesday, August 7, 2013 6:40 AM
Subject: Re: [OAUTH-WG] What should happen to access tokens when the end user credentials change


Assuming of course that the AS was notified
by the IdP (or could inquire from same, say, during introspection) that
something about the user's account had changed - there's nothing in the
protocol that speaks to that.

Would anyone be surprised if the authorizations
granted to the previous confirmation of identity were now void?  That
seems like the simplest way to handle it.


Todd Lainhart
Rational software
IBM Corporation
550 King Street, Littleton, MA 01460-1250
1-978-899-4705
2-276-4705 (T/L)
lainhart@us.ibm.com


From:    Barry Leiba <barryleiba@computer.org>
To:      Sergey Beryozkin <sberyozkin@gmail.com>,
Cc:      "<oauth@ietf.org>" <oauth@ietf.org>
Date:    08/06/2013 08:50 AM
Subject: Re: [OAUTH-WG] What should happen to access tokens when the end user credentials change
Sent by: oauth-bounces@ietf.org
________________________________


> Suppose a given user has approved a client's grant request and that client
> is now working with the access token tied to the user's login name (or some
> other representation of that user's login credentials).
>
> What would be the recommended course of action when that user's credentials
> (example, the user's login name) change, as far as the existing access
> tokens tied to that user are concerned ?

An interesting question.

I think it's not the OAuth protocol's concern, but a document
describing operations and deployment might suggest what to do.
Groping here (I'm not a UI expert):

I expect that some changes (and/or some reasons for changes) would
make no difference to the authorizations the user has approved.  If I
change my username from "barryleiba" to "bigkahuna" because I want to
be cool, I would want my authorizations to persist.  If I change my
password because I routinely change my password, I would want my
authorizations to persist.  If I change my password because I think my
old password was compromised, I would want to review my authorizations
and make sure nothing untoward is there.  Alternatively, I might just
want to invalidate all of them and re-establish them as needed
afterward.

So it would probably be good for the system in question to ask me what
to do about the authorizations I've given out, and allow me to review
them and address them one by one, and/or make a blanket decision for
the lot.

Maybe:

   Your password has been changed.

   Do you want to revoke authorizations you have approved?  [YES / NO]

Or maybe:

   Your password has been changed.

   Do you want to review authorizations you have approved?  [YES / NO]

--
Barry
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
--1583497461-778032492-1375889079=:85708--
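
An added example, not part of the original messages and not any deployed system's code: a toy authorization server that applies the two behaviours discussed in this thread when the IdP reports a credential change, either revoking everything on a password change or queueing the user's grants for review. It assumes tokens are bound to a stable internal account id instead of the login name, and invalidates them through a per-account credential epoch; all class, method and field names are hypothetical.

```python
import secrets
from dataclasses import dataclass
from enum import Enum


class Change(Enum):
    USERNAME = "username"
    PASSWORD = "password"


class Policy(Enum):
    REVOKE_ON_PASSWORD_CHANGE = 1  # the behaviour Bill Mills describes
    ASK_USER = 2                   # the prompt Barry Leiba sketches


@dataclass
class Grant:
    subject: str        # stable account id (assumption), never the login name
    client_id: str
    refresh_token: str
    epoch: int          # the account's credential epoch when the grant was made


class AuthorizationServer:
    def __init__(self, policy):
        self.policy = policy
        self.subject_of = {}       # login name -> subject
        self.epoch = {}            # subject -> current credential epoch
        self.access = {}           # access token -> Grant
        self.refreshable = {}      # refresh token -> Grant
        self.needs_review = set()  # subjects to be shown their authorizations

    def add_user(self, login):
        subject = "acct-" + secrets.token_hex(8)
        self.subject_of[login] = subject
        self.epoch[subject] = 0
        return subject

    def rename_user(self, old_login, new_login):
        subject = self.subject_of.pop(old_login)
        self.subject_of[new_login] = subject
        return self.credential_changed(subject, Change.USERNAME)

    def authorize(self, login, client_id):
        """Record the user's approval; return (access_token, refresh_token)."""
        subject = self.subject_of[login]
        grant = Grant(subject, client_id, secrets.token_urlsafe(32), self.epoch[subject])
        self.refreshable[grant.refresh_token] = grant
        return self._issue_access(grant), grant.refresh_token

    def _issue_access(self, grant):
        token = secrets.token_urlsafe(32)
        self.access[token] = grant
        return token

    def _current(self, grant):
        # A grant is honoured only if no revocation happened since it was made.
        return grant is not None and grant.epoch == self.epoch[grant.subject]

    def introspect(self, access_token):
        grant = self.access.get(access_token)
        if not self._current(grant):
            return {"active": False}
        return {"active": True, "sub": grant.subject, "client_id": grant.client_id}

    def refresh(self, refresh_token):
        grant = self.refreshable.get(refresh_token)
        return self._issue_access(grant) if self._current(grant) else None

    def revoke_all(self, subject):
        # One increment voids every access and refresh token of the account.
        self.epoch[subject] += 1
        self.needs_review.discard(subject)

    def credential_changed(self, subject, change):
        """Called when the IdP reports a change; returns the action taken."""
        if change is Change.USERNAME:
            return "kept"
        if self.policy is Policy.REVOKE_ON_PASSWORD_CHANGE:
            self.revoke_all(subject)
            return "revoked"
        self.needs_review.add(subject)
        return "review"

    def answer_review(self, subject, revoke):
        """The user's answer to 'revoke authorizations you have approved?'."""
        if revoke:
            self.revoke_all(subject)
        else:
            self.needs_review.discard(subject)
```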

From tonynad@microsoft.com  Wed Aug  7 15:14:52 2013
From: Anthony Nadalin <tonynad@microsoft.com>
To: Justin Richer <jricher@mitre.org>
Thread-Topic: [OAUTH-WG] A Proposal for Dynamic Registration
Thread-Index: AQHOkusVub8uV8Fzs026F8FprsDzrJmIzgQQgAD7gwCAAAaN4IAADNsAgABo01A=
Date: Wed, 7 Aug 2013 21:59:34 +0000
Message-ID: <e8fbaf0f44a047f2aee747586643ba9b@BY2PR03MB189.namprd03.prod.outlook.com>
References: <52016822.2090703@mitre.org> <bd9eb305a4a34669a4bd6a29d5b04066@BY2PR03MB189.namprd03.prod.outlook.com> <52025504.1000705@mitre.org> <caa0ee4331d444a6ac2a1dc03c1b42fa@BY2PR03MB189.namprd03.prod.outlook.com> <5202654C.2040500@mitre.org>
In-Reply-To: <5202654C.2040500@mitre.org>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
x-originating-ip: [2001:4898:80e8:ed31::f4]
x-forefront-prvs: 0931CB1479
x-forefront-antispam-report: SFV:NSPM; SFS:(51444003)(13464003)(55885003)(24454002)(479174003)(377454003)(51704005)(199002)(189002)(69226001)(16406001)(54356001)(74876001)(15202345003)(4396001)(79102001)(47736001)(49866001)(74316001)(81542001)(561944002)(81342001)(31966008)(74662001)(47446002)(74502001)(76482001)(54316002)(56776001)(53806001)(80976001)(56816003)(77096001)(74706001)(50986001)(47976001)(80022001)(65816001)(77982001)(59766001)(74366001)(51856001)(63696002)(46102001)(19580395003)(19580405001)(19580385001)(33646001)(83072001)(76796001)(76576001)(76786001)(83322001)(42262001)(3826001)(24736002); DIR:OUT; SFP:; SCL:1; SRVR:BY2PR03MB190; H:BY2PR03MB189.namprd03.prod.outlook.com; CLIP:2001:4898:80e8:ed31::f4; RD:InfoNoRecords; A:1; MX:1; LANG:en; 
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-OriginatorOrg: DuplicateDomain-a84fc36a-4ed7-4e57-ab1c-3e967bcbad48.microsoft.com
X-MS-Exchange-CrossPremises-AuthAs: Internal
X-MS-Exchange-CrossPremises-AuthMechanism: 03
X-MS-Exchange-CrossPremises-AuthSource: BY2PR03MB189.namprd03.prod.outlook.com
X-MS-Exchange-CrossPremises-SCL: 1
X-MS-Exchange-CrossPremises-messagesource: StoreDriver
X-MS-Exchange-CrossPremises-BCC: 
X-MS-Exchange-CrossPremises-originalclientipaddress: 2001:4898:80e8:ed31::f4
X-MS-Exchange-CrossPremises-avstamp-service: 1.0
X-MS-Exchange-CrossPremises-antispam-scancontext: DIR:Originating; SFV:NSPM; SKIP:0; 
X-MS-Exchange-CrossPremises-processed-by-journaling: Journal Agent
X-MS-Exchange-CrossPremises-ContentConversionOptions: False; 00160000; True; ; iso-8859-1
X-OrganizationHeadersPreserved: BY2PR03MB190.namprd03.prod.outlook.com
Cc: "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] A Proposal for Dynamic Registration
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 07 Aug 2013 22:14:52 -0000

This proposal provisions and de-provisions clients and allows a client to read/update provisioning data (and it also has to deal with schema extensibility, internationalization among the other things), very similar to SCIM, why do we want different ways to do this ? We also have the JIT proposals in SCIM which make even more sense for quick provisioning clients with limited data. This is a lot of repeat of SCIM.

Schema extensibility is not just the ability to add or replace but the flexibility to model desired objects and relationships that are in the target store schema. We would certainly not want to create yet another store/directory just to register clients.

-----Original Message-----
From: Justin Richer [mailto:jricher@mitre.org]
Sent: Wednesday, August 7, 2013 8:19 AM
To: Anthony Nadalin
Cc: oauth@ietf.org
Subject: Re: [OAUTH-WG] A Proposal for Dynamic Registration

Addressing your points inline:

On 08/07/2013 10:58 AM, Anthony Nadalin wrote:
> I see plenty of fractures, we discussed many of these at the meeting and several side meetings last week. Specifications that are brought to IETF undergo changes, morph into something different all the time regardless of who has implemented the original specifications, OAUTH Core is a fine example of how lots of running code was changed because the specification changed, so because you may have code based upon this is not a reason that it is correct and should not change.
And all that has happened with this draft as well. Things have changed quite a bit from the original specs, breaking changes that caused huge ripples through existing implementations. Eventually though you need to say "it's good enough" -- if you keep changing things and don't declare something done, people will just get bored and move on. I'm glad that you mention OAuth core because it is a great example of our previous failure at this -- we took so long to get it out there that there are several major non-compliant implementations on the web today, most notably Facebook, who have no incentive to change to the final draft just because the IETF says so. Let's not screw this up again.

> I'm not aware of many people using this draft, as in the meeting last week I think we had 2 examples, so more people saying that they have implemented this at scale and the problems it solves would be a good thing.
I agree that more people implementing it would be a good thing, but you're ignoring the people that already are. There are also a number of people that I've spoken to who are hesitant to implement until things are deemed fairly "stable", if not final. Those people will come up with their own, mutually-incompatible versions.

> Here are the problems that I see with the current proposal and why we would/could not use it:
>
> 1. The schema proposal is not extensible, please look at the issues with SCIM and how the scheme was made extensible in SCIM.
Yes, it is extensible, I really don't know where you're getting that.
It's JSON, schema-by-fiat. If you want an extension parameter, just add it. Your server has to deal with (as in, not crash if it sees) anything in the base spec, and it has to ignore anything that it doesn't understand. Best thing I could think to add here would be an IANA registry for the client metadata names -- I personally find such things overkill but if the WG wants to go that route, we certainly can.
> 2. This proposal requires that I now provide management at the registration endpoint to manage users and secrets, this is costly.
What users are you talking about here? There aren't any users here that I know of. As for secrets, you already have to manage client secrets.

> 3. Yet the development of another endpoint.
Adding an endpoint for specific functionality is a good thing, it lets you separate out concerns. You talk like URLs are expensive, which is ludicrous. Would you propose we try to cram everything through a single URL like SOAP? Let's learn from the mistakes of the past instead of repeating them.

> 4. I don't see any use cases, maybe these should be documented (or point people to these) so we understand what this is actually trying to solve, as this is somewhat of a mystery to me and others.
Read appendix B. That's why it's there. If there are more cases that we can add, suggest text.
> 5. There are a lot of issues that OAUTH does not solve, I don't think
> that this issue (as I understand it) is in the realm of OAUTH, maybe
> the applications area would be a better place for this specification
This was a chartered item for the group to solve (check the charter for yourself), we discussed it several times over the last few years before it was made a chartered item (check the archives for yourself), and there are people willing to work on the document. That's all it takes for this to be in scope in the IETF. Trying to boot it into another working group at this stage is just odd to me.

  -- Justin
>
>
>
> -----Original Message-----
> From: Justin Richer [mailto:jricher@mitre.org]
> Sent: Wednesday, August 7, 2013 7:09 AM
> To: Anthony Nadalin
> Cc: oauth@ietf.org
> Subject: Re: [OAUTH-WG] A Proposal for Dynamic Registration
>
> Tony, it happened several months ago:
>
>     http://www.ietf.org/mail-archive/web/oauth/current/msg11326.html
>
> This triggered a lot of discussion and brought up several changes in the document, in general for the good. The vast majority of changes were editorial in nature, clearing up the intent of the text, but the underlying protocol is pretty solid and not very different qualitatively from draft -10. At this point, I believe that all open issues are addressed in the document or directed towards specific proposed extensions, and I haven't heard anything to the contrary.
>
> And I think you're reading the tone content of the discussion incorrectly. As I tried to carefully lay out below, I don't see fractures. I see multiple components that can work together and fit fairly nicely into a larger system. The existence of multiple solutions does not invalidate the applicability of a known good solution. We can not shelve something good just because there's a hint of something else on the horizon (which might be good or bad, we don't know yet).
>
> There is a lot of support for the Dynamic Registration draft that's there today, just look at the number of implementers and protocols that are actually using it. This is not a theoretical draft, this is not an intellectual exercise, this is not a speculative document -- this is a codification of real practice that we know works and has been implemented and deployed and tested.
>
> And speaking of these other protocols and systems -- they're going to move on whether we at the IETF want them to or not. Nobody is going to sit around and wait for the IETF-blessed version of this functionality.
> As a matter of fact, this document was born of the output of two groups who specifically *didn't* wait around for the IETF to solve this problem. We brought it "in house" here because we believed that it would be better to have a generally applicable solution than to have a dozen proprietary implementations. That's where true fragmentation comes from:
> implementations and deployments, not from minor quibbles about syntax.
> So could we stuff dynamic registration on a shelf and wait for a perfect solution to descend from heaven? Sure we could, but that would be so profoundly stupid that I would question the sanity of everyone in this working group. But if we come up with a solution that works, can be implemented, and is done in a timely fashion, then the world *will* use it. That's what we have, and that's what I want to move forward.
>
> There's also a lot of support for extensions (software statements) and different instantiations (SCIM) of the same basic protocol. These are good things, and they speak to the strength of the registration protocol, not its weakness.  I believe that what I've laid out below is a solid and reasonable plan for moving things forward and addressing everything that's been brought up, and so I invite the commentary of the whole of the working group. After all, the IETF is an organization of individuals and we work on rough consensus and running code.
>
>    -- Justin
>
> On 08/06/2013 07:18 PM, Anthony Nadalin wrote:
>> I think that the IETF meeting and session on Dynamic Registration showed how fractured it was and how we don't have consensus on what needs to be done and how it needs to be done. I would not support moving any draft further along in the IETF process. I looked on mailing list and could not find out where any dynamic registration document went to WGLC, so maybe someone can point me to that.
>>
>> -----Original Message-----
>> From: oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] On
>> Behalf Of Justin Richer
>> Sent: Tuesday, August 6, 2013 2:18 PM
>> To: oauth@ietf.org
>> Subject: [OAUTH-WG] A Proposal for Dynamic Registration
>>
>> At last week's IETF meeting, there was quite a lot of talk about the Dynamic Registration draft as well as a few other related drafts in this space. I would like to propose to the group what I think would be a positive working structure among the different approaches that would let us move everything forward. The source documents in discussion here are the WG's Dynamic Registration (draft 14) and Phil Hunt's individual submission of a SCIM-based alternative with some software assertion components to it. I suggest we refactor these into three documents:
>>
>>     - OAuth Dynamic Registration
>>     - SCIM-based OAuth Dynamic Registration
>>     - Software Statements for OAuth Dynamic Registration
>>
>> I think that they all have their place in the world, and this is how I see them fitting together:
>>
>>
>> OAuth Dynamic Registration
>>
>> What it is: Essentially the draft we have today, draft 14. This draft
>> defines a standalone RESTful API for dealing with client
>> registrations, it allows for open registration as well as protected
>> registration, and perhaps most importantly we know that it works
>> because people have implemented it as part of several different APIs.
>> This could have an informational pointer to the SCIM draft and the
>> Software Statements draft. We could call this one "core" or "basic"
>> or some other modifier, but I don't think that's necessary because it
>> already does what it says on the tin.
>>
>> What it needs to concentrate on: This needs to be a "base" document
>> with extension hooks in key places (such as the client metadata,
>> which is already extensible, and places that have been made
>> extensible like the token_endpoint_auth_method, and perhaps others).
>> It needs to get its job done, allowing for full specification of the
>> simple case in an interoperable way (anonymous registration of
>> self-asserted client metadata to receive a client identifier and
>> manage the registration) and be extensible and flexible enough for the more complex cases.
>>
>> What we should do: I think that we should continue shepherding this
>> document through WGLC in the OAuth WG because there are no specific
>> open issues in the spec (that I, the editor, am aware of) and I've
>> seen what I would personally consider to be rough consensus on it
>> (not unanimous, but that's not necessary anyway).
>>
>>
>>
>> SCIM-based OAuth Dynamic Registration:
>>
>> What it is: Most of Phil's draft, this defines a SCIM profile for
>> managing OAuth clients dynamically. This will accomplish the same
>> kinds of things that the OAuth Dynamic Registration Draft will
>> accomplish, but in a SCIM-like manner. This will have a normative
>> dependency on SCIM (of some version), and probably an informational
>> dependency on OAuth Dynamic Registration. This could have an
>> informational pointer to the Software Statements draft. This draft is
>> very useful if you're already deploying a SCIM based system, and if
>> you're investing in SCIM then it's going to be a smaller step to support this than it would be the base draft.
>> However, I strongly believe that SCIM is a really big jump for
>> implementing basic functionality that this is trying to accomplish.
>>
>> What it needs to concentrate on: Tracking with the overall SCIM
>> specification (on which it depends) and tracking with the data model
>> and general usage of the OAuth Dynamic Registration protocol
>> (wherever it makes sense to do so).
>>
>> What we should do: I think that this draft should be picked up and
>> worked on as an IETF document, but I think that it probably makes
>> more sense for that work to be done inside of the SCIM working group.
>> The reasons for this are twofold: First, this draft really should
>> look and feel like SCIM, and to do that it really needs the attention
>> of the group that's defining SCIM. Second, SCIM isn't completed and
>> likely won't be for some time to come, and this draft needs to track
>> with that protocol as it moves through the IETF process.
>>
>>
>>
>> Software Statements for OAuth Dynamic Registration
>>
>> What it is: Section 4 of Phil's draft (plus a few other bits,
>> discussed here), this defines a method for presenting signed and/or
>> verifiable claims to the registration server's endpoint. This is most
>> useful when an authorization server can verify the claims being
>> presented, such as being able to discover the signing key from the
>> "iss" claim and validate the signature. This could also be used (with
>> some additional
>> specification) by a discovery-based system that could fix ahead of
>> time some of the claims for a given piece of software (like we've
>> done with
>> BlueButton+). In some circumstances, this assertion could even contain
>> all relevant bits of the registration, leaving the rest of the
>> metadata fields blank. This is essentially the "use the assertion as
>> the registration" flow that Phil discussed at the meeting, from what
>> I understand. In all of these cases, it can give us a higher
>> assurance for the registration and means to tie together multiple
>> instances of a piece of software across a network.
>>
>> What it needs to concentrate on: Making the software statements
>> interoperable. I don't think this is going to be an easy task, and I
>> think it's going to be a long process to get it *right* for all players.
>>
>> What we should do: I think that this draft should be picked up by the
>> OAuth Working Group as a WG document, and it should be built as an
>> extension to both the OAuth Dynamic Registration and SCIM-based OAuth
>> Dynamic Registration documents. I think it's important, but it's
>> added functionality on top of either the RESTful or the SCIM-based
>> registration documents, and as such it should have a normative
>> reference to both of them with detailed profiles of how to use them.
>>
>>
>>
>>
>>
>>
>> So in all, we've got three main documents, each with different
>> purposes and concentrations, and with different timelines. I don't
>> see any problem with these coexisting, and I think doing things this
>> way can cover all of our known use cases and let us actually progress
>> these documents and move forward.
>>
>>     -- Justin
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth
>>
>>
>>
>
>
>



From jricher@mitre.org  Thu Aug  8 06:52:40 2013
Return-Path: <jricher@mitre.org>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BE61D21F9D7C for <oauth@ietfa.amsl.com>; Thu,  8 Aug 2013 06:52:40 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.249
X-Spam-Level: 
X-Spam-Status: No, score=-6.249 tagged_above=-999 required=5 tests=[AWL=-0.250, BAYES_00=-2.599, J_CHICKENPOX_21=0.6, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id XaQKIvKjJDZl for <oauth@ietfa.amsl.com>; Thu,  8 Aug 2013 06:52:31 -0700 (PDT)
Received: from smtpksrv1.mitre.org (smtpksrv1.mitre.org [198.49.146.77]) by ietfa.amsl.com (Postfix) with ESMTP id D042421F8F4A for <oauth@ietf.org>; Thu,  8 Aug 2013 06:52:30 -0700 (PDT)
Received: from smtpksrv1.mitre.org (localhost.localdomain [127.0.0.1]) by localhost (Postfix) with SMTP id 4E7011F0549; Thu,  8 Aug 2013 09:52:30 -0400 (EDT)
Received: from IMCCAS04.MITRE.ORG (imccas04.mitre.org [129.83.29.81]) by smtpksrv1.mitre.org (Postfix) with ESMTP id EE9BE1F0583; Thu,  8 Aug 2013 09:52:29 -0400 (EDT)
Received: from [10.146.15.13] (129.83.31.56) by IMCCAS04.MITRE.ORG (129.83.29.81) with Microsoft SMTP Server (TLS) id 14.2.342.3; Thu, 8 Aug 2013 09:52:29 -0400
Message-ID: <5203A221.3030705@mitre.org>
Date: Thu, 8 Aug 2013 09:50:25 -0400
From: Justin Richer <jricher@mitre.org>
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:17.0) Gecko/20130623 Thunderbird/17.0.7
MIME-Version: 1.0
To: Anthony Nadalin <tonynad@microsoft.com>
References: <52016822.2090703@mitre.org> <bd9eb305a4a34669a4bd6a29d5b04066@BY2PR03MB189.namprd03.prod.outlook.com> <52025504.1000705@mitre.org> <caa0ee4331d444a6ac2a1dc03c1b42fa@BY2PR03MB189.namprd03.prod.outlook.com> <5202654C.2040500@mitre.org> <e8fbaf0f44a047f2aee747586643ba9b@BY2PR03MB189.namprd03.prod.outlook.com>
In-Reply-To: <e8fbaf0f44a047f2aee747586643ba9b@BY2PR03MB189.namprd03.prod.outlook.com>
Content-Type: text/plain; charset="ISO-8859-1"; format=flowed
Content-Transfer-Encoding: 7bit
X-Originating-IP: [129.83.31.56]
Cc: "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] A Proposal for Dynamic Registration
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 08 Aug 2013 13:52:41 -0000

You could make that argument about any RESTful patterned API. While SCIM
is making great progress and is a very good protocol, I think it's a
gross mistake to hit every REST-shaped nail with a SCIM-shaped hammer.
It might make a lot of sense to you if you've already got an investment 
in a SCIM architecture, but not everyone who's doing OAuth-protected 
APIs is doing SCIM. As a matter of fact, the overwhelmingly vast 
majority of protected APIs aren't SCIM, and adopting all of the 
trappings of SCIM for just this one use case doesn't make sense for all 
of these folks.

However, for those who already have SCIM and want to do something SCIM 
based for OAuth client provisioning, I think that's fine for them, and 
that's why I suggest that the SCIM based proposal go forward as well 
(and probably in the SCIM working group). But the existence of a 
SCIM-based method of doing this doesn't invalidate the RESTful protocol 
any more than the existence of several proprietary or otherwise 
protocol-specific means of doing this does. It's the same way that
someone with a SCIM endpoint who wants to do OpenID Connect will 
probably use their SCIM endpoints instead of the UserInfo Endpoint. So 
you want something SCIM based? Go build it. I'm not stopping you, and in 
fact, I'm encouraging you to do so. I'll review and help edit the crap 
out of that spec, too.

In spite of what you're arguing, the Dyn Reg spec doesn't have to die in 
order for the SCIM spec to move forward. Maybe in five years time, 
everyone will implement that standard and not this one, or maybe it'll 
be the other way around, or maybe we'll all be off of OAuth by then on 
to the next shiny thing. But that's all pointless conjecture when we've 
got one proposed standard that's basically done and that people are 
using, one proposed standard with a clear path forward (as its parent
standard isn't done yet, it has some time to go), and one proposed 
extension to both of them that has a lot of potential but needs a lot of 
work. So let's do that.

And I think there's a point that a lot of people are missing here: 
standards are only worth something if people actually implement them. 
People are already implementing the spec that we have, and will continue 
to do so even if the IETF drops it. Doesn't it make more sense to codify 
this practice instead of pretending the world will march to what we say 
in our little working group? I'd like to remind the group that this is 
how this spec started and where it came from: several groups were 
already building mutually incompatible registration specifications. We 
decided to talk with all of these groups and try and make a common 
protocol that everyone could use and extend. I know of at least four 
protocol-specific specs that (over time) went into the dyn reg we have 
now, and there are others out there as well I'm sure.

  -- Justin

On 08/07/2013 05:59 PM, Anthony Nadalin wrote:
> This proposal provisions and de-provisions clients and allows a client to read/update provisioning data (and it also has to deal with schema extensibility, internationalization among the other things), very similar to SCIM, why do we want different ways to do this ? We also have the JIT proposals in SCIM which make even more sense for quick provisioning clients with limited data. This is a lot of repeat of SCIM.
>
> Schema extensibility is not just the ability to add or replace but the flexibility to model desired objects and relationships that are in the target store schema. We would certainly not want to create yet another store/directory just to register clients.
>
> -----Original Message-----
> From: Justin Richer [mailto:jricher@mitre.org]
> Sent: Wednesday, August 7, 2013 8:19 AM
> To: Anthony Nadalin
> Cc: oauth@ietf.org
> Subject: Re: [OAUTH-WG] A Proposal for Dynamic Registration
>
> Addressing your points inline:
>
> On 08/07/2013 10:58 AM, Anthony Nadalin wrote:
>> I see plenty of fractures, we discussed many of these at the meeting and several side meetings last week. Specifications that are brought to IETF undergo changes, morph into something different all the time regardless of who has implemented the original specifications, OAUTH Core is a fine example of how lots of running code was changed because the specification changed, so because you may have code based upon this is not a reason that it is correct and should not change.
> And all that has happened with this draft as well. Things have changed quite a bit from the original specs, breaking changes that caused huge ripples through existing implementations. Eventually though you need to say "it's good enough" -- if you keep changing things and don't declare something done, people will just get bored and move on. I'm glad that you mention OAuth core because it is a great example of our previous failure at this -- we took so long to get it out there that there are several major non-compliant implementations on the web today, most notably Facebook, who have no incentive to change to the final draft just because the IETF says so. Let's not screw this up again.
>
>>    I'm not aware of many people using this draft, as in the meeting last week I think we had 2 examples, so more people saying that they have implemented this at scale and the problems it solves would be a good thing.
> I agree that more people implementing it would be a good thing, but you're ignoring the people that already are. There are also a number of people that I've spoken to who are hesitant to implement until things are deemed fairly "stable", if not final. Those people will come up with their own, mutually-incompatible versions.
>
>> Here are the problems that I see with the current proposal and why we would/could not use it:
>>
>> 1. The schema proposal is not extensible, please look at the issues with SCIM and how the scheme was made extensible in SCIM.
> Yes, it is extensible, I really don't know where you're getting that.
> It's JSON, schema-by-fiat. If you want an extension parameter, just add it. Your server has to deal with (as in, not crash if it sees) anything in the base spec, and it has to ignore anything that it doesn't understand. Best thing I could think to add here would be an IANA registry for the client metadata names -- I personally find such things overkill but if the WG wants to go that route, we certainly can.
>> 2. This proposal requires that I now provide management at the registration endpoint to manage users and secrets, this is costly.
> What users are you talking about here? There aren't any users here that I know of. As for secrets, you already have to manage client secrets.
>
>> 3. Yet the development of another endpoint.
> Adding an endpoint for specific functionality is a good thing, it lets you separate out concerns. You talk like URLs are expensive, which is ludicrous. Would you propose we try to cram everything through a single URL like SOAP? Let's learn from the mistakes of the past instead of repeating them.
>
>> 4. I don't see any use cases, maybe these should be documented (or point people to these) so we understand what this is actually trying to solve, as this is somewhat of a mystery to me and others.
> Read appendix B. That's why it's there. If there are more cases that we can add, suggest text.
>> 5. There are a lot of issues that OAUTH does not solve, I don't think
>> that this issue (as I understand it) is in the realm of OAUTH, maybe
>> the applications area would be a better place for this specification
> This was a chartered item for the group to solve (check the charter for yourself), we discussed it several times over the last few years before it was made a chartered item (check the archives for yourself), and there are people willing to work on the document. That's all it takes for this to be in scope in the IETF. Trying to boot it into another working group at this stage is just odd to me.
>
>    -- Justin
>>
>>
>> -----Original Message-----
>> From: Justin Richer [mailto:jricher@mitre.org]
>> Sent: Wednesday, August 7, 2013 7:09 AM
>> To: Anthony Nadalin
>> Cc: oauth@ietf.org
>> Subject: Re: [OAUTH-WG] A Proposal for Dynamic Registration
>>
>> Tony, it happened several months ago:
>>
>>      http://www.ietf.org/mail-archive/web/oauth/current/msg11326.html
>>
>> This triggered a lot of discussion and brought up several changes in the document, in general for the good. The vast majority of changes were editorial in nature, clearing up the intent of the text, but the underlying protocol is pretty solid and not very different qualitatively from draft -10. At this point, I believe that all open issues are addressed in the document or directed towards specific proposed extensions, and I haven't heard anything to the contrary.
>>
>> And I think you're reading the tone content of the discussion incorrectly. As I tried to carefully lay out below, I don't see fractures. I see multiple components that can work together and fit fairly nicely into a larger system. The existence of multiple solutions does not invalidate the applicability of a known good solution. We can not shelve something good just because there's a hint of something else on the horizon (which might be good or bad, we don't know yet).
>>
>> There is a lot of support for the Dynamic Registration draft that's there today, just look at the number of implementers and protocols that are actually using it. This is not a theoretical draft, this is not an intellectual exercise, this is not a speculative document -- this is a codification of real practice that we know works and has been implemented and deployed and tested.
>>
>> And speaking of these other protocols and systems -- they're going to move on whether we at the IETF want them to or not. Nobody is going to sit around and wait for the IETF-blessed version of this functionality.
>> As a matter of fact, this document was born of the output of two groups who specifically *didn't* wait around for the IETF to solve this problem. We brought it "in house" here because we believed that it would be better to have a generally applicable solution than to have a dozen proprietary implementations. That's where true fragmentation comes from:
>> implementations and deployments, not from minor quibbles about syntax.
>> So could we stuff dynamic registration on a shelf and wait for a perfect solution to descend from heaven? Sure we could, but that would be so profoundly stupid that I would question the sanity of everyone in this working group. But if we come up with a solution that works, can be implemented, and is done in a timely fashion, then the world *will* use it. That's what we have, and that's what I want to move forward.
>>
>> There's also a lot of support for extensions (software statements) and different instantiations (SCIM) of the same basic protocol. These are good things, and they speak to the strength of the registration protocol, not its weakness.  I believe that what I've laid out below is a solid and reasonable plan for moving things forward and addressing everything that's been brought up, and so I invite the commentary of the whole of the working group. After all, the IETF is an organization of individuals and we work on rough consensus and running code.
>>
>>     -- Justin
>>
>> On 08/06/2013 07:18 PM, Anthony Nadalin wrote:
>>> I think that the IETF meeting and session on Dynamic Registration showed how fractured it was and how we don't have consensus on what needs to be done and how it needs to be done. I would not support moving any draft further along in the IETF process. I looked on mailing list and could not find out where any dynamic registration document went to WGLC, so maybe someone can point me to that.
>>>
>>> -----Original Message-----
>>> From: oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] On
>>> Behalf Of Justin Richer
>>> Sent: Tuesday, August 6, 2013 2:18 PM
>>> To: oauth@ietf.org
>>> Subject: [OAUTH-WG] A Proposal for Dynamic Registration
>>>
>>> At last week's IETF meeting, there was quite a lot of talk about the Dynamic Registration draft as well as a few other related drafts in this space. I would like to propose to the group what I think would be a positive working structure among the different approaches that would let us move everything forward. The source documents in discussion here are the WG's Dynamic Registration (draft 14) and Phil Hunt's individual submission of a SCIM-based alternative with some software assertion components to it. I suggest we refactor these into three documents:
>>>
>>>      - OAuth Dynamic Registration
>>>      - SCIM-based OAuth Dynamic Registration
>>>      - Software Statements for OAuth Dynamic Registration
>>>
>>> I think that they all have their place in the world, and this is how I see them fitting together:
>>>
>>>
>>> OAuth Dynamic Registration
>>>
>>> What it is: Essentially the draft we have today, draft 14. This draft
>>> defines a standalone RESTful API for dealing with client
>>> registrations, it allows for open registration as well as protected
>>> registration, and perhaps most importantly we know that it works
>>> because people have implemented it as part of several different APIs.
>>> This could have an informational pointer to the SCIM draft and the
>>> Software Statements draft. We could call this one "core" or "basic"
>>> or some other modifier, but I don't think that's necessary because it
>>> already does what it says on the tin.
>>>
>>> What it needs to concentrate on: This needs to be a "base" document
>>> with extension hooks in key places (such as the client metadata,
>>> which is already extensible, and places that have been made
>>> extensible like the token_endpoint_auth_method, and perhaps others).
>>> It needs to get its job done, allowing for full specification of the
>>> simple case in an interoperable way (anonymous registration of
>>> self-asserted client metadata to receive a client identifier and
>>> manage the registration) and be extensible and flexible enough for the more complex cases.
>>>
>>> What we should do: I think that we should continue shepherding this
>>> document through WGLC in the OAuth WG because there are no specific
>>> open issues in the spec (that I, the editor, am aware of) and I've
>>> seen what I would personally consider to be rough consensus on it
>>> (not unanimous, but that's not necessary anyway).
>>>
>>>
>>>
>>> SCIM-based OAuth Dynamic Registration:
>>>
>>> What it is: Most of Phil's draft, this defines a SCIM profile for
>>> managing OAuth clients dynamically. This will accomplish the same
>>> kinds of things that the OAuth Dynamic Registration Draft will
>>> accomplish, but in a SCIM-like manner. This will have a normative
>>> dependency on SCIM (of some version), and probably an informational
>>> dependency on OAuth Dynamic Registration. This could have an
>>> informational pointer to the Software Statements draft. This draft is
>>> very useful if you're already deploying a SCIM based system, and if
>>> you're investing in SCIM then it's going to be a smaller step to support this than it would be the base draft.
>>> However, I strongly believe that SCIM is a really big jump for
>>> implementing basic functionality that this is trying to accomplish.
>>>
>>> What it needs to concentrate on: Tracking with the overall SCIM
>>> specification (on which it depends) and tracking with the data model
>>> and general usage of the OAuth Dynamic Registration protocol
>>> (wherever it makes sense to do so).
>>>
>>> What we should do: I think that this draft should be picked up and
>>> worked on as an IETF document, but I think that it probably makes
>>> more sense for that work to be done inside of the SCIM working group.
>>> The reasons for this are twofold: First, this draft really should
>>> look and feel like SCIM, and to do that it really needs the attention
>>> of the group that's defining SCIM. Second, SCIM isn't completed and
>>> likely won't be for some time to come, and this draft needs to track
>>> with that protocol as it moves through the IETF process.
>>>
>>>
>>>
>>> Software Statements for OAuth Dynamic Registration
>>>
>>> What it is: Section 4 of Phil's draft (plus a few other bits,
>>> discussed here), this defines a method for presenting signed and/or
>>> verifiable claims to the registration server's endpoint. This is most
>>> useful when an authorization server can verify the claims being
>>> presented, such as being able to discover the signing key from the
>>> "iss" claim and validate the signature. This could also be used (with
>>> some additional
>>> specification) by a discovery-based system that could fix ahead of
>>> time some of the claims for a given piece of software (like we've
>>> done with BlueButton+). In some circumstances, this assertion could even contain
>>> all relevant bits of the registration, leaving the rest of the
>>> metadata fields blank. This is essentially the "use the assertion as
>>> the registration" flow that Phil discussed at the meeting, from what
>>> I understand. In all of these cases, it can give us a higher
>>> assurance for the registration and means to tie together multiple
>>> instances of a piece of software across a network.
>>>
>>> What it needs to concentrate on: Making the software statements
>>> interoperable. I don't think this is going to be an easy task, and I
>>> think it's going to be a long process to get it *right* for all players.
>>>
>>> What we should do: I think that this draft should be picked up by the
>>> OAuth Working Group as a WG document, and it should be built as an
>>> extension to both the OAuth Dynamic Registration and SCIM-based OAuth
>>> Dynamic Registration documents. I think it's important, but it's
>>> added functionality on top of either the RESTful or the SCIM-based
>>> registration documents, and as such it should have a normative
>>> reference to both of them with detailed profiles of how to use them.
>>>
>>>
>>>
>>>
>>>
>>>
>>> So in all, we've got three main documents, each with different
>>> purposes and concentrations, and with different timelines. I don't
>>> see any problem with these coexisting, and I think doing things this
>>> way can cover all of our known use cases and let us actually progress
>>> these documents and move forward.
>>>
>>>      -- Justin
>>> _______________________________________________
>>> OAuth mailing list
>>> OAuth@ietf.org
>>> https://www.ietf.org/mailman/listinfo/oauth
>>>
>>>
>>>
>>
>>
>
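
The software-statement flow and the "ignore anything it doesn't understand" rule discussed in the thread above, as an added example that is not part of any message or of the drafts themselves. The `software_statement` parameter name, the trust list, the rule that verified claims override self-asserted ones, and the use of HS256 in place of an asymmetric signature are assumptions of this example.

```python
import base64
import hashlib
import hmac
import json

# Constructed trust list: issuers this authorization server accepts, each with
# its verification key. HS256 (shared secret) stands in for the asymmetric
# signature a real deployment would use, so the example stays stdlib-only.
TRUSTED_ISSUERS = {"https://publisher.example": b"constructed-demo-key"}

# Client metadata this hypothetical server understands. Anything else in a
# request is ignored rather than rejected, which is what keeps it extensible.
KNOWN_FIELDS = {"redirect_uris", "client_name", "token_endpoint_auth_method"}


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_statement(claims: dict, key: bytes) -> str:
    """Build a constructed, signed sample statement (compact JWS, HS256)."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{b64url_encode(sig)}"


def verify_statement(token: str) -> dict:
    """Return the claims only if the issuer is trusted and the signature holds."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("statement is not a three-part compact JWS")
    header = json.loads(b64url_decode(parts[0]))
    claims = json.loads(b64url_decode(parts[1]))
    if not isinstance(header, dict) or not isinstance(claims, dict):
        raise ValueError("header and claims must be JSON objects")
    # Pin the algorithm server-side; never let the token choose it.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected signature algorithm")
    # "iss" is read before verification only to select a key from the trust
    # list; no other claim is used until the signature checks out.
    iss = claims.get("iss")
    key = TRUSTED_ISSUERS.get(iss) if isinstance(iss, str) else None
    if key is None:
        raise ValueError("issuer is not trusted")
    signed = f"{parts[0]}.{parts[1]}".encode()
    expected = hmac.new(key, signed, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(parts[2])):
        raise ValueError("signature does not verify")
    return claims


def register(request: dict) -> dict:
    """Process one registration request body (already parsed from JSON)."""
    # Self-asserted metadata: keep what we understand, silently drop the rest.
    metadata = {k: v for k, v in request.items() if k in KNOWN_FIELDS}
    verified = {}
    issuer = None
    statement = request.get("software_statement")
    if statement is not None:
        if not isinstance(statement, str):
            raise ValueError("software_statement must be a string")
        claims = verify_statement(statement)  # raises ValueError on failure
        issuer = claims["iss"]
        verified = {k: v for k, v in claims.items() if k in KNOWN_FIELDS}
        # Assumption of this example: verified claims win over self-asserted.
        metadata.update(verified)
    return {
        "metadata": metadata,
        "verified_fields": sorted(verified),
        "issuer": issuer,
    }


def demo() -> dict:
    """Register a constructed client that sends both kinds of metadata."""
    key = TRUSTED_ISSUERS["https://publisher.example"]
    statement = make_statement(
        {"iss": "https://publisher.example", "client_name": "Verified App"}, key
    )
    request = {
        "client_name": "Self Asserted Name",
        "redirect_uris": ["https://app.example/cb"],
        "x_vendor_flag": True,  # unknown extension field, ignored
        "software_statement": statement,
    }
    return register(request)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The `verified_fields` list in the result lets the server record which parts of a registration carry the higher assurance and which remain self-asserted.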


From jmandel@gmail.com  Thu Aug  8 07:51:21 2013
Return-Path: <jmandel@gmail.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D91B921F991F for <oauth@ietfa.amsl.com>; Thu,  8 Aug 2013 07:51:21 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level: 
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, HTML_MESSAGE=0.001, NO_RELAYS=-0.001]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id C-Kv-0SqETZ0 for <oauth@ietfa.amsl.com>; Thu,  8 Aug 2013 07:51:21 -0700 (PDT)
Received: from mail-oa0-x22b.google.com (mail-oa0-x22b.google.com [IPv6:2607:f8b0:4003:c02::22b]) by ietfa.amsl.com (Postfix) with ESMTP id E15C021F8D90 for <oauth@ietf.org>; Thu,  8 Aug 2013 07:51:16 -0700 (PDT)
Received: by mail-oa0-f43.google.com with SMTP id i10so5445547oag.16 for <oauth@ietf.org>; Thu, 08 Aug 2013 07:51:16 -0700 (PDT)
X-Received: by 10.182.153.200 with SMTP id vi8mr6684459obb.27.1375973476405; Thu, 08 Aug 2013 07:51:16 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.60.125.197 with HTTP; Thu, 8 Aug 2013 07:51:00 -0700 (PDT)
In-Reply-To: <5203A221.3030705@mitre.org>
References: <52016822.2090703@mitre.org> <bd9eb305a4a34669a4bd6a29d5b04066@BY2PR03MB189.namprd03.prod.outlook.com> <52025504.1000705@mitre.org> <caa0ee4331d444a6ac2a1dc03c1b42fa@BY2PR03MB189.namprd03.prod.outlook.com> <5202654C.2040500@mitre.org> <e8fbaf0f44a047f2aee747586643ba9b@BY2PR03MB189.namprd03.prod.outlook.com> <5203A221.3030705@mitre.org>
From: Josh Mandel <jmandel@gmail.com>
Date: Thu, 8 Aug 2013 07:51:00 -0700
Message-ID: <CANSMLKGnseN5v2rjSVeGNK-7U8hbPnF=v1JhoebX2m1V+By75w@mail.gmail.com>
To: Justin Richer <jricher@mitre.org>
Content-Type: multipart/alternative; boundary=089e01494a5048167104e370cacb
Cc: "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] A Proposal for Dynamic Registration
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 08 Aug 2013 14:51:22 -0000

--089e01494a5048167104e370cacb
Content-Type: text/plain; charset=ISO-8859-1

> not everyone who's doing OAuth-protected APIs is doing SCIM

+1.  (I'd wager very few have even heard of it.)


> People are already implementing the spec that we have, and will continue
> to do so even if the IETF drops it.


+1.

--089e01494a5048167104e370cacb--

From James.H.Manger@team.telstra.com  Thu Aug  8 07:55:10 2013
Return-Path: <James.H.Manger@team.telstra.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D8E8C11E81D9 for <oauth@ietfa.amsl.com>; Thu,  8 Aug 2013 07:55:10 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.499
X-Spam-Level: 
X-Spam-Status: No, score=-1.499 tagged_above=-999 required=5 tests=[AWL=1.402,  BAYES_00=-2.599, GB_I_LETTER=-2, HELO_EQ_AU=0.377, HOST_EQ_AU=0.327, RELAY_IS_203=0.994]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id nB5hYG7XlOo4 for <oauth@ietfa.amsl.com>; Thu,  8 Aug 2013 07:55:05 -0700 (PDT)
Received: from ipxano.tcif.telstra.com.au (ipxano.tcif.telstra.com.au [203.35.82.200]) by ietfa.amsl.com (Postfix) with ESMTP id 3D77311E8168 for <oauth@ietf.org>; Thu,  8 Aug 2013 07:55:05 -0700 (PDT)
X-IronPort-AV: E=Sophos;i="4.89,839,1367935200"; d="scan'208";a="151439843"
Received: from unknown (HELO ipcdni.tcif.telstra.com.au) ([10.97.216.212]) by ipoani.tcif.telstra.com.au with ESMTP; 09 Aug 2013 00:54:59 +1000
X-IronPort-AV: E=McAfee;i="5400,1158,7160"; a="111269079"
Received: from wsmsg3701.srv.dir.telstra.com ([172.49.40.169]) by ipcdni.tcif.telstra.com.au with ESMTP; 09 Aug 2013 00:54:59 +1000
Received: from WSMSG3153V.srv.dir.telstra.com ([172.49.40.159]) by WSMSG3701.srv.dir.telstra.com ([172.49.40.169]) with mapi; Fri, 9 Aug 2013 00:54:59 +1000
From: "Manger, James H" <James.H.Manger@team.telstra.com>
To: "oauth@ietf.org WG" <oauth@ietf.org>
Date: Fri, 9 Aug 2013 00:54:56 +1000
Thread-Topic: [OAUTH-WG] WGLC on JSON Web Token (JWT)
Thread-Index: Ac6TT0vhulQYMkb2Ta+CwLXXkxiM9wAeaQCA
Message-ID: <255B9BB34FB7D647A506DC292726F6E1152869AC01@WSMSG3153V.srv.dir.telstra.com>
References: <5202113B.1020505@gmx.net>
In-Reply-To: <5202113B.1020505@gmx.net>
Accept-Language: en-US, en-AU
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
acceptlanguage: en-US, en-AU
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
Subject: Re: [OAUTH-WG] WGLC on JSON Web Token (JWT)
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 08 Aug 2013 14:55:11 -0000

From tonynad@microsoft.com  Thu Aug  8 09:13:50 2013
Return-Path: <tonynad@microsoft.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4B07411E8132 for <oauth@ietfa.amsl.com>; Thu,  8 Aug 2013 09:13:50 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.699
X-Spam-Level: 
X-Spam-Status: No, score=-2.699 tagged_above=-999 required=5 tests=[AWL=-0.300, BAYES_00=-2.599, J_CHICKENPOX_21=0.6, J_CHICKENPOX_83=0.6, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id s7xdoaEVTAzT for <oauth@ietfa.amsl.com>; Thu,  8 Aug 2013 09:13:46 -0700 (PDT)
Received: from na01-bl2-obe.outbound.protection.outlook.com (mail-bl2lp0207.outbound.protection.outlook.com [207.46.163.207]) by ietfa.amsl.com (Postfix) with ESMTP id 3BDA011E815E for <oauth@ietf.org>; Thu,  8 Aug 2013 09:13:45 -0700 (PDT)
Received: from BY2PR03MB189.namprd03.prod.outlook.com (10.242.36.140) by BY2PR03MB192.namprd03.prod.outlook.com (10.242.36.144) with Microsoft SMTP Server (TLS) id 15.0.745.25; Thu, 8 Aug 2013 15:43:28 +0000
Received: from BY2PR03MB189.namprd03.prod.outlook.com ([169.254.6.82]) by BY2PR03MB189.namprd03.prod.outlook.com ([169.254.6.82]) with mapi id 15.00.0745.000; Thu, 8 Aug 2013 15:43:28 +0000
From: Anthony Nadalin <tonynad@microsoft.com>
To: Justin Richer <jricher@mitre.org>
Thread-Topic: [OAUTH-WG] A Proposal for Dynamic Registration
Thread-Index: AQHOkusVub8uV8Fzs026F8FprsDzrJmIzgQQgAD7gwCAAAaN4IAADNsAgABo01CAARDfgIAAFCrw
Date: Thu, 8 Aug 2013 15:43:27 +0000
Message-ID: <572b383a902245ab99f82c9c3bdc3082@BY2PR03MB189.namprd03.prod.outlook.com>
References: <52016822.2090703@mitre.org> <bd9eb305a4a34669a4bd6a29d5b04066@BY2PR03MB189.namprd03.prod.outlook.com> <52025504.1000705@mitre.org> <caa0ee4331d444a6ac2a1dc03c1b42fa@BY2PR03MB189.namprd03.prod.outlook.com> <5202654C.2040500@mitre.org> <e8fbaf0f44a047f2aee747586643ba9b@BY2PR03MB189.namprd03.prod.outlook.com> <5203A221.3030705@mitre.org>
In-Reply-To: <5203A221.3030705@mitre.org>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
x-originating-ip: [10.255.124.4]
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Cc: "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] A Proposal for Dynamic Registration
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 08 Aug 2013 16:13:50 -0000

There are implementations of SCIM out there in production in large and small scale companies provisioning a heck of a lot of clients, so fully understand all your points about implementations, and thus my concerns about what is being proposed with the dyn reg, who would use it, do we already have something that is close enough, is it solving the right issues, can it be made better more flexible to include other extensible mechanisms, does it include things that are beyond the scope (like client configuration endpoint) etc. I don't think this spec is anywhere near WGLC, thus all the activity on the list, in the meetings and interim calls, fixing the specification and answering the concerns may help drive more adoption and usage.

I'm not sure 2 or more specifications solving the same or close issues will really help IETF and the various participants, as this just adds to confusion and potential interoperability issues.


-----Original Message-----
From: Justin Richer [mailto:jricher@mitre.org]
Sent: Thursday, August 8, 2013 6:50 AM
To: Anthony Nadalin
Cc: oauth@ietf.org
Subject: Re: [OAUTH-WG] A Proposal for Dynamic Registration

You could make that argument about any RESTful patterned API. While SCIM is making great progress and is a very good protocol, and I think it's a gross mistake to hit every REST-shaped nail with a SCIM-shaped hammer.
It might make a lot of sense to you if you've already got an investment in a SCIM architecture, but not everyone who's doing OAuth-protected APIs is doing SCIM. As a matter of fact, the overwhelmingly vast majority of protected APIs aren't SCIM, and adopting all of the trappings of SCIM for just this one use case doesn't make sense for all of these folks.

However, for those who already have SCIM and want to do something SCIM based for OAuth client provisioning, I think that's fine for them, and that's why I suggest that the SCIM based proposal go forward as well (and probably in the SCIM working group). But the existence of a SCIM-based method of doing this doesn't invalidate the RESTful protocol any more than the existence of several proprietary or otherwise protocol-specific means of doing this are. It's the same way that someone with a SCIM endpoint who wants to do OpenID Connect will probably use their SCIM endpoints instead of the UserInfo Endpoint. So you want something SCIM based? Go build it. I'm not stopping you, and in fact, I'm encouraging you to do so. I'll review and help edit the crap out of that spec, too.

In spite of what you're arguing, the Dyn Reg spec doesn't have to die in order for the SCIM spec to move forward. Maybe in five years time, everyone will implement that standard and not this one, or maybe it'll be the other way around, or maybe we'll all be off of OAuth by then on to the next shiny thing. But that's all pointless conjecture when we've got one proposed standard that's basically done and that people are using, one proposed standard with a clear path forward (as its parent standard isn't done yet, it has some time to go), and one proposed extension to both of them that has a lot of potential but needs a lot of work. So let's do that.

And I think there's a point that a lot of people are missing here:
standards are only worth something if people actually implement them.
People are already implementing the spec that we have, and will continue to do so even if the IETF drops it. Doesn't it make more sense to codify this practice instead of pretending the world will march to what we say in our little working group? I'd like to remind the group that this is how this spec started and where it came from: several groups were already building mutually incompatible registration specifications. We decided to talk with all of these groups and try and make a common protocol that everyone could use and extend. I know of at least four protocol-specific specs that (over time) went into the dyn reg we have now, and there are others out there as well I'm sure.

  -- Justin

On 08/07/2013 05:59 PM, Anthony Nadalin wrote:
> This proposal provisions and de-provisions clients and allows a client to read/update provisioning data (and it also has to deal with schema extensibility, internationalization among the other things), very similar to SCIM, why do we want different ways to do this ? We also have the JIT proposals in SCIM which make even more sense for quick provisioning clients with limited data. This is a lot of repeat of SCIM.
>
> Schema extensibility is not just the ability to add or replace but the flexibility to model desired objects and relationships that are in the target store schema. We would certainly not want to create yet another store/directory just to register clients.
>
> -----Original Message-----
> From: Justin Richer [mailto:jricher@mitre.org]
> Sent: Wednesday, August 7, 2013 8:19 AM
> To: Anthony Nadalin
> Cc: oauth@ietf.org
> Subject: Re: [OAUTH-WG] A Proposal for Dynamic Registration
>
> Addressing your points inline:
>
> On 08/07/2013 10:58 AM, Anthony Nadalin wrote:
>> I see plenty of fractures, we discussed many of these at the meeting and several side meetings last week. Specifications that are brought to IETF undergo changes, morph into something different all the time regardless of who has implemented the original specifications, OAUTH Core is a fine example of how lots of running code was changed because the specification changed, so because you may have code based upon this is not a reason that it is correct and should not change.
> And all that has happened with this draft as well. Things have changed quite a bit from the original specs, breaking changes that caused huge ripples through existing implementations. Eventually though you need to say "it's good enough" -- if you keep changing things and don't declare something done, people will just get bored and move on. I'm glad that you mention OAuth core because it is a great example of our previous failure at this -- we took so long to get it out there that there are several major non-compliant implementations on the web today, most notably Facebook, who have no incentive to change to the final draft just because the IETF says so. Let's not screw this up again.
>
>>    I'm not aware of many people using this draft, as in the meeting last week I think we had 2 examples, so more people saying that they have implemented this at scale and the problems it solves would be a good thing.
> I agree that more people implementing it would be a good thing, but you're ignoring the people that already are. There are also a number of people that I've spoken to who are hesitant to implement until things are deemed fairly "stable", if not final. Those people will come up with their own, mutually-incompatible versions.
>
>> Here are the problems that I see with the current proposal and why we would/could not use it:
>>
>> 1. The schema proposal is not extensible, please look at the issues with SCIM and how the scheme was made extensible in SCIM.
> Yes, it is extensible, I really don't know where you're getting that.
> It's JSON, schema-by-fiat. If you want an extension parameter, just add it. Your server has to deal with (as in, not crash if it sees) anything in the base spec, and it has to ignore anything that it doesn't understand. Best thing I could think to add here would be an IANA registry for the client metadata names -- I personally find such things overkill but if the WG wants to go that route, we certainly can.
>> 2. This proposal requires that I now provide management at the registration endpoint to manage users and secrets, this is costly.
> What users are you talking about here? There aren't any users here that I know of. As for secrets, you already have to manage client secrets.
>
>> 3. Yet the development of another endpoint.
> Adding an endpoint for specific functionality is a good thing, it lets you separate out concerns. You talk like URLs are expensive, which is ludicrous. Would you propose we try to cram everything through a single URL like SOAP? Let's learn from the mistakes of the past instead of repeating them.
>
>> 4. I don't see any use cases, maybe these should be documented (or point people to these) so we understand what this is actually trying to solve, as this is somewhat of a mystery to me and others.
> Read appendix B. That's why it's there. If there are more cases that we can add, suggest text.
>> 5. There are a lot of issues that OAUTH does not solve, I don't think
>> that this issue (as I understand it) is in the realm of OAUTH, maybe
>> the applications area would be a better place for this specification
> This was a chartered item for the group to solve (check the charter
> for yourself), we discussed it several times over the last few years
> before it was made a chartered item (check the archives for yourself),
> and there are people willing to work on the document. That's all it
> takes for this to be in scope in the IETF. Trying to boot it into
> another working group at this stage is just odd to me.
>
>    -- Justin
>>
>>
>> -----Original Message-----
>> From: Justin Richer [mailto:jricher@mitre.org]
>> Sent: Wednesday, August 7, 2013 7:09 AM
>> To: Anthony Nadalin
>> Cc: oauth@ietf.org
>> Subject: Re: [OAUTH-WG] A Proposal for Dynamic Registration
>>
>> Tony, it happened several months ago:
>>
>>      http://www.ietf.org/mail-archive/web/oauth/current/msg11326.html
>>
>> This triggered a lot of discussion and brought up several changes in the document, in general for the good. The vast majority of changes were editorial in nature, clearing up the intent of the text, but the underlying protocol is pretty solid and not very different qualitatively from draft -10. At this point, I believe that all open issues are addressed in the document or directed towards specific proposed extensions, and I haven't heard anything to the contrary.
>>
>> And I think you're reading the tone content of the discussion incorrectly. As I tried to carefully lay out below, I don't see fractures. I see multiple components that can work together and fit fairly nicely into a larger system. The existence of multiple solutions does not invalidate the applicability of a known good solution. We can not shelve something good just because there's a hint of something else on the horizon (which might be good or bad, we don't know yet).
>>
>> There is a lot of support for the Dynamic Registration draft that's there today, just look at the number of implementers and protocols that are actually using it. This is not a theoretical draft, this is not an intellectual exercise, this is not a speculative document -- this is a codification of real practice that we know works and has been implemented and deployed and tested.
>>
>> And speaking of these other protocols and systems -- they're going to move on whether we at the IETF want them to or not. Nobody is going to sit around and wait for the IETF-blessed version of this functionality.
>> As a matter of fact, this document was born of the output of two groups who specifically *didn't* wait around for the IETF to solve this problem. We brought it "in house" here because we believed that it would be better to have a generally applicable solution than to have a dozen proprietary implementations. That's where true fragmentation comes from:
>> implementations and deployments, not from minor quibbles about syntax.
>> So could we stuff dynamic registration on a shelf and wait for a perfect solution to descend from heaven? Sure we could, but that would be so profoundly stupid that I would question the sanity of everyone in this working group. But if we come up with a solution that works, can be implemented, and is done in a timely fashion, then the world *will* use it. That's what we have, and that's what I want to move forward.
>>
>> There's also a lot of support for extensions (software statements) and different instantiations (SCIM) of the same basic protocol. These are good things, and they speak to the strength of the registration protocol, not its weakness.  I believe that what I've laid out below is a solid and reasonable plan for moving things forward and addressing everything that's been brought up, and so I invite the commentary of the whole of the working group. After all, the IETF is an organization of individuals and we work on rough consensus and running code.
>>
>>     -- Justin
>>
>> On 08/06/2013 07:18 PM, Anthony Nadalin wrote:
>>> I think that the IETF meeting and session on Dynamic Registration showed how fractured it was and how we don't have consensus on what needs to be done and how it needs to be done. I would not support moving any draft further along in the IETF process. I looked on mailing list and could not find out where any dynamic registration document went to WGLC, so maybe someone can point me to that.
>>>
>>> -----Original Message-----
>>> From: oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] On Behalf Of Justin Richer
>>> Sent: Tuesday, August 6, 2013 2:18 PM
>>> To: oauth@ietf.org
>>> Subject: [OAUTH-WG] A Proposal for Dynamic Registration
>>>
>>> At last week's IETF meeting, there was quite a lot of talk about the Dynamic Registration draft as well as a few other related drafts in this space. I would like to propose to the group what I think would be a positive working structure among the different approaches that would let us move everything forward. The source documents in discussion here are the WG's Dynamic Registration (draft 14) and Phil Hunt's individual submission of a SCIM-based alternative with some software assertion components to it. I suggest we refactor these into three documents:
>>>
>>>      - OAuth Dynamic Registration
>>>      - SCIM-based OAuth Dynamic Registration
>>>      - Software Statements for OAuth Dynamic Registration
>>>
>>> I think that they all have their place in the world, and this is how I see them fitting together:
>>>
>>>
>>> OAuth Dynamic Registration
>>>
>>> What it is: Essentially the draft we have today, draft 14. This
>>> draft defines a standalone RESTful API for dealing with client
>>> registrations, it allows for open registration as well as protected
>>> registration, and perhaps most importantly we know that it works
>>> because people have implemented it as part of several different APIs.
>>> This could have an informational pointer to the SCIM draft and the
>>> Software Statements draft. We could call this one "core" or "basic"
>>> or some other modifier, but I don't think that's necessary because
>>> it already does what it says on the tin.
>>>
>>> What it needs to concentrate on: This needs to be a "base" document
>>> with extension hooks in key places (such as the client metadata,
>>> which is already extensible, and places that have been made
>>> extensible like the token_endpoint_auth_method, and perhaps others).
>>> It needs to get its job done, allowing for full specification of the
>>> simple case in an interoperable way (anonymous registration of
>>> self-asserted client metadata to receive a client identifier and
>>> manage the registration) and be extensible and flexible enough for the
>>> more complex cases.
>>>
>>> What we should do: I think that we should continue shepherding this
>>> document through WGLC in the OAuth WG because there are no specific
>>> open issues in the spec (that I, the editor, am aware of) and I've
>>> seen what I would personally consider to be rough consensus on it
>>> (not unanimous, but that's not necessary anyway).
>>>
>>>
>>>
>>> SCIM-based OAuth Dynamic Registration:
>>>
>>> What it is: Most of Phil's draft, this defines a SCIM profile for
>>> managing OAuth clients dynamically. This will accomplish the same
>>> kinds of things that the OAuth Dynamic Registration Draft will
>>> accomplish, but in a SCIM-like manner. This will have a normative
>>> dependency on SCIM (of some version), and probably an informational
>>> dependency on OAuth Dynamic Registration. This could have an
>>> informational pointer to the Software Statements draft. This draft
>>> is very useful if you're already deploying a SCIM based system, and
>>> if you're investing in SCIM then it's going to be a smaller step to
>>> support this than it would be the base draft.
>>> However, I strongly believe that SCIM is a really big jump for
>>> implementing basic functionality that this is trying to accomplish.
>>>
>>> What it needs to concentrate on: Tracking with the overall SCIM
>>> specification (on which it depends) and tracking with the data model
>>> and general usage of the OAuth Dynamic Registration protocol
>>> (wherever it makes sense to do so).
>>>
>>> What we should do: I think that this draft should be picked up and
>>> worked on as an IETF document, but I think that it probably makes
>>> more sense for that work to be done inside of the SCIM working group.
>>> The reasons for this are twofold: First, this draft really should
>>> look and feel like SCIM, and to do that it really needs the
>>> attention of the group that's defining SCIM. Second, SCIM isn't
>>> completed and likely won't be for some time to come, and this draft
>>> needs to track with that protocol as it moves through the IETF process.
>>>
>>>
>>>
>>> Software Statements for OAuth Dynamic Registration
>>>
>>> What it is: Section 4 of Phil's draft (plus a few other bits,
>>> discussed here), this defines a method for presenting signed and/or
>>> verifiable claims to the registration server's endpoint. This is
>>> most useful when an authorization server can verify the claims being
>>> presented, such as being able to discover the signing key from the
>>> "iss" claim and validate the signature. This could also be used
>>> (with some additional specification) by a discovery-based system
>>> that could fix ahead of time some of the claims for a given piece of
>>> software (like we've done with BlueButton+). In some circumstances,
>>> this assertion could even contain
>>> all relevant bits of the registration, leaving the rest of the
>>> metadata fields blank. This is essentially the "use the assertion as
>>> the registration" flow that Phil discussed at the meeting, from what
>>> I understand. In all of these cases, it can give us a higher
>>> assurance for the registration and means to tie together multiple
>>> instances of a piece of software across a network.
>>>
>>> What it needs to concentrate on: Making the software statements
>>> interoperable. I don't think this is going to be an easy task, and I
>>> think it's going to be a long process to get it *right* for all players.
>>>
>>> What we should do: I think that this draft should be picked up by
>>> the OAuth Working Group as a WG document, and it should be built as
>>> an extension to both the OAuth Dynamic Registration and SCIM-based
>>> OAuth Dynamic Registration documents. I think it's important, but
>>> it's added functionality on top of either the RESTful or the
>>> SCIM-based registration documents, and as such it should have a
>>> normative reference to both of them with detailed profiles of how to
>>> use them.
>>>
>>>
>>>
>>>
>>>
>>>
>>> So in all, we've got three main documents, each with different
>>> purposes and concentrations, and with different timelines. I don't
>>> see any problem with these coexisting, and I think doing things this
>>> way can cover all of our known use cases and let us actually
>>> progress these documents and move forward.
>>>
>>>      -- Justin
>>> _______________________________________________
>>> OAuth mailing list
>>> OAuth@ietf.org
>>> https://www.ietf.org/mailman/listinfo/oauth
>>>
>>>
>>>
>>
>>
>
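
The software-statement check and the "ignore what you don't understand" rule discussed in the quoted thread above, as an added example that is not part of any message or draft. HS256 with a per-issuer shared key stands in here for the asymmetric signature a deployment would normally use; the `software_statement` and `software_issuer` names, the issuer URL and the key are assumptions constructed for the example.

```python
import base64
import hashlib
import hmac
import json
import secrets

# Constructed trust store: issuer -> (pinned algorithm, verification key).
TRUSTED_ISSUERS = {
    "https://publisher.example": ("HS256", b"constructed-demo-key"),
}

# Client metadata this server understands; everything else is ignored.
KNOWN_FIELDS = {"client_name", "redirect_uris", "token_endpoint_auth_method"}


class StatementError(ValueError):
    """Raised when a software statement must not be trusted."""


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _mac(key: bytes, signing_input: str) -> bytes:
    return hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()


def sign_statement(claims: dict, key: bytes) -> str:
    """Build a compact HS256 JWS; used here only to construct sample input."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    signing_input = f"{header}.{payload}"
    return f"{signing_input}.{b64url_encode(_mac(key, signing_input))}"


def verify_statement(token: str) -> dict:
    """Return the claims of a statement signed by a trusted issuer."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(header_b64))
        claims = json.loads(b64url_decode(payload_b64))
        signature = b64url_decode(sig_b64)
    except (ValueError, TypeError, AttributeError) as exc:
        raise StatementError("malformed statement") from exc
    if not isinstance(header, dict) or not isinstance(claims, dict):
        raise StatementError("malformed statement")
    # "iss" is attacker-controlled until the signature verifies, so it only
    # selects an entry in the local allow-list; it is never a URL to fetch.
    iss = claims.get("iss")
    if not isinstance(iss, str) or iss not in TRUSTED_ISSUERS:
        raise StatementError("untrusted issuer")
    pinned_alg, key = TRUSTED_ISSUERS[iss]
    # The algorithm comes from the trust store, not from the token header.
    if header.get("alg") != pinned_alg:
        raise StatementError("unexpected algorithm")
    if not hmac.compare_digest(_mac(key, f"{header_b64}.{payload_b64}"), signature):
        raise StatementError("bad signature")
    return claims


def statement_status(token: str) -> str:
    """Return "ok" or the reason the statement was rejected."""
    try:
        verify_statement(token)
    except StatementError as exc:
        return str(exc)
    return "ok"


def register_client(request: dict) -> dict:
    """Merge self-asserted metadata with an optional signed statement."""
    metadata = {k: v for k, v in request.items() if k in KNOWN_FIELDS}
    assurance = "self-asserted"
    token = request.get("software_statement")  # hypothetical parameter name
    if token is not None:
        claims = verify_statement(token)
        # Issuer-signed values win over self-asserted ones of the same name.
        metadata.update({k: v for k, v in claims.items() if k in KNOWN_FIELDS})
        metadata["software_issuer"] = claims["iss"]  # hypothetical field name
        assurance = "issuer-signed"
    return {"client_id": secrets.token_urlsafe(16), "assurance": assurance, **metadata}


if __name__ == "__main__":
    demo_key = TRUSTED_ISSUERS["https://publisher.example"][1]
    statement = sign_statement(
        {"iss": "https://publisher.example", "client_name": "Signed App",
         "redirect_uris": ["https://app.example/cb"]}, demo_key)
    print(register_client({"software_statement": statement,
                           "client_name": "Spoofed", "x_vendor_ext": 1}))
```
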



From hannes.tschofenig@gmx.net  Thu Aug  8 10:20:52 2013
Message-ID: <5203D379.9020501@gmx.net>
Date: Thu, 08 Aug 2013 19:20:57 +0200
From: Hannes Tschofenig <hannes.tschofenig@gmx.net>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:17.0) Gecko/20130623 Thunderbird/17.0.7
MIME-Version: 1.0
To: "oauth@ietf.org WG" <oauth@ietf.org>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Subject: [OAUTH-WG] Dynamic Client Registration Design Team: Conference Call Dates

Hi all,

please enter your availability for a conference call regarding the 
'dynamic client registration' design team into this webpage:
http://moreganize.com/bltr4C3YmGj

The table looks a bit scary but I am essentially offering three slots 
per day, namely
* 6am PDT
* 2pm PDT
* 9pm PDT
starting with August 19th to October 4th.

Deadline for indicating your preference is August 18th.

Ciao
Hannes

From mike@gluu.org  Thu Aug  8 13:23:06 2013
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 7bit
Date: Thu, 08 Aug 2013 15:22:44 -0500
From: mike@gluu.org
To: <oauth@ietf.org>
Message-ID: <8e1ea7617c20b54b3cecbc99364b399a@gluu.org>
Subject: [OAUTH-WG] OX needs Dynamic Registration: please don't remove!

OAuth WG,

As some of you may know, the OX open source project provides an 
implementation of Enterprise UMA, which enables organizations to control 
which people and clients can access web resources.

I rarely weigh in, because you all are doing such a great job. However, I 
was quite distressed to learn about the suggestion to stop work on the 
dynamic client registration spec. This proposed change would have a 
negative impact on OX, and the varied adopters of our software from 
around the world.

No standard for dynamic client registration would make OX less 
"standard" by creating a bigger delta between UMA and other OAuth2 
implementations. As OX also implements the OpenID Connect OP endpoints, 
and dropping this effort would also make a convergence path for client 
registration less likely.

Please leave dynamic client registration!

Thanks for all your great work!

- Mike Schwartz
Founder / CEO
Gluu
http://gluu.org

PS: Help us crowd fund open source OAuth2 plugins for Apache HTTPD : 
http://www.gluu.co/uma-apache


From phil.hunt@oracle.com  Sun Aug 11 16:33:25 2013
References: <52016822.2090703@mitre.org> <bd9eb305a4a34669a4bd6a29d5b04066@BY2PR03MB189.namprd03.prod.outlook.com> <52025504.1000705@mitre.org> <caa0ee4331d444a6ac2a1dc03c1b42fa@BY2PR03MB189.namprd03.prod.outlook.com> <5202654C.2040500@mitre.org> <e8fbaf0f44a047f2aee747586643ba9b@BY2PR03MB189.namprd03.prod.outlook.com>
Mime-Version: 1.0 (1.0)
In-Reply-To: <e8fbaf0f44a047f2aee747586643ba9b@BY2PR03MB189.namprd03.prod.outlook.com>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: quoted-printable
Message-Id: <6448B6AA-4F40-48CF-AFDD-3F535959349F@oracle.com>
X-Mailer: iPhone Mail (10B329)
From: Phil Hunt <phil.hunt@oracle.com>
Date: Sun, 11 Aug 2013 16:27:49 -0700
To: Anthony Nadalin <tonynad@microsoft.com>
Cc: "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] A Proposal for Dynamic Registration

+1

I also would like to explore the assertion exchange concept that doesn't require any endpoint.

I see no point in rushing here.

More than one method makes no sense unless there is a fundamental reason. We have none.

Dyn reg duplicates scim and we have to reconcile this now or with the iesg.

Phil

On 2013-08-07, at 14:59, Anthony Nadalin <tonynad@microsoft.com> wrote:

> This proposal provisions and de-provisions clients and allows a client to read/update provisioning data (and it also has to deal with schema extensibility, internationalization among the other things), very similar to SCIM, why do we want different ways to do this? We also have the JIT proposals in SCIM which make even more sense for quick provisioning clients with limited data. This is a lot of repeat of SCIM.
>
> Schema extensibility is not just the ability to add or replace but the flexibility to model desired objects and relationships that are in the target store schema. We would certainly not want to create yet another store/directory just to register clients.
>
> -----Original Message-----
> From: Justin Richer [mailto:jricher@mitre.org]
> Sent: Wednesday, August 7, 2013 8:19 AM
> To: Anthony Nadalin
> Cc: oauth@ietf.org
> Subject: Re: [OAUTH-WG] A Proposal for Dynamic Registration
>
> Addressing your points inline:
>
> On 08/07/2013 10:58 AM, Anthony Nadalin wrote:
>> I see plenty of fractures, we discussed many of these at the meeting and several side meetings last week. Specifications that are brought to IETF undergo changes, morph into something different all the time regardless of who has implemented the original specifications, OAUTH Core is a fine example of how lots of running code was changed because the specification changed, so because you may have code based upon this is not a reason that it is correct and should not change.
> And all that has happened with this draft as well. Things have changed quite a bit from the original specs, breaking changes that caused huge ripples through existing implementations. Eventually though you need to say "it's good enough" -- if you keep changing things and don't declare something done, people will just get bored and move on. I'm glad that you mention OAuth core because it is a great example of our previous failure at this -- we took so long to get it out there that there are several major non-compliant implementations on the web today, most notably Facebook, who have no incentive to change to the final draft just because the IETF says so. Let's not screw this up again.
>
>>  I'm not aware of many people using this draft, as in the meeting last week I think we had 2 examples, so more people saying that they have implemented this at scale and the problems it solves would be a good thing.
> I agree that more people implementing it would be a good thing, but you're ignoring the people that already are. There are also a number of people that I've spoken to who are hesitant to implement until things are deemed fairly "stable", if not final. Those people will come up with their own, mutually-incompatible versions.
>
>> Here are the problems that I see with the current proposal and why we would/could not use it:
>>
>> 1. The schema proposal is not extensible, please look at the issues with SCIM and how the scheme was made extensible in SCIM.
> Yes, it is extensible, I really don't know where you're getting that. It's JSON, schema-by-fiat. If you want an extension parameter, just add it. Your server has to deal with (as in, not crash if it sees) anything in the base spec, and it has to ignore anything that it doesn't understand. Best thing I could think to add here would be an IANA registry for the client metadata names -- I personally find such things overkill but if the WG wants to go that route, we certainly can.
>> 2. This proposal requires that I now provide management at the registration endpoint to manage users and secrets, this is costly.
> What users are you talking about here? There aren't any users here that I know of. As for secrets, you already have to manage client secrets.
>
>> 3. Yet the development of another endpoint.
> Adding an endpoint for specific functionality is a good thing, it lets you separate out concerns. You talk like URLs are expensive, which is ludicrous. Would you propose we try to cram everything through a single URL like SOAP? Let's learn from the mistakes of the past instead of repeating them.
>
>> 4. I don't see any use cases, maybe these should be documented (or point people to these) so we understand what this is actually trying to solve, as this is somewhat of a mystery to me and others.
> Read appendix B. That's why it's there. If there are more cases that we can add, suggest text.
>> 5. There are a lot of issues that OAUTH does not solve, I don't think
>> that this issue (as I understand it) is in the realm of OAUTH, maybe
>> the applications area would be a better place for this specification
> This was a chartered item for the group to solve (check the charter for yourself), we discussed it several times over the last few years before it was made a chartered item (check the archives for yourself), and there are people willing to work on the document. That's all it takes for this to be in scope in the IETF. Trying to boot it into another working group at this stage is just odd to me.
>
>  -- Justin
>>
>>
>>
>> -----Original Message-----
>> From: Justin Richer [mailto:jricher@mitre.org]
>> Sent: Wednesday, August 7, 2013 7:09 AM
>> To: Anthony Nadalin
>> Cc: oauth@ietf.org
>> Subject: Re: [OAUTH-WG] A Proposal for Dynamic Registration
>>
>> Tony, it happened several months ago:
>>
>>    http://www.ietf.org/mail-archive/web/oauth/current/msg11326.html
>>
>> This triggered a lot of discussion and brought up several changes in the document, in general for the good. The vast majority of changes were editorial in nature, clearing up the intent of the text, but the underlying protocol is pretty solid and not very different qualitatively from draft -10. At this point, I believe that all open issues are addressed in the document or directed towards specific proposed extensions, and I haven't heard anything to the contrary.
>>
>> And I think you're reading the tone content of the discussion incorrectly. As I tried to carefully lay out below, I don't see fractures. I see multiple components that can work together and fit fairly nicely into a larger system. The existence of multiple solutions does not invalidate the applicability of a known good solution. We can not shelve something good just because there's a hint of something else on the horizon (which might be good or bad, we don't know yet).
>>
>> There is a lot of support for the Dynamic Registration draft that's there today, just look at the number of implementers and protocols that are actually using it. This is not a theoretical draft, this is not an intellectual exercise, this is not a speculative document -- this is a codification of real practice that we know works and has been implemented and deployed and tested.
>>
>> And speaking of these other protocols and systems -- they're going to move on whether we at the IETF want them to or not. Nobody is going to sit around and wait for the IETF-blessed version of this functionality.
>> As a matter of fact, this document was born of the output of two groups who specifically *didn't* wait around for the IETF to solve this problem. We brought it "in house" here because we believed that it would be better to have a generally applicable solution than to have a dozen proprietary implementations. That's where true fragmentation comes from: implementations and deployments, not from minor quibbles about syntax.
>> So could we stuff dynamic registration on a shelf and wait for a perfect solution to descend from heaven? Sure we could, but that would be so profoundly stupid that I would question the sanity of everyone in this working group. But if we come up with a solution that works, can be implemented, and is done in a timely fashion, then the world *will* use it. That's what we have, and that's what I want to move forward.
>>
>> There's also a lot of support for extensions (software statements) and different instantiations (SCIM) of the same basic protocol. These are good things, and they speak to the strength of the registration protocol, not its weakness.  I believe that what I've laid out below is a solid and reasonable plan for moving things forward and addressing everything that's been brought up, and so I invite the commentary of the whole of the working group. After all, the IETF is an organization of individuals and we work on rough consensus and running code.
>>
>>   -- Justin
>>
>> On 08/06/2013 07:18 PM, Anthony Nadalin wrote:
>>> I think that the IETF meeting and session on Dynamic Registration showed how fractured it was and how we don't have consensus on what needs to be done and how it needs to be done. I would not support moving any draft further along in the IETF process. I looked on mailing list and could not find out where any dynamic registration document went to WGLC, so maybe someone can point me to that.
>>>
>>> -----Original Message-----
>>> From: oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] On Behalf Of Justin Richer
>>> Sent: Tuesday, August 6, 2013 2:18 PM
>>> To: oauth@ietf.org
>>> Subject: [OAUTH-WG] A Proposal for Dynamic Registration
>>>
>>> At last week's IETF meeting, there was quite a lot of talk about the Dynamic Registration draft as well as a few other related drafts in this space. I would like to propose to the group what I think would be a positive working structure among the different approaches that would let us move everything forward. The source documents in discussion here are the WG's Dynamic Registration (draft 14) and Phil Hunt's individual submission of a SCIM-based alternative with some software assertion components to it. I suggest we refactor these into three documents:
>>>
>>>    - OAuth Dynamic Registration
>>>    - SCIM-based OAuth Dynamic Registration
>>>    - Software Statements for OAuth Dynamic Registration
>>>
>>> I think that they all have their place in the world, and this is how I see them fitting together:
>>>
>>>
>>> OAuth Dynamic Registration
>>>
>>> What it is: Essentially the draft we have today, draft 14. This draft
>>> defines a standalone RESTful API for dealing with client
>>> registrations, it allows for open registration as well as protected
>>> registration, and perhaps most importantly we know that it works
>>> because people have implemented it as part of several different APIs.
>>> This could have an informational pointer to the SCIM draft and the
>>> Software Statements draft. We could call this one "core" or "basic"
>>> or some other modifier, but I don't think that's necessary because it
>>> already does what it says on the tin.
>>>
>>> What it needs to concentrate on: This needs to be a "base" document
>>> with extension hooks in key places (such as the client metadata,
>>> which is already extensible, and places that have been made
>>> extensible like the token_endpoint_auth_method, and perhaps others).
>>> It needs to get its job done, allowing for full specification of the
>>> simple case in an interoperable way (anonymous registration of
>>> self-asserted client metadata to receive a client identifier and
>>> manage the registration) and be extensible and flexible enough for the
>>> more complex cases.
>>>
>>> What we should do: I think that we should continue shepherding this
>>> document through WGLC in the OAuth WG because there are no specific
>>> open issues in the spec (that I, the editor, am aware of) and I've
>>> seen what I would personally consider to be rough consensus on it
>>> (not unanimous, but that's not necessary anyway).
>>>
>>>
>>>
>>> SCIM-based OAuth Dynamic Registration:
>>>
>>> What it is: Most of Phil's draft, this defines a SCIM profile for
>>> managing OAuth clients dynamically. This will accomplish the same
>>> kinds of things that the OAuth Dynamic Registration Draft will
>>> accomplish, but in a SCIM-like manner. This will have a normative
>>> dependency on SCIM (of some version), and probably an informational
>>> dependency on OAuth Dynamic Registration. This could have an
>>> informational pointer to the Software Statements draft. This draft is
>>> very useful if you're already deploying a SCIM based system, and if
>>> you're investing in SCIM then it's going to be a smaller step to support
>>> this than it would be the base draft.
>>> However, I strongly believe that SCIM is a really big jump for
>>> implementing basic functionality that this is trying to accomplish.
>>>
>>> What it needs to concentrate on: Tracking with the overall SCIM
>>> specification (on which it depends) and tracking with the data model
>>> and general usage of the OAuth Dynamic Registration protocol
>>> (wherever it makes sense to do so).
>>>
>>> What we should do: I think that this draft should be picked up and
>>> worked on as an IETF document, but I think that it probably makes
>>> more sense for that work to be done inside of the SCIM working group.
>>> The reasons for this are twofold: First, this draft really should
>>> look and feel like SCIM, and to do that it really needs the attention
>>> of the group that's defining SCIM. Second, SCIM isn't completed and
>>> likely won't be for some time to come, and this draft needs to track
>>> with that protocol as it moves through the IETF process.
>>>
>>>
>>>
>>> Software Statements for OAuth Dynamic Registration
>>>
>>> What it is: Section 4 of Phil's draft (plus a few other bits,
>>> discussed here), this defines a method for presenting signed and/or
>>> verifiable claims to the registration server's endpoint. This is most
>>> useful when an authorization server can verify the claims being
>>> presented, such as being able to discover the signing key from the
>>> "iss" claim and validate the signature. This could also be used (with
>>> some additional
>>> specification) by a discovery-based system that could fix ahead of
>>> time some of the claims for a given piece of software (like we've
>>> done with BlueButton+). In some circumstances, this assertion could even
>>> contain all relevant bits of the registration, leaving the rest of the
>>> metadata fields blank. This is essentially the "use the assertion as
>>> the registration" flow that Phil discussed at the meeting, from what
>>> I understand. In all of these cases, it can give us a higher
>>> assurance for the registration and means to tie together multiple
>>> instances of a piece of software across a network.
>>>
>>> What it needs to concentrate on: Making the software statements
>>> interoperable. I don't think this is going to be an easy task, and I
>>> think it's going to be a long process to get it *right* for all players.
>>>
>>> What we should do: I think that this draft should be picked up by the
>>> OAuth Working Group as a WG document, and it should be built as an
>>> extension to both the OAuth Dynamic Registration and SCIM-based OAuth
>>> Dynamic Registration documents. I think it's important, but it's
>>> added functionality on top of either the RESTful or the SCIM-based
>>> registration documents, and as such it should have a normative
>>> reference to both of them with detailed profiles of how to use them.
>>>
>>>
>>>
>>> So in all, we've got three main documents, each with different
>>> purposes and concentrations, and with different timelines. I don't
>>> see any problem with these coexisting, and I think doing things this
>>> way can cover all of our known use cases and let us actually progress
>>> these documents and move forward.
>>>
>>>    -- Justin
>>> _______________________________________________
>>> OAuth mailing list
>>> OAuth@ietf.org
>>> https://www.ietf.org/mailman/listinfo/oauth
>
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth

From jricher@mitre.org  Sun Aug 11 18:05:01 2013
Return-Path: <jricher@mitre.org>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 241A221F9F7F for <oauth@ietfa.amsl.com>; Sun, 11 Aug 2013 18:05:01 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.23
X-Spam-Level: 
X-Spam-Status: No, score=-6.23 tagged_above=-999 required=5 tests=[AWL=-0.231,  BAYES_00=-2.599, J_CHICKENPOX_21=0.6, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id mD-6v3tsTf25 for <oauth@ietfa.amsl.com>; Sun, 11 Aug 2013 18:04:56 -0700 (PDT)
Received: from smtpksrv1.mitre.org (smtpksrv1.mitre.org [198.49.146.77]) by ietfa.amsl.com (Postfix) with ESMTP id 6C56221F9CFB for <oauth@ietf.org>; Sun, 11 Aug 2013 17:59:26 -0700 (PDT)
Received: from smtpksrv1.mitre.org (localhost.localdomain [127.0.0.1]) by localhost (Postfix) with SMTP id 9768F1F069E; Sun, 11 Aug 2013 20:59:25 -0400 (EDT)
Received: from IMCCAS04.MITRE.ORG (imccas04.mitre.org [129.83.29.81]) by smtpksrv1.mitre.org (Postfix) with ESMTP id 8B1651F041D; Sun, 11 Aug 2013 20:59:25 -0400 (EDT)
Received: from IMCMBX01.MITRE.ORG ([169.254.1.45]) by IMCCAS04.MITRE.ORG ([129.83.29.81]) with mapi id 14.02.0342.003; Sun, 11 Aug 2013 20:59:25 -0400
From: "Richer, Justin P." <jricher@mitre.org>
To: Phil Hunt <phil.hunt@oracle.com>, Anthony Nadalin <tonynad@microsoft.com>
Thread-Topic: [OAUTH-WG] A Proposal for Dynamic Registration
Thread-Index: AQHOkusV/QWdCAhI5Ei/C7qXUqlxpJmIzgQQgAD7gwCAAAaN4IAADNsAgABo01CABqw+gP//1myq
Date: Mon, 12 Aug 2013 00:59:23 +0000
Message-ID: <B33BFB58CCC8BE4998958016839DE27E26E89C82@IMCMBX01.MITRE.ORG>
References: <52016822.2090703@mitre.org> <bd9eb305a4a34669a4bd6a29d5b04066@BY2PR03MB189.namprd03.prod.outlook.com> <52025504.1000705@mitre.org> <caa0ee4331d444a6ac2a1dc03c1b42fa@BY2PR03MB189.namprd03.prod.outlook.com> <5202654C.2040500@mitre.org> <e8fbaf0f44a047f2aee747586643ba9b@BY2PR03MB189.namprd03.prod.outlook.com>, <6448B6AA-4F40-48CF-AFDD-3F535959349F@oracle.com>
In-Reply-To: <6448B6AA-4F40-48CF-AFDD-3F535959349F@oracle.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
x-originating-ip: [129.83.31.52]
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Cc: "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] A Proposal for Dynamic Registration
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 12 Aug 2013 01:05:01 -0000

I think it's more proper to say that SCIM duplicates every RESTful API, ever.

 -- Justin
________________________________________
From: Phil Hunt [phil.hunt@oracle.com]
Sent: Sunday, August 11, 2013 7:27 PM
To: Anthony Nadalin
Cc: Richer, Justin P.; oauth@ietf.org
Subject: Re: [OAUTH-WG] A Proposal for Dynamic Registration

+1

I also would like to explore the assertion exchange concept that doesn't require any endpoint.

I see no point in rushing here.

More than one method makes no sense unless there is a fundamental reason. We have none.

Dyn reg duplicates scim and we have to reconcile this now or with the iesg.

Phil

On 2013-08-07, at 14:59, Anthony Nadalin <tonynad@microsoft.com> wrote:

> This proposal provisions and de-provisions clients and allows a client to read/update provisioning data (and it also has to deal with schema extensibility, internationalization among the other things), very similar to SCIM, why do we want different ways to do this? We also have the JIT proposals in SCIM which make even more sense for quick provisioning clients with limited data. This is a lot of repeat of SCIM.
>
> Schema extensibility is not just the ability to add or replace but the flexibility to model desired objects and relationships that are in the target store schema. We would certainly not want to create yet another store/directory just to register clients.
>
> -----Original Message-----
> From: Justin Richer [mailto:jricher@mitre.org]
> Sent: Wednesday, August 7, 2013 8:19 AM
> To: Anthony Nadalin
> Cc: oauth@ietf.org
> Subject: Re: [OAUTH-WG] A Proposal for Dynamic Registration
>
> Addressing your points inline:
>
> On 08/07/2013 10:58 AM, Anthony Nadalin wrote:
>> I see plenty of fractures, we discussed many of these at the meeting and several side meetings last week. Specifications that are brought to IETF undergo changes, morph into something different all the time regardless of who has implemented the original specifications, OAUTH Core is a fine example of how lots of running code was changed because the specification changed, so because you may have code based upon this is not a reason that it is correct and should not change.
> And all that has happened with this draft as well. Things have changed quite a bit from the original specs, breaking changes that caused huge ripples through existing implementations. Eventually though you need to say "it's good enough" -- if you keep changing things and don't declare something done, people will just get bored and move on. I'm glad that you mention OAuth core because it is a great example of our previous failure at this -- we took so long to get it out there that there are several major non-compliant implementations on the web today, most notably Facebook, who have no incentive to change to the final draft just because the IETF says so. Let's not screw this up again.
>
>> I'm not aware of many people using this draft, as in the meeting last week I think we had 2 examples, so more people saying that they have implemented this at scale and the problems it solves would be a good thing.
> I agree that more people implementing it would be a good thing, but you're ignoring the people that already are. There are also a number of people that I've spoken to who are hesitant to implement until things are deemed fairly "stable", if not final. Those people will come up with their own, mutually-incompatible versions.
>
>> Here are the problems that I see with the current proposal and why we would/could not use it:
>>
>> 1. The schema proposal is not extensible, please look at the issues with SCIM and how the scheme was made extensible in SCIM.
> Yes, it is extensible, I really don't know where you're getting that.
> It's JSON, schema-by-fiat. If you want an extension parameter, just add it. Your server has to deal with (as in, not crash if it sees) anything in the base spec, and it has to ignore anything that it doesn't understand. Best thing I could think to add here would be an IANA registry for the client metadata names -- I personally find such things overkill but if the WG wants to go that route, we certainly can.
>> 2. This proposal requires that I now provide management at the registration endpoint to manage users and secrets, this is costly.
> What users are you talking about here? There aren't any users here that I know of. As for secrets, you already have to manage client secrets.
>
>> 3. Yet the development of another endpoint.
> Adding an endpoint for specific functionality is a good thing, it lets you separate out concerns. You talk like URLs are expensive, which is ludicrous. Would you propose we try to cram everything through a single URL like SOAP? Let's learn from the mistakes of the past instead of repeating them.
>
>> 4. I don't see any use cases, maybe these should be documented (or point people to these) so we understand what this is actually trying to solve, as this is somewhat of a mystery to me and others.
> Read appendix B. That's why it's there. If there are more cases that we can add, suggest text.
>> 5. There are a lot of issues that OAUTH does not solve, I don't think
>> that this issue (as I understand it) is in the realm of OAUTH, maybe
>> the applications area would be a better place for this specification
> This was a chartered item for the group to solve (check the charter for yourself), we discussed it several times over the last few years before it was made a chartered item (check the archives for yourself), and there are people willing to work on the document. That's all it takes for this to be in scope in the IETF. Trying to boot it into another working group at this stage is just odd to me.
>
>  -- Justin
>>
>>
>>
>> -----Original Message-----
>> From: Justin Richer [mailto:jricher@mitre.org]
>> Sent: Wednesday, August 7, 2013 7:09 AM
>> To: Anthony Nadalin
>> Cc: oauth@ietf.org
>> Subject: Re: [OAUTH-WG] A Proposal for Dynamic Registration
>>
>> Tony, it happened several months ago:
>>
>>    http://www.ietf.org/mail-archive/web/oauth/current/msg11326.html
>>
>> This triggered a lot of discussion and brought up several changes in the document, in general for the good. The vast majority of changes were editorial in nature, clearing up the intent of the text, but the underlying protocol is pretty solid and not very different qualitatively from draft -10. At this point, I believe that all open issues are addressed in the document or directed towards specific proposed extensions, and I haven't heard anything to the contrary.
>>
>> And I think you're reading the tone content of the discussion incorrectly. As I tried to carefully lay out below, I don't see fractures. I see multiple components that can work together and fit fairly nicely into a larger system. The existence of multiple solutions does not invalidate the applicability of a known good solution. We can not shelve something good just because there's a hint of something else on the horizon (which might be good or bad, we don't know yet).
>>
>> There is a lot of support for the Dynamic Registration draft that's there today, just look at the number of implementers and protocols that are actually using it. This is not a theoretical draft, this is not an intellectual exercise, this is not a speculative document -- this is a codification of real practice that we know works and has been implemented and deployed and tested.
>>
>> And speaking of these other protocols and systems -- they're going to move on whether we at the IETF want them to or not. Nobody is going to sit around and wait for the IETF-blessed version of this functionality.
>> As a matter of fact, this document was born of the output of two groups who specifically *didn't* wait around for the IETF to solve this problem. We brought it "in house" here because we believed that it would be better to have a generally applicable solution than to have a dozen proprietary implementations. That's where true fragmentation comes from:
>> implementations and deployments, not from minor quibbles about syntax.
>> So could we stuff dynamic registration on a shelf and wait for a perfect solution to descend from heaven? Sure we could, but that would be so profoundly stupid that I would question the sanity of everyone in this working group. But if we come up with a solution that works, can be implemented, and is done in a timely fashion, then the world *will* use it. That's what we have, and that's what I want to move forward.
>>
>> There's also a lot of support for extensions (software statements) and different instantiations (SCIM) of the same basic protocol. These are good things, and they speak to the strength of the registration protocol, not its weakness.  I believe that what I've laid out below is a solid and reasonable plan for moving things forward and addressing everything that's been brought up, and so I invite the commentary of the whole of the working group. After all, the IETF is an organization of individuals and we work on rough consensus and running code.
>>
>>   -- Justin
>>
>> On 08/06/2013 07:18 PM, Anthony Nadalin wrote:
>>> I think that the IETF meeting and session on Dynamic Registration showed how fractured it was and how we don't have consensus on what needs to be done and how it needs to be done. I would not support moving any draft further along in the IETF process. I looked on mailing list and could not find out where any dynamic registration document went to WGLC, so maybe someone can point me to that.
>>>
>>> -----Original Message-----
>>> From: oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] On
>>> Behalf Of Justin Richer
>>> Sent: Tuesday, August 6, 2013 2:18 PM
>>> To: oauth@ietf.org
>>> Subject: [OAUTH-WG] A Proposal for Dynamic Registration
>>>
>>> At last week's IETF meeting, there was quite a lot of talk about the Dynamic Registration draft as well as a few other related drafts in this space. I would like to propose to the group what I think would be a positive working structure among the different approaches that would let us move everything forward. The source documents in discussion here are the WG's Dynamic Registration (draft 14) and Phil Hunt's individual submission of a SCIM-based alternative with some software assertion components to it. I suggest we refactor these into three documents:
>>>
>>>    - OAuth Dynamic Registration
>>>    - SCIM-based OAuth Dynamic Registration
>>>    - Software Statements for OAuth Dynamic Registration
>>>
>>> I think that they all have their place in the world, and this is how I see them fitting together:
>>>
>>>
>>> OAuth Dynamic Registration
>>>
>>> What it is: Essentially the draft we have today, draft 14. This draft
>>> defines a standalone RESTful API for dealing with client
>>> registrations, it allows for open registration as well as protected
>>> registration, and perhaps most importantly we know that it works
>>> because people have implemented it as part of several different APIs.
>>> This could have an informational pointer to the SCIM draft and the
>>> Software Statements draft. We could call this one "core" or "basic"
>>> or some other modifier, but I don't think that's necessary because it
>>> already does what it says on the tin.
>>>
>>> What it needs to concentrate on: This needs to be a "base" document
>>> with extension hooks in key places (such as the client metadata,
>>> which is already extensible, and places that have been made
>>> extensible like the token_endpoint_auth_method, and perhaps others).
>>> It needs to get its job done, allowing for full specification of the
>>> simple case in an interoperable way (anonymous registration of
>>> self-asserted client metadata to receive a client identifier and
>>> manage the registration) and be extensible and flexible enough for the more complex cases.
>>>
>>> What we should do: I think that we should continue shepherding this
>>> document through WGLC in the OAuth WG because there are no specific
>>> open issues in the spec (that I, the editor, am aware of) and I've
>>> seen what I would personally consider to be rough consensus on it
>>> (not unanimous, but that's not necessary anyway).
>>>
>>>
>>>
>>> SCIM-based OAuth Dynamic Registration:
>>>
>>> What it is: Most of Phil's draft, this defines a SCIM profile for
>>> managing OAuth clients dynamically. This will accomplish the same
>>> kinds of things that the OAuth Dynamic Registration Draft will
>>> accomplish, but in a SCIM-like manner. This will have a normative
>>> dependency on SCIM (of some version), and probably an informational
>>> dependency on OAuth Dynamic Registration. This could have an
>>> informational pointer to the Software Statements draft. This draft is
>>> very useful if you're already deploying a SCIM based system, and if
>>> you're investing in SCIM then it's going to be a smaller step to support this than it would be the base draft.
>>> However, I strongly believe that SCIM is a really big jump for
>>> implementing basic functionality that this is trying to accomplish.
>>>
>>> What it needs to concentrate on: Tracking with the overall SCIM
>>> specification (on which it depends) and tracking with the data model
>>> and general usage of the OAuth Dynamic Registration protocol
>>> (wherever it makes sense to do so).
>>>
>>> What we should do: I think that this draft should be picked up and
>>> worked on as an IETF document, but I think that it probably makes
>>> more sense for that work to be done inside of the SCIM working group.
>>> The reasons for this are twofold: First, this draft really should
>>> look and feel like SCIM, and to do that it really needs the attention
>>> of the group that's defining SCIM. Second, SCIM isn't completed and
>>> likely won't be for some time to come, and this draft needs to track
>>> with that protocol as it moves through the IETF process.
>>>
>>>
>>>
>>> Software Statements for OAuth Dynamic Registration
>>>
>>> What it is: Section 4 of Phil's draft (plus a few other bits,
>>> discussed here), this defines a method for presenting signed and/or
>>> verifiable claims to the registration server's endpoint. This is most
>>> useful when an authorization server can verify the claims being
>>> presented, such as being able to discover the signing key from the
>>> "iss" claim and validate the signature. This could also be used (with
>>> some additional
>>> specification) by a discovery-based system that could fix ahead of
>>> time some of the claims for a given piece of software (like we've
>>> done with BlueButton+). In some circumstances, this assertion could even
>>> contain all relevant bits of the registration, leaving the rest of the
>>> metadata fields blank. This is essentially the "use the assertion as
>>> the registration" flow that Phil discussed at the meeting, from what
>>> I understand. In all of these cases, it can give us a higher
>>> assurance for the registration and means to tie together multiple
>>> instances of a piece of software across a network.
>>>
>>> What it needs to concentrate on: Making the software statements
>>> interoperable. I don't think this is going to be an easy task, and I
>>> think it's going to be a long process to get it *right* for all players.
>>>
>>> What we should do: I think that this draft should be picked up by the
>>> OAuth Working Group as a WG document, and it should be built as an
>>> extension to both the OAuth Dynamic Registration and SCIM-based OAuth
>>> Dynamic Registration documents. I think it's important, but it's
>>> added functionality on top of either the RESTful or the SCIM-based
>>> registration documents, and as such it should have a normative
>>> reference to both of them with detailed profiles of how to use them.
>>>
>>>
>>>
>>> So in all, we've got three main documents, each with different
>>> purposes and concentrations, and with different timelines. I don't
>>> see any problem with these coexisting, and I think doing things this
>>> way can cover all of our known use cases and let us actually progress
>>> these documents and move forward.
>>>
>>>    -- Justin
>>> _______________________________________________
>>> OAuth mailing list
>>> OAuth@ietf.org
>>> https://www.ietf.org/mailman/listinfo/oauth
>
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
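
The extensibility rule argued in the quoted thread above (the server handles every field it understands and ignores any it does not) can be shown as a registration handler. This is an added example, not code from the draft or from any participant; field and error names other than token_endpoint_auth_method follow the registration specification as later published (RFC 7591) and are not quoted in the thread, and the https-only redirect policy, the name length limit and the sample request are assumptions.

```python
import secrets
from urllib.parse import urlsplit

# Fields this (hypothetical) server understands; anything else is an extension.
KNOWN_FIELDS = {"redirect_uris", "client_name", "token_endpoint_auth_method"}
SUPPORTED_AUTH_METHODS = {"none", "client_secret_basic", "client_secret_post"}
DEFAULT_AUTH_METHOD = "client_secret_basic"
MAX_NAME_LEN = 100  # assumption: local policy, not from the draft


class RegistrationError(Exception):
    """A field the server does understand carried an unacceptable value."""

    def __init__(self, error, description):
        super().__init__(f"{error}: {description}")
        self.error = error
        self.description = description


def _valid_redirect_uri(uri):
    # Assumed policy: absolute https URI with a host and no fragment.
    if not isinstance(uri, str):
        return False
    try:
        parts = urlsplit(uri)
    except ValueError:
        return False
    return parts.scheme == "https" and bool(parts.netloc) and not parts.fragment


def register_client(request):
    """Handle one anonymous registration of self-asserted client metadata.

    Returns (registered, ignored): the metadata actually registered plus the
    issued credentials, and the names of the fields that were ignored.
    """
    if not isinstance(request, dict):
        raise RegistrationError("invalid_client_metadata", "body must be a JSON object")

    # Unknown fields are neither an error nor stored: they are dropped, so
    # unvalidated client-supplied data never reaches the client record.
    ignored = sorted(name for name in request if name not in KNOWN_FIELDS)

    uris = request.get("redirect_uris")
    if not isinstance(uris, list) or not uris or not all(map(_valid_redirect_uri, uris)):
        raise RegistrationError("invalid_redirect_uri", "need a list of https URIs")
    registered = {"redirect_uris": list(uris)}

    name = request.get("client_name")
    if name is not None:
        if not isinstance(name, str) or not 0 < len(name) <= MAX_NAME_LEN:
            raise RegistrationError("invalid_client_metadata", "bad client_name")
        registered["client_name"] = name

    # An understood field with an unsupported value is rejected, not ignored:
    # silently downgrading the authentication method would surprise the client.
    method = request.get("token_endpoint_auth_method", DEFAULT_AUTH_METHOD)
    if not isinstance(method, str) or method not in SUPPORTED_AUTH_METHODS:
        raise RegistrationError("invalid_client_metadata", "unsupported auth method")
    registered["token_endpoint_auth_method"] = method

    registered["client_id"] = secrets.token_urlsafe(16)
    if method != "none":
        registered["client_secret"] = secrets.token_urlsafe(32)
    return registered, ignored


# Constructed sample request with one extension field the server does not know.
SAMPLE_REQUEST = {
    "redirect_uris": ["https://client.example.org/callback"],
    "client_name": "Example Client",
    "token_endpoint_auth_method": "client_secret_post",
    "x_example_extension": {"tier": "gold"},
}

if __name__ == "__main__":
    record, dropped = register_client(SAMPLE_REQUEST)
    print("registered:", sorted(record))
    print("ignored:", dropped)
```

Returning the registered metadata rather than echoing the request lets the client see which of its self-asserted values the server actually accepted.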

From leifj@mnt.se  Mon Aug 12 03:52:56 2013
Return-Path: <leifj@mnt.se>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 52F7321E80CF for <oauth@ietfa.amsl.com>; Mon, 12 Aug 2013 03:52:44 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.691
X-Spam-Level: 
X-Spam-Status: No, score=-1.691 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_ILLEGAL_IP=1.908, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id H82rWX8VJ4L4 for <oauth@ietfa.amsl.com>; Mon, 12 Aug 2013 03:52:23 -0700 (PDT)
Received: from mail-lb0-f180.google.com (mail-lb0-f180.google.com [209.85.217.180]) by ietfa.amsl.com (Postfix) with ESMTP id 5D0BB21E8117 for <oauth@ietf.org>; Mon, 12 Aug 2013 02:34:54 -0700 (PDT)
Received: by mail-lb0-f180.google.com with SMTP id a16so4661739lbj.11 for <oauth@ietf.org>; Mon, 12 Aug 2013 02:34:24 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=x-gm-message-state:message-id:date:from:user-agent:mime-version:to :subject:references:in-reply-to:content-type :content-transfer-encoding; bh=vCe1kTeBs5FR/xvpQJr6gW+yW0QqOkwv4A7mBX8qLco=; b=RRlxZF3Rb7tJ1NwHlJixfqX56CLxASpCyEFoscLx60+RnD6silUK5qld6gVd9vb9tp kWplcUlDA9YTc7dichQxA96PGaQNvRYiv2H+X9MT1dsm0VmCIHj6ZyQr6F7blOSvLJSv 1ByGsLSmEG3QbQvJjj4dKoDYV7QUjOcY0O8W9fCPALz4Op9IVtPdsALNGv2rd/mDRIoV 9nPYJ2aH4OgjILXqeiYNA6vVOGu3KWjdIv4mktryQYs0Fl9MZI9R0inACIZQmtVV+Rwm ozoBiQ3TGPqYyzDggPx6TMNIQAOt49a34Trg1jfEFaH4d2yVr5Z+fY6Etk/Cpy1OUlDO Q0nA==
X-Gm-Message-State: ALoCoQmZOw43db5f/hI7ETBrXH5URWUVbkI9LRA8PXe7rd3I5p35uajPBIa4iDaJXfW8HEbmeVnc
X-Received: by 10.152.9.194 with SMTP id c2mr11128875lab.83.1376300064117; Mon, 12 Aug 2013 02:34:24 -0700 (PDT)
Received: from [172.20.10.6] (2.69.142.214.mobile.tre.se. [2.69.142.214]) by mx.google.com with ESMTPSA id js17sm11496544lab.5.2013.08.12.02.34.22 for <oauth@ietf.org> (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Mon, 12 Aug 2013 02:34:23 -0700 (PDT)
Message-ID: <5208AC1A.5060606@mnt.se>
Date: Mon, 12 Aug 2013 11:34:18 +0200
From: Leif Johansson <leifj@mnt.se>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:17.0) Gecko/20130623 Thunderbird/17.0.7
MIME-Version: 1.0
To: oauth@ietf.org
References: <52016822.2090703@mitre.org>
In-Reply-To: <52016822.2090703@mitre.org>
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
Subject: Re: [OAUTH-WG] A Proposal for Dynamic Registration
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 12 Aug 2013 10:53:19 -0000

On 08/06/2013 11:18 PM, Justin Richer wrote:

<snip>
>  - OAuth Dynamic Registration
>  - SCIM-based OAuth Dynamic Registration
>  - Software Statements for OAuth Dynamic Registration
>

This thread makes me think we should break out the EXPERIMENTAL
track: spin two or more proposed solutions as EXPERIMENTAL. Let the
various groups do what they're gonna do (which they'll do anyway) and
let the chips fall where they may.

Tony is right in interpreting the discussions in Berlin as quite fractured.
Pushing for standards track seems premature.

OTOH the transition from EXPERIMENTAL to STANDARDS TRACK can
be as quick as a couple of I-Ds describing the outcome of the
implementation and deployment work that will happen anyway (as
you so correctly observe) after which the WG decides how to move
forward.

Since bb+ and openidc will do dynreg anyway the document track
doesn't really matter which means the usual "vendors won't implement
unless it's a real RFC"-argument doesn't apply here anyway.

        Cheers Leif




From prateek.mishra@oracle.com  Mon Aug 12 06:12:13 2013
Return-Path: <prateek.mishra@oracle.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0771321F9C4C for <oauth@ietfa.amsl.com>; Mon, 12 Aug 2013 06:12:13 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.999
X-Spam-Level: 
X-Spam-Status: No, score=-5.999 tagged_above=-999 required=5 tests=[AWL=0.000,  BAYES_00=-2.599, J_CHICKENPOX_21=0.6, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id giphybXSZHEl for <oauth@ietfa.amsl.com>; Mon, 12 Aug 2013 06:12:07 -0700 (PDT)
Received: from userp1040.oracle.com (userp1040.oracle.com [156.151.31.81]) by ietfa.amsl.com (Postfix) with ESMTP id 7C42111E80AD for <oauth@ietf.org>; Mon, 12 Aug 2013 06:02:22 -0700 (PDT)
Received: from ucsinet21.oracle.com (ucsinet21.oracle.com [156.151.31.93]) by userp1040.oracle.com (Sentrion-MTA-4.3.1/Sentrion-MTA-4.3.1) with ESMTP id r7CD2LrY010206 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK); Mon, 12 Aug 2013 13:02:22 GMT
Received: from userz7022.oracle.com (userz7022.oracle.com [156.151.31.86]) by ucsinet21.oracle.com (8.14.4+Sun/8.14.4) with ESMTP id r7CD2Kl4024345 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Mon, 12 Aug 2013 13:02:21 GMT
Received: from abhmt115.oracle.com (abhmt115.oracle.com [141.146.116.67]) by userz7022.oracle.com (8.14.4+Sun/8.14.4) with ESMTP id r7CD2KVi000092; Mon, 12 Aug 2013 13:02:20 GMT
Received: from [192.168.2.5] (/24.91.51.58) by default (Oracle Beehive Gateway v4.0) with ESMTP ; Mon, 12 Aug 2013 06:02:19 -0700
Message-ID: <5208DCDC.80700@oracle.com>
Date: Mon, 12 Aug 2013 09:02:20 -0400
From: Prateek Mishra <prateek.mishra@oracle.com>
Organization: Oracle Corporation
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:17.0) Gecko/20130801 Thunderbird/17.0.8
MIME-Version: 1.0
To: "oauth@ietf.org" <oauth@ietf.org>
References: <52016822.2090703@mitre.org> <bd9eb305a4a34669a4bd6a29d5b04066@BY2PR03MB189.namprd03.prod.outlook.com> <52025504.1000705@mitre.org> <caa0ee4331d444a6ac2a1dc03c1b42fa@BY2PR03MB189.namprd03.prod.outlook.com> <5202654C.2040500@mitre.org> <e8fbaf0f44a047f2aee747586643ba9b@BY2PR03MB189.namprd03.prod.outlook.com> <6448B6AA-4F40-48CF-AFDD-3F535959349F@oracle.com>
In-Reply-To: <6448B6AA-4F40-48CF-AFDD-3F535959349F@oracle.com>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
X-Source-IP: ucsinet21.oracle.com [156.151.31.93]
Subject: Re: [OAUTH-WG] A Proposal for Dynamic Registration
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 12 Aug 2013 13:12:13 -0000

+1

I don't see a consensus within the community in this area.

My own sense is that people are exploring many different approaches to 
the problem; there seem to be a wide variety of use-cases involved.

- prateek

> +1
>
> I also would like to explore the assertion exchange concept that doesn't require any endpoint.
>
> I see no point in rushing here.
>
> More than one method makes no sense unless there is a fundamental reason. We have none.
>
> Dyn reg duplicates scim and we have to reconcile this now or with the iesg.
>
> Phil
>
> On 2013-08-07, at 14:59, Anthony Nadalin <tonynad@microsoft.com> wrote:
>
>> This proposal provisions and de-provisions clients and allows a client to read/update provisioning data (and it also has to deal with schema extensibility, internationalization among the other things), very similar to SCIM, why do we want different ways to do this? We also have the JIT proposals in SCIM which make even more sense for quick provisioning clients with limited data. This is a lot of repeat of SCIM.
>>
>> Schema extensibility is not just the ability to add or replace but the flexibility to model desired objects and relationships that are in the target store schema. We would certainly not want to create yet another store/directory just to register clients.
>>
>> -----Original Message-----
>> From: Justin Richer [mailto:jricher@mitre.org]
>> Sent: Wednesday, August 7, 2013 8:19 AM
>> To: Anthony Nadalin
>> Cc: oauth@ietf.org
>> Subject: Re: [OAUTH-WG] A Proposal for Dynamic Registration
>>
>> Addressing your points inline:
>>
>> On 08/07/2013 10:58 AM, Anthony Nadalin wrote:
>>> I see plenty of fractures, we discussed many of these at the meeting and several side meetings last week. Specifications that are brought to IETF undergo changes, morph into something different all the time regardless of who has implemented the original specifications, OAUTH Core is a fine example of how lots of running code was changed because the specification changed, so because you may have code based upon this is not a reason that it is correct and should not change.
>> And all that has happened with this draft as well. Things have changed quite a bit from the original specs, breaking changes that caused huge ripples through existing implementations. Eventually though you need to say "it's good enough" -- if you keep changing things and don't declare something done, people will just get bored and move on. I'm glad that you mention OAuth core because it is a great example of our previous failure at this -- we took so long to get it out there that there are several major non-compliant implementations on the web today, most notably Facebook, who have no incentive to change to the final draft just because the IETF says so. Let's not screw this up again.
>>
>>>   I'm not aware of many people using this draft, as in the meeting last week I think we had 2 examples, so more people saying that they have implemented this at scale and the problems it solves would be a good thing.
>> I agree that more people implementing it would be a good thing, but you're ignoring the people that already are. There are also a number of people that I've spoken to who are hesitant to implement until things are deemed fairly "stable", if not final. Those people will come up with their own, mutually-incompatible versions.
>>
>>> Here are the problems that I see with the current proposal and why we would/could not use it:
>>>
>>> 1. The schema proposal is not extensible, please look at the issues with SCIM and how the scheme was made extensible in SCIM.
>> Yes, it is extensible, I really don't know where you're getting that.
>> It's JSON, schema-by-fiat. If you want an extension parameter, just add it. Your server has to deal with (as in, not crash if it sees) anything in the base spec, and it has to ignore anything that it doesn't understand. Best thing I could think to add here would be an IANA registry for the client metadata names -- I personally find such things overkill but if the WG wants to go that route, we certainly can.
>>> 2. This proposal requires that I now provide management at the registration endpoint to manage users and secrets, this is costly.
>> What users are you talking about here? There aren't any users here that I know of. As for secrets, you already have to manage client secrets.
>>
>>> 3. Yet the development of another endpoint.
>> Adding an endpoint for specific functionality is a good thing, it lets you separate out concerns. You talk like URLs are expensive, which is ludicrous. Would you propose we try to cram everything through a single URL like SOAP? Let's learn from the mistakes of the past instead of repeating them.
>>
>>> 4. I don't see any use cases, maybe these should be documented (or point people to these) so we understand what this is actually trying to solve, as this is somewhat of a mystery to me and others.
>> Read appendix B. That's why it's there. If there are more cases that we can add, suggest text.
>>> 5. There are a lot of issues that OAUTH does not solve, I don't think
>>> that this issue (as I understand it) is in the realm of OAUTH, maybe
>>> the applications area would be a better place for this specification
>> This was a chartered item for the group to solve (check the charter for yourself), we discussed it several times over the last few years before it was made a chartered item (check the archives for yourself), and there are people willing to work on the document. That's all it takes for this to be in scope in the IETF. Trying to boot it into another working group at this stage is just odd to me.
>>
>>   -- Justin
>>>
>>>
>>> -----Original Message-----
>>> From: Justin Richer [mailto:jricher@mitre.org]
>>> Sent: Wednesday, August 7, 2013 7:09 AM
>>> To: Anthony Nadalin
>>> Cc: oauth@ietf.org
>>> Subject: Re: [OAUTH-WG] A Proposal for Dynamic Registration
>>>
>>> Tony, it happened several months ago:
>>>
>>>     http://www.ietf.org/mail-archive/web/oauth/current/msg11326.html
>>>
>>> This triggered a lot of discussion and brought up several changes in the document, in general for the good. The vast majority of changes were editorial in nature, clearing up the intent of the text, but the underlying protocol is pretty solid and not very different qualitatively from draft -10. At this point, I believe that all open issues are addressed in the document or directed towards specific proposed extensions, and I haven't heard anything to the contrary.
>>>
>>> And I think you're reading the tone content of the discussion incorrectly. As I tried to carefully lay out below, I don't see fractures. I see multiple components that can work together and fit fairly nicely into a larger system. The existence of multiple solutions does not invalidate the applicability of a known good solution. We can not shelve something good just because there's a hint of something else on the horizon (which might be good or bad, we don't know yet).
>>>
>>> There is a lot of support for the Dynamic Registration draft that's there today, just look at the number of implementers and protocols that are actually using it. This is not a theoretical draft, this is not an intellectual exercise, this is not a speculative document -- this is a codification of real practice that we know works and has been implemented and deployed and tested.
>>>
>>> And speaking of these other protocols and systems -- they're going to move on whether we at the IETF want them to or not. Nobody is going to sit around and wait for the IETF-blessed version of this functionality.
>>> As a matter of fact, this document was born of the output of two groups who specifically *didn't* wait around for the IETF to solve this problem. We brought it "in house" here because we believed that it would be better to have a generally applicable solution than to have a dozen proprietary implementations. That's where true fragmentation comes from:
>>> implementations and deployments, not from minor quibbles about syntax.
>>> So could we stuff dynamic registration on a shelf and wait for a perfect solution to descend from heaven? Sure we could, but that would be so profoundly stupid that I would question the sanity of everyone in this working group. But if we come up with a solution that works, can be implemented, and is done in a timely fashion, then the world *will* use it. That's what we have, and that's what I want to move forward.
>>>
>>> There's also a lot of support for extensions (software statements) and different instantiations (SCIM) of the same basic protocol. These are good things, and they speak to the strength of the registration protocol, not its weakness.  I believe that what I've laid out below is a solid and reasonable plan for moving things forward and addressing everything that's been brought up, and so I invite the commentary of the whole of the working group. After all, the IETF is an organization of individuals and we work on rough consensus and running code.
>>>
>>>    -- Justin
>>>
>>> On 08/06/2013 07:18 PM, Anthony Nadalin wrote:
>>>> I think that the IETF meeting and session on Dynamic Registration showed how fractured it was and how we don't have consensus on what needs to be done and how it needs to be done. I would not support moving any draft further along in the IETF process. I looked on mailing list and could not find out where any dynamic registration document went to WGLC, so maybe someone can point me to that.
>>>>
>>>> -----Original Message-----
>>>> From: oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] On
>>>> Behalf Of Justin Richer
>>>> Sent: Tuesday, August 6, 2013 2:18 PM
>>>> To: oauth@ietf.org
>>>> Subject: [OAUTH-WG] A Proposal for Dynamic Registration
>>>>
>>>> At last week's IETF meeting, there was quite a lot of talk about the Dynamic Registration draft as well as a few other related drafts in this space. I would like to propose to the group what I think would be a positive working structure among the different approaches that would let us move everything forward. The source documents in discussion here are the WG's Dynamic Registration (draft 14) and Phil Hunt's individual submission of a SCIM-based alternative with some software assertion components to it. I suggest we refactor these into three documents:
>>>>
>>>>     - OAuth Dynamic Registration
>>>>     - SCIM-based OAuth Dynamic Registration
>>>>     - Software Statements for OAuth Dynamic Registration
>>>>
>>>> I think that they all have their place in the world, and this is how I see them fitting together:
>>>>
>>>>
>>>> OAuth Dynamic Registration
>>>>
>>>> What it is: Essentially the draft we have today, draft 14. This draft
>>>> defines a standalone RESTful API for dealing with client
>>>> registrations, it allows for open registration as well as protected
>>>> registration, and perhaps most importantly we know that it works
>>>> because people have implemented it as part of several different APIs.
>>>> This could have an informational pointer to the SCIM draft and the
>>>> Software Statements draft. We could call this one "core" or "basic"
>>>> or some other modifier, but I don't think that's necessary because it
>>>> already does what it says on the tin.
>>>>
>>>> What it needs to concentrate on: This needs to be a "base" document
>>>> with extension hooks in key places (such as the client metadata,
>>>> which is already extensible, and places that have been made
>>>> extensible like the token_endpoint_auth_method, and perhaps others).
>>>> It needs to get its job done, allowing for full specification of the
>>>> simple case in an interoperable way (anonymous registration of
>>>> self-asserted client metadata to receive a client identifier and
>>>> manage the registration) and be extensible and flexible enough for the more complex cases.
>>>>
>>>> What we should do: I think that we should continue shepherding this
>>>> document through WGLC in the OAuth WG because there are no specific
>>>> open issues in the spec (that I, the editor, am aware of) and I've
>>>> seen what I would personally consider to be rough consensus on it
>>>> (not unanimous, but that's not necessary anyway).
>>>>
>>>>
>>>>
>>>> SCIM-based OAuth Dynamic Registration:
>>>>
>>>> What it is: Most of Phil's draft, this defines a SCIM profile for
>>>> managing OAuth clients dynamically. This will accomplish the same
>>>> kinds of things that the OAuth Dynamic Registration Draft will
>>>> accomplish, but in a SCIM-like manner. This will have a normative
>>>> dependency on SCIM (of some version), and probably an informational
>>>> dependency on OAuth Dynamic Registration. This could have an
>>>> informational pointer to the Software Statements draft. This draft is
>>>> very useful if you're already deploying a SCIM based system, and if
>>>> you're investing in SCIM then it's going to be a smaller step to support this than it would be the base draft.
>>>> However, I strongly believe that SCIM is a really big jump for
>>>> implementing basic functionality that this is trying to accomplish.
>>>>
>>>> What it needs to concentrate on: Tracking with the overall SCIM
>>>> specification (on which it depends) and tracking with the data model
>>>> and general usage of the OAuth Dynamic Registration protocol
>>>> (wherever it makes sense to do so).
>>>>
>>>> What we should do: I think that this draft should be picked up and
>>>> worked on as an IETF document, but I think that it probably makes
>>>> more sense for that work to be done inside of the SCIM working group.
>>>> The reasons for this are twofold: First, this draft really should
>>>> look and feel like SCIM, and to do that it really needs the attention
>>>> of the group that's defining SCIM. Second, SCIM isn't completed and
>>>> likely won't be for some time to come, and this draft needs to track
>>>> with that protocol as it moves through the IETF process.
>>>>
>>>>
>>>>
>>>> Software Statements for OAuth Dynamic Registration
>>>>
>>>> What it is: Section 4 of Phil's draft (plus a few other bits,
>>>> discussed here), this defines a method for presenting signed and/or
>>>> verifiable claims to the registration server's endpoint. This is most
>>>> useful when an authorization server can verify the claims being
>>>> presented, such as being able to discover the signing key from the
>>>> "iss" claim and validate the signature. This could also be used (with
>>>> some additional specification) by a discovery-based system that could
>>>> fix ahead of time some of the claims for a given piece of software
>>>> (like we've done with BlueButton+). In some circumstances, this
>>>> assertion could even contain
>>>> all relevant bits of the registration, leaving the rest of the
>>>> metadata fields blank. This is essentially the "use the assertion as
>>>> the registration" flow that Phil discussed at the meeting, from what
>>>> I understand. In all of these cases, it can give us a higher
>>>> assurance for the registration and means to tie together multiple
>>>> instances of a piece of software across a network.
>>>>
>>>> What it needs to concentrate on: Making the software statements
>>>> interoperable. I don't think this is going to be an easy task, and I
>>>> think it's going to be a long process to get it *right* for all players.
>>>>
>>>> What we should do: I think that this draft should be picked up by the
>>>> OAuth Working Group as a WG document, and it should be built as an
>>>> extension to both the OAuth Dynamic Registration and SCIM-based OAuth
>>>> Dynamic Registration documents. I think it's important, but it's
>>>> added functionality on top of either the RESTful or the SCIM-based
>>>> registration documents, and as such it should have a normative
>>>> reference to both of them with detailed profiles of how to use them.
>>>>
>>>> So in all, we've got three main documents, each with different
>>>> purposes and concentrations, and with different timelines. I don't
>>>> see any problem with these coexisting, and I think doing things this
>>>> way can cover all of our known use cases and let us actually progress
>>>> these documents and move forward.
>>>>
>>>>     -- Justin
>>>> _______________________________________________
>>>> OAuth mailing list
>>>> OAuth@ietf.org
>>>> https://www.ietf.org/mailman/listinfo/oauth


From jricher@mitre.org  Mon Aug 12 07:19:20 2013
Return-Path: <jricher@mitre.org>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C973D11E80DC for <oauth@ietfa.amsl.com>; Mon, 12 Aug 2013 07:19:20 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.513
X-Spam-Level: 
X-Spam-Status: No, score=-6.513 tagged_above=-999 required=5 tests=[AWL=0.086,  BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id FO8Ugt2mntuK for <oauth@ietfa.amsl.com>; Mon, 12 Aug 2013 07:19:15 -0700 (PDT)
Received: from smtpksrv1.mitre.org (smtpksrv1.mitre.org [198.49.146.77]) by ietfa.amsl.com (Postfix) with ESMTP id 7F62621F96EF for <oauth@ietf.org>; Mon, 12 Aug 2013 07:11:18 -0700 (PDT)
Received: from smtpksrv1.mitre.org (localhost.localdomain [127.0.0.1]) by localhost (Postfix) with SMTP id 1DEE41F0796; Mon, 12 Aug 2013 10:11:18 -0400 (EDT)
Received: from IMCCAS03.MITRE.ORG (imccas03.mitre.org [129.83.29.80]) by smtpksrv1.mitre.org (Postfix) with ESMTP id 10A851F0710; Mon, 12 Aug 2013 10:11:18 -0400 (EDT)
Received: from [10.146.15.13] (129.83.31.56) by IMCCAS03.MITRE.ORG (129.83.29.80) with Microsoft SMTP Server (TLS) id 14.2.342.3; Mon, 12 Aug 2013 10:11:17 -0400
Message-ID: <5208EC80.3060707@mitre.org>
Date: Mon, 12 Aug 2013 10:09:04 -0400
From: Justin Richer <jricher@mitre.org>
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:17.0) Gecko/20130623 Thunderbird/17.0.7
MIME-Version: 1.0
To: Leif Johansson <leifj@mnt.se>
References: <52016822.2090703@mitre.org> <5208AC1A.5060606@mnt.se>
In-Reply-To: <5208AC1A.5060606@mnt.se>
Content-Type: text/plain; charset="ISO-8859-1"; format=flowed
Content-Transfer-Encoding: 7bit
X-Originating-IP: [129.83.31.56]
Cc: oauth@ietf.org
Subject: Re: [OAUTH-WG] A Proposal for Dynamic Registration
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 12 Aug 2013 14:19:20 -0000

I think it's very important that we put *some* stake in the ground for 
the likes of OIDC, BB+, UMA, and the other higher-level protocols and 
systems that are looking toward us for Dyn Reg now. They weren't, 
previously -- all of these had mutually incompatible registration 
systems, but the work we've done so far with Dyn Reg has made a system 
that everyone can use. If we don't declare a baseline, and do so soon, 
then I fully believe that these groups will either fracture 
unnecessarily, or they'll ignore the IETF. Or both. I'll leave it to the 
chairs to decide if this gets tagged "experimental" or "standards", but 
I think that we're doing the world a disservice by not shipping what we 
have.

  -- Justin

On 08/12/2013 05:34 AM, Leif Johansson wrote:
> On 08/06/2013 11:18 PM, Justin Richer wrote:
>
> <snip>
>>   - OAuth Dynamic Registration
>>   - SCIM-based OAuth Dynamic Registration
>>   - Software Statements for OAuth Dynamic Registration
>>
> This thread makes me think we should break out the EXPERIMENTAL
> track: spin two or more proposed solutions as EXPERIMENTAL. Let the
> various groups do what they're gonna do (which they'll do anyway) and
> let the chips fall where they may.
>
> Tony is right in interpreting the discussions in Berlin as quite fractured.
> Pushing for standards track seems premature.
>
> OTOH the transition from EXPERIMENTAL to STANDARDS TRACK can
> be as quick as a couple of I-Ds describing the outcome of the
> implementation and deployment work that will happen anyway (as
> you so correctly observe) after which the WG decides how to move
> forward.
>
> Since bb+ and openidc will do dynreg anyway the document track
> doesn't really matter which means the usual "vendors won't implement
> unless it's a real RFC"-argument doesn't apply here anyway.
>
>          Cheers Leif


From phil.hunt@oracle.com  Mon Aug 12 11:08:49 2013
Return-Path: <phil.hunt@oracle.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D3D1F21F9298; Mon, 12 Aug 2013 11:08:38 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.847
X-Spam-Level: 
X-Spam-Status: No, score=-5.847 tagged_above=-999 required=5 tests=[AWL=0.751,  BAYES_00=-2.599, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id blQvD+yO6fxn; Mon, 12 Aug 2013 11:08:29 -0700 (PDT)
Received: from userp1040.oracle.com (userp1040.oracle.com [156.151.31.81]) by ietfa.amsl.com (Postfix) with ESMTP id 5591F21F9CF8; Mon, 12 Aug 2013 11:08:24 -0700 (PDT)
Received: from ucsinet22.oracle.com (ucsinet22.oracle.com [156.151.31.94]) by userp1040.oracle.com (Sentrion-MTA-4.3.1/Sentrion-MTA-4.3.1) with ESMTP id r7CI88XU013655 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK); Mon, 12 Aug 2013 18:08:09 GMT
Received: from aserz7021.oracle.com (aserz7021.oracle.com [141.146.126.230]) by ucsinet22.oracle.com (8.14.4+Sun/8.14.4) with ESMTP id r7CI83Yp008689 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Mon, 12 Aug 2013 18:08:03 GMT
Received: from abhmt115.oracle.com (abhmt115.oracle.com [141.146.116.67]) by aserz7021.oracle.com (8.14.4+Sun/8.14.4) with ESMTP id r7CI82ca011382; Mon, 12 Aug 2013 18:08:02 GMT
Received: from [192.168.1.89] (/24.86.29.34) by default (Oracle Beehive Gateway v4.0) with ESMTP ; Mon, 12 Aug 2013 11:08:02 -0700
Content-Type: multipart/alternative; boundary="Apple-Mail=_34B8953D-8092-4D68-8178-29A3445A9980"
Mime-Version: 1.0 (Mac OS X Mail 6.5 \(1508\))
From: Phil Hunt <phil.hunt@oracle.com>
In-Reply-To: <1375889079.85708.YahooMailNeo@web142805.mail.bf1.yahoo.com>
Date: Mon, 12 Aug 2013 20:08:00 +0200
Message-Id: <1E8ECD74-3356-4152-BC42-82BAB5F8F9B1@oracle.com>
References: <5200DD6C.3010003@gmail.com>	<CAC4RtVAoSB5vQPiNB2JCBjJ8vOmvyKZSkAdwithzziXfjsku3w@mail.gmail.com> <OFDF319810.D5537EBC-ON85257BC0.004AB0BC-85257BC0.004B203C@us.ibm.com> <1375889079.85708.YahooMailNeo@web142805.mail.bf1.yahoo.com>
To: Bill Mills <wmills_92105@yahoo.com>
X-Mailer: Apple Mail (2.1508)
X-Source-IP: ucsinet22.oracle.com [156.151.31.94]
Cc: "<oauth@ietf.org>" <oauth@ietf.org>, Barry Leiba <barryleiba@computer.org>, "oauth-bounces@ietf.org" <oauth-bounces@ietf.org>
Subject: Re: [OAUTH-WG] What should happen to access tokens when the end user credentials change
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 12 Aug 2013 18:08:56 -0000

--Apple-Mail=_34B8953D-8092-4D68-8178-29A3445A9980
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain;
	charset=iso-8859-1

If you are building your security based on a multi-factor model, it would seem that password events might actually be one of the lesser value triggers for changing or invalidating tokens.

Example: a hacker exploits password reset process to invalidate the legit person's access to an account, and by doing so they invalidate all existing access tokens successfully taking over ALL access to the account.

It might be reasonable to have an existing authorized client be able to initiate special account recovery procedures as a backup assuming there is a higher value of trust in the client app.

I think token invalidation should be based on other issues like suspicious client activity or client credential rotation, etc.

Phil

@independentid
www.independentid.com
phil.hunt@oracle.com





On 2013-08-07, at 5:24 PM, Bill Mills <wmills_92105@yahoo.com> wrote:

> Yahoo generally, but not always (there are special cases), invalidates all credentials on password change.  This applies to refresh tokens, access tokens, cookies, etc.
>
> From: Todd W Lainhart <lainhart@us.ibm.com>
> To: Barry Leiba <barryleiba@computer.org>
> Cc: "<oauth@ietf.org>" <oauth@ietf.org>; oauth-bounces@ietf.org
> Sent: Wednesday, August 7, 2013 6:40 AM
> Subject: Re: [OAUTH-WG] What should happen to access tokens when the end user credentials change
>
> Assuming of course that the AS was notified by the IdP (or could inquire from same, say, during introspection) that something about the user's account had changed - there's nothing in the protocol that speaks to that.
>
> Would anyone be surprised if the authorizations granted to the previous confirmation of identity were now void?  That seems like the simplest way to handle it.
>
> Todd Lainhart
> Rational software
> IBM Corporation
> 550 King Street, Littleton, MA 01460-1250
> 1-978-899-4705
> 2-276-4705 (T/L)
> lainhart@us.ibm.com
>
> From:        Barry Leiba <barryleiba@computer.org>
> To:        Sergey Beryozkin <sberyozkin@gmail.com>,
> Cc:        "<oauth@ietf.org>" <oauth@ietf.org>
> Date:        08/06/2013 08:50 AM
> Subject:        Re: [OAUTH-WG] What should happen to access tokens when the end user credentials change
> Sent by:        oauth-bounces@ietf.org
>
> > Suppose a given user has approved a client's grant request and that client
> > is now working with the access token tied to the user's login name (or some
> > other representation of that user's login credentials).
> >
> > What would be the recommended course of action when that user's credentials
> > (example, the user's login name) change, as far as the existing access
> > tokens tied to that user are concerned ?
>
> An interesting question.
>
> I think it's not the OAuth protocol's concern, but a document
> describing operations and deployment might suggest what to do.
> Groping here (I'm not a UI expert):
>
> I expect that some changes (and/or some reasons for changes) would
> make no difference to the authorizations the user has approved.  If I
> change my username from "barryleiba" to "bigkahuna" because I want to
> be cool, I would want my authorizations to persist.  If I change my
> password because I routinely change my password, I would want my
> authorizations to persist.  If I change my password because I think my
> old password was compromised, I would want to review my authorizations
> and make sure nothing untoward is there.  Alternatively, I might just
> want to invalidate all of them and re-establish them as needed
> afterward.
>
> So it would probably be good for the system in question to ask me what
> to do about the authorizations I've given out, and allow me to review
> them and address them one by one, and/or make a blanket decision for
> the lot.
>
> Maybe:
>
>    Your password has been changed.
>
>    Do you want to revoke authorizations you have approved?  [YES / NO]
>
> Or maybe:
>
>    Your password has been changed.
>
>    Do you want to review authorizations you have approved?  [YES / NO]
>
> --
> Barry


--Apple-Mail=_34B8953D-8092-4D68-8178-29A3445A9980
Content-Transfer-Encoding: quoted-printable
Content-Type: text/html;
	charset=iso-8859-1

<html><head><meta http-equiv=3D"Content-Type" content=3D"text/html =
charset=3Diso-8859-1"></head><body style=3D"word-wrap: break-word; =
-webkit-nbsp-mode: space; -webkit-line-break: after-white-space; =
"><div>If you are building your security based on a multi-factor model, =
it would seem that password events might actually be one of the lesser =
value triggers for changing or invalidating =
tokens.</div><div><br></div><div>Example: a hacker exploits password =
reset&nbsp;process&nbsp;to invalidate the legit person's access to an =
account, and by doing so they invalidate all existing access tokens =
successfully taking over ALL access to the =
account.</div><div><br></div><div>It might be reasonable to have an =
existing authorized client be able to initiate special account recovery =
procedures as a backup assuming there is a higher value of trust in the =
client app.</div><div><br></div><div>I think token invalidation should =
be based on other issues like suspicious client activity or client =
credential rotation, etc.</div><div><br></div><div><span =
style=3D"font-size: 12px; ">Phil</span></div><div><div =
apple-content-edited=3D"true"><span class=3D"Apple-style-span" =
style=3D"border-collapse: separate; border-spacing: 0px; "><span =
class=3D"Apple-style-span" style=3D"border-collapse: separate; color: =
rgb(0, 0, 0); font-family: Helvetica; font-size: medium; font-style: =
normal; font-variant: normal; font-weight: normal; letter-spacing: =
normal; line-height: normal; orphans: 2; text-indent: 0px; =
text-transform: none; white-space: normal; widows: 2; word-spacing: 0px; =
-webkit-border-horizontal-spacing: 0px; -webkit-border-vertical-spacing: =
0px; -webkit-text-decorations-in-effect: none; -webkit-text-size-adjust: =
auto; -webkit-text-stroke-width: 0px; "><div style=3D"word-wrap: =
break-word; -webkit-nbsp-mode: space; -webkit-line-break: =
after-white-space; "><span class=3D"Apple-style-span" =
style=3D"border-collapse: separate; color: rgb(0, 0, 0); font-family: =
Helvetica; font-size: medium; font-style: normal; font-variant: normal; =
font-weight: normal; letter-spacing: normal; line-height: normal; =
orphans: 2; text-indent: 0px; text-transform: none; white-space: normal; =
widows: 2; word-spacing: 0px; -webkit-border-horizontal-spacing: 0px; =
-webkit-border-vertical-spacing: 0px; =
-webkit-text-decorations-in-effect: none; -webkit-text-size-adjust: =
auto; -webkit-text-stroke-width: 0px; "><div style=3D"word-wrap: =
break-word; -webkit-nbsp-mode: space; -webkit-line-break: =
after-white-space; "><span class=3D"Apple-style-span" =
style=3D"border-collapse: separate; color: rgb(0, 0, 0); font-family: =
Helvetica; font-size: 12px; font-style: normal; font-variant: normal; =
font-weight: normal; letter-spacing: normal; line-height: normal; =
orphans: 2; text-indent: 0px; text-transform: none; white-space: normal; =
widows: 2; word-spacing: 0px; -webkit-border-horizontal-spacing: 0px; =
-webkit-border-vertical-spacing: 0px; =
-webkit-text-decorations-in-effect: none; -webkit-text-size-adjust: =
auto; -webkit-text-stroke-width: 0px; "><div style=3D"word-wrap: =
break-word; -webkit-nbsp-mode: space; -webkit-line-break: =
after-white-space; "><div><br></div><div>@independentid</div><div><a =
href=3D"http://www.independentid.com">www.independentid.com</a></div></div=
></span><a =
href=3D"mailto:phil.hunt@oracle.com">phil.hunt@oracle.com</a><br><br></div=
></span><br class=3D"Apple-interchange-newline"></div></span><br =
class=3D"Apple-interchange-newline"></span><br =
class=3D"Apple-interchange-newline">
</div>
<br><div><div>On 2013-08-07, at 5:24 PM, Bill Mills &lt;<a =
href=3D"mailto:wmills_92105@yahoo.com">wmills_92105@yahoo.com</a>&gt; =
wrote:</div><br class=3D"Apple-interchange-newline"><blockquote =
type=3D"cite"><div><div style=3D"background-color: rgb(255, 255, 255); =
font-family: 'Courier New', courier, monaco, monospace, sans-serif; =
font-size: 12pt; "><div><span>Yahoo generally, but not always (there are =
special cases), invalidates all credentials on password change. =
&nbsp;This applies to refresh tokens, access tokens, cookies, etc. =
&nbsp;</span></div><div><br></div>  <div style=3D"font-family: 'Courier =
New', courier, monaco, monospace, sans-serif; font-size: 12pt;"> <div =
style=3D"font-family: 'times new roman', 'new york', times, serif; =
font-size: 12pt;"> <div dir=3D"ltr"> <hr size=3D"1">  <font size=3D"2" =
face=3D"Arial"> <b><span style=3D"font-weight:bold;">From:</span></b> =
Todd W Lainhart &lt;<a =
href=3D"mailto:lainhart@us.ibm.com">lainhart@us.ibm.com</a>&gt;<br> =
<b><span style=3D"font-weight: bold;">To:</span></b> Barry Leiba &lt;<a =
href=3D"mailto:barryleiba@computer.org">barryleiba@computer.org</a>&gt; =
<br><b><span style=3D"font-weight: bold;">Cc:</span></b> "&lt;<a =
href=3D"mailto:oauth@ietf.org">oauth@ietf.org</a>&gt;" &lt;<a =
href=3D"mailto:oauth@ietf.org">oauth@ietf.org</a>&gt;; <a =
href=3D"mailto:oauth-bounces@ietf.org">oauth-bounces@ietf.org</a> <br> =
<b><span style=3D"font-weight:
 bold;">Sent:</span></b> Wednesday, August 7, 2013 6:40 AM<br> <b><span =
style=3D"font-weight: bold;">Subject:</span></b> Re: [OAUTH-WG] What =
should happen to access tokens when the end user credentials change<br> =
</font> </div> <div class=3D"y_msg_container"><br><div =
id=3D"yiv8486421788"><font size=3D"2" face=3D"sans-serif">Assuming of =
course that the AS was notified
by the IdP (or could inquire from same, say, during introspection) that
something about the user's account had changed - there's nothing in the
protocol that speaks to that.</font>
<br>
<br><font size=3D"2" face=3D"sans-serif">Would anyone be surprised if =
the authorizations
granted to the previous confirmation of identity were now void? =
&nbsp;That
seems like the simplest way to handle it.</font>
<br>
<br><font size=3D"2" face=3D"sans-serif"><br>
</font>
<br>
<table width=3D"223" style=3D"border-collapse:collapse;">
<tbody><tr height=3D"8">
<td width=3D"223" bgcolor=3D"white" =
style=3D"border-style:solid;border-color:#000000;border-width:0px 0px =
0px 0px;padding:0px 0px;"><font size=3D"1" face=3D"Verdana"><b><br>
<br>
<br>
Todd Lainhart<br>
Rational software<br>
IBM Corporation<br>
550 King Street, Littleton, MA 01460-1250</b></font><font size=3D"1" =
face=3D"Arial"><b><br>
1-978-899-4705<br>
2-276-4705 (T/L)<br>
<a =
href=3D"mailto:lainhart@us.ibm.com">lainhart@us.ibm.com</a></b></font></td=
></tr></tbody></table>
<br>
<br>
<br>
<br>
<br><font size=3D"1" color=3D"#5f5f5f" face=3D"sans-serif">From: &nbsp; =
&nbsp; &nbsp;
&nbsp;</font><font size=3D"1" face=3D"sans-serif">Barry Leiba &lt;<a =
href=3D"mailto:barryleiba@computer.org">barryleiba@computer.org</a>&gt;</f=
ont>
<br><font size=3D"1" color=3D"#5f5f5f" face=3D"sans-serif">To: &nbsp; =
&nbsp; &nbsp;
&nbsp;</font><font size=3D"1" face=3D"sans-serif">Sergey Beryozkin =
&lt;<a href=3D"mailto:sberyozkin@gmail.com">sberyozkin@gmail.com</a>&gt;,
</font>
<br><font size=3D"1" color=3D"#5f5f5f" face=3D"sans-serif">Cc: &nbsp; =
&nbsp; &nbsp;
&nbsp;</font><font size=3D"1" face=3D"sans-serif">"&lt;<a =
href=3D"mailto:oauth@ietf.org">oauth@ietf.org</a>&gt;"
&lt;<a href=3D"mailto:oauth@ietf.org">oauth@ietf.org</a>&gt;</font>
<br><font size=3D"1" color=3D"#5f5f5f" face=3D"sans-serif">Date: &nbsp; =
&nbsp; &nbsp;
&nbsp;</font><font size=3D"1" face=3D"sans-serif">08/06/2013 08:50 =
AM</font>
<br><font size=3D"1" color=3D"#5f5f5f" face=3D"sans-serif">Subject: =
&nbsp; &nbsp;
&nbsp; &nbsp;</font><font size=3D"1" face=3D"sans-serif">Re: [OAUTH-WG]
What should happen to access tokens when the end user credentials =
change</font>
<br><font size=3D"1" color=3D"#5f5f5f" face=3D"sans-serif">Sent by: =
&nbsp; &nbsp;
&nbsp; &nbsp;</font><font size=3D"1" face=3D"sans-serif"><a =
href=3D"mailto:oauth-bounces@ietf.org">oauth-bounces@ietf.org</a></font>
<br>
<hr noshade=3D"">
<br>
<br>
<br><tt><font size=3D"2">&gt; Suppose a given user has approved a =
client's
grant request and that client<br>
&gt; is now working with the access token tied to the user's login name
(or some<br>
&gt; other representation of that user's login credentials).<br>
&gt;<br>
&gt; What would be the recommended course of action when that user's =
credentials<br>
&gt; (example, the user's login name) change, as far as the existing =
access<br>
&gt; tokens tied to that user are concerned ?<br>
<br>
An interesting question.<br>
<br>
I think it's not the OAuth protocol's concern, but a document<br>
describing operations and deployment might suggest what to do.<br>
Groping here (I'm not a UI expert):<br>
<br>
I expect that some changes (and/or some reasons for changes) would<br>
make no difference to the authorizations the user has approved. &nbsp;If
I<br>
change my username from "barryleiba" to "bigkahuna"
because I want to<br>
be cool, I would want my authorizations to persist. &nbsp;If I change =
my<br>
password because I routinely change my password, I would want my<br>
authorizations to persist. &nbsp;If I change my password because I think
my<br>
old password was compromised, I would want to review my =
authorizations<br>
and make sure nothing untoward is there. &nbsp;Alternatively, I might =
just<br>
want to invalidate all of them and re-establish them as needed<br>
afterward.<br>
<br>
So it would probably be good for the system in question to ask me =
what<br>
to do about the authorizations I've given out, and allow me to =
review<br>
them and address them one by one, and/or make a blanket decision for<br>
the lot.<br>
<br>
Maybe:<br>
<br>
 &nbsp; &nbsp;Your password has been changed.<br>
<br>
 &nbsp; &nbsp;Do you want to revoke authorizations you have approved? =
&nbsp;[YES
/ NO]<br>
<br>
Or maybe:<br>
<br>
 &nbsp; &nbsp;Your password has been changed.<br>
<br>
 &nbsp; &nbsp;Do you want to review authorizations you have approved? =
&nbsp;[YES
/ NO]<br>
<br>
--<br>
Barry<br>
_______________________________________________<br>
OAuth mailing list<br>
<a href=3D"mailto:OAuth@ietf.org">OAuth@ietf.org</a><br>
</font></tt><a rel=3D"nofollow" target=3D"_blank" =
href=3D"https://www.ietf.org/mailman/listinfo/oauth"><tt><font =
size=3D"2">https://www.ietf.org/mailman/listinfo/oauth</font></tt></a><tt>=
<font size=3D"2"><br>
<br>
</font></tt>
<br></div><br>_______________________________________________<br>OAuth =
mailing list<br><a ymailto=3D"mailto:OAuth@ietf.org" =
href=3D"mailto:OAuth@ietf.org">OAuth@ietf.org</a><br><a =
href=3D"https://www.ietf.org/mailman/listinfo/oauth" =
target=3D"_blank">https://www.ietf.org/mailman/listinfo/oauth</a><br><br><=
br></div> </div> </div>  =
</div></div>_______________________________________________<br>OAuth =
mailing list<br><a =
href=3D"mailto:OAuth@ietf.org">OAuth@ietf.org</a><br>https://www.ietf.org/=
mailman/listinfo/oauth<br></blockquote></div><br></div></body></html>=

--Apple-Mail=_34B8953D-8092-4D68-8178-29A3445A9980--

From phil.hunt@oracle.com  Mon Aug 12 11:09:33 2013
Content-Type: text/plain; charset=us-ascii
Mime-Version: 1.0 (Mac OS X Mail 6.5 \(1508\))
From: Phil Hunt <phil.hunt@oracle.com>
In-Reply-To: <5203D379.9020501@gmx.net>
Date: Mon, 12 Aug 2013 20:09:10 +0200
Content-Transfer-Encoding: quoted-printable
Message-Id: <D45E1E6E-FB95-40D8-AAA3-304A642EA7BC@oracle.com>
References: <5203D379.9020501@gmx.net>
To: Hannes Tschofenig <Hannes.Tschofenig@gmx.net>
X-Mailer: Apple Mail (2.1508)
X-Source-IP: acsinet21.oracle.com [141.146.126.237]
Cc: "oauth@ietf.org WG" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Dynamic Client Registration Design Team: Conference Call Dates

Any time can work, though I prefer 2pm and 9pm PDT.

Phil

@independentid
www.independentid.com
phil.hunt@oracle.com





On 2013-08-08, at 7:20 PM, Hannes Tschofenig <Hannes.Tschofenig@gmx.net> wrote:

> Hi all,
>
> please enter your availability for a conference call regarding the 'dynamic client registration' design team into this webpage:
> http://moreganize.com/bltr4C3YmGj
>
> The table looks a bit scary but I am essentially offering three slots per day, namely
> * 6am PDT
> * 2pm PDT
> * 9pm PDT
> starting with August 19th to October 4th.
>
> Deadline for indicating your preference is the August 18th.
>
> Ciao
> Hannes
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth


From phil.hunt@oracle.com  Mon Aug 12 11:43:25 2013
Content-Type: text/plain; charset=windows-1252
Mime-Version: 1.0 (Mac OS X Mail 6.5 \(1508\))
From: Phil Hunt <phil.hunt@oracle.com>
In-Reply-To: <5208EC80.3060707@mitre.org>
Date: Mon, 12 Aug 2013 20:43:17 +0200
Content-Transfer-Encoding: quoted-printable
Message-Id: <0C7A9772-5D04-4CF6-8723-42AEF0877B43@oracle.com>
References: <52016822.2090703@mitre.org> <5208AC1A.5060606@mnt.se> <5208EC80.3060707@mitre.org>
To: "oauth@ietf.org WG" <oauth@ietf.org>
X-Mailer: Apple Mail (2.1508)
X-Source-IP: acsinet21.oracle.com [141.146.126.237]
Subject: Re: [OAUTH-WG] A Proposal for Dynamic Registration

Inline…

Phil

@independentid
www.independentid.com
phil.hunt@oracle.com





On 2013-08-12, at 4:09 PM, Justin Richer <jricher@mitre.org> wrote:

> I think it's very important that we put *some* stake in the ground for the likes of OIDC, BB+, UMA, and the other higher-level protocols and systems that are looking toward us for Dyn Reg now. They weren't, previously -- all of these had mutually incompatible registration systems, but the work we've done so far with Dyn Reg has made a system that everyone can use. If we don't declare a baseline, and do so soon, then I fully believe that these groups will either fracture unnecessarily, or they'll ignore the IETF. Or both.

[PH] Your position here indicates to me that there is not a lot of natural consensus between OIDC, BB+, UMA and others. If these groups are aligning solely because of moral pressure to have a single standard -- which you seem to imply by the need to "put a stake in the ground", it suggests the technical proposal is not right yet.

Despite your disparaging of SCIM, I don't think that's the issue.  Whether SCIM or custom API, the Dyn Reg model places too much complexity solely on the client to registration endpoint relationship.

For example, the information content of what the client is asserting is *not* dynamic - only the act of registration is. The client app is for the most part, "fixed", coded in a particular way for use with a specific set of APIs. Dyn Reg (and the SCIM variant) go well beyond just issuing a client_id and exchange all oauth protocol information on the assumption any value might change.  This is a very complex approach.

Then there is the issue of needing full CRUD support, I have not bought into the need for apps to be able to update registration.  Why would they do this?  Why do we need de-registration, wouldn't Torsten's revocation draft suffice?

The reason I think the assertion model might be a better path, is that it assumes a larger multi-party flow which moves complexity away from the registration endpoint to the point that in most cases a simple cert swap is all that is needed from the client's perspective.

When Tony and I put forward the SCIM variant, we thought that might be a compromise.  Still after putting it forward, I now feel the same way about it as I do the Dyn Reg draft.  What is useful from it, is the notion of defining a software statement which can be used to simplify the registration process greatly.

> I'll leave it to the chairs to decide if this gets tagged "experimental" or "standards", but I think that we're doing the world a disservice by not shipping what we have.
>
> -- Justin
>
> On 08/12/2013 05:34 AM, Leif Johansson wrote:
>> On 08/06/2013 11:18 PM, Justin Richer wrote:
>>
>> <snip>
>>>  - OAuth Dynamic Registration
>>>  - SCIM-based OAuth Dynamic Registration
>>>  - Software Statements for OAuth Dynamic Registration
>>>
>> This thread makes me think we should break out the EXPERIMENTAL
>> track: spin two or more proposed solutions as EXPERIMENTAL. Let the
>> various groups do what they're gonna do (which they'll do anyway) and
>> let the chips fall where they may.
>>
>> Tony is right in interpreting the discussions in Berlin as quite fractured.
>> Pushing for standards track seems premature.
>>
>> OTOH the transition from EXPERIMENTAL to STANDARDS TRACK can
>> be as quick as a couple of I-Ds describing the outcome of the
>> implementation and deployment work that will happen anyway (as
>> you so correctly observe) after which the WG decides how to move
>> forward.
>>
>> Since bb+ and openidc will do dynreg anyway the document track
>> doesn't really matter which means the usual "vendors won't implement
>> unless it's a real RFC"-argument doesn't apply here anyway.
>>
>>         Cheers Leif
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth


From jricher@mitre.org  Mon Aug 12 12:33:29 2013
Message-ID: <520937F2.5060700@mitre.org>
Date: Mon, 12 Aug 2013 15:30:58 -0400
From: Justin Richer <jricher@mitre.org>
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:17.0) Gecko/20130623 Thunderbird/17.0.7
MIME-Version: 1.0
To: Phil Hunt <phil.hunt@oracle.com>
References: <52016822.2090703@mitre.org> <5208AC1A.5060606@mnt.se> <5208EC80.3060707@mitre.org> <0C7A9772-5D04-4CF6-8723-42AEF0877B43@oracle.com>
In-Reply-To: <0C7A9772-5D04-4CF6-8723-42AEF0877B43@oracle.com>
Content-Type: text/plain; charset="windows-1252"; format=flowed
Content-Transfer-Encoding: 8bit
X-Originating-IP: [129.83.31.56]
Cc: "oauth@ietf.org WG" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] A Proposal for Dynamic Registration

I think you're misunderstanding what I'm saying with regard to the 
various protocols -- the different registration systems weren't 
incompatible for any deep-seated assumptions or different data models. 
They were incompatible because of different names, different formats, 
different things being used to do the same thing. Small, stupid 
differences that none of the groups were particularly tied to at the 
time, but getting them all to agree to call something "foo" and not 
"bar" is where the draft that we have came in. Now you're suggesting 
that we go back to all these groups and say "well we know we told you to 
use 'foo' for this field, but now instead we're going to change it to 
'bar', except that 'bar' isn't exactly 'bar', it's more like 'baz', and 
you need to throw out half your use cases". Ridiculous, is it not?

All of your questions about what's required or not for supporting 
dynamic client registration have been brought up and discussed in the 
history of the document in its various forms over the past couple years. 
It started out as a one-way registration, no CRUD ops or lifecycle 
management. Then people started to use it and realized that we needed 
those things, so we've added them. Once we were in that direction, we 
realized we were doing CRUD-like operations but weren't being RESTful 
where it made sense to be, so now it's a JSON-based RESTful API. We used 
to force client secrets to be used (even by public clients using things 
like the implicit or assertion flows) to access this API, but then we 
realized we could eat our own dogfood and use OAuth tokens, and that's 
where we got the registration access token. We used to have registration 
be an open POST only, but then there were very real use cases, real 
deployments, and real extension mechanisms that could be enabled by 
having the initial registration optionally be protected as an OAuth2 
protected resource as well, so that's where we got the initial access 
token. We originally had a fixed set of client parameters, but groups 
quickly wanted to add more, so we made that extensible. We originally 
had simple string values, but people wanted to be able to have localized 
text as well, so that was added.

All of these are visible in the document history, particularly if you 
look at it across the IETF, UMA, and OpenID specs as a whole. You make 
it sound as if we simply waved our hands and grabbed a bunch of features 
out of thin air and implemented them, and that's absolutely not the 
case. Everything in that draft is the result of lots of discussion, 
implementation, and deployment. Do I need to mention again that people 
are actively running this code today?

Also, I don't intend to disparage the SCIM protocol -- it's a great 
protocol for what it does, and in user and group provisioning it's 
exactly what I look toward. We're looking to potentially deploy it on 
some of my projects as well, so I'm certainly not against it. However, 
I'm not one to see it as a silver bullet for solving all RESTful API 
problems in the world, and that's exactly what I see it being positioned 
as here. Every function in the Dyn Reg spec that you claim "duplicates" 
SCIM are actually just things that it gets from being RESTful. So in 
other words, the similarities are from similar genetics, not from direct 
competition. Quite frankly, I think that what's happening here is that 
by taking the SCIM-hammer in hand you're seeing OAuth Dyn Reg as a nail. 
Also, I still think that you're ignoring the cost of implementing SCIM 
for people who aren't already doing so, especially when compared to the 
cost of implementing another (smaller, simpler, fit-to-purpose) RESTful API.

As to the direct assertions, I'm interested in seeing where it goes, but 
I don't yet (today) see how it can work in practice. And in any case it 
needs a lot more work. Take the code flow, for example -- how does the 
client present the assertion to the authorization endpoint? And what 
does it use for client_id (a required parameter)? Also, to the question 
that I asked at the IETF meeting, what about the case where you've got 
hundreds of thousands of auth servers protecting the same kind of API -- 
where does a client go to get its assertion then?

As to the "dynamic" nature of the clients, it's the *relationship* 
that's dynamic. You're once again conflating the code that executes with 
the instance of the code as seen by a particular authorization server. 
Also, in my own personal experience, there are things that change for a 
given piece of code depending on its deployment circumstances -- the 
redirect_uris for a web client, for instance, are going to be different 
depending on *where* that client software is served from.

Judging by our past conversations, I think that your model of what makes 
up a client and what makes up an auth server is valid, but limited, and 
this is continuing to color your view of what this protocol needs. I'd 
rather have something that works across the many ways that OAuth is 
being used today and can be used in the future.

  -- Justin

On 08/12/2013 02:43 PM, Phil Hunt wrote:
> Inline…
>
> Phil
>
> @independentid
> www.independentid.com
> phil.hunt@oracle.com
>
>
>
>
>
> On 2013-08-12, at 4:09 PM, Justin Richer <jricher@mitre.org> wrote:
>
>> I think it's very important that we put *some* stake in the ground for the likes of OIDC, BB+, UMA, and the other higher-level protocols and systems that are looking toward us for Dyn Reg now. They weren't, previously -- all of these had mutually incompatible registration systems, but the work we've done so far with Dyn Reg has made a system that everyone can use. If we don't declare a baseline, and do so soon, then I fully believe that these groups will either fracture unnecessarily, or they'll ignore the IETF. Or both.
> [PH] Your position here indicates to me that there is not a lot of natural consensus between OIDC, BB+, UMA and others. If these groups are aligning solely because of moral pressure to have a single standard -- which you seem to imply by the need to "put a stake in the ground", it suggests the technical proposal is not right yet.
>
> Despite your disparaging of SCIM, I don't think that's the issue.  Whether SCIM or custom API, the Dyn Reg model places too much complexity solely on the client to registration endpoint relationship.
>
> For example, the information content of what the client is asserting is *not* dynamic - only the act of registration is. The client app is for the most part, "fixed", coded in a particular way for use with a specific set of APIs. Dyn Reg (and the SCIM variant) go well beyond just issuing a client_id and exchange all oauth protocol information on the assumption any value might change.  This is a very complex approach.
>
> Then there is the issue of needing full CRUD support, I have not bought into the need for apps to be able to update registration.  Why would they do this?  Why do we need de-registration, wouldn't Torsten's revocation draft suffice?
>
> The reason I think the assertion model might be a better path, is that it assumes a larger multi-party flow which moves complexity away from the registration endpoint to the point that in most cases a simple cert swap is all that is needed from the client's perspective.
>
> When Tony and I put forward the SCIM variant, we thought that might be a compromise.  Still after putting it forward, I now feel the same way about it as I do the Dyn Reg draft.  What is useful from it, is the notion of defining a software statement which can be used to simplify the registration process greatly.
>
>> I'll leave it to the chairs to decide if this gets tagged "experimental" or "standards", but I think that we're doing the world a disservice by not shipping what we have.
>>
>> -- Justin
>>
>> On 08/12/2013 05:34 AM, Leif Johansson wrote:
>>> On 08/06/2013 11:18 PM, Justin Richer wrote:
>>>
>>> <snip>
>>>>   - OAuth Dynamic Registration
>>>>   - SCIM-based OAuth Dynamic Registration
>>>>   - Software Statements for OAuth Dynamic Registration
>>>>
>>> This thread makes me think we should break out the EXPERIMENTAL
>>> track: spin two or more proposed solutions as EXPERIMENTAL. Let the
>>> various groups do what they're gonna do (which they'll do anyway) and
>>> let the chips fall where they may.
>>>
>>> Tony is right in interpreting the discussions in Berlin as quite fractured.
>>> Pushing for standards track seems premature.
>>>
>>> OTOH the transition from EXPERIMENTAL to STANDARDS TRACK can
>>> be as quick as a couple of I-Ds describing the outcome of the
>>> implementation and deployment work that will happen anyway (as
>>> you so correctly observe) after which the WG decides how to move
>>> forward.
>>>
>>> Since bb+ and openidc will do dynreg anyway the document track
>>> doesn't really matter which means the usual "vendors won't implement
>>> unless it's a real RFC"-argument doesn't apply here anyway.
>>>
>>>          Cheers Leif
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
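
The registration lifecycle described in the message above (an optional initial access token on the first POST, a per-client registration access token for later read/update/delete, extensible metadata, and redirect_uris that differ by deployment), as an added Python example that is not part of the thread and not taken from any draft. The class and method names, the `client_name` and `registration_access_token` field names, and the HTTPS-only redirect rule are assumptions made for illustration.

```python
import hmac
import secrets
from urllib.parse import urlsplit


class RegistrationError(Exception):
    """Rejected request, carrying an HTTP-style status code."""

    def __init__(self, status, reason):
        super().__init__(f"{status} {reason}")
        self.status = status


def _same(a, b):
    # Constant-time comparison so token checks do not leak a matching prefix.
    return hmac.compare_digest(a.encode(), b.encode())


class RegistrationEndpoint:
    def __init__(self, initial_access_tokens=None):
        # None: open registration. A set: the first POST is itself a protected resource.
        self._initial = initial_access_tokens
        self._clients = {}  # client_id -> {"rat": str, "metadata": dict}

    @staticmethod
    def _validate(metadata):
        uris = metadata.get("redirect_uris")
        if not isinstance(uris, list) or not uris:
            raise RegistrationError(400, "redirect_uris must be a non-empty list")
        for uri in uris:
            parts = urlsplit(uri)
            # Assumed policy for this example: HTTPS only, no fragment.
            if parts.scheme != "https" or not parts.netloc or parts.fragment:
                raise RegistrationError(400, f"bad redirect_uri {uri!r}")

    def _record_for(self, client_id, token):
        record = self._clients.get(client_id)
        # Unknown client and wrong token fail identically; a token issued for
        # one registration is useless against any other.
        expected = record["rat"] if record else secrets.token_urlsafe(32)
        ok = _same(expected, token or "")
        if record is None or not ok:
            raise RegistrationError(401, "invalid registration access token")
        return record

    def create(self, metadata, initial_access_token=None):
        if self._initial is not None:
            presented = initial_access_token or ""
            if not any([_same(t, presented) for t in self._initial]):
                raise RegistrationError(401, "initial access token required")
        self._validate(metadata)
        client_id = secrets.token_urlsafe(16)
        rat = secrets.token_urlsafe(32)
        # Extensible metadata: unknown fields are stored and echoed back untouched.
        self._clients[client_id] = {"rat": rat, "metadata": dict(metadata)}
        return {**metadata, "client_id": client_id, "registration_access_token": rat}

    def read(self, client_id, token):
        record = self._record_for(client_id, token)
        return {**record["metadata"], "client_id": client_id}

    def update(self, client_id, token, metadata):
        record = self._record_for(client_id, token)
        self._validate(metadata)
        record["metadata"] = dict(metadata)  # full replacement; client_id is stable
        return self.read(client_id, token)

    def delete(self, client_id, token):
        self._record_for(client_id, token)
        del self._clients[client_id]


def status_of(call, *args, **kwargs):
    """Return 200 if the call succeeds, else the rejection's status code."""
    try:
        call(*args, **kwargs)
        return 200
    except RegistrationError as err:
        return err.status


def demo():
    """Same client software served from two places (constructed sample values)."""
    endpoint = RegistrationEndpoint()
    a = endpoint.create({"client_name": "Example App",
                         "redirect_uris": ["https://a.example/cb"]})
    b = endpoint.create({"client_name": "Example App",
                         "redirect_uris": ["https://b.example/cb"]})
    # Instance A's registration access token must not open instance B's record.
    cross = status_of(endpoint.read, b["client_id"], a["registration_access_token"])
    return a["client_id"] != b["client_id"], cross


if __name__ == "__main__":
    print(demo())
```
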


From phil.hunt@oracle.com  Mon Aug 12 16:55:16 2013
References: <8e1ea7617c20b54b3cecbc99364b399a@gluu.org>
Mime-Version: 1.0 (1.0)
In-Reply-To: <8e1ea7617c20b54b3cecbc99364b399a@gluu.org>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: quoted-printable
Message-Id: <4AACCC15-5DE8-4906-9756-0E33D37FC240@oracle.com>
X-Mailer: iPhone Mail (10B329)
From: Phil Hunt <phil.hunt@oracle.com>
Date: Mon, 12 Aug 2013 16:55:05 -0700
To: "mike@gluu.org" <mike@gluu.org>
X-Source-IP: acsinet22.oracle.com [141.146.126.238]
Cc: "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] OX needs Dynamic Registration: please don't remove!
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 12 Aug 2013 23:55:16 -0000

I don't think there is a call to stop work. However there is a lack of consensus on the current draft moving forward.

I too want a single, simple solution.

Phil

On 2013-08-08, at 13:22, mike@gluu.org wrote:

> OAuth WG,
>
> As some of you may know, the OX open source project provides an implementation of Enterprise UMA, which enables organizations to control which people and clients can access web resources.
>
> I rarely weigh in, because you all are doing such a great job. However, I was quite distressed to learn about the suggestion to stop work on the dynamic client registration spec. This proposed change would have a negative impact on OX, and the varied adopters of our software from around the world.
>
> No standard for dynamic client registration would make OX less "standard" by creating a bigger delta between UMA and other OAuth2 implementations. As OX also implements the OpenID Connect OP endpoints, and dropping this effort would also make a convergence path for client registration less likely.
>
> Please leave dynamic client registration!
>
> Thanks for all your great work!
>
> - Mike Schwartz
> Founder / CEO
> Gluu
> http://gluu.org
>
> PS: Help us crowd fund open source OAuth2 plugins for Apache HTTPD : http://www.gluu.co/uma-apache

From sberyozkin@gmail.com  Tue Aug 13 00:45:26 2013
Return-Path: <sberyozkin@gmail.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A979D21F9D05 for <oauth@ietfa.amsl.com>; Tue, 13 Aug 2013 00:45:26 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.001
X-Spam-Level: 
X-Spam-Status: No, score=0.001 tagged_above=-999 required=5 tests=[BAYES_50=0.001]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Ut61QC7NtlCR for <oauth@ietfa.amsl.com>; Tue, 13 Aug 2013 00:45:25 -0700 (PDT)
Received: from mail-wi0-x22b.google.com (mail-wi0-x22b.google.com [IPv6:2a00:1450:400c:c05::22b]) by ietfa.amsl.com (Postfix) with ESMTP id DFBFB21F99FD for <oauth@ietf.org>; Tue, 13 Aug 2013 00:45:24 -0700 (PDT)
Received: by mail-wi0-f171.google.com with SMTP id hr7so276069wib.10 for <oauth@ietf.org>; Tue, 13 Aug 2013 00:45:22 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=message-id:date:from:user-agent:mime-version:to:subject:references :in-reply-to:content-type:content-transfer-encoding; bh=61HYBE/K6hqW32FIQkeaHY6Tl4tifX38UradEZE6L8U=; b=jNvUCYbo0PhRnm2QteeA67W9/VGn9DqfWSpRa+iO5w1iSbBxarMxMSELZZvUar7dUM nI3CNwfFDWFbr2uSM2m3O0fsbTnUPs6iwy7C1l7uNV1YJi5rYgdQPUwM1GyUJk1kBPa8 OyzNx5joM0eMH6KBp3x8eT+gAUTh9yqUjROOk3nq612WcpKx/YDMNqw6gZu7tXWNCsHz G7fWOilmphaChYahqZJbakA8BW8umX3oiXIecqxT5F0AUzsJ42FiEantaoZFdM2fYSMy KzbAslALAE9y8i8DbY+FVQn9cYr9oHCzMk5YbYSKcBTSz//TSKPmvTg527FMk/NFRowu gcOQ==
X-Received: by 10.194.8.9 with SMTP id n9mr2035803wja.11.1376379922780; Tue, 13 Aug 2013 00:45:22 -0700 (PDT)
Received: from [10.39.0.31] ([87.252.227.100]) by mx.google.com with ESMTPSA id z2sm1453525wiv.11.2013.08.13.00.45.21 for <oauth@ietf.org> (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Tue, 13 Aug 2013 00:45:22 -0700 (PDT)
Message-ID: <5209E3F9.9090402@gmail.com>
Date: Tue, 13 Aug 2013 10:44:57 +0300
From: Sergey Beryozkin <sberyozkin@gmail.com>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:17.0) Gecko/20130623 Thunderbird/17.0.7
MIME-Version: 1.0
To: oauth@ietf.org
References: <52016822.2090703@mitre.org> <5208AC1A.5060606@mnt.se> <5208EC80.3060707@mitre.org> <0C7A9772-5D04-4CF6-8723-42AEF0877B43@oracle.com> <520937F2.5060700@mitre.org>
In-Reply-To: <520937F2.5060700@mitre.org>
Content-Type: text/plain; charset=windows-1252; format=flowed
Content-Transfer-Encoding: 8bit
Subject: Re: [OAUTH-WG] A Proposal for Dynamic Registration
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 13 Aug 2013 07:45:26 -0000

For whatever it is worth, let me add my 2c, I've briefly looked through 
the latest Dynamic Registration Draft, and also briefly looked at SCIM - 
interesting specification, did not know it even exists :-).

IMHO these are 2 rather different texts, SCIM looks very useful, look 
forward to understanding it better :-), but it appears to be at a higher 
level than Dyn Reg Draft is - the latter is centric around a specific 
use case as far as I can see and the whole language of the latter is 
about addressing this specific use case. Appears to me SCIM and DynReg 
of OAuth2 Clients texts complement each other as opposed to 'compete' 
with each other, and they intersect simply because they use some similar 
terminology. I may be repeating some of what is said below.

Re the use of assertions: I'd like to think that getting the assertions 
flowing in OAuth2 applications is useful only when we have a task of 
integrating with existing IDPs or some other involved scenarios. Using 
them as the central pieces of the protocol will raise the complexity bar.

Apologies for not commenting inline - the above is just the comments 
after a brief overview of the documents :-)

Cheers, Sergey

On 12/08/13 22:30, Justin Richer wrote:
> I think you're misunderstanding what I'm saying with regard to the
> various protocols -- the different registration systems weren't
> incompatible for any deep seated assumptions or different data models.
> They were incompatible because of different names, different formats,
> different things being used to do the same thing. Small, stupid
> differences that none of the groups were particularly tied to at the
> time, but getting them all to agree to call something "foo" and not
> "bar" is where the draft that we have came in. Now you're suggesting
> that we go back to all these groups and say "well we know we told you to
> use 'foo' for this field, but now instead we're going to change it to
> 'bar', except that 'bar' isn't exactly 'bar', it's more like 'baz', and
> you need to throw out half your use cases". Ridiculous, is it not?
>
> All of your questions about what's required or not for supporting
> dynamic client registration have been brought up and discussed in the
> history of the document in its various forms over the past couple years.
> It started out as a one-way registration, no CRUD ops or lifecycle
> management. Then people started to use it and realized that we needed
> those things, so we've added them. Once we were in that direction, we
> realized we were doing CRUD-like operations but weren't being RESTful
> where it made sense to be, so now it's a JSON-based RESTful API. We used
> to force client secrets to be used (even by public clients using things
> like the implicit or assertion flows) to access this API, but then we
> realized we could eat our own dogfood and use OAuth tokens, and that's
> where we got the registration access token. We used to have registration
> be an open POST only, but then there were very real use cases, real
> deployments, and real extension mechanisms that could be enabled by
> having the initial registration optionally be protected as an OAuth2
> protected resource as well, so that's where we got the initial access
> token. We originally had a fixed set of client parameters, but groups
> quickly wanted to add more, so we made that extensible. We originally
> had simple string values, but people wanted to be able to have localized
> text as well, so that was added.
>
> All of these are visible in the document history, particularly if you
> look at it across the IETF, UMA, and OpenID specs as a whole. You make
> it sound as if we simply waved our hands and grabbed a bunch of features
> out of thin air and implemented them, and that's absolutely not the
> case. Everything in that draft is the result of lots of discussion,
> implementation, and deployment. Do I need to mention again that people
> are actively running this code today?
>
> Also, I don't intend to disparage the SCIM protocol -- it's a great
> protocol for what it does, and in user and group provisioning it's
> exactly what I look toward. We're looking to potentially deploy it on
> some of my projects as well, so I'm certainly not against it. However,
> I'm not one to see it as a silver bullet for solving all RESTful API
> problems in the world, and that's exactly what I see it being positioned
> as here. Every function in the Dyn Reg spec that you claim "duplicates"
> SCIM are actually just things that it gets from being RESTful. So in
> other words, the similarities are from similar genetics, not from direct
> competition. Quite frankly, I think that what's happening here is that
> by taking the SCIM-hammer in hand you're seeing OAuth Dyn Reg as a nail.
> Also, I still think that you're ignoring the cost of implementing SCIM
> for people who aren't already doing so, especially when compared to the
> cost of implementing another (smaller, simpler, fit-to-purpose) RESTful
> API.
>
> As to the direct assertions, I'm interested in seeing where it goes, but
> I don't yet (today) see how it can work in practice. And in any case it
> needs a lot more work. Take the code flow, for example -- how does the
> client present the assertion to the authorization endpoint? And what
> does it use for client_id (a required parameter)? Also, to the question
> that I asked at the IETF meeting, what about the case where you've got
> hundreds of thousands of auth servers protecting the same kind of API --
> where does a client go to get its assertion then?
>
> As to the "dynamic" nature of the clients, it's the *relationship*
> that's dynamic. You're once again conflating the code that executes with
> the instance of the code as seen by a particular authorization server.
> Also, in my own personal experience, there are things that change for a
> given piece of code depending on its deployment circumstances -- the
> redirect_uris for a web client, for instance, are going to be different
> depending on *where* that client software is served from.
>
> Judging by our past conversations, I think that your model of what makes
> up a client and what makes up an auth server is valid, but limited, and
> this is continuing to color your view of what this protocol needs. I'd
> rather have something that works across the many ways that OAuth is
> being used today and can be used in the future.
>
>   -- Justin
>
> On 08/12/2013 02:43 PM, Phil Hunt wrote:
>> Inline…
>>
>> Phil
>>
>> @independentid
>> www.independentid.com
>> phil.hunt@oracle.com
>>
>>
>>
>>
>>
>> On 2013-08-12, at 4:09 PM, Justin Richer <jricher@mitre.org> wrote:
>>
>>> I think it's very important that we put *some* stake in the ground
>>> for the likes of OIDC, BB+, UMA, and the other higher-level protocols
>>> and systems that are looking toward us for Dyn Reg now. They weren't,
>>> previously -- all of these had mutually incompatible registration
>>> systems, but the work we've done so far with Dyn Reg has made a
>>> system that everyone can use. If we don't declare a baseline, and do
>>> so soon, then I fully believe that these groups will either fracture
>>> unnecessarily, or they'll ignore the IETF. Or both.
>> [PH] Your position here indicates to me that there is not a lot of
>> natural consensus between OIDC, BB+, UMA and others. If these groups
>> are aligning solely because of moral pressure to have a single
>> standard -- which you seem to imply by the need to "put a stake in the
>> ground", it suggests the technical proposal is not right yet.
>>
>> Despite your disparaging of SCIM, I don't think that's the issue.
>> Whether SCIM or custom API, the Dyn Reg model places too much
>> complexity solely on the client to registration endpoint relationship.
>>
>> For example, the information content of what the client is asserting
>> is *not* dynamic - only the act of registration is. The client app is
>> for the most part, "fixed", coded in a particular way for use with a
>> specific set of APIs. Dyn Reg (and the SCIM variant) go well beyond
>> just issuing a client_id and exchange all oauth protocol information
>> on the assumption any value might change.  This is a very complex
>> approach.
>>
>> Then there is the issue of needing full CRUD support, I have not
>> bought into the need for apps to be able to update registration.  Why
>> would they do this?  Why do we need de-registration, wouldn't Torsten's
>> revocation draft suffice?
>>
>> The reason I think the assertion model might be a better path, is that
>> it assumes a larger multi-party flow which moves complexity away from
>> the registration endpoint to the point that in most cases a simple
>> cert swap is all that is needed from the client's perspective.
>>
>> When Tony and I put forward the SCIM variant, we thought that might be
>> a compromise.  Still after putting it forward, I now feel the same way
>> about it as I do the Dyn Reg draft.  What is useful from it, is the
>> notion of defining a software statement which can be used to simplify
>> the registration process greatly.
>>
>>> I'll leave it to the chairs to decide if this gets tagged
>>> "experimental" or "standards", but I think that we're doing the world
>>> a disservice by not shipping what we have.
>>>
>>> -- Justin
>>>
>>> On 08/12/2013 05:34 AM, Leif Johansson wrote:
>>>> On 08/06/2013 11:18 PM, Justin Richer wrote:
>>>>
>>>> <snip>
>>>>>   - OAuth Dynamic Registration
>>>>>   - SCIM-based OAuth Dynamic Registration
>>>>>   - Software Statements for OAuth Dynamic Registration
>>>>>
>>>> This thread makes me think we should break out the EXPERIMENTAL
>>>> track: spin two or more proposed solutions as EXPERIMENTAL. Let the
>>>> various groups do what they're gonna do (which they'll do anyway) and
>>>> let the chips fall where they may.
>>>>
>>>> Tony is right in interpreting the discussions in Berlin as quite
>>>> fractured.
>>>> Pushing for standards track seems premature.
>>>>
>>>> OTOH the transition from EXPERIMENTAL to STANDARDS TRACK can
>>>> be as quick as a couple of I-Ds describing the outcome of the
>>>> implementation and deployment work that will happen anyway (as
>>>> you so correctly observe) after which the WG decides how to move
>>>> forward.
>>>>
>>>> Since bb+ and openidc will do dynreg anyway the document track
>>>> doesn't really matter which means the usual "vendors won't implement
>>>> unless it's a real RFC"-argument doesn't apply here anyway.
>>>>
>>>>          Cheers Leif



From gffletch@aol.com  Tue Aug 13 06:34:09 2013
Return-Path: <gffletch@aol.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 59A3B21E8135 for <oauth@ietfa.amsl.com>; Tue, 13 Aug 2013 06:34:09 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.598
X-Spam-Level: 
X-Spam-Status: No, score=-2.598 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, HTML_MESSAGE=0.001]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 9UvZMdn+oUKo for <oauth@ietfa.amsl.com>; Tue, 13 Aug 2013 06:34:05 -0700 (PDT)
Received: from omr-d02.mx.aol.com (omr-d02.mx.aol.com [205.188.109.194]) by ietfa.amsl.com (Postfix) with ESMTP id 12C7521E812F for <oauth@ietf.org>; Tue, 13 Aug 2013 06:34:05 -0700 (PDT)
Received: from mtaout-db06.r1000.mx.aol.com (mtaout-db06.r1000.mx.aol.com [172.29.51.198]) by omr-d02.mx.aol.com (Outbound Mail Relay) with ESMTP id E71C8700E4F31; Tue, 13 Aug 2013 09:34:02 -0400 (EDT)
Received: from ping-audit-10-181-176-212-20120320.ops.aol.com (ping-audit-10-181-176-212-20120320.ops.aol.com [10.181.176.212]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by mtaout-db06.r1000.mx.aol.com (MUA/Third Party Client Interface) with ESMTPSA id 6B4A2E0000EB; Tue, 13 Aug 2013 09:34:02 -0400 (EDT)
Message-ID: <520A35CA.50006@aol.com>
Date: Tue, 13 Aug 2013 09:34:02 -0400
From: George Fletcher <gffletch@aol.com>
Organization: AOL LLC
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:17.0) Gecko/20130801 Thunderbird/17.0.8
MIME-Version: 1.0
To: Phil Hunt <phil.hunt@oracle.com>
References: <8e1ea7617c20b54b3cecbc99364b399a@gluu.org> <4AACCC15-5DE8-4906-9756-0E33D37FC240@oracle.com>
In-Reply-To: <4AACCC15-5DE8-4906-9756-0E33D37FC240@oracle.com>
Content-Type: multipart/alternative; boundary="------------060007000504050304060603"
x-aol-global-disposition: G
X-AOL-VSS-INFO: 5400.1158/92915
X-AOL-VSS-CODE: clean
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=mx.aol.com; s=20121107; t=1376400842; bh=ZBzimTHLikH7IfTXsaELIIkHycri+3AIzyULBs/6hEo=; h=From:To:Subject:Message-ID:Date:MIME-Version:Content-Type; b=cV0EblzBLr4HhOIf6LNB08YRIIpP5ZqlHjAtx+jqd+43LzeJGLh6JeElKx5CGt8T9 0c83ye4+iTftKy1AuFlTgR1k3l1WB573kuKUVnmO8f6ALOQfX3o+NPRqV9YZ6pzXqk 3obPnVH+IcIeYQzIhTAXAyY1KxTRJmX6AFlMxbas=
x-aol-sid: 3039ac1d33c6520a35ca0d61
X-AOL-IP: 10.181.176.212
Cc: "mike@gluu.org" <mike@gluu.org>, "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] OX needs Dynamic Registration: please don't remove!
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 13 Aug 2013 13:34:09 -0000

This is a multi-part message in MIME format.
--------------060007000504050304060603
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit

I know I wasn't at the IETF meeting but I'm confused regarding all this 
talk of "lack of consensus". It seems to me there is a lot of consensus 
regarding the existing spec (given all the current implementations). 
Couple that with the fact that the current spec doesn't exclude the 
additional use cases that you've raised, I don't see why we don't 
establish the current spec as the core document and then develop 
profiles for the additional use cases. It is unlikely that there is 
going to be a true single solution because to cover all the use cases it 
will have to be so flexible that profiles will arise regardless. In that 
case, let's build off the solid core that we have and add these 
additional profiles providing a win-win for implementers.

My 2 cents:)

Thanks,
George

On 8/12/13 7:55 PM, Phil Hunt wrote:
> I don't think there is a call to stop work. However there is a lack of consensus on the current draft moving forward.
>
> I too want a single, simple solution.
>
> Phil
>
> On 2013-08-08, at 13:22, mike@gluu.org wrote:
>
>> OAuth WG,
>>
>> As some of you may know, the OX open source project provides an implementation of Enterprise UMA, which enables organizations to control which people and clients can access web resources.
>>
>> I rarely weigh in, because you all are doing such a great job. However, I was quite distressed to learn about the suggestion to stop work on the dynamic client registration spec. This proposed change would have a negative impact on OX, and the varied adopters of our software from around the world.
>>
>> No standard for dynamic client registration would make OX less "standard" by creating a bigger delta between UMA and other OAuth2 implementations. As OX also implements the OpenID Connect OP endpoints, and dropping this effort would also make a convergence path for client registration less likely.
>>
>> Please leave dynamic client registration!
>>
>> Thanks for all your great work!
>>
>> - Mike Schwartz
>> Founder / CEO
>> Gluu
>> http://gluu.org
>>
>> PS: Help us crowd fund open source OAuth2 plugins for Apache HTTPD : http://www.gluu.co/uma-apache

-- 
George Fletcher <http://connect.me/gffletch>

--------------060007000504050304060603--

From hannes.tschofenig@gmx.net  Tue Aug 13 06:56:12 2013
Return-Path: <hannes.tschofenig@gmx.net>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BD8D421E811F for <oauth@ietfa.amsl.com>; Tue, 13 Aug 2013 06:56:10 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.599
X-Spam-Level: 
X-Spam-Status: No, score=-102.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Y8Uqt98duwxD for <oauth@ietfa.amsl.com>; Tue, 13 Aug 2013 06:56:05 -0700 (PDT)
Received: from mout.gmx.net (mout.gmx.net [212.227.15.15]) by ietfa.amsl.com (Postfix) with ESMTP id 744E421E8125 for <oauth@ietf.org>; Tue, 13 Aug 2013 06:55:52 -0700 (PDT)
Received: from [172.16.254.200] ([80.92.114.247]) by mail.gmx.com (mrgmx103) with ESMTPSA (Nemesis) id 0Lkwpt-1VjxP405Yr-00amRB for <oauth@ietf.org>; Tue, 13 Aug 2013 15:55:47 +0200
Message-ID: <520A3AEF.7000908@gmx.net>
Date: Tue, 13 Aug 2013 15:55:59 +0200
From: Hannes Tschofenig <hannes.tschofenig@gmx.net>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:17.0) Gecko/20130804 Thunderbird/17.0.8
MIME-Version: 1.0
To: George Fletcher <gffletch@aol.com>
References: <8e1ea7617c20b54b3cecbc99364b399a@gluu.org> <4AACCC15-5DE8-4906-9756-0E33D37FC240@oracle.com> <520A35CA.50006@aol.com>
In-Reply-To: <520A35CA.50006@aol.com>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
X-Provags-ID: V03:K0:Zlqor/yqSOwJIxuC32mD+11gs5SwLpPAwix9x3mLZd3RC5npXZV xW6DCWzfm3ds89XSILR2eCZhqkSmIvaVuGDyWMxNoWT6IK6TJNdQmw7Rt8Mgm359nN1amGb gJ9tQcudutJyIMUThwLBcwV6CqvBCJUEtMf8Lp5zVQShdJ6mOuOMf/7qTpAfJ612PHh0yxc gu6R/H2i3QDHvYPz3x4OQ==
Cc: "mike@gluu.org" <mike@gluu.org>, "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] OX needs Dynamic Registration: please don't remove!
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 13 Aug 2013 13:56:13 -0000

Hi George, Hi Mike,

as expressed in my mails I am certainly interested to hear what 
implementers currently need and what their timelines are. If you have 
someone I need to talk to please let me know. Maybe you are one of the 
implementers.

I also believe that there isn't a single solution that will fit all 
scenarios. Use cases will help us to find out what the core components 
need to be and what other functionality we can easily "outsource" into 
extensions.

I also wanted to clarify that I am not suggesting to stop the work on 
dynamic client registration; on the contrary I am hoping to expedite the 
work by using the design team.

Various folks have entered their preference into the webpage already 
(see http://moreganize.com/bltr4C3YmGj). Let me know if you have time as 
well.

Ciao
Hannes

On 08/13/2013 03:34 PM, George Fletcher wrote:
> I know I wasn't at the IETF meeting but I'm confused regarding all this
> talk of "lack of consensus". It seems to me there is a lot of consensus
> regarding the existing spec (given all the current implementations).
> Couple that with the fact that the current spec doesn't exclude the
> additional use cases that you've raised, I don't see why we don't
> establish the current spec as the core document and then develop
> profiles for the additional use cases. It is unlikely that there is
> going to be a true single solution because to cover all the use cases it
> will have to be so flexible that profiles will arise regardless. In that
> case, let's build off the solid core that we have and add these
> additional profiles providing a win-win for implementers.
>
> My 2 cents:)
>
> Thanks,
> George
>
> On 8/12/13 7:55 PM, Phil Hunt wrote:
>> I don't think there is a call to stop work. However there is a lack of consensus on the current draft moving forward.
>>
>> I too want a single, simple solution.
>>
>> Phil
>>
>> On 2013-08-08, at 13:22, mike@gluu.org wrote:
>>
>>> OAuth WG,
>>>
>>> As some of you may know, the OX open source project provides an implementation of Enterprise UMA, which enables organizations to control which people and clients can access web resources.
>>>
>>> I rarely weigh in, because you all are doing such a great job. However, I was quite distressed to learn about the suggestion to stop work on the dynamic client registration spec. This proposed change would have a negative impact on OX, and the varied adopters of our software from around the world.
>>>
>>> No standard for dynamic client registration would make OX less "standard" by creating a bigger delta between UMA and other OAuth2 implementations. As OX also implements the OpenID Connect OP endpoints, dropping this effort would also make a convergence path for client registration less likely.
>>>
>>> Please leave dynamic client registration!
>>>
>>> Thanks for all your great work!
>>>
>>> - Mike Schwartz
>>> Founder / CEO
>>> Gluu
>>> http://gluu.org
>>>
>>> PS: Help us crowd fund open source OAuth2 plugins for Apache HTTPD: http://www.gluu.co/uma-apache
>>>
>>> _______________________________________________
>>> OAuth mailing list
>>> OAuth@ietf.org
>>> https://www.ietf.org/mailman/listinfo/oauth
>
> --
> George Fletcher <http://connect.me/gffletch>
>


From jricher@mitre.org  Tue Aug 13 07:02:27 2013
Return-Path: <jricher@mitre.org>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BF8AF21E80DF for <oauth@ietfa.amsl.com>; Tue, 13 Aug 2013 07:02:27 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.598
X-Spam-Level: 
X-Spam-Status: No, score=-6.598 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id SIOcxUapRYKw for <oauth@ietfa.amsl.com>; Tue, 13 Aug 2013 07:02:21 -0700 (PDT)
Received: from smtpksrv1.mitre.org (smtpksrv1.mitre.org [198.49.146.77]) by ietfa.amsl.com (Postfix) with ESMTP id C1A0A11E80EA for <oauth@ietf.org>; Tue, 13 Aug 2013 07:02:14 -0700 (PDT)
Received: from smtpksrv1.mitre.org (localhost.localdomain [127.0.0.1]) by localhost (Postfix) with SMTP id 86D3A1F046E; Tue, 13 Aug 2013 10:02:08 -0400 (EDT)
Received: from IMCCAS01.MITRE.ORG (imccas01.mitre.org [129.83.29.78]) by smtpksrv1.mitre.org (Postfix) with ESMTP id 2C1381F045B; Tue, 13 Aug 2013 10:02:08 -0400 (EDT)
Received: from [10.146.15.13] (129.83.31.56) by IMCCAS01.MITRE.ORG (129.83.29.78) with Microsoft SMTP Server (TLS) id 14.2.342.3; Tue, 13 Aug 2013 10:02:07 -0400
Message-ID: <520A3BAD.1050703@mitre.org>
Date: Tue, 13 Aug 2013 09:59:09 -0400
From: Justin Richer <jricher@mitre.org>
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:17.0) Gecko/20130623 Thunderbird/17.0.7
MIME-Version: 1.0
To: George Fletcher <gffletch@aol.com>
References: <8e1ea7617c20b54b3cecbc99364b399a@gluu.org> <4AACCC15-5DE8-4906-9756-0E33D37FC240@oracle.com> <520A35CA.50006@aol.com>
In-Reply-To: <520A35CA.50006@aol.com>
Content-Type: multipart/alternative; boundary="------------090602040309020002010407"
X-Originating-IP: [129.83.31.56]
Cc: "mike@gluu.org" <mike@gluu.org>, "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] OX needs Dynamic Registration: please don't remove!
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 13 Aug 2013 14:02:27 -0000

--------------090602040309020002010407
Content-Type: text/plain; charset="ISO-8859-1"; format=flowed
Content-Transfer-Encoding: 7bit

+1

On 08/13/2013 09:34 AM, George Fletcher wrote:
> I know I wasn't at the IETF meeting but I'm confused regarding all 
> this talk of "lack of consensus". It seems to me there is a lot of 
> consensus regarding the existing spec (given all the current 
> implementations). Couple that with the fact that the current spec 
> doesn't exclude the additional use cases that you've raised, I don't 
> see why we don't establish the current spec as the core document and 
> then develop profiles for the additional use cases. It is unlikely 
> that there is going to be a true single solution because to cover all 
> the use cases it will have to be so flexible that profiles will arise 
> regardless. In that case, let's build off the solid core that we have 
> and add these additional profiles providing a win-win for implementers.
>
> My 2 cents:)
>
> Thanks,
> George
>
> On 8/12/13 7:55 PM, Phil Hunt wrote:
>> I don't think there is a call to stop work. However there is a lack of consensus on the current draft moving forward.
>>
>> I too want a single, simple solution.
>>
>> Phil
>>
>> On 2013-08-08, at 13:22, mike@gluu.org wrote:
>>
>>> OAuth WG,
>>>
>>> As some of you may know, the OX open source project provides an implementation of Enterprise UMA, which enables organizations to control which people and clients can access web resources.
>>>
>>> I rarely weigh in, because you all are doing such a great job. However, I was quite distressed to learn about the suggestion to stop work on the dynamic client registration spec. This proposed change would have a negative impact on OX, and the varied adopters of our software from around the world.
>>>
>>> No standard for dynamic client registration would make OX less "standard" by creating a bigger delta between UMA and other OAuth2 implementations. As OX also implements the OpenID Connect OP endpoints, dropping this effort would also make a convergence path for client registration less likely.
>>>
>>> Please leave dynamic client registration!
>>>
>>> Thanks for all your great work!
>>>
>>> - Mike Schwartz
>>> Founder / CEO
>>> Gluu
>>> http://gluu.org
>>>
>>> PS: Help us crowd fund open source OAuth2 plugins for Apache HTTPD: http://www.gluu.co/uma-apache
>>>
>>> _______________________________________________
>>> OAuth mailing list
>>> OAuth@ietf.org
>>> https://www.ietf.org/mailman/listinfo/oauth
>
> -- 
> George Fletcher <http://connect.me/gffletch>
>


--------------090602040309020002010407
Content-Type: multipart/related;
	boundary="------------060901050107090100020702"

--------------060901050107090100020702
Content-Type: text/html; charset="ISO-8859-1"
Content-Transfer-Encoding: 7bit


--------------060901050107090100020702
Content-Type: image/png
Content-Transfer-Encoding: base64
Content-ID: <part8.06040001.03010503@mitre.org>

yoGslpCyUJlriAbzGq8t5lQoPqZMw9rhYHzhF+B9GModK3YwvDYEx4ZFh3QH007TDcNAMHY1
DBUzoWJg05X1vMH0pbmZ7hAQyErqgNKPcHkHGDp4GAMagu2taKl+CL5VzOuNM6BsZsnOvcfC
U78XWc/DILeNQ//6OHiFBeq860DBJt6xTxZAVlHP3MzrEBaRr55XWcCdNru5ubm5uf0/4z30
ODNeTQE+FIflzcAsikoJgF1aRXfQ9ogxqg50K3mrawSOt9I0WoLUXpwRQSB3UXrLY0HX0jVF
XgPc/o+wrprJ6Sk1oXCPOh1qfAZRw4cV/zgUpGde5Q12yC31ov6DMqCG2Xpl7Ab5ufzSlR9M
2wvuKDcJtC6utTY/YJP+pjQDtBavd2ZMBVcD+z7VBRk/Zc/K7gCZB9/OSNkLru3WAFtXCO7t
W8l/OgTtCGjuFQbKD0o+IkA99mZxaiqIaYVehqwEZbvRpvMBzlJQFw2ikJTPFQVKIyZLRlCO
aHPpBZJReiFNAemo6EQEiMparKs+KOelWcIAyhppqvwTaGWkS8rHILYYdnrcBnt//RdeCqSM
V0coNeHtitxtFh9IrBv/6sUZSFn1+O3DY5ByI/lB0glQ2hgnG3PB/5uIIuFfgeeq4DZBrUBO
0MdgBmcny3VbIGQ9S36aGgmObo7BWjlQ6skV9Zlg+sxsM7wFjwDPHV5DwWOGZ3XPjWAc76GY
GoOhh3GFMQN0O/UL9KdAJyuV9QkgjVYO4g2iulBFLkjDhUHrCtoldbh2F7Tl2nGXAtoi11VH
PxArHJVcQ0Ar4DKoDwC98xdHP9CluD6UrGBA/kz3HLxve5kNs8C1y/uuMRGcLZ02LQ5yRlvC
nE3BsjN3e+44ePrLhQ9PVgR7bsSR8CtQ3BU6rG5DCNflnxr4OWgbRYDTCdo110dmJ3j19KxJ
NOT0y/G1hoB8Tv5EvgQZ69J6WT4F0wDTUJMDIlcEzPHOAfWca5C2ECp+UO7rEmtAd9e0ukAp
uNz3Tvizo2DLVBY5pkDpkOLbim2BGwdjMvd/DzlHHMsfLQf+F/26nJubm5ubm9sf84cTZ11X
/Uemj0At5izkbA4Mk76kHrCAddJckJMZLW8HR3NXS4cRHC+T57/9CAxhxiSTE+SNAQEBd8G1
2eHtqATyM50q1QTD6pI1ik+E4B5RdjUb1M+87F69gclZdxLegmKVuzq/BvWRdWVWV1DCii+r
eR3kA6bpvqOA2moBdRKIYLWMvRPk9nlRO7Ew2JZnfWbLB65WtiRtCnBNOu2XDa4TUhlVhjev
4g8lxoIrwJ5gMUJY4cjiBYaCnOTq5VwK+rJMFLtBlItMCv4A9JEhC73Pgthqi7NNB/yyb9m3
ghisnySugu6ReoHF4GrsOKgOACFLD6kHYgCLqQa6Q7o5xi5gsxtXeu+EzKWG4+YJkKzZLjoS
IfGDN51fToLECvfX3vGGJN/XjldTgFummh6hENi6sHeRqWAuE1jCrxk4SjpLOsdA9rikh6mD
QK1mq6Qmg6mJeYjhCvh+G+jr9z34bQhpEHQF/EYG/OzfB3ynek/z6gPmJZ6FTF1AN0P/QtcE
lINSMWUciB8ZJJaB1lcMYCnIH4ogKRFEf/bTEhgpOolNoF5Rp2ofAnvoKJoBp7TDwgKuH7Xr
2m5wNVF3qo1B89RuqIdBJDiHO6+Cs511UG4wqJ3sxaz3wPWjetwxCVwp6iIxFQyddQ+kymBa
5LvN2Bt8KvoIkwS56+35XEPh7YDUQcmB8OPQzS1+6gP+FwI+DtoBIQuC2weVgsqxFQaU+BXK
li6zr+ACyBydule6D46B0n3XNXh7K+Fk6lIwzDIE6X+F8p5V/YvkB2mzbrzcFhSrdt25Fkos
LuJrOAJ3nt9t7/gEnry+c+BOFPicKT+jzFGop5bZ0ucInHp0afze0gB88Gc3cjc3Nzc3N7f3
4w8nzmfqXRh5aRTUKlf1ftXaIF+TtokEEKtEknYLiJaGyykgl5d+UsqCx6qApOBrkFQ5oWty
CvgWNC21XwLDRUMp6QvQ1qmebAFD59DUIqNAvZLVK3sdiGoOnf0nkBZIr6RDQJbc2RgH+mFF
Glf7GvTLgkTkDSDafjP3LoixOk/9c6Bf7ngtC5Qb9llCAzlVeWLcDZ7bPZMMN8HL07tBYCNw
Zonx+X8Ei0fi0rgyEPf90wt3toF1R1pqSh0I+ykqqOBbMN60ts+JAmVDaliaAXSRPq19H4DW
2/nEdQvkFnJFqQkYPhCN5CiwL9CEtgt0NZQDygJwNdDqaP1ArYNBtw1c8X7H/IZCqtMZqUkQ
Nyt5SOK3kLDmsf7OBHh99WHIgzVgXeOaqRUA341RxfO1BuPuwPE+P4PTy7lZnQMpjeNmv5kG
8hP1GuEQXC+oXmBhCE0rdTKfC0IbRK4KnQO+P/p7+vqCxynzBFMGGErrVymeoDdI56UgUCSh
owuIq2pTURGsj10z1e9Be6x9qTUG6bn8SDaAds31Sp0IroGaVRsGWjlxQDQHpbFoQT6QhkgN
pTKgPJRXid6gVEZIyaBcZK1SHSTkbBnQldULwytwTDatMB8GVx+1uisExAaXxWEFe23HNNtA
cJWzlrTWAMcQ+yLnUFAmqJKWCYYQUyX5JniMN+X4fQDWe9bOjpKQ1i+zeFp7SC6a5ZteDrJn
5ljTF0Ha1eRKb7Oh/q36l+rfAMNPvk/9CkBQl6CdfpngqqGOUGeBLr/eoThAbeGKF7HgUlzF
5Z8hlWRjzneQMyLjUsIZyHQkTnv2HVx4mrM7tjeUGFc8spQdam8u07Px5j+7ebu5ubm5ubm9
T384cc5unR5lrwm6UUqWVBxczdQKmh/IPaXRHAAxHoeYBVJXuZ50FZTGnpJHJJgCAif5TgJn
F8ctZyx4NvUe55cNrhfqOHUtiHXmG0GDQZdpCvc3gatY1tvUFqD/ylTafBWU6uFDSs0H6Tn1
lGUAjtG5lUB8rvRXXoEoK9XEF0Qr7ak2DsReea6oAATzmTYa5JHSaFcH8Boml7WeAOdoLcK5
F4w7/BN0hcEVYwmP+A7e6hPSX7YH53FrckwNCP4i/EjgFPBq6ncnYjRo+a297R+DmC21Ux6A
c7PrG+dlECu1lcIC0h1phDgMcn9nV8evIDXQzdEXBnspz1FBIRAban9ki4XY716OftwPXmXd
fHJjHyQ2f8Or6aDE+ff0bQq+n0WWiYgFpbboKa2D9BJvSiQ5QDdKsysLIfKbyLnh5aFAXPEj
hT6D4K35ksJXgW8B32yvE2C6oj9k2A38yDqlEaitVFV9BfIcrZ7QwDWJkdQA+0x1o5oPtLEi
BAPQWPKXvweDRaeT84FusNSTXNACpa+1keA669qgdAHbKPW+WhKcmcwUR8HVRf1a7Q/OTppR
nAJlq/yVFAV6p3RY2gZqKe0Jh8AuqcmuH0CUpRojQIoQO6TKoFzUbTJ9B6KP9InRDMpH+ice
CaDPdV2wjwf9Smsd631wxdvT7fdAV1d96GwN+g7mkkomGD43HfPxgOytucn2IfCmdcKepEiw
jbNPdXYDXhobmDqD/2Kvr7zKQHZmxo6cbmCtaxmT8xPYExx1HZ6QO9jm70iD3FfWrbkV4U3y
2/3pbcGyxtI++RD4jvWdrcwAa3F7uNoC7n74sPK9byB5b0qjN4WgHvWp+wfa17sf8MjJycnJ
yYH6W+pvqb/l79fLKJxROKMw/NL+l/a/tIfelt6W3hZYW21ttbXVYMiQIUOGDHn/XyBr1qxZ
s2bNvx7/j27v5ubm5ub2P+kPJ87Xf3qu3XkKUfEPW0Wuhsoly48sPhlyStgm231AacgmMQvY
QLw4DK45TovzBvh19FnmvRvYI05JX4Ejy9nI9QVIIyWFEyA1V84pFUAEskz3BHRbfBJNRsCX
xpIetMNqX9UC8keUdjQDhki99R+B9kDMU8+AfIgY7Q2I7bkFUluDfVt6RvJLsL+ynklPA5q6
XKnt4NGa16WexUNqrcQe8e0h3+yQL0Jqgv9W/zmRKmR6mV97Fod0P1df6QG4Or1pmL4YvIdY
Bmdbwb9ikG/4CTDuMtfwNYNWUy2mrQEpWIRKVpCeOjprw0FeqLP5tgBLtG8L7wfweE5Ww7RI
eJF579j9tfB89I1dV3MhO9n2zFIGPGIjt+TPBUMHv/6e18C6OfNK9jPQiuXUtH8P4baI+hHf
QpFeZcoUjYf8+Qu8yj8GvE/4DvE5DnIL5Yg8EaQvpEnsBhGpntaeguio9XMVBLGbL2gDrmpi
jxgOogyvmA3SG1kvnwLRTfPWhoP2kzZQM4KrHL9wCXQHpVfMA31tpbTUEsR+Mcp1EERpx2nR
BJyh6lj1ArgyxV1XIRDPtBvEg/REncwBYDDhUlcQr4SEN4gxIkuUB/FWNBUFQOSKCeIKiG3a
VK0PSHNw0g9cV8VbyQdEP2WFMQLksh7lDYmgjzA8tY8C+Z7jV1tP0Okdm+zVQQlw7HB8Dfq9
5g4Gb8h9qBuhrwXp1qz12U442Piw7lQV0H2uP2PeAPpTylVlJOSOyzqT8RbS56bdTCkKak0p
3nkbNB+tnCsZXFfEWt0SMFwx7JEqgytE8/AMAD+dfykvE0g7aK7WhaRLad9nTgRqUpaV/3r7
Krqw6MKiC+GnaT9N+2ka1K1Yt2LdiiDfkm/Jt/LWe/eT24XnF55feD5IJskkmWDglYFXBl75
932BDKw4sOLAin/e9v9u4pq4Jq7B7ma7m+1uBl3Tu6Z3Tf8dG65mNavhzp07d+7cgZiYmJiY
GHBWcFZwVoDg2ODY4Fho+Kjho4aPQFmvrFfWw8UVF1dcXAGvf3798+uf88Ll75i/Y/6OUPtu
7bu17+Z9/s/9nvs994Mrq66surIqb/3qw6oPqz4MCmcUziic8Y+Le6zQsULHCkFGdEZ0RjR0
Ldy1cNfC//zx+tsLIfeFkZub2/9r/nDi/GJTSp8n5+B0gVvVAixQ6oMSOyMHgC5HfiUvAvG9
aCsVBzrzkoaAgxhcoJ7RjJoepPrSQoaB9FD+mgnAHrKlAGA5ZTAB5UV7bTWIxdJiZSXgEvPU
T0F3j+OiAohDWOQnIO6LDk5v0C/QH/PsCE5Tas8X/SB7wIWip+aAWiipb1JnEDfU07mV4HmT
+8uflYIbnz/88Y0fSNvsDaQY8BWlxnoXAv0L5XTSh6BOxcu7DBicfkr4r6C7qisinYfMXa5j
aW3AsTEjINkC/p7OjdbBYD5h2GC+A1IpNdAwEnSnvSsHL4Ckel4pAQvhwZSEt2908OzKNelq
H3jsee/I9VRw5FecBh34fF1gboEckNN0wdIAyFr+ZlXqLfBVPKqbG0OJArUiK12AgmdLTiqc
AEHLAs4G7gH9JP2H+p4gHWANNUAsUiWtIog0LQEnCKsYJMwgq3zPclCmsUDSQP1K2sqnQCtt
ufYtiG9FkBYB+uq0lvqAOCKVYQbIZbV7YiCIS2IFO0Ecoo/WFdgu8ok1oFSTC4s0ME2VgpVc
sH+hHhHVwSVjFDJoS7RFYg6op9Tx2mPQylFQGIBaYp+mgWgtZkh9gVTasQukX0RbxoBoLLaL
ViDWIxMA6nxRU+QH2ooUKQm0NnJ/gxdIQcYDypegL6+U15cHcUj6IHcSMNFZ1/UzSEOk29QC
5ZayxzQDMs9ZCsifgv22OsF5DbyDfI96x4BhnqfqUQHsByVVWQ+ZpdJuJpmBJ/I9uSqI3WKq
GgDWLrb9rkGQ9E3KuZyRYDxvGKi8Bq+OPo3Ni0B7I/apPwF/MGn18fHx8fEBvwl+E/wmwOuG
rxu+bggFKECBv1rvXeJc70S9E/VOAK1pTWv4/tb3t76/BUOqD6k+pHpeIlPzds3bNW/DE98n
vk98ocWUFlNaTIHoBdELoheAtbS1tLU0FEorlFYoDW7rbutu6/4+Afqt+BUGVBhQYQC8aPai
2YtmeRcAVatWrVq16t9v3zigcUDjALhx48aNGzdADBaDxWBQV6or1ZVQ+mzps6XPQsWVFVdW
/AMXIr/Xs53Pdj7bCY+2PNryaAukf5X+VfpXv3/7x+Mej3s8DuL94/3j/aHzpM6TOk8CpYZS
Q6kB523nbedtcLny5cqXK4PHZo/NHpvB0d/R39Efeph6mHqYQKwWq8VqOJl1MutkFtzceXPn
zZ1QhSpUAc4tP7f83HLotK/Tvk778tbfZ99n32eHwhTm9+S/Lya/mPxiMgxOG5w2OI3fv6Gb
m5vb/8/IfzRAoUFmXeg4eC1eXUmYAj9fPHD8zDMwHTHYzF+BVkM0YxkQQTwPQfpKWiwtBlRc
OEEMEFNZD9JycUyqDhJEMADECVFEfADSZGmTEgPyJhGt9QJuU5xVoJWQFureAI203S5P0HZL
fowCtYSlccI8cBxIGHF/JljrvfSLOQLaZ66I9F1AltbJfgxMP3qVMa2DOoNqNazoAbViGrvq
+4BxVXBOZCVIaWvb4PkLSC6vBf47wPOF2ctjEuhUr/Fem8GzsnfFyBUgVin1AgIgc0VmYYsP
ZHxsOZf9E9gfeoz3qQzJb7zb+1+Fh+fe1H9lgJgNZ8uffgQxO28uvhYGjh7Gox5HwBweeSz0
A3DVcDjsKlg/eNs4/R4U/jrKFLIPGlVvPq9Oa6h4tvqtCt9D1I2IYZGlweuFYYrRCkoL7ay2
FnRHRTGtOZiWyL3kNaCvQhH5W9BVE19IVUGKFS34BvhFnasGg+4D7awaCUos87VHYPxA6SKP
Br3MXhEG0ueuva5b4Njk7O/qCtYhzvWuNMgd51TUdaCNFasoAMaHersYD7oD0iHXIJA7aQ21
aFCmaWdcF0AJErIoBrqrci9yQLkodxc5IJ2XgqQyIF2RxohaIIfRRHQA3YdyvNQfDFtlnfwY
9I2ll1IVMPaS1kntwTBQ6k4wGOZJ10QHUEKlHtJwUM7rMo0XwSB5PPVeBeZ95lYeb8HjS3mr
VBrMm6Vv1L7g6+FVQ18FvD/W5ShbIKtiSlTKA7BXsmdZoyH0dtiU0AcQeSaiWpG1IN8Rl029
Qf6MdcITdP2UWcplsI10DNA6QXr7zOmWe6DeUlur3UB2iPnOyPfXUItlFcsqlgXPdjzb8WxH
3vLME5knMk+As7+zv7M/hL4OfR36+vfH7dy5c+fOnfMSuSLpRdKLpEOPHj169OgBvk98n/g+
+efLGzkrclbkLGif0D6hfQLcXn97/e31v73+vZH3Rt4bCVVWV1ldZTV0z+ye2T0TOr7t+Lbj
W7g6+Orgq4P/+XLYbDabzQbOS85Lzku/fzvvR96PvB9B2bJly5Yt+8/v98HmB5sfbIZqUjWp
mgS6EboRuhEgVZWqSlWhevXq1atXh9LnSp8rfQ6eNn7a+GljqKRV0ippIK2V1kprQZZlWZbz
lv/t5//up8etZ61nrWfBes56znoO9Bv0G/Qb/nE53yXk7xyIOBBxICLvuB0/fvz48eOwJWZL
zJYY2N5oe6PtjSC6SHSR6CJ56/3ez+H3xtu7d+/evXshJSolKiUqL87+/fv3798PZ86cOXPm
TN7ydxcqJ4udLHayGDgcDofDAUeOHDly5Ahs897mvc0bDnU41OFQh98u97sLvzsj7oy4MwL2
TNkzZc8UeD7x+cTnE2HX813Pdz2HHb47fHf45pX/UYNHDR41+OfPEzc3t//7/OEeZ9kgr/UY
CA13VzTWvQ3VzZXTC7cHq9PxxN4W5Hj5pHQMpBHsFDkgDovnoiZwm8tcBOZI06TPQVzXamuv
gRJaPFnAD/JhKRdow2hxAsRjqkr9gMfcFJOBbeSI66ClSB9JRpC3uRam+EDqhIM1Nv4KmvXS
V/fLgml9rS3Va4Ao5t3cdyBISfd73AL8lxovGJZCZhV9Of9m4Nht1JsSwZnqmOb5LWgRprqG
VmCub9CMI0DXQDfTcySon/KdczcYmsg+wgiGhz59A5ZDboDlqaEVWJeZahnrQ+75gD7h6+Hu
4df34krDvY/PPDjjhGfmR18+NYGzjM9Vj4HgWSygqv+n4OycHWkrAfrtWrTrNpRfWalFGaDk
sAqrSsRBflPUynwnwWOprrN+EuSctQy3rAN7dzFMfAOGrbryhmgwfak/aCgFjin2evbvQcnF
iBcoM+UAPgXNqhm1XcDP0nRRFBxlXYGuHqBNEee5A7aWor9rDYgA1Sy8wdVci6EcyM+kadpk
kPJp+cQmcL4URaWaoNSQCopCYFitbyPSQE5jpPgSlED6iMeg5MjRUgtQW4tG0kBwVlETyQCq
ikHSHZB2oanLQBlOG/aD4bCusbwQpDRpAvPA9Z0ao90FaZYK9UB7Kj4UtUBrwGPJBHKG1IAE
UDtwGS8QF8Q5MkD6VrolR4JazxBs2ABaFz6SPgajyfbAZgXsjun29cBj8w2lKYhM2nIAsgtb
m1pegRGzMLog5JN8q0IWgrRf6W74HN6Oi/v40UJw3SLYfgjUBfIRoUKuOfeU2gpse6wmxwPw
yFEGyxHvr6EW+arIV0W+gquhV0OvhoLrW9e3rm/hxcgXI1+MhCL9i/Qv0h8YylCG/uN4pUuX
Ll26dF4i90b/Rv9GD40WN1rcaPFf7bd7ke5FusOZO2funLnz+8sb8UvELxG/gBwjx8gxoK5R
16hrfnv9Dvk65OuQDxJ+Sfgl4Re4X+d+nft1IOVoytGUoyC2iq1iK1CZylT+x/tP7pTcKblT
XqKlu627rbsNXXO75nbNBQ8PDw8Pj9/ePmR6yPSQ6X+1YA1rWPMPd/sX6V3Tu6Z3hfjV8avj
V8ORzUc2H9kM9gv2C/YLEN42vG14W6g/pv6Y+mMg51nOs5xn4PuN7ze+3wBNaUrTvHh+jf0a
+zWG7LvZd7Pv5i2vu6nuprqb4OdDPx/6+RAQRxxx0CasTVibsH9czkY+jXwa+cATnvAEaBfR
LqJdBBzverzr8a7gGeMZ4xkDvTb02tBrA0iZUqaUCVcaXml4pSGcL3O+zPky0ORZk2dNnv32
fs71OdfnXJ/fHy+/T36f/D7wpt2bdm/agf8V/yv+VyA3Nzc3Nxfs/ez97P2AdNJJh4QDCQcS
DkD+t/nf5n8L165du3btGkREREREREDL7JbZLbPh/o/3f7z/I1zqf6n/pf7QcFvDbQ23/Xa5
311Ybqy1sdbGWtAlqEtQlyDwyfTJ9MnMe/bg3YVnCUpQ4vefJm5ubv8X+sM9zo7rhqfxFnjq
Gfv5sTbgXdyrt1clkK+IKdoekOzivFgBope4hA3I4RXPgQc85SnI30mXpRHgqOt47ewB9l3O
Us56IGtyZfkNiF1iqQgDssgScSBVwo8MoJx4RjzIn2k4ZcjNuFLsdCBI9dOzcquCNLx064ou
8Pmsyd1eWyDY0ubwwA/Ad3DLqC4lILh3lV4VsyE0NWCN9wdgHM+PymBQPzGd8lBB2aG7aooF
Za/utVmA/YrmZQ0HtZdjvHoW7G3tkyxFwNbF0iJjD3iVCBweXB1cXgXPl5LhvuHN129qQsza
s/vO3Idn3R7Vi+kF9kXe+4yPwfTYp4pfT3B2zgnJjQSvJ8oUuSnUGFXzdRU7VP61zuJKP0P+
nvm75ysP+wyHqh96AWtSN9/9cSX8MHLHtu0rYLXXhukbVsPJu+ePnPkY3pxMOhP3PRiOmHzk
+iCbdSd0k8F1TTstPgei5SW63iC/NYzVDwf9h6bm+s3gcdzwgX4IGIYwTroA0gPhrc4C0yA5
R1wGQxN5jrQHGC2uimKgNlALuMaBdadrhXMQWL+xzXNVBHmwqCeVBZ9M82vlOpjm63VSAdDr
pclqeTAUk6aqy8GjhrKe/GBeKn8k3QX9FjmK7qDuVp+ou8DxrVNzXQfnETVR6wSuSWRp/cA1
lzZaLDhVMcSVAa5r2gi1O7gs6mKxE1xtRBvtZ3C0E/VFEriSxAiKgfxa56nvDoatpq89PMD0
xHjWtAU8lhMsyoApxbRWag/eIaZ4ZSpkn0xvkvoILBMsx7Prgd+RkDE+B6FwgQLXCvqAqbL+
rLcVDDHG6R6ZoM2Uh5rKQ86m3GGiPrgGufaaZ7y/hmr8wfiD8QcIjw+PD4+H2ODY4NjgvCEa
RaOLRheN/v3x3vWAvqNd1a5qV0FeK6+V1+Ytl4ZIQ6R/YWzq347B/kfe9Qw+efrk6ZOneT2+
lQdXHlz5X+hpfje04t1Qj3cJa86inEU5i/7wx/EPuVwul8sFltOW05bT0KVgl4JdCkKfM33O
9DkDgS8DXwa+hBPFThQ7USxviMVvEWvEGrHm79d7lyA2n9R8UvNJ0CygWUCzALg2+Nrga//C
cXvn3RjrSoMqDao0KO8Cixvc4AZUvFzxcsXL8OqnVz+9+un9x3uXAL9LnJMPJx9OPpx3J0Me
Lg+Xh+f1sCfMSpiVMAvy5cuXL18+eDn55eSXk6Fkr5K9SvbKK0cpSylLKQvEtYlrE9fmt8v7
txeWEbMiZkXMgpM9T/Y82RNu3bp169atvMS5RfMWzVs0//efV25ubn++P9zjXK51/u21JoFB
yA8y/eBN8USPxBZQrFzRLYVuQ1a1nI7ZI0F/XP9QPxIYz2YqA/0Iog5wUVzmGmR6ZERkHYCA
GYGeARbQuonSWhRIW6UIaSSQLi6L2iDuMIZtIO2UV8me4GqSWSZZAWv92PD46+BMSAu03oTg
i/1WDtgF+rPB3SNug3OEPdVuBeOWAkfLLAXxkf1L+zXw71p1ll8aeEy9sOVJU3hV8+X55FVg
G0OUXBNcVRwB9hNg2G/wFhaQ3zqfqVEgHVCj7UtBqiCEtBlsJ7wOen4Iz18nPUyaAo/sl8Zf
OAFPkx+tevAFZHXxWGa8Cr5JXvW9loOcYm1kvw0+No/WpukQ8bDosfwDIfSroifzfQuG2/od
xqFw+8G9o/d7wL2mMTnP6sDr+NjTb+ygjFC26F+DLVN94fgK7uhjPnieBYe+OVbrhB9U2V3R
Um4clGhY9GHhXFA+1hU01IfEgYm5iXUhyCvol6AloGsinuo7g3mWXlW9IKRU6OyQTuD5wDzD
vxo4PrFfcnwBzj2uMNdBcH7uytE6Aw3kFsqXoEwUdaQBIAfoPtVZIC0p55ClFGQ2ytInnwTf
rt4f+y0Hwy7jMlMKcE8x8R24PnNVdP0Iztmuc2wGtasYIDaCNlp8TTKo/cTneAP7eaJ9C9pn
AnERsJLOXeBTxohWINcSH/E14CmOiqYgCvNAnAOprFBFWVCHiMdiDwiXOCtiQJ4qv5ZOgFTQ
WNw0BAzfaxmcAK9B9pbWYyCSDUXZBBQSQUppyLqT+jJ5I3g28x/kEuC/OKC9XykIPSbOShsh
6XjilbfHwZEihCUJMgKyCtsrgfZK/7HnL++/wRbrWaxnsZ5wc+3NtTfXgnpFvaJegYD5AfMD
5v/rcSPaRbSLaAdP5j2Z92QelKIUpYCnO5/ufLoTOMMZzvzr8f+RxMTExMRE6DG8x/Aew8Gc
Yk4xp0BcXFxcXBxwiEMc4i8P3f2jnvV3FxJWo9VoNYKxtrG2sTaEnA45HXL631ePd0z3TfdN
96FqdNXoqtFgqGuoa6gL3OMe96CSo5KjkgM2jdw0ctNI8F7mvcx7GWTtydqTtQf88MPvr+Jl
98jukd0DfAr5FPIpBAxiEIMgZU7KnJQ5EBUVFRUVBSJKRIkoiJ4TPSd6zr9e/ncJutxb7i33
/i9W+M/j/+7hScpTnvLvL15IXEhcSBykPk59nPoY3oS8CXkTAmElwkqElQDlsHJYOZw3dMW4
3bjduB1MyaZkUzJYblhuWG7Axmsbr228Rt4dAwUFBaRz0jnpHNCb3vwX5fnbC8sWgS0CWwRC
6ujU0amj4e3BtwffHoSbr26+uvkKOMIRjkArWtHq3396ubm5/Yn+cOIcXzf582fHoblHnah2
Cpy7dfnZ5RCwebl62GtAodh8alQtUILl3sp+oKuoLLaB9prN2ijQyqpZrr1AI9FX+w6kj0VF
eQzIS1gkTwPnbtdO502QC8hJSguQIqQoBgJOyYAZeG1bYhkFopv1qr04eJyqUK56Lug9wssU
rQHaa9vd3O4gBSi3jadAfIJFXg4u39RgS3swlg7vV7gG+HesNaXUz+D8MfsrWyCkR2Yvdg0C
Ghu/1qWB1kz1cbQGJjoLZx4FSqjt1FdgPxrRreBEeLE/+7W9BDwteCnywgl4FnGv281sSBuq
L6VfBR4tTdm+JnB96+ztKAnyQfmG9ByUrT6/6JfDixlvFr/sBHGnkj6NzwLbfltpV3eI35f4
a/INsJW2lnVUAV2c3FGpB2qKaOYIBNHalSFugCtM6MV9yNidHWVfD7/8fPTQqf5wwXI581ot
kJ/J3+qskPNL7ke550CuI42WSoI5vynQXAvEL+yU2oBPG9+LHqWg+5sO3m2rgb+P76CAgWDo
qq9m9AH9j4YdhtqQNSJ7YU4yOGY5VzjT4G2jlK6JIXClyrW6t0ZA6uq0Uan+EHw6tETAazBl
mYqafwXPHNNWsy9UVMpXL+8Cr25GX++LoN7UvtBagtaanmwFbayYpRUHbZAmsw3ELdFCVADp
E2mEdAq0kdqnWjMQvqg8AM1TRIi6oB0VH/EBSC+pKZqBNFT7kSGgDRSBIgnUmlQXO0BrwjqR
A7LFuMBwCfTV6KH+CB41rVVtH4P4zDBFzgfmGlp9pS9YpcyktDkg5xrn6otARMcChJaBUkcK
Pov8EHy+NNw2LwHzBx5l9L7goQtdHbEAgIZ/ZFaNv/UuQTrd83TP0z2h/Lzy88rP43cPYfgt
devWrVu3LkR7RXtFe8HdnXd33t0JhQsXLly48F/1RA9hCP+G2RGq3ax2s9pN2F9nf539dcA0
wzTDNCOvhz04PDg8OBwutb3U9lJbqElNav438d71SFagAhX++o2SlKTk+y9/ds/sntk9wXub
9zbvbVCwYMGCBQvmDQ2oWKtirYq18nrwH+of6h/qIbR1aOvQ1hCWEZYRlgF3at2pdacW1F9d
f3X91eTNzvGfy4tsKbKlyF9NR/hufykNUxqmNASRIlJECviO9x3vO56/JNj/rHezeNyucbvG
7Rp5Y7XfuVXpVqVblSCqZ1TPqJ7vP967sd3BU4OnBk+FhwUeFnhYADoc6HCgwwHQzdXN1c2F
C/0u9LvQD4pnF88unp0Xz6eRTyOfRtB4R+MdjXdAcMvglsEtIftU9qnsUxDnEecR5/GPy/3O
rma7mu1qBm2WtFnSZgmUtpW2lbZB/p75e+bvCXte7nm55yVwkYtcfP/nl5ub2/8efzhxLl2u
WKuq0yF3tuNx9iXwHutx1/wJJO+M35/8KeTzCPHxj4esD61HpU5wc8a9PZcXQ1Bt35dhhSGm
6us657tAhL9/2YLNIfJ8zukSOigQV3R3wfZgXKdPN40D8UDK1WLBKamPXbNA/0Kki/3AKNmC
Fxi+yTcnVAMvY515jTuAq6UcwH2QVR6IX4Di3NGCgfbGXCUVdA38m/gDWrq+lMdQMAeUuFNi
BPiViJ+TkQFam7OXrzvBGqv9LNUB14Oct6kBYBmd/dwZAK51hQ6UfgvJX3lO8ykFr6bf1l89
Bi9K3p5/wwIpz7XJ9AfdMa+nXvPAYFG6sRWypmdXzBkB6Q3US7ZBED8ho+3bAuAa6fDRNoCj
glpW+wWUOMM0gwXUQmpP1QLaIGdnlw3kZfIdLKBtdi13dQC1lTirvAFyUNSn4OrrnKumg7ma
qb7XNrDUsIZqzUAd6bTljgTTQOMe0/fgytT6qv6Q5ZvdwqoDNdPVVkqBpDKppqyGsGbMjxk7
O4DPBJ+Snueg3P4ScSU+AnWltkGrDQ+ex3g9Ogu6AXqL3BCs1W0f2M6ClVwvxwnALErKQ0Dr
orSQT4LjlONJ+j4QD1wDHZ+AobgxVd8RijgKvC48Efwe+N4LmA1itvpQGwzSbSRxHvTLla66
5uC6qS51TgWtg/qWAsAi4RJlQNg5LZYBzUUWgSBNwFv0B+0LMUNeB6KNlq5+A9JlylMDtFC1
pTof5HrKOe6AOl86I7KAfnrF4Af6ntpAbS+YY23DnBWALwwh8k3Q9or6ujVgfZReJnUByEne
ez36Q7Xp9VZWHghV31SrVukmcE4qQ2XQokRx7r3/BqtUV6or1eGj6h9V/6j6P17/b2fB+K1p
wVILphZMLQgtY1vGtowF02jTaNPovFvhMaYYU4zpX4//e5eXzSybWTbz/R+3f7c9Lfa02NMC
PuIjPgJq6GroaujgXOFzhc8Vhq1eW722egFb2cpWCGkV0iqkFTTu0bhH4x5gGmQaZBqUN0vG
7t27d+/eDWK32C12Q1hYWFhYGFSqWKlipYrALW5xC+qOrju67miI7hHdI7oHUJSiFIUGxgbG
BsZ/vT71POp51POAs9Fno89Gw7aUbSnbUvLeD34V/Cr4FdTbVG9TvU383Zjs9xUvf1L+pPxJ
kDwneU7yHPAq4VXCqwTo4nXxuniwLLEssSzJW48wwgiDhg0bNmzYEM58eObDMx/mDZ15N9a9
9qLai2ov4jd7nP9WxYEVB1YcCPvD94fvDwdpgjRBmgBSJ6mT1AnqX69/vf71P+fcc3Nz+58l
Xbp06dKlS0LUqFGjRo0a/3ogLcg1SL0GqalpG5Iugscg81O/fXDnh4fPT46BWFesI60XFNEV
3Vb6OCR2ze707C7cn/+88OlgCE/x3Jg/DF4XTpgSfxRaxtY91Lc4eId6tTPdAj+jz3P/guB/
OWhmyAtQF4sWYiaoa1LO3X0EapqarasKhknhO8vMAPmm/bkqgRqjTFfHgpClsvJi0Pmp30iP
QO1jbCMXBt1xeZtyC6xeDzfcvAmZhfcHHo6DtyMSm2Z+A9kV7Utzn4LjZe5EQyToEguUK2kF
Nb3S7tIB8Ozgo3m3Z8PtsKP59oyEJ1eSBmdYILeBh9n3HPge9gzw/Ars3a0brVUgpVDGjNT2
YOnsCLA+AF07fZb+Pqh2LUWcBl0b3XVDW9BmyrW1FKCtqhd1wDHTPts5A8RRUV/rBVKEVAt/
0MK0aFEShLcIZi+ILBGtySA/lrtIDUF+JO+T24N8QR4gVQNpmrRU6g38KJnpDY5xjjdqeTBE
69so+0GVxBvtNkhjRXOlKUgu6Qt+BSlUyq/1A5c3SVoW6JJlu64+GAbpL8ozQJ2rnhBNQX4o
HVPyg7bFFSnOAp2YI3Sg///Ye8s4ra11cftaSR4dH2aQwd2Lu0uLuxUtVqBAsQLFiktLS7FC
seJeiru3SHF3ijMwMMP4zGNJ1vvhHN45v71PTzeFvbv/58z1ZSbJnZW1bslz585Kctieqm0E
2cFcawyDXBNylMp2EDJty5QxfB1k+zjzgSwFIcuLjJsyx4HP5fvE7A8J7oQ6cZshw6IMX2a4
AsIq4i0dQCmh9DcngXHFWK2fA2mRjSwjQV9tVPIFgugoXopvQd2p/KK4wVfLO8YsDGoJrZBZ
GtydfIvkeZA9hVXsAm0RlcwewCe+mnoX0Ed7Snkug2uJVzOGg3uJEUc+SOrumeDrAhbdPsgx
GHItzJU7+wmo+rCMUuIbKNKpyML8c0CN8WtqvQKOvtasjv8HEsGfk39O/jkZ7CvtK+0roYws
I8tIuLjk4pKLSyDh64SvE76GunXr1q1b9+2P97+NrVu3bt26FZo3b968efO/ujfppJNOOum8
a06fPn369GlQe/bs2bNnz/HjXz9U8aZs+/nnCTPLgtvqK+/aCqK2csLvNtznydA7N+Fc0I3f
zmyE8G8DzbzxUHt1jRHVssEL+bzp04HwtOGz+g8Lw6sF8fNdYRAzKKVkdC/Q7os9sZHw9O7z
hdEbwHzf9cr1MeScm+NerhzgK8RYzQlqP3OAey5Yc9iTQx6CeVKt6K+A8Fet+tegmGpe5yzg
sRjCKqCcOKgb4Jt3e8SZUpDQ/MS+I7cgofjG/rv3QOzQ33a9DAKvm3mhNUBp4GyefShYy2Yd
U2AfBLerVKjEQ3ipxCU+/gWufnJI39MYHrge53j2GcT31b7wewxBs/1M+0WQU/RK+i6IO5TU
K74qJJ1PHZJcB5io3hT9QAtW7ol7YBtg3aQNBdFeXNd/BeWK3GGuAF8b34eGCnoR44beEORM
OUouA+O4cVv/GNiNagoQHyofcgCkIq+bFYB98ghRYF41T5r5wNSlQ+YEY6oU8gPQ442Neg+Q
FeUT8zewHNUKicogq4kj8gbIK7K2cINcbjQzuoNpNVeboWA6KUlHYK/ZyjwNhjSzmmvATJDb
5DqQYXIy+8DMbE4w64FZUf5sPgHztBmpHwaZVfRXI+Dlh9Gzkk5DbJvYz1/tAG8DXwfXPTBO
66G+SAg/Hv44U06Iav9icZQDrEtsm20DwBJhaWwPgicrn7R5aICyWq0qLkJKbld573q4cOby
5kvTISZPzLmYqqAVsq7WloNfjF8he3t4mS0mJr4SnBlyoeSlRhAz/1WdqB8h428Z24QUBO26
et0RC0Qpe5TnoOaioNkbjOHmUn0wEKneVn4AV0X3KO8VMC7q/YxfIGZZ4vykGPDmd9X0PAX/
zw27uA2B3TIGhY76q8P9jwk/FX4q/FTa+5pPzj059+RcMLeZ28xtUC2+Wny1eLDlsuWy5fqr
e/vvR6FChQoV+idMAUknnXTSSeffg8jIyMjIyHcwVePMD2cDjwl4uCFnwyvFwTbYSCoxFkI+
9G8VEgsvJ7qfXL8EoWu8SkgbeHTo0ewHRyFhnud+kgFnZz089KQaZI213QyxQL4tYU1K3IAX
6stKKYvAFmkfkLAbrhd+2eZMIBQek+9kkUoQ3C+rN89xcM/XvgmYD6a//ETZAOo0Udr4FVLz
XlN2dwPL8gx98mwHrXzgo5Bb4D75vMZvbvDceFgyKgjEz1qYfzT45a/hrVMBAn0ZXVm3g31i
aMeQzhC35sSuKwXAHBUyKug2PFfMHLHL4d7eM3VOxsDTgY+CHiVCzFAM9TQ4w52H7CawQnwv
dEhpmVwh6R4kZ0oNSn4CyhDrDGUu2Ofbd1u6gRxtRMqX4O1oTPX4AwPZzyugg9lTfADynllI
rwPKIPE+s8DoLf9jbu4cLZtSGsRI4775KdgG2fKL78FMljXUWEhNTEnWTVBS1RkYIKdQT7kD
5mDjrnkOxBDOK3dBWSWW8j34cnkSzGgwblGKwsBBbulDwFfZPCnrgxbPD0orYAyrZVEwfWyU
VUHMNH8V50F8K14QAiKWrGZhkE9lfqqBLEpfToNSUm8keoIWaAk2ZoB5WlaVcyE5Qwr6aYha
/aLUi1XgtDuWWdsDPe4dVzeBfYCzobMF3P/qYbZHl8GreXuZJcF91b0w6XNI3pRcI+xDePEo
7kScArHfJM2IXwWsTxykLYIHhSPnPrZByWPvifw7IfLok+mp+yA6IC5PXE0Q9WLX60NBaaZO
kr+C2lD53BYA2mPLXnkVcnoyvcyyBcxOzDFyghYphmmjwV5TOybyQZKeMDN+KiifO485PoTz
Sbda338Bj1Y+LvpsEnxM0cR8f3W0/wP4Vfer7lcdmtOc5vBf/vlPspGNP3FhnU466aSTTjr/
m3jrxNnd0VbZq8DDL2I6v4yC0A5BvX/tB/fGPr7t0qH4mbD7tcPggPdc0w15wNvAOGL+CDnI
HpinNmQO0o5kAOo1LtOncSeouaG2p+4BeHTyUZn7geA56bmVOgDcxGczaoGvh37Q8znoV+U4
rw7KI8uDgPJACWOH/hmI7GK0pxp4Q3/jznR4lbJ+9o5UCKvTPlu3nGCfkydXGQfYduau7EwG
9aq1sjoF+FUprj0CX7/YAs9iITnLuQ6nx4JWzbopSYJxIMutiG7w8O7FBZd2w5PS10pfyQUv
c7pmew6AnOEI9H8BtqbWtep3kFoytWnyU3hVO2lt/C/gPa/nNY6DmCGOqLXBG+nO7P0M9Ba+
dUYR8C0yC8hlIHfLBLEKZAZpMhGkV7rM3iBcoh3BIGLV9nIciLYsE2vA1t72qRoAooaZizog
FTPEyA/WOc57ygXQW3pWGWXBzKo/NCJBi9TyiLIg18iuxjngY3FLjAHjfRkrb4K+RK9oLgHZ
j4G0AzFQDdUyg1lFjpcClH1yhZgI8icxQ34Gsoo5zqwEzOYQQ0DEieziBWCITWIG6IvMRLMj
qLEMUsuDWc/bwHcAVM1ShIGgJmittJ0Q1y8hY0ofuFDh8twb1yDXghy3kuwge8tr1pbwqn3s
49icYKlgGa8ehcB8AV8E5ALvTt8eCSQlpxROTIAUX3LX5BNgTJFfsgbcRz1BSfngeN1T9ZNm
gZgpq6vjQB6lkFoIlDLKt0pGuNfzwc3IG0AtMVG6wJzIdeM7eJnlRZWoLJBXZGuYqRUEDgn4
LNNWEAXVUlpFQNdvmR0gKTA6V+wQ4IA4qh4C34feV77XbxkY9FeHeTrppJNOOumk8y54+8R5
gzmGYEgZ9SrEnQAWI85lvwS2hn7zgyvAswBR74oPLO9l6q43BJfd2PRqCCSvemEJjoRPElpm
6Dsa/JtZd/p1BDGZueZ0yNszT7NCHoh5mDj1mRMu3EiK270Wgn7yTSrXGTIVVItb3wdPnHez
ngRiuWa3fQFGb5YZTlBnB/YISIXgVVU+qbgP7D8Xr1sjEkQ50+qrALKTeVS/AeaPviKMBO/7
L8rfHAcJDXeM3BYA3g7xx/TMELCw/JYaDeC5I2VsYiI89p0f/Ot4iNoUeyOuIqQWFc+UlhC4
1lHELzPIIP2ZUReSziZnSFoCnsvGKXMAyFU8FbdBOM2b5o8g64s42oIZIBfwIfC9LElWkC3l
HdkHRGX2cQNEdVrhBvm5PCJ1YIk5An8wrzNHTgfPPX2gngzaE1FCCQDRVbyHHfhGz6hXBtNi
3JebQV4zi3MdRJDyWMkPspc8JTcCnSilRIDxm8xitgA2Uk4+A7W16KkIEDGim9wIZgvpRzsw
yhkJxq+ApJD8CdQpSha1P5hfyrbmJJA/yi1yIojvREORESwHRTsugtbH0pD+QAFMvgf9S7M0
t8BTypNsTAD5wOwja4HIK35UKsKd/b9VfhoFutvoa2QGdYTWWD0DSpKSX/kZYi3xixM+gmyW
iDnhzSCufMKr+OygtzMzyHbgPek54IsDxaUWV5uBN4N3oOcc0MIcI6aDcle5oG4BzV8TylZQ
JoiKrAFxVc2umiAbySixGV5uf7U+5QY4vrEufZULrMMtg5wXwXbWFhOUFaRVy6T0AE+iZ7ur
BbiqJA5P2ArGbmeEtRKwiei/OsjTSSeddNJJJ513w1snzolfvGqQOhYyn7e0LFocegU3iR7a
Hqz3Qxb5asCBpZcKrpsFvk7O9u6r4HfYHpzSFH5sfnLorPHQuYiz6JDH4N6Tuln8Cqe67Yg7
ZAHnbb+FYRroNZSdxmTINzD0fN4r8HR+wqqoIhBeKGj208vg7whpkykSzMbmcGMJKD+KvraT
YJkYsTRPf1C+DagfkgIMV4pKAfKm97CvFsiyygHtKODW1shX4Et9lHJrCXhnv5wafwLUUVkS
C1YBb3LopQAP3O73y8+HN8LTZQ923hsALyvoucwCoM1xTA1oA+oYPpYnIOF6iivxICRfdJd2
DwJLO5upHgT9il7MOAyKVUkU50C2Y50ZB76ffNuML4D9TBVPQI3V6qj9wSxoFNJHgj5JL6WH
gGJTeivBwFI5TMwB846Zx9wIvsNyjNwNXilXYoDiUDKJi8BaLotfwFxv3jO3gxglM4ji4Ivz
jtSPAS1FKbEHKC+OyVZgxMnVZlZQB6nxym7gvBgmK4DZ2PjEKAOyjuyEAuYyY7WRHdSsWldt
O8iN8qgpQKkiprATtGxaHfUOyKEyk+wI6j5xg29BHaLN5gvQPzQ+l/2ANTIX/mA0NWoZ0aD8
pGnKfqAqc8ztoPc2z0sNlChtvpIN9BDpM/cA0/STsibo4foLcw08bPvI7+Ur4J6yWT4DsVz5
wMwE1pvWa+r74Lvr83oKgnHY+MhcBOpBtYm2DGSIDDIB8aPRThkA5lIxlNqgdsUld4A5Wn6s
fQbyoflcqhD1Xczw+AoQGB5Qxm8pZP4s9EObHZSsXLN+Cmp7kVl8Br6UlBXJ34LWwXrLf8Jf
Hd7ppJNOOumkk8675K0T50KDMo2ptAP6yrbNh2cCv8CQgo4vIabvi5Ov8kByjug8ATfgVpdH
N+8XgBcvXvo9uw/KOmu+DDlhp+V0kYN9wDlFXes3COK/8Y19nAGe1/e2+O1XSFmbHJ46CRKT
k0+9WAcBCd7NflMge6+s1TM3hJAKmYxsqeDZ7urg7Qa8pJvdDeqwsMO5NaCOa+arvaCcMY4a
mUAvoQwTJUHZLx9wAShvFnX7QBsQlOAXD6qaaY5/N8hwo/I3pdvAKz939hQLPDl74cC59hDV
K9HnzgquT8VyLRBsZc3xxmNIPZv6a7IO8a7UcYnLwdvMHGV0BbWnHi91kCvler4HX1FflPkR
+EYabiMFlJmEqMuAFB5SD4zdvuXGYTBfmnH6dtDGKafVT0FEKEPFNPCV0zvoRUH8RFVRHMQT
86m0g+wjEkRvMDLLEXIoiLEMkHdAlqU7bpAXRVtagzpcBCPAzGXulktBPlBW8Zj/eP/ojyC2
K83FaRA7xBRyg7yiP5JRQB3ZmpqgebVNWiiIjYpVFAKqME3eBFFBFBBBYH5sFjObgpjL+3IF
GBOow0rwHXVrsgOYxeRlmQOsq7SVSm4wfzFHiB+BbLIhZUGuEOOpA/KxnC9Dgd4yj3kOxDX5
E8VAZjYHyKNgfsQFZoJvobnPqA3qau1jLQwkZk+zE5jvy/1GA5DzzBzyLsivZCuZC+RxuUaf
DUpvMc2cD0xQO2uXwFLSUlYBqPkf38zVK+kvvV3AttK6Vc0OrtOer8VAiHzvZZfo1uB3z/6e
nwf8TWds6AbwxosJIhTMAr5ozxkwj7uOKjeBlrT6q4M8nXTSSSeddNJ5N7x14pxLZq+X9Xs4
3fNy8rHGcPTOWduhHPB0ZNxXkUHgWJehctwUCOwQ/JOjBcQpz4Z7Z4N/Z+dQezAkZXPPeFod
kjaZp5KA7C0CegddhcAvg1LLJoH/3oypjqwgHLyQNig3rsS6JhfgjuVmzrO/Qc4nBafkLQl0
t+y3tQJq6YXd00GLD8qU+QeQ02yLWAfSNDbqNUCUE7eVJFDuy2FGU5BFpOl4DLayeT4qVhcy
LMoYltcAv6GZ9+SbAVcmr/5hyVh4HvlwzKP9EDfWKMIHYOwQLr4Fz0rXyJQRoIcqo6gBnhRf
I2MxmJvMWEaBfGQOMZeDWd8MN9eAMVG2l1vAKG1mMtuA+EApL68DSxlPYTB7y0LmS5BbmCc6
gJnAS5kJRCFZjnVAODmoB9KfMjIbkEdMZROI7hSWlUAmmX1lPHBQTOAZKF2li2jghugqMoH8
ggLKl2C2wqq7QE4yh1ADKMwAsQaME3qIPAfqd2pxEQLqM0s15S7IrbKDiAYGyKGyD7CbxkwG
mce0y11AUyWDXAPmBaOS+RBkVuOY6Awio/aREg/W0tZwYQO+sv6qPAKlhr5XfgbGdL42c4Gc
Yr7S1gC/0oMZQFVymBnAaGU+kGsBVR7SwkBswyKygdlDltYHgByFlzlACTPeyAFijLBquUBf
qD+lLShFRJDIA6IsH5sfgMghs5kfgzmCe+IOGNPN0kZLEMV1XYaDqZq3RWcwvtUHyNLgrS66
YgFlg1ZLyQyv4mMDXIPgZc2AsFdx4Jxqj3HuAOszMcd5DFI/FcvMXODd7zrgCfrPILn59oF6
+/bt27dv/ytOCemkk0466aTzv5eCBQsWLFjwz+//1onz0ezXN+xcAY8vxi5OGADOgtZu2veg
PzIOm11ARMQvtBqQMTzDi6Dy4P4io/1ZTcjcyZuzcEl4HpE0JepD8LtnDbOegPsbXr5nLIOA
+QkVojSwfKTN1x2g2ZwitTt4993rJTfArZVXnVvbQsZxWZP0RlDhYo1zfb+A1KIuq2sYqDa1
qNMBopFzXJZuwFMZKWuAUoMw+oJ5VFhEFpCRxJqBIDZqxzMFg71LpsfWgZDY+cm4B+/BpTY/
5z5WFl596crgjYfUNcwX08G5xxbsDAI9u9gkgiClpPuqyx98i/TF5koQH4oU5VdQotXsWh8w
P9SneveBct5sacaDEq2WUEMBtHQAAIAASURBVHKB2di8L48D2anMcBCK8IrbwGw5TW4CbBTj
U5CmLCZ/BfG1qKSMAdlDdpHNQatjmaDVBGOh2c98H8zZZn1zBqiVRUYRDspN5ZbSCsxnZoh8
CmYTSrMFLEmW7rZCoFcwsurZwTSMyWZL4ENpZwSY0mwtXwIw2cwMSqJSSd0Lyhj1snoCjDxG
R6MrqIVFAfETyKymyygHcoN8znnAVKuIc8CXwkIfkKmUIQ7kAm9REzCLGdXNPSBjRVt1BXCd
I3I5yDPyA9kXKE1ruQLkNaMYgSB+EFn0YiB6KopyDqgobysbwTxonjVrAdlEDN+BGEktYyfw
kYw3fwLfe8wx3wOxXy5XMwOHKGyeBLFH/ciYA3KQNkpbCkZJo7f4EdQGiib9wVwuw5QkoLPI
x0OwrBQVlTrgK6GPM2wQuyFuYHJpCO8QYk+2gH8vJ9ZHIKz6dLKBflKvIDxAZ57+OwR6Oumk
k0466aTz9ihv24B7vXdvtAeK23LazOZQsm7JtklNIMsvOcqIXyAq2nXVOwxu9/1tRFRG8Gvm
vqMFgDwd2PPVGcjTsFDBfOUhOiq1jOwAZhGupX4FMUuSz9/5EV7cTGr3aAjElkrd+uw0XLxy
ucfRYuDXL6x0vsZwikvV91WCpC1R/e8PAMVqm2TpC8YXMqP+DMyD1LNXBOrSXWQHKtJAHgbK
UI8hoFQwV4qxYFbhrjkTmM10Xyg8iD+16lQMRDZ7GPDECjHDvEvlp6B9YbvvrANBu/3e9x8L
6nLlB+UWmEFS4yFYE205bONAqatcUO+DudTcYswDZaPyo7IUtHCtoFYElH5KB+UwiKxYeAzi
ttgrPgflA+Uj5XMQOdQiqgMsWS3FrOdBPpbnZXWwlLCU0HKB/YT9pP0yWLtamli9YKthO29P
Asdpey/HSFBWKdu1vqBWV+tonUC7punqIxC7RW7KgLJf+URdBw6LbZ49Apw/2m/bioN9jvWm
NRdYn6nDLadAmSBRPgR2GPnNOSDqmN/KpWDJrG5Rx4E0qcE5MGLkXG6B+RVj2ADygRlungCR
TFVqgFFfzyxzgdnaEyFjwDxsjFaugKwqT9MQRG1hVyoDi9jPJ0BRFoqXIL4To9UkEJHCX+wA
FrCIVUBbOstrICqJ94QBcoJZWLYE02oWVVqDoioWazewpGqbnb+CrGjuVW6B8VIvzR5gEj+p
I4HZ5hoqg7FBL29GgiH0RNMCHJZPZBMwCviO6g/B+MGXydwJ+l1juN4TYnq9mpVcCuIeJkQm
NwFaS7unH2ifKR+xB4xaZma97F8d3umkk0466aSTzrvkrSvOjmH2c/axkLjFMy2pMUSk8oGz
C/hNkM/1DyBLZEgjeyKEX9YGBC6EHK0yWJVH8NumxDUvFkP2/vbyZT6FovNLrskeA4/KPLl9
+QEk/5po+o0CDcsMSx5Qb1s6JYWAcszzk20WhBwIVIJWQtSD+MKp9WBPjf015oZBu9UdrkzP
CymP5GGtESitRKwcADKbuCfnARmJVToDu0U72RrM8rSTvUHZr7TRYsHXIP5KQhm4pp7tcaoI
xAxOCU9ZCik+OUz5Fpw9HS39wkHZI58bJ8E3znPSkwdwiPFiCygXxUeKACVBqWFGgj7fe12/
Dso4cV1xg2iulVGrAt1ke/EdiPUkGJ+DtHNYNgFq01UcA3OItBAJptMsK5uD8p2yQv0BVEV1
qvVASGEqJ8FQDbcxGJSu6g7lexBbxVHlFKiDLYb2C5gHzdLmr6CPN+rqN0GbrY5XF4GxzEwx
LwKTZQH2gWWCWlVJBPFYSVSqgNJA6axUBeOa3l56gQpMlinAb2IFU0FMFQPFZdBm21qp/mA8
cd/zXgDzkJ5ZzwJKRcVPKQ8kmV+LWDBLihyiEojZshQHQJZRe6iPQcus/qg5QKbIRDM3kIeV
IhNo15RR2vtAF4HMC8wUw9VRIOYwhjogbMoA2QnEU16IRyB6qgtEHrCet5UICAS5CruoAuoC
Oih1AZ9ckHwefDO9I1z3wJxpNFBMYLj5hfkUlG3yCrsBm+grm4EZbK7Xp4K6Qe2gJYE4KfMr
xcBx1DHYvgyUDVoT2y1ImpJSwDgN3sW+5kYwqM3UQLEXZJS0+5YAbf/qEE8nnXTSSSeddN4V
b11xftk1OpNrM1hDbNPsPSBUhEXnbgluuxKTcAEsXSgqx4K+3rrU9StERXu+issNqX1S87p2
w5UyzzccuA13ajwdfaU2JMa+qivLgSXGMc5+B5yO0FP+S4FN+ln1DMiORg/jDjwocNf6JBSS
SsddVnvAs0PG+QeJcGfV/cGLl4Dzpv2atT6YX1LPcAPLuKQeBi6J+9IEMsrlfAesMNuaP4F1
rqWWlgovh9+qcv0yPO54r/u9T+BVjPe4HggyREy3aGALsr1Sm4F7o7ey9wqk1tQ17zYwc8sr
phW8K73lfCfAmGrs1+2gnbQ8si4E3zK9krERpDROm0vB1txSQnkIyjGti2YDVVNraufAMs7S
xFIfbIUtn1pCgMtcltWB4pSU7YEB9KceiN1iF+tB1pI5jLvgXusakfoKfF19wd7u4CumPzN6
g24YeYxtoEaoxVQXKNfEOWU6KJ+Km1wCqTDJvA7iojJeyQWMkWvkQCCFEowBsURxcQnkDpGJ
z0Bbrm3TToA+0fzW3AJqE7lc1ADbMGsp2xRQm2t3rTVBDdOc6ncgy8oiohZIiznRXA5mJFPJ
Der3DFQV0B4rzS0BINZRTPkSzDjTSlMwdhtPzCDw9fF11jeDZYXYoxUGyxLFz3IBrHusQ5wP
wfzKbCKLgFlc32HuBe8A183kmeD9JPVeUjlIrZVSL3EYGO/5luqVwK9OgBrsgiy3skYXKAgh
60OX5zwPto5+fTJsAGdwcKOMH0PYvvCpOWdC8NdhHbPnBUefoPFhfSCgaki/LM0g49FMCyNs
YPnSsSq4CPi66JvV0mD5Riw3FoHWUVTVxvzV4f3mDKs9rPaw2tD2UNtDbQ+lrZ+ed3re6Xn/
6t7936Fs2bJly77BHYu/lf+r7PXPOm7C4YTDCYfh842fb/x8I1S7We1mtZtQZUCVAVUGwIDr
A64PuA7Pxj0b92zcm8v/Wd7WTv9sfs8e/y7+8kdcLHex3MVyMGjQoEGDBqX9fVfy/1f4q/1U
fiw/lh/DrFmzZs2aBbUCawXWCoTKKyqvqLwC+i3tt7TfUnj69OnTp0/fXP5fzVsnztlPZ2xn
vQYRi7JlCIqESFfsnbjj8Nj7aLjrMLxsnvLc3Q5iH7j9Y6fDk/YvLygXQatldHDUA9d3cm5y
Y/CU108Z2SE1h6+ErReIu4l5E6qA0o9XifXAiNLmqOMhNcYMMGeB66zZOXE+6Gu03Q/qw5NW
ryxGdljabefUTSfhcsPjActjwHHDftavJ+jLZB7Pj0Bm2VKEgswgS4quIFaJ0mpWkKOMXJ77
8NuE8+XOL4KYznFP4ktCUmfvc3Sw3LNfdSwENVxcVzpC6nRXndRPwXNZ3jQHg8whosVmsEyy
LNASQZuqNrZMBXWLOkxZBdZK1nBtD5j35VpzP5g/yflmS9Daah3UD0CtpNZQa4MyXhmtTAaR
LB6zGjjJY+aB+EGsEhXADDcLyi0guosuymdgLafVs9nBftn2xDEIlMHKeu1rMBNkbfaBEqZ2
VjRQvCJWXQ9GY+MTUwGtv1pfrQu2JKtizwvaAs2pzQbhUh4oFUE0EIhlwK8YfAHWPFo5bQQQ
zHUSQSknqolCQG25FT9QrWKq+iFoI9SlajmQqWYV0Q3kMDab84EKOOWXoB3X4pTGIJqKhywB
c7lRUH4LcqX5XP4MIoqJYhqQIK4qLUE9rD6ylgbvQV8J73UwxxvbjSDwLEz9Nfk5+I74Dvum
gLnYnCXXgjgvugkT5AHZzfgBKCqq0AyUrFpNrSIY+U2bfA4BlwJq+/sg48ssvbPlg+yXsw/M
/xiy18w6Ou9MyFEtW7ccIyDnqswJmY9DrnMRncL8IfOh4BWOFAhebNut5YKgG85P7I1Bq6Jc
U3qA0l4MU9qAGq5sUzr/6wP6bTmSeCTxSCKsv7P+zvo7aes3hmwM2RjyV/cund/j5EcnPzr5
UdryX2Wvf9ZxX/+AHpp+aPqh6dDuULtD7Q7BEP8h/kP808Y/eszoMaPHvLn8n+Vv9f7vxu/Z
49/FX34P/T39Pf09mPpq6qupr+BX76/eX71w/Pjx48ePv738/zX+aj89Pvv47OOzYfXq1atX
r4bup7qf6n4K+i/tv7T/Ujg9//T80/Phq7Zftf2q7ZvL/6t568RZv2VJcS+E203uv3hohUvT
by29tQMyVctW1b8AuM7L1JfPIPpcbElHBVDuihDbNohekdLZPAdx/RLyBu4AX1OjbYb9YOsV
8mnCPUit5OuRvAxe7X+cNUWBhBMvJ3omgDnOuCGXgNvPNVWtAi+T4zsmNIeoDrGlI8fD7XyR
z+P7w4rzh5pNSYBI262ehyeDPZu9TUBdMLObBfQuINaJfbIVKPe1z5Wl4L4XvTWqIDy8e/3k
9VcQ18Y11xMLyXWMqSwEaxXHN7Ze4B3jK2BcBNf33kWuTKBXpjTJYCwxdxtDQSjiGk3BPGE2
MQHRmfXcBW2/1kdbCZa+2seaBPOlWUn+BvoHeiN9JxiZjVCjMciasq7sC+ZCc625HuRSc6C5
E2R/WZsfQOQRXtECWMRHbADGcMVMARaJDbIisJQZ+iAQEewyNOC+fM5REJ2VeUpmUJep99SW
oCxRZ6mbwLJQ+0mbCfIHuYtKwE9yqSgJisFk5QoIN6XELmCUdPEzyILmOHkT1BVKa2Ug8COK
cheMKeZSYz2IDmKAooDoKrqpVwEvkaIaWJZZ9mr1QcmixCofgfWq9Yr1OMgnOI14EDeoIJuB
DDW/Ms6AHqIn6pdBrjOfyAbg22QM9pWClCWe6fp80JcZYwkE9aW6XpsAaAjxAfia+j7Ud4Fv
tm+BcQxkJWk3NoLeTT/ouwOpv6S2SPwRomo+v/CoFcQujBkQORdSOyQ1i34GZpKvWPI2SMma
0irhV0isn5gjoT2kOFPupn4G7iGeCN9DSCqY0ssVAknu5KpJoyDhUnK35ETwnTGaeneCrbU6
y7z+7gL1QOyB2AOxaZXgFjla5GiRA5pNbDax2UTYNnbb2G1j0+Tj4+Pj4+NhxIgRI0aMgIbb
Gm5ruC1NfuQHIz8Y+UGa3NjIsZFjI9P271O+T/k+5f9+fa/zvc73Og+dOnXq1KkT3Kx2s9rN
amnbe/bs2bNnT5g8efLkyZPT1u94tuPZjmfwRcMvGn7REPbu3bt3715o3bp169at08bTuHHj
xo0bw7Iry64su/L3enhdCVl1Y9WNVTegfVL7pPZJkJycnJycnFZhahLRJKJJRFpl4vU4/4h3
3a+YHDE5YnJAX7Wv2leF5s2bN2/ePG379ZXXV15f+fv9eZ0INN3VdFfTXTC/xPwS80v8vdzr
Sszv2etN9fOm/f694/6jtJraamqrqb9f6YqKioqKioLwLeFbwrdA7/O9z/c+n7ZflmdZnmV5
BjcG3hh4Y+Cby/9ZXuv9tf5e37GpW7du3bp10+Lt+zPfn/n+TNp+f9ZfX+tnjmeOZ44nrf0F
gG9Yk423r0HF8hXebx0JzWfXHeitBamnpj35XSc49aV7WJwH3J9kXrl7AuSGlnTHW2CaYj4W
9gv47uT/nL0J3JNyjmR/BAafyW5sBUJxYb7QA9yH9ST5E7A8Z3SFlQfvN+oS9kJOC2mJ2Bx8
kYFt9ITojY4XbAKYTObytg8gv40z130XAhHmSaamELrQ+rT1JMQ+E95BTgNvE98UfQw4ycvP
vQJSL+Gm/iFIc+wlDWPAdt3cOvRj8I72NbL0BzoonwSqghht0I3XILuze5vyPQQW+gVhMrBT
Hi5WgrMf30xMS4fAFTlOmw0Oo2mjqQwwW6mTUQ7utk8fLXYH+5OWr00eIE1M8wiQYcr6yfwl
hP0aNjV6KMQZw1OsIyBXzqmRdx/8Ln95/SXIGJV7x/kp+NaqJ9TLELUi5BdzYzCJpg/0N8D2
ZmCAeBAyNI7K+0COk9TwSxC9N+S4KRZMZeXFahb4W/nrijvA8xzb1HIgdTMKBh2kzdpRS3XQ
K+sNAz+CukHrrM+C/KXuyqoDpFdNu42LIK+rc593BDhOmDcZVkLC2oRjMdtBKC8esC4FtbVa
Tb4I9iOxW+MuQWCMa7HrHTjoO+A+ZoKT1W82uaH/fRO7YcOGDRs2LBTQBRQI6ZMnT548efLv
8y9IkCBB/qfgdLpcPh/MmLFo0a+/wuXLN29mZ//77JUtm5QUHg5vv9237zPPgN1us5lMv/fH
5wsEYOrU3bsvXIDLl7OyvN5/pz8REWYzvPtuw4bly4PdbjIZDIXHvV5N0zTYsyczMy8PcnMV
RVH+ff6EhsqyLEODBpGRISFgNoui+Mj5FYU8+q4a21wbXGvAm+++lLMYbLXCVsUOhaJNWhWt
UxG0KZzTD0OgrPK2mgr6fK/qvQX0FcP01qAaA2+5jGAOD381shbINYsuLF8RpBn2eiGNQN9m
iwwfA5qm2oV3QO8hfE9LEOZxXogBrQJd+R5MawWHYwao9Wy28PUQvrl2tYTacOrI3UZePxyv
HfPZpUvQdbSUdSsc7m8qr9/9CBKulninWDjY3jb1in8VpDLmOWEfg4Te2j8Bmr7RxD+qIuif
6tn0AeG9hCO8DR1rNou72A5uDlzT+vQ3kBPhOphTHpwfZDW6lwlhYmzZoh+AqYwtMmQxeHrk
H8/eBYFZnmbaIRBai/vYAcKvhtmiHcRbgYmWr0EJlasYPwL3NnNfOR6klb5PPT3Al6e+zDeQ
v9DVNvcjMJ9SHXnPQfaQjDv3fwTmm78O7w/MCrRSNoA4Ql6kTgXzSssq03oQhtFBPgF6fiDU
expCepruSHVBM0oOW0tQ0sUMczy4o9xjlGrg6uAxeJ4BVmmDvH1AfF44Yt0CYbkRt+wGcD2R
tz3HAZ777q9yN0K8KdoQ9S5k5mZUu9IDQjqFLU6qBqFfOkbHvgPZd31d/efAn5PzlnoWMt72
ZqXMBPNWy1emryHrRP6v3tvgae+N9SVBkaz4uRFnwLDfUNM6B3hJ7eiNhvAToc+aG4E63t88
rz+kxrjCXZ0hUxO+kQeA/hFp2keg9aQUTcD0rcFlTAT1oPCcfgQCP2sfafPANz4wR/sFlCeV
1z3dQaqkfSrUBH0IrTwiONZYk+STUKJiMWcZDSL6RV2MrAWGj/yvaOkQ/lO0M3onmG6LS8RQ
OHBw7epjy+CX0xedlz+GtHjFoF35930xPIzdu3fv3r0bTp06derUKbhx48aNGzcKj5coUaJE
iRKF/QoEdpAgQYIE+deYOvWLL/bsgczMvLxAAMqUKVUqKgoEQRAE4fHZ0XVd13VIS8vIcDoL
7U6cOHx4s2aF/SZO3Lbt7FnweDRNEODpp4sVi4j4zZ/Hed2/eQM3bmRmOp2FdqdOfeGF6tUL
++3YkZGRkwNWqyRJElSrFhpqt8Pj9Qb0/xOsunvX4/H5Cu22ahUTExHx+Ow8snB2l3MWz34K
jBeMC8xzQcoNmRi+DzxObxtPMRCKabeFVFBXyFsZB8ITYgt9NEhxhBg2gr5Nfcf9EhifL/59
xXNgPGLb7rgGam1+4joQwyCxKBhMek//UxB4VvCxETioNxZzQfcKh/U7QGvqqGEg3vTvMRQD
a/mGb9R6A/LPZiVtyYacMsm7/B0grym73LtBnV7qSNGq8Gvby+f2ZkCzvSEny70E3rC0o+aj
cP/j25ZMBYx1DUuyhkN2l5TF909A9qL7A66kwKm+t15MjgLrB45GIb+A+wW+KtcevENvHji2
CfJHZu9Nbw0htyIjYjaBsb7F7K8DAaeveO7LIPUT2wtDwd7TGhHSCphhsBiHgfE5OVmcBKG5
4gLtHBhKGG87DsHdG3kT9VjwdXR953sJsk7pAwx5oNQz5kTpUGReSEnjR5A5LmuxezhIC7il
50Cey/2zbgFfKbW+zwxyCXmJkA7e8lop7TmQW4ghuW/CPS3nnGsPSKKxhqMiGGsZfMaGYJps
qOR4EazHueHdB777ns+zUkE9PUoqhgAAO1BJREFUyXTdCqYh5m1aCCjH1fe0KlDkudhKZadB
eL2IWNsZ8LzouiDPg7yU7IueDuDqoY3zdwJHDfs5y3HwNg4ka2XA21PdSgeIfSNmYdRpsM6z
trYUgbuOe+Oz3RAYFOjvOQYc1WcHVkCOwbvW7wLhc/kVa0MILNZuUxfMcyxfGL8B4wE5WzoO
ymgtXOwIijFw31sMbDMNw4XVYPlSdsilQf5RWhF+BXI3+k8HOoF9inGz2A7KDS1aLzYVivUv
Nq3YfTCsFO5Kb0JsROTQ8GsQFR75ZVQXuPTmr0mXv4d1bTaV2h0KyXd9ZV25IHcUt9nf+j+T
ZOvj/XL4r6hWrVq1atUK67NmzZo1a9Y/7xckSJAgQf41zp27ciUrC+LjExPDwuDmzXv38vL+
ffbsdovFYCi0+yBnzqSk5OZC6dJxcWFhcODA7dsZGf8+f+LibDazudDug6Sn+/2KAiVL2u0G
A1y44PF4/o0vCAsPlyRZhvT03wT04+aRhXPKG1eN118BnzX1TtZEqHaj89qOGeCP8JUNvAL6
SdnMdyCd1U5wFITmwgBhAegJ4ineAf2ifs7XCMSSYpT8GWg/C3fkROCq1ifQBISXhEWCGwKT
hdfFqSBe1O6KDYBY4aSigzBM3y8eAS0Eh2wFvhK+CpQBtbz7ZeVrKDMi4Y0qn8At1evZOwEy
wuUD+Tsh0aRddbSHlBfUb+XPIKvm/V73dsMnjrevf7IUbprSDIEPIHKMaUreLNAPKnOcIyEz
xrXI8yp4PrevL14d4rsX/SkpAZgX8nzoZki/G5Vb7BB4D6R3So4F7xnjc+Y94AgJfTvkNgi3
+FxPAnO2uCAgQVjAoKtXQX9Pvep0Qmhn48tiKTDvksICUXC1VfLLOSfB117Ls9YDdT/9JBfo
HampDQP5J6GzfhZSU3ND/LvB1thR3twG5EFyVUt/8NbwZHreh9BMubcqgRjgFeE6GMvKXWyn
wRxmDjfHgHG+fYsnA4QitOQGiNuEZOEJUItqHwa+B9syOV26BuaXjaWiZoD3aV/H3KogtKWF
8TD4cgJPKHPBt935bH4OBJqa1lrd4DK6Z+ZOAn2B8LYyAYp7w3sJNcDoEiKl8ZBt9izQ7kFM
l9AdlnwIPWlK105ATlL+4vwe4Fa1z3Q3EEe64RPQsulNUzBftFW25oDlFcPThqOgNtWPqF1B
jVG3CZ1B7aMfEW+AvFbSA7XB1NdcX/ZD+PrQ2Y4O4F3uTZIvg/sjXy1fJbAdMdilSVB8c+zZ
0PMQayy2vPiboBcVPrIEwH5Q7Go8BUkflLIktgRXIPumezpsfuHnDftuwJ0uubdu1AFLcT72
xoEyW0eIAp799305/CMKcpcXL168ePFi6N27d+/evQuPF7QHc5yDBAkS5PGgKJqmqpCb+1vK
xqOPFwh4veD1uly/T7Wz28PC4uIK7RTYfRC/3+8PBOD27Zwcp7OwPTX11KkDBwrrsbFVqz71
1KP7W2CnwO4fr0dVdR0yMhTlHx3fsWPLlqNHYd++Awdu3IB69Z56qkQJaNy4efOaNf+6PwV2
Cuw+bh456yPbrzbKGA8ZAdrmtQH5O0GRroPQVd+lRQMlWMUxECYJq4QtQLq+VzgMwkfCMqE6
+ItcDfnFBMrO7Lyc3SDekJPlAGiRQjfxTdC34hHKgHBb+IwewCihqnYN6MAQoSLoIpX0aiCM
FZoLxUBcTjTTwacI7+rroOj40p83vAhNE2vN6NgS7M+ay8XXhMubM+TzZcBstpwMzYZ9yQef
PlAebl60mO+8DX6rtaZnB9hblP289CmoVu2F95/PgVKNqpWpOwiGlu5fq0sXqOeooMdMgNj3
WZU3D6wLYpoWWQGyP+ynyPbg2ZvzXGopcPd0N/e+D8bG9uoh7UHL1EX5GHh6emZ5JoPxSflO
IB+8eD9x/wjn42+8fv87SLakf5dxC7zZnlGuUiDdM1qMP4PZZ33V1gU4JXilviCdM3iMe0Hp
r2UYdkNeP1cVrxVMi80vGBdBmCWktvVriKoYUj2kGZiPixHKIWBQwOfsDSF3zGd5GuK/ivgk
LBlibtj89rqQ+JGtu2MpGAWxmT0H/FuUWf4wyP8299n8REg5dP/z5KmgOtRegZmQH6KEeV+G
60czJ59cBHI94ZZ3FrBLv5R7Gty/+pf5S8G9I5k3Mq1g+EyK9O8E+xPWEtJbkGLMKO6cD87J
ntv+HeCr6K3m/R48c3ybA05Q7rNKWABSKT7VZTDGGHfKY8Fe3h5tag62cuaVtg9ArmHMFEUI
dNL3ipmQ+VFelnYHrsy92Ss9ATI2ZidlXgFlh/K95yeI/jrqResyiN9T/JmE6yB+Jw8xtQTv
Dn9l7UNwNIx7PrYz5I1zpgmvwpZ7m48ciYLDv1z56kInSN+btyetAzjrZnW63xr8IzzT7//w
+Cfsn6VgEeCfbX9UatasWbNmzX9edtnRZUeXHX/ffXncdJzccXLHyYXX97D7UtDvP4UVjhWO
FY4//9wKyssjLo+4POLv9r6QyZmTMydnwhf9v+j/Rf+/fn5+t/xu+d3gKeNTxqeMhdd5p+Wd
lnda/t1X95/7+Qnyf6OqiqKqoKqqqmn/eunzeb1uN0yePGRI48awfv38+QMGFJZ/PO83uw/i
9/t8fj/4/YGAohSW+/d/9NHbbxeWDx5/9PI3uw8SCGgagKb9JmMfLA8cOHUqMxPM5sjIxMTC
+sP6/9mywO7j5pEjznKd0taY6WDOCF8ZPhv0HTzJGNAb043XQNipxfoTQP1Wv62/BUJb8S3D
ahCfE0pLiSAeFLobloO00x4TsxTUd/UfiAfRw5NKeRCa8pxkBv2APoaGoDfASC8gGkFoDkIX
4Sn9DaCtXls/DXoGq8UeIP4kapYDoByUiwVmQ1GtqN7gFoirZaTLkJkpjrp8C647U9Ou/wgX
06+f8dSGcisbpzzzApz9+MdOJ/pD2MDiHRwpUD66zNJKm+HFY91u9KoI1q22YqbnYVfnnaW/
KwaN98Tczh8DISeO52ob4WxF/xul7kDWBO2wMgl8izKKpCwAY29pRtGyII+wPxkeBb6P/TPz
JkCOL29F3kxwlw3MFDpC9kHvXT0LTMcMnxiagOFbYV2gAog9lKNuAQJhXpecDOaplp9Mz0Ng
uv8VnxVyDuW9lH0ObEUscy1jQHlGs1jOgPOSt4g0AYyl5OLGk+A36nO1I6CcDwz1XAbbZMNs
2zbwtMtfHZgK/q98rbOugetD5eZlI6SeStufsQKkn+XGXALDMmGaZTR413tFqTPoq6Rocxjw
pVglPwAuv79z1kkQazHD/gvklcsflhcNZ+/feN+VBCUPxo+KUiHmjHW/IxFSnkt7Kn8/eLuS
5R8LllqMkteAuYycSjaEfRNa2bwIhG+E+aZjoOwVL0pLQd5rWC+9D2pc4K74M+SG57+TnQnU
JEpqA9bB1mPWihAzL6S93gLUXH9P0yowtDd3MT4BRaaGrw3bCxE3i0lxC0DeZKnjuAZqTe9g
RkL0V/GWyPMgq7beYToceOmXXy5Vh72JR1ufehHSG7Ah8BNonxtnRcngfZpudz8Bob3UVKoI
3Pt3TNuHU5CzvGfPnj179vzxeEHOXYMGDRo0aFCY6/y4iGwW2SyyGbz++uuvv/76H487Ljsu
Oy7/996Tv5OxP479ceyPYLfb7Xb73+1NIXXr1q1bty6MXTp26dilhe3j24xvM77Nw59j3Ddx
38R983d7X8ia5muar2kOxTsU71C8AwxgAAP+wvnbt2/fvn07BKoEqgSqFLZv6bil45aO0Je+
9P27LzLIfzyKUiBkCyTbv8bUqW++2bQplCpVrFhU1B+PPzh+gd0H8fs9nkAA/H6r9b9ahOf3
/5ZCoSgej8tV2C7LFovNBrquqooCgYDLlZ//W7vVCqJoMPx+MeKDdh8kEPhtcaCqFuYh/x5Z
tlgcjj/WH9b/z1Jg93HzyMI5y3o3IbkXxA0P31pmAgifqPF6FjCY17EAPj1XugDiOvE5YQ4Q
4BMpBrTPtBZaH5BaFB1edjGIB6yDo/eCEKEO9u0Fbb1+Qz4NjBRHsxgEi75eHwZ6CqGYQSiB
i5pATf0jwQD6FUroNuCebtR/AL0557S+IHWQ60gJoDyjfqb8AtJ9w1TrTnhid2ypBt0hIlf/
OeQkRAVKHDZvh9WnF2dtjoNS7SqejnBB9dxqh0wNITnkbuy5SpBQL+2Yth0i37SXtneAMtXC
VljeBKGt1iLhBUhZKKdc+gTuJdg3hD4Hei3Cyn4PzqX3vjknQ5498+dkH4RPj1yUuB70WdZZ
Di/kVAl006qDOtLrSDsJhhbyUPE7iFkbUTzqRTB0IEUdC6n7sxrcqQChNUIrRDwLWlHfSekg
hEaF6GGzwL7DclvaAc5f3L+4h4O/pfdI/h4QLhs6GWOBdL2n7z64cjx3PNPBMtr0krwP1GHK
RK8L3He8+a4i4M0LtMj0gLbJuMPXA+T1hlb2aeAe5n4651kQc81zpTZgXWzew0mQGwjv6adB
RB9jewriwqOjqxyB/Mmu53OuQpE7kY1jr4P0lbgsvS8kbA6NCpkEWeUyl3hWwt2vMsn5GUq9
Ev+kfRMEYoX8QC0QJ5pnWiaCMpcufAz2eKYqXjAtE0/pF8HgFNvJVSFzV17TjG8gOsEeb5gK
cRej3ov5CczvmL+Wj0HKM5nd3eXh5tjU5veGQtmXSi8rcg4cm4q8G10SDAuNXWwnwdM+/1qg
F0TVi0mK2Qshy2LmRjWEG++ca3XXB4ffOJFxshrcv6hX1Y+AOkL+NOoaMMMfnXIQjPOsM+Sb
YGprSYp/8fFP2H9GQUS5QECPHz9+/PjxhcfHjh07duxYSEpKSkpKevz2CwRi64TWCa0T/kGH
BBJIAG2+Nl+bD1/W+bLOl3Vg3bp169atg4yMjIyMDIiKioqKioJ27dq1a9cO+hzqc6jPIRAH
iYPEQYWRuALB9MOoH0b9MKowMndrza01t9bA0aNHjx49Wmi+4Ly4uLi4uDiwLLMssywDZzln
OWc5GH5x+MXhF6FpRNOIphGgVFGqKFVgeu703Om5sLHoxqIbi0Lp0qVLly4Nnvae9p72wBrW
sOaPl1uQY140rWha0TRotKTRkkZLHp8f1bXqWnUNbre43eJ2C7j7490f7/74x+t+kBLbSmwr
sQ1KUIISv2sfz3jG/1fP8W3e5u1C/4tNKjap2CSo82WdL+t8CVmdsjpldYId03dM3zH9zz+f
a6uurbq2CqaVmlZqWik4e/bs2bNnC82We6ncS+VegqHnhp4beg7m7J+zf87vXixUMN6wtGFp
w9Ientv/IBvTNqZtTINyn5T7pNwnYFxiXGJc8jvhXKNvjb41gOMc5/ijf44+9X3q+9QHm9I3
pW9KB6fT6XQ6ocbnNT6v8TmMHzd+3PhxEHU76nbU7UJ7vv2+/b790HV61+ldp0PezLyZeTNh
yNkhZ4echZYxLWNaxjy+efWw5zqty7Qu07o8/u+N/9dRlN8EpqI8mlArXfr/Fszt2w8fvnr1
P7f7IH6/z1cQCf59RLpy5YEDJ04srEdEVKhQqxbExXm9v8+BvnEjOzszEwwGtzsnB2rWLFOm
aFG4ePHOnRs3IC/Pao2KAqPR4QgP/6PdBwkEfhP8D/u3QpbNZrP5j+3Tpk2dumHDw6+/Tp2a
NYsUgfr1Gzf+/WLEB+0+bh45VcOQ7w8N3IbwqqalISMhkERl4Q3Q6wsfCs+CsExcYdgAPCV4
pUxghbAbE9BTme0eB9rQ3BZpY4AK2m3xNNCad4RlIDQW++luQKaZPgcQySIaMAhmJCCVfG6B
/jwd9GQQqglVdQfwHc8r34IuaEP8Eui9mWHsAdJ8IVRqDmpv5ZznJIQnOazlr0L5KiXHtpoB
3tvy94bGYBbLtLb1hR6OFye2aQaOJp6REf3Bf/f+0Nz94BTOHUpNhpB5htthO6H40shAXFfQ
B8r9pCIQOqzoClNfiBxuq5xnh8jR9i+lZDAPjNtZbhsY9xvGW1aAu0GW464EanvPBZ8TQmaE
PBvaFBwtY04XuQCxtaKux6RCbFxUTPREiPSGhkbrULpv0fDSZyHiJ9uZkL0Qtc/R01ARTDv0
4e5PQGrsfTtrEySlRA6Q90BoN0MZZRrYbNJn3o1gWEN5ZyJYvzKWMjcEb3+PPZAE2d9mqmmf
gWe/e4dPA8xaguMbMMVpRytrEHbS1LdkCFgbGW5a+gJ3Vbt5ITj2mPYWz4fsZq5A+jDwv6hP
pyhkNUrt5lLA8Lb+akgTcK/0Juc3hlKpMUeLzwfbB3Ja+F5wNfPN8R6F2OURidYbYN9tWmTa
AfHlItqFx0Fig7Ci1s/A2zz/bMAOjg0WVRwFxhb6x0oSZFS+/+rtvuD/0b85dQDkJnqWZXSC
KyvTyp/qARcT7oQnL4XcA3ln3cWhwrEKZ4skQIlOpYUS34HpgKlXqAKuYu6d2vdgPeaoFNYU
woh5LyoX7l2/9W1WKTj65LHsU7fhRsn8fe7D4K2ve8S+4Bnr2ZD7Ojg/c95NSwRDluVe1DJw
T9U3mj9/fBO1YPu4cePGjRs37uH9CoTzw/oVCOmbN2/evHnz4eMUnP9Xt60rEDAP+6l/U9FN
RTcVhWUXll1YdqHwJ/ayu8vuLrsbZuTOyJ2RW1gvOP7N8G+GfzP88d3P1AmpE1InQKcpnaZ0
mgI5O3J25OyAGbtm7Jqxq7Df0meXPrv0WVgTvSZ6TTQ0u9HsRrMbhT/tp01Im5A24eF2cnfm
7szdCfll88vml/3X/Vi2fNnyZcsL/Wg+qvmo5qOg7MyyM8vOLBTM/90kJycnJycXCvdnhz47
9Nmhf32cKVunbJ2yFY4POD7g+ACYuHHixokbYVrnaZ2ndYbk2OTY5NjCiPikiZMmTvqdAIjf
EL8hfgO81+y9Zu81++f27ifcT7ifACdqnah1olahwG0a3jS8aTjcaHqj6Y2mcPXq1atXrz58
nD/7/L4yfGX4ygDfOr51fOuARo5GjkYOmFx8cvHJxeHixYsXL16E2ZVmV5pd6eF22k1oN6Hd
hP/ic/KY5tXjeq7/W/hXUzXy8rKy7t0rLB/kweN/NlUjEPD5fL7fhPNvkeffyjNnPv98zJjC
sqB95cpRo/r0KSx79apbt0wZ2Lx54sTXXoPZswcO7NwZtmyZNOn116F27dhYi+WP4xfYfRC/
/7dcY1X9bR+OB0tJMpnM5j+WNltiYunSDy9Pnrx61ed7+LgFdh83jyycjYvMGcYnILxP6IGI
GNDe1CcqbhDyhRAhFUjDpDcEtuuVhWUgfCB+Ik0E4WPfjNzZoF7Kq5MXAuLnwnzzXlD7CRn6
KhBq618zC6ikjxQiQHdTAgGQEAD0PDLwgjCXuUID0L9BEuaBnqVO90ggdvJc8fQCerl93nWA
iTlaCgjVhSpkgVhPeotpcH9lVvX0eyDuvvbU1XQYa+m2auibUOVYhfqtr0K1enVebNUOWmW9
1LRTPzCMq/BRYjj8tHJnqx2rYXu7vVmnN4HxVGCulgcVGzvCwxtAvENP8LwHpfym6NwnofzT
MZeNbSEkKa5vGQGkvZZ9ju7g25z1atoZ8A9zXnT1BmOybAktC/rzJlPkGUjbkDdAqwJ3q+TO
8DWCzG3OMmpbSN2eedAtQvqX2YNcX8K9Fhlbcr4F83FzNckJwm1/mjYM5C5MUYdCVLb1FaEy
RH9n/dxcAxznZJtaBqxnTG8Y48Efo7xOffAOVW/kpkKuGNhzIhLSXsupee4MZO0I9Lw0HJy1
fF+7Y0G6ww6DDO7WgRDPF0C41N9wD9w9fcacipC/PbA/eSGk98s5dnMmZHyY87XnHmSsdRrT
3gPDC2HXHX0hRHBkR20BRzvT19ghzBBy2FgBhJeVaaZxkH8hP8HzLBhPSGcUD/CUaKcdqN1F
u20taHPMTX2DQGhv65+TDLmXAsXTO8Pl+vdCr8VBeqTnzL2LUGRkqc5hM6HY4WKtS/cBQRHi
rf3BXSy/eCAdLLGOQSGvQejqmDsxlSH90+TQvH1wJvbI16cEuPli7sHcMFDrGoYbTgGdNZ/Q
BVgtNBFqg/RCeGrROFA2yKHxAghZ4nDhT/wB/7MU7MdcIHwLIkYP7tP8zyhIzXgw17lgnIJx
C+z81fELBMzq1atXr179x7LehXoX6l2A7dO2T9s+rfC8MWPGjBkzBup/U/+b+t/A6DWj14z+
XQT3wf6PSpG2RdoWaVsYwSuIHGZNyZqSNaWw357ue7rv6V5YH7ps6LKhy2DA0QFHBxyF8Ovh
18Ov//v9eDClZoh5iHmIGV5f/Pri1xdDyNshb4e8/fjuz58l9LnQ50Kfgzm+Ob45Pmh9r/W9
1v9CelLBdRcwY+aMmTNmwrbsbdnbsmGIaYhpiAmWmZeZl5khLiUuJS6lsL9xsXGxcTHEPh/7
fOzz/9ze5smbJ2/+Xc5wkyZNmjRpAo3fafxO43cK27d02tJpy3/xEqM/+/z2/bLvl32/FNYL
UmAaXWl0pdEVWHRi0YlFJ6BHjx49evT4o53E8YnjE8dDt/xu+d3yC+3kzcibkTejsN/jmleP
67n+b+HBVI0/W+7YsWTJG28Ulg/y4PEHz394qsZv+zgXRJwfjDwX9vvH7e3aPf109ergcFgs
/ygS3L17vXpVq/5x/AK7D1IYcf6t/mBZEHH+q+ULLzRqVLHiw8f9d0WcHzlVo/icyN7FPgfD
TfNRqwO0FXq2Vg6EeG7ot0G36l2FzSAmMFVpAIwQ5lu/A99TObPyroP/uEcKPQxGg6GH1APE
zurlwFJgrR4mbwSWiz11Lwif6PPIB32/foFfQegndGEZqJF6Gy0BpK5aSeEq+Abkv+0TQEjx
OL13QdDlsqYFILUyrdPWgPCsLMotQF+kHVFHgWGDd6UnFhqGPulrXx3Cr9tulUoAX7g/2zsA
7N2ihxUfAQ6j0KBEQ4jyJrmVnyDCE/Fm2BOwp8+eYdsnwKrUSwcyK0LMdE89/QKUuhA2ydYW
jPHibm8UFOkaJqpNYO0TWiXy4JjNUKfUQNB2Z/W9sw4CE/LWp+8F3lZ76j3BUi2kcfgB0BbJ
64Q54H/O313bAu77eSPTcyAQ6QvJbwf26uaW0mCI7GVTzZvAftZwwFoWPJ/ojfUwiKobvtgw
BSIGhCWG5ULaVxnfe5aCbbD8mWsNmDbKmdI+SCuWJaTugIR3I/vGdYP0Hb6h0UMh/Utf/SsD
wB5pre8YDfp46T2zCulr3NqtdSAszouVT0DIcct3sUVB+sn6o3sD2Co4WofOB7Gb8kPEp2D8
VbxjTAZtGkmun+BW/bsTM8qC71VvunM1FG0cs9heEm7uTauivwTuBGVVen8okhPeUu4DgbnK
5+ZD4G7heS4QDtn33f21mRBZxv5tkXPgejUwkFJgizYtMI6CEh1jtpU7AUVuF/245CEIez18
ePwS8LcKTJEagruWv4IvFEKPhXeIiAXH5eiKER0h+6n0Lc6lcPP0qdjz6+GOI/vN1AGgTTdG
hg4F5quvCG+B1pX1vrMgVjA1DjOBME07EogA7WlfhewDIN0P6K4YoOTjmagPplasX79+/fr1
hRHhP7sfc0Fu84MUjFMw7sPs/jMKBEzSqKRRSaP+i44ePPxuOyLhmHBMOAY0oxnNQDguHBd+
99O41k/rp/X74zAPtquH1cPq4X/upzhQHCgO/F19obhQXPjHfno/vZ/eD7Bixfo7Pws4xjGO
AZ3pTOc/f5/+qh+BqoGqgaqFdWmgNFAaCIJdsAt2kEZJo6RR/9ze4yZkRciKkBUgjhJHif/A
/p99Ph8mfpj4YSK0+7zd5+0+h8MvHH7h8AtwqM+hPof6wMbEjYkbE2HZtGXTlk2DVaxi1b/i
cA1qUAM2ztg4Y+PvBGfBP4wPUpCyMbjG4BqD/0HKxp99fgUpFH/o939SX/4ZUm2ptlT7n9t5
kH91Xv2z5xrk/6YwVeMfC9nHaef34z8sVSMQ8Hp/vzjwYTzs+PLlhw5dvgzLlh05cuMGfPBB
y5ZVq0LnzjVrli4NtWuXK5eU9Nv5x4790e4f7fzfEecHeViqxvjxnToVL/5w/+/cycvLzwe3
+x+P+x8bcTYfddWTm4ChKt2logD6PG4D14VKwlUQffJr8m1QEaboa4FhwiH9CKjve2dKF8HX
TKoZOxvEQdJCFKCMdpYFoA8V3uMGcF5foUeCno6HCGAPTs6D3lWvwxdg6C8dlL8DQ1PjTGMV
kA45EmPqQvJ630RjUbi0OHOUPh9yZviKCUNA+lFsTRtQNiq7/DshpEh88bI/QKg9OqloR/D+
oHjd90H4VGzHQFDeUjO9SyHwTGCJdzhoJ71vqvMhoXdcheqHod2a2tLTFaH+p5UrRORB2JAS
dQx1QVljHOD7CEpYondGxEC5qLLPhJyAaro1NKcGPDHSKGktIEyJDim+DCTCGhdrCWoj342c
uuCKzzmSMhG4pNVgKoSeCP0lchTEjkn0JeVC4t2ir5cYAqE+W6WIUiBcN8yUy0Po/ugFEQFw
mCxTTV9D6t60djlX4cz2i2XTJkDuZm+IfznYettbRGSD/QubZGsLVXsmbS2+GMr0iIgrFgUG
O218X0Kx/KhDJX6G8oPCsuu9A0Uv2RsW/RpsVy0WSz0onVDifOUWEGEL6xV5HCImhpriJoE8
VZIiyoGnq3rMo4AyXLfn7gGTaJ5h7gbha+0vEgYJH8VtDNkHqojLWg2i3oz62fEtPHmmbJmE
sxAabvsotB9IU4RIuQXYQi3Jlp5gddt6Ga0gNjO1NR+G2Nth8UlfQJmuxTPKylD+QIVnajYF
e3LI94m/QG431xQ9H3KGeE3KfbDWicyJrAmm8ZFzIvMgV7/bN7cK3Dp77KUTJyD1QFaf64dB
jTBXtaSC/ooUbTwPmqKv0luBUEL4jCLAfXW7tx4oNt86531QKqnPuq6DYuU5Zffjm6gFArZ4
8eLFf/9FUvAH/8FXa/9ZCs57UDgU2Pl35UI3Xtl4ZeOVhfUJmyZsmrAJ9pXfV35feZg4ceLE
3+fiNW3StEnTJoX1ghzc1I2pG1M3wqrGqxqvagx3x94de3fs4/PzmSHPDHlmSGF91suzXp71
MiwQFggLBMjunN05+18QzH+V2idqn6h9orD+6YFPD3x6AOYdmXdk3pH/Pj/+LH/1+bxpe9P2
pq0wx7n6kepHqh+BQbUH1R5UG6xvWt+0vvnHCKuwUFgoLCzMFS5IMXgYV0KvhF4JhevvXH/n
+juF4z/4y0hBRDhlbMrYlLFw9uuzX5/9+l+/H88sfWbpM79bhPnxvo/3fbwPdnbd2XVnV3h1
3qvzXp0HKy6vuLziERbPPuq8CvKvUZg68dcizk2aDBz47beF5YM8ePyP4/xjoR4I/LYt3IO7
XjzIw9p3775yJTW18PjixQcOXLny8PMLygK7f+xXsDjwH6dUyPJvqRkPlnv3Xr+ekgLnz7tc
Hs8fy/z83/Zrfniqxn/o4kDbr5Fj4xaB3kGqY7gE4nLG8j4oKf7dgV7ge8Kzyl0FTK+EYv8U
jMWE0foZODv3Wm5mHwhtmNQ9qTUYRzNTGwbeD4W24gIQfuZn3Qf6OxzXkkGcKXSXDoNQhY3C
atDPUosy4HzNmZdzDVbPXHN2gwV8n6nmiO1QbdtTbepvA72I4S67QOohp8lnQYzWtiklQOsn
njD0Al6mlvAZBJ7y39DPguiXWrMdWK93JROEFbwlTgHmiUnqy0ARbbBshUAP0sS3QFyZ+E7V
ElD5sPiBfT2UeN204PRsyCoVnpozEsQLeUc9NhA/Tnz3CQ9UGlNpb+ACJK5OS3NOg1NJWT5l
HZyZJ162vwN3ypubJN0B7WbezrRR4OuU2TS1P2hF7V+GbgX7eyFfhihg+tnS1JQI4sf2r+xn
QAsonfxNIW17TrTQD1zFPOfVXHDN1F807AQxRi6p3gCGal/qUXDntbTTGV5gk/qaIRTCmocW
t5wB5UXpjG8/lNoW0qf4CyAnGOZHFIW8My6PZzHoM4WtvnfBvEUbGLYTaK01ZgCYJsvtxa/A
eIlWEWlg6Gvrm3MRPN97pKyLkGnM7cznoI71T0o+D2VKxcSWD0DoeGlf/CtgWxc2Ex8olVyn
nBLcH5GsukZDWi9nqssC5pfNquk0iE2FneoRcKSZp9h6QGi5iHoh88E+1mEIWwHmD+2zLBXB
l+8rKewG5wfOQX4BpHdN75jCIVKNXRyzBMydzTsNoyB/0u1eqZ9A+pqb/a6aIK9JrnarNHgw
GsI/BXUoY4yvgz5Vm6v+9vkbpF4A/Y5+SK8E2ghi9cpAhJClrgPRTrTxbeBZWurV/s8kaf/4
JmxB7nHB/sy5ubm5ubmF9YLyYZHlf7brxoN2/l287HnZ87IH/Lpf9+uwbsS6EetGwIiMERkj
MiD6VvSt6FswsNjAYgOLQY9Aj0CP330hD7cNtw23wSzzLPMsM3w38ruR342E6NvRt6NvQxpp
pD0GP3tX6V2ldxW4/8L9F+6/AFsmbZm0ZRIU211sd7HdEDklckrkFMjcmrk189/4opv+en+9
vw73Rt4beW8kbEjZkLIhBSpFVIqoFFGYolAgVP9u/urzKRCwM1bMWDFjBYywjbCNsIF6SD2k
HipcjDmi+IjiI373j2OH9A7pHdLhx24/dvuxW+GiwYctYitYVMl5znMeWn3Q6oNWH/wxVaRg
sd1nfMZnwJbJWyZvmQyVvq30baVv+cv07du3b9++4JzlnOWcBZt3b969eTdsvLXx1sZbUNtf
21/bX7j48V/lUedVkH8NVf3tFdIPE7L/+rj/9XgFdh8kEPD7/X6QpN92zXgYBbtqPMiFC3fv
/v7FKg/WH3Z+gd0/+vNb5PdhiRM2m91usYDPpyi/77F9+8GDycmgaYFAauofz3viiaQksxmq
VXvyyX8U4Cmw+7gRDh48ePDgQV2vU6dOnTp1/voAblwNsmsClw0n7V1ByOJDrQpo9fyf+w+B
L8bdzeMDmzF8XsQiUC/rb/n6wPmpWyOP94CSkXVGV78O1lfDjxsGgXpezdSTgKOqU98GbNNX
qK+C0NPwpKEcXE+6m3xuORTfHFOrdF1Q+ijt9DjYk7HXeaQ6OH91WdRIoJXj+6LdoWRmKV+R
X6D8vfh1hmSwdrEWZT+o5dUW4j2QOgjjOAlKeXWzdw+IfqG7fBSE16RK4mzQ39baS/uANeLH
WgD05xCEBBD366LyLvhrOCvkdQBjiqGNuhDUF1xTMt4A7YuMlzO/A8kVOSOsM3jvZG687wB9
Svq09DdA2iXrrABvqnTHkwZZSdd35qTD6mt7StxvAceHZf8kpYN/iXdc1hzwZ7pbZE8BoZo8
0nIZwt4MqROxCRxvh24wbwSTw/Cafg8YqHb3y+Ct6Frv/RZ82f7tgU9BWaZf1IaBP9Z/1ZsO
voEuS84BMDst66yDISI78o2wt8B7xz3G2xU8xdxZzp8hs2pWTmpjUGcIG523QWsvvGwpCs7O
/u3Z6RCS51ghVgF/mnub8CHk1nfnunpCubT4cUU/BfmCGGWpDDfDM27ePQqGuvJ2Sy+IWhOm
xraHyD3m86bSoO3RRyld4O6gO8O820DzGgexDhwTQyWrAOZX5G+sNyEmN36DTYGI5pHFozLB
MMh8LeQcaB8ouw1vgivVWV7JB2+muiEwHCxK2LmwYxC6LHxu2D0QK2o/G3aAM+p+zv3O4Psm
e8CdVPD4lM9yp0C23/V24ADkbdNHhXUFvbQ433wMAhOZKT0HvvvK+7wGgV6B7oHWEDigrPSd
BmVmoJP3HLBQveeZBlIlfYmvJxxL3ffJhlOPf+IWCNuC3QMKBPS/SmhoaGhoKAwbNmzYsGH/
fuEc5K9R8MtASuuU1imtoU18m/g28YW5zS/teWnPS3sK6xvbbmy7se3f7XWQIP87qFz5+een
T4cqVWrWLF/+Xx/nm28+/LB168J69+4ffPBf7Spx+vTRoxcuwJkzGzeOHFnYHh3dufPUqWAy
FSsWH1/Ynpz80UevvFJYL1JkxIilSx/e/iD/rJ/Pd/v2vXuQnv799+++W9g+ePDRozduQKVK
CQlW6x/HTUu7f99ggBMn7t37K/94+P35+VlZ0Lp1/fqhoX88fvZsSorbDXPn1qxZosSfH/dh
HDp06NChQ48h4qypnh+9/cHwrbGp5QhobbSP9I4glzV+a6gO8hKTYk4ENUQfrn0PLPGs908E
x2eO/bZdYPzc8oWhN4ibpbqiCcQnhIvCs6C15UX1B5Ci5QzD65Calz0nJR+uv3F9waEtULxN
XJe4JpD5ubu2exA4naaJppeg2MoyCysWBX8R91u44dbM+y+7BkOCO7yv/SZYj9jLGrJBr6UN
ZihwXG+unwdxkrBQ9IOwROwkfw56Uf1zbSpo/fnBmwVUVNepw0FaLJ6wjAT9iDjIeA/kOY51
kVGg+dV2gVDQOximqytBWWip6mwOclvLndj3wRwWWd88B+gZk1i6LzDF0SZmCljuSWY5GiIW
V5/tPQJvnK7x3rnv4Ndley6c+AnWzd1fRv0K7r1mOh2aBMqhvE7p+yD7QGbl+++DN8+90bIY
wreF3YyoD2GnQ8vabWBpEXnLkg/6M/oSdQDoGxSvfzX4q/jGmbaDa5ilnuE0mM7LsdIgyLyY
/aX3e/A+q+wOvAvyeeP4wDHIWeLtkz0ErG3MeyyTwB5pWWe7B6bDlna+liCvMYzTtoDrTl6I
exaEFYuYFZYE+bX9Rt8RyFmR3zGnNwiHpRHiJjB+bphoeBkuj7nZ8FoO2F6zHjK0g9AtYY2M
fogaVexikfUQOT0kMrwphN8O8zk6gWmmyRmqg6Gcbbt9HAQMgRXSMHCNz/3J9yTkr/NdDDwP
ktmaYxgL4cdirsZKYNlhPeQwgfJK3kXvPsjIvnP71lDIWHO3yoX1EIjXG+fNB+1j/R3hfchP
clfVvgFnd1XOqwGBbK2IthT81dTv9BGgbNM76E+Aul/pq24Gf/XAm4FI0MdrW9VpoJ9U+wae
ATUQaOJ7/9En6sMoELYFQrdAQBcIrFu3bt26devh5xekYhQsEiwYJ/hGwf9MCrad2/XNrm92
fQP96Ec/gBnMYEbhdm1vZr6Z+Wbm3+1tkCD/u9C03yLD+flZWfn5YDJZrf9on+O/it//j3OG
fT632+crtPsggcBvb87T9bw8pxNE8R8v8vurKRwP66dpHo/XC4ryj98M6PP95md2ttutKBAa
arHIv1OfpUpFRXk8v+0PHRICFy5kZgoC/Nfxcnj66RIl4uN/i2S73YXtubkej6IU2n3cPLJw
Vqa48vWfwFAv7BsxDtSl/o1qTfDN1r8ILANjQ1MTYkBuLTc0JILnUOArXzMQzwtLtLlgWGbu
bHgH7o+5f/vmOlC2K7/6vwcT0ld6T3ActQ0NPwj5T+V0y/OB/VXztYgxYCptXm8fCFHh9s3m
CHCudhY5o8GVFSntcr+ExAqRM6PSwLbD8pJaH1K+TdvrLwPFGoUXMZ0Ctangowgoo5WSgcMg
TBbbio2AoiwUwkDYzn15Jeg20Z09DoTa1BCrApGKU30WlLtOV85TYGhsb1qkNaiVhXvqJZCd
jutxNcBw1h4WVxm0Z5UjzmxQ23gP5lcAYz1zveifQd1hWG17FtTPtJd1CTSr/LL5MNiqlz9W
/z14vmz5Pk/3gXKTylTb8DUs6PrDV4frwuWtVrnUSfBWdDXLWAWegfnXcmPBvyNt490h4Poi
b7N5PIR+6ciPioaQ5JAVpoNgu2x9xfwdhL4bMsGhQNT5qFpqGvjPeta4ngWDYkvMKweB3Upf
sTQoiV5N3wTyJyXzi3WEvD65b3k1MDUxvGGuBtJddU1IKrgN7pr+BWDfb+kvlIL4HyMqRp8G
O4ZnE6ZA2gxjq5RXIGSX/YBtEkTtC1kVvRucnYq+7ekDhtnGa+wGR0q41dYPLNfMzrCvwNhQ
NtsHQ8CvbZeeAn/RgIkYyMlJ/9z7AgS+VnPYCtqvxi7m9mD5KnSk5V2wVw1fG/E8SMV8B3FB
bsObx9M3gKtd1v3k3qCcVRamfwS2LvYvtS/At0W5YlkA3rL+Pf5uYBctSdohkNYH5ruLgu9D
pYJeGvT6cgXyQbmt9VVDQX/KFMeHoPTVTfrToB3TNmkiCJcEg9EPiqiskB/hJ9c/S4HQLRDS
D24jV7CPawEFuczVqlWrVq3av9+/II+Hqq9WfbXqq7CUpSwFGMIQhjzqqEGCBHkcPPFEqVIR
EXDnTkpKRgbExSUkREU9PgFdQIFgvn//NzsFdh+kYsXixSMi4PTpW7cyM0EUQ0NDQiAsbNCg
L774Y/+Htf+zfrru8Xg8oGm5uXl5UKVK8eKRkX88LzTUaJTl317N7fdDQsJvCRRhYRaLJEFW
lihKEhQvHhqalwd16yYm2mwgSYIg/hcr8W7d+s1ufr6uyzLk5Hg8qgopKbm5fn+h3cfNI6dq
3Gtw8d0bWyBy/RNTi42AQLqnk1oClEw1NjAKTL2NLQ3HQZcVl88GuSN3dz0UAnmz9a/kqlDk
8nNVn2kD2Z4cz7364FuuDFNGgynb+I1YDc6+cTnh1xTIvaS+lv8ylCkVvbxUV0hQI9dUzIXT
nS44j+fBuffv+i9cgotn7p6W6kCVNytOaPkC1JlYKbPYaHjiWNQGoSUIJQ0dxWIgbtS36CtA
n6o1U2+Dniq2EdJA7CYUNzQGIVXcoz8Pqabs65cGQHoX7+wbZSFiWES7kF6gfeJ0ZU+FcIvJ
WfEDCJ3r6FWuHvjaaRXcF4APBFmUQdhFitwLxM+1iMAwUGbqP2ttQNTFqoY3gEQ9WksF4St9
vn4a1HS9gZAAVGSfFAW2zy1V5EawKnRmn4/vwrq2R403+oCeYJsRdRHcU7yNA/VAXe8ukfsr
6Bc9s/KugShrp/xLwfqenCfNBPMuexd7PjgsDot1DoSMsL5kPg3mGWaTQQbDCHmU+hxov5Ki
GcBfWv1I8YJ+UiuldAdtvnY60A0CJuVpVQNPNe/r/tEgrJSThedBmifEiTVBmi4sEC6BtkBr
IQhgcpveN+4BbaPQXPsFTFXEZ4wvgSHf/JP1SdDCWSOcA21yoKGYCt7K3mZaeXDu9RbzByAw
KrA1kAFqPWmR8BZIMcYjtuNgHG8JN+ZDdJmQuhagiC92kO0S3AncfyPjZ8hXciqkfw7ZtVMT
LnaG3Pw0j38GqMfYFPgV5DiljZYEoklcaWoArDaa5QiQPxTXSUVBf4d3pHfAP1Ety7ugf0y+
PhYQaCScBD1B+EVcAXwgbpG+AF3WTum1QHtLuCHuBD1DPCdPhx+7/Tzy+22Pf+IGCRIkSJD/
DLKycnKcTujd+513vv4azp+/ciXtcSyyeAgVKpQpExMDixdPm/byyxARERb2+zeTpqfn5jqd
8MILo0cvXAgnT1658o/2iX5cVKtWpkx8PPz006RJ/fpBdHRo6O/9yc7+LXb8wQdnziQnQ1ra
b5HnfxcxMVarLMOHH1auXKQIhIc/HgH92FI15HGO74xrITAjp26+G/RXsr/N2QXCeFeKywr6
6LLzS7UEtbS7j3s5OItvPvfr2xBmfvHtdvkg7LMkCMchYZLxlaIDIHuQu0qeHU5kHNcOzARL
WaMx9CXw7LOt0W9B1A5ryfiGYHjHWC68LuxI2xV+pzfcGyH8cLczuCOkdYEbsPXYrvPfXwBf
Jz9dv4ZSiY3XF68HFpfpPD1B3a+9LnpAOCXeFeaCOFLYI3UELZcP/QkgL6Ce+Qy4a+f5svrD
5dVXeh4vBcphfYbhC9AXmoZrPog+FRGZfBEqbi/ymS8JopOtjRN3ARZxsMED+jciWkNgsrBZ
DAEBWhpbgfChXl2tAPo6erAB2C4sFSaBGC7cphhos+ikBCCgKUW0gyBU9Ofm6yBuyGhyHZDH
afPU90HuY+5q3wDaC2ElIi+B8ktI1YiroPbyC87vwd/ftzm/AyjRgTFaTQhsyJqedRFynFnP
yO3BVN/4ofgOmC2mHZb2YKpkGG4qDWK4ab60AaQbkiwfBKmuoZx1Jxj3yE3E9mAwh+wlAMg8
p6WA4GWiuASEEF3SN4DWVL9FWVCG6qlaH1DLKZEsgvzmShleAd/anD7eWPD2DkxVRAiIgRLK
BVCPspezIK8xJZvng3GpdYVtGhg7mBtYD0LcKPty41Ko0bncrKg1UOO7mi9XnglxnyZdLjUV
Nr+7dfbXJSH1jbzJN0tD9QY1fW3bwOpNa+79PAT0zZ5XDSWh6XdVatVPhytxZztklIVj3x4r
d74C3FmUFZE1BnzPK4OVLmAZa1pm7gXyMcOrhn6gVVSL6O+CWkv7UjkB+tfCAPFbEJvr3cVQ
0C7rdzUDaMf1feoooNu/78shSJAgQYL8/RQI1/Xrv/jitdf+bm8KheuhQ5999uabf7c3hcJ1
zpx/vIjv/zUeWThbvlCm+FtBYPnNvHvrgUhfC08V0J7xFvG/CMbdQpuSa4BQ12zXz8AW//XA
EjB9HBMZUg0My5kub4TMt9xrMwQ4vv748H2zIWGWcVvcW+BKNjd3hUNYmjDCkQixm+JKFO8F
p05d+zJNBPF0yODEBaAvylyTEgpFi5QfXqUtpNS43ufKPLiw4Kr3WgYc2ZLUPiIBnutScZa9
FwRWBZb5JoO8zRRheRbUw9p6bwoIp4S5pqJAX72MEA6GDyyTTLsgpkQFrQyQfPiU58owKLVb
iohbCfZLrkhLW7iWunn3qjiwzyudVq0NCOuEjlIS6LdZL7cHw4ii28t0Bfmd6OwST4O+XW/I
fGCF0JNs0Bfq59FBSGYUR0GsqUcLpcDQUE9QPwDha22x2hVcXzmfzLwP8qvKbk9pEDuZdzs2
gBxj2R8RDcY8y4XISyDWsMy1/Qimn0Pd4QJoU539s2LBixKrzYPA+/o9LQe0Q3pxTQdnc89a
z3EQX3b58y+DIqm79ItAc93NGRBWCWfEyWBcyBPCedB3in3oA/qrwiLBBUJDFgsJoH/BT+Jq
0CcLCwkBrb/+rLIP9DDhPbEM6K8JReW7IKyVtsstQDppOGY4CPLJkAZht8Ay3TLd9jOYHcY1
5oMQl2l1azuhRtPitS12qNaqdpWqz0Dc7rJyDQmURcI5czQETuqz2AkN363v7jIOnEWcgUbv
QkSvhNdKfwbRlu4Ly+4B+0JHmTIyhF4K6138PaiQWXP63X6QtLV613ND4Xv38lsbboP/vfyc
cx5I7pj6dXZFUHuK0yUnGB1mzXoUDInSEsMXIJulheIzQDecYmfQV6nx2hnQBirH9U8BKEej
v3uaBwkSJEiQIEEeB48snKUN8hHpNOhuR33bjyBsikmLHQVCBy4ImUAl2S83Ad/yO3HXb4Dc
JerV8DEgvx8TEfsteEIC9/OrQ97ovOR7g6D61sp16y6E6P7hM+JtcCD9fOMNoyE82tY9ZjLo
7eTrhjfh3MDj1XfsAuMsa9vii6H4LNuX5aOh1rayV5+ywYUGkT1LAsLz6pfa01A1o6wnUgDf
aNez6e+B8JancVZL0FbJqq04iMut/W0+0BsZ8ow/gHTJvFGMhpSBJ+SrlSDlbO57F9qBbUH8
h6YsiEiNapw0C8q/X9nXcgh4zBWr3fWDnpxV614R8C241/nGD6Anud7LqQqqFF7esRYMz0bE
R+cBTwjDQqsBZ+mnzAf9ec4xGjhFMitBayn8yIfg+9jfQW8Gvnz/BpygDZDvGjqD93ZgkXsZ
YPAedm8HIS93VeYvYMo3Zd+3gbWlfUyYH4ptKZYYlQLto/vWb1YF7qffu539EtxecS3+bj7c
7p8x2NUTMj91lwhMg/yT/oVCHXDn6OeUkyC0ViP1kRAIVdHiwX1CTde6A08I4/T1oEcLe5gP
rOVDMkGMEYeKT4EYZfjA8AMIG6RIwzcgrzO0NjYAaaacIU8CeYTBY3wfDEniW/JyYDydeRYM
0ao1kA7a9IyG96vDc8Wf71CqOTz9bBvalwTve2LrqJvg+yIw1hsN+mHxc18zEGOly2JnkF40
h9kWQdQouYIlH/QxVDUvhsRiRfc2GQcBkzJN2Qr+TP9l/3Ewvm/bbW4BgfPq4LC28PSr1dtV
8UH83LCMYq9C8kH3Nv0l2H5uyyd7XZAyN/ONu7vAYzacldeDRVC+Mh0H00pTTeMGEA+J+8Sj
IEcYnpR/2z4nGHMOEiRIkCBB/ofwyDnOQYIECRIkSJAgQYL8T6Ygx/mR3xwYJEiQIEGCBAkS
JMj/BoLCOUiQIEGCBAkSJEiQP0FQOAcJEiRIkCBBggQJ8icICucgQYIECRIkSJAgQf4EQeEc
JEiQIEGCBAkSJMif4P/fjq5gtWCQIEGCBAkSJEiQIEH+yP8HJdMlcRIgfwsAAAAASUVORK5C
YII=
--------------060901050107090100020702--

--------------090602040309020002010407--

From jricher@mitre.org  Tue Aug 13 07:19:51 2013
Return-Path: <jricher@mitre.org>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E312721E8119 for <oauth@ietfa.amsl.com>; Tue, 13 Aug 2013 07:19:51 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.598
X-Spam-Level: 
X-Spam-Status: No, score=-6.598 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 9DuZ2rgO9B2W for <oauth@ietfa.amsl.com>; Tue, 13 Aug 2013 07:19:47 -0700 (PDT)
Received: from smtpksrv1.mitre.org (smtpksrv1.mitre.org [198.49.146.77]) by ietfa.amsl.com (Postfix) with ESMTP id D33C121E816C for <oauth@ietf.org>; Tue, 13 Aug 2013 07:19:46 -0700 (PDT)
Received: from smtpksrv1.mitre.org (localhost.localdomain [127.0.0.1]) by localhost (Postfix) with SMTP id 7C0261F055A; Tue, 13 Aug 2013 10:19:46 -0400 (EDT)
Received: from IMCCAS04.MITRE.ORG (imccas04.mitre.org [129.83.29.81]) by smtpksrv1.mitre.org (Postfix) with ESMTP id 2B6631F046E; Tue, 13 Aug 2013 10:19:44 -0400 (EDT)
Received: from [10.146.15.13] (129.83.31.56) by IMCCAS04.MITRE.ORG (129.83.29.81) with Microsoft SMTP Server (TLS) id 14.2.342.3; Tue, 13 Aug 2013 10:19:44 -0400
Message-ID: <520A3FCE.1040708@mitre.org>
Date: Tue, 13 Aug 2013 10:16:46 -0400
From: Justin Richer <jricher@mitre.org>
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:17.0) Gecko/20130623 Thunderbird/17.0.7
MIME-Version: 1.0
To: Anthony Nadalin <tonynad@microsoft.com>
References: <8e1ea7617c20b54b3cecbc99364b399a@gluu.org> <4AACCC15-5DE8-4906-9756-0E33D37FC240@oracle.com>	<520A35CA.50006@aol.com> <520A3BAD.1050703@mitre.org> <7a9ce33274304311a64057bb305be011@BY2PR03MB189.namprd03.prod.outlook.com>
In-Reply-To: <7a9ce33274304311a64057bb305be011@BY2PR03MB189.namprd03.prod.outlook.com>
Content-Type: multipart/alternative; boundary="------------050403020602080907030506"
X-Originating-IP: [129.83.31.56]
Cc: "mike@gluu.org" <mike@gluu.org>, "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] OX needs Dynamic Registration: please don't remove!
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 13 Aug 2013 14:19:52 -0000

--------------050403020602080907030506
Content-Type: text/plain; charset="ISO-8859-1"; format=flowed
Content-Transfer-Encoding: 7bit

We have:

https://id.mitre.org/connect/

  -- Justin

On 08/13/2013 10:15 AM, Anthony Nadalin wrote:
>
> Who has implemented draft-ietf-oauth-dyn-reg-14 
> <http://datatracker.ietf.org/doc/draft-ietf-oauth-dyn-reg/> and is in 
> production (of some sort)? We have no plans to implement as it does 
> not meet our requirements/use cases and causes additional management 
> and thus I believe would not serve as a valid core document to expand 
> upon.
>
> *From:*oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] *On 
> Behalf Of *Justin Richer
> *Sent:* Tuesday, August 13, 2013 6:59 AM
> *To:* George Fletcher
> *Cc:* mike@gluu.org; oauth@ietf.org
> *Subject:* Re: [OAUTH-WG] OX needs Dynamic Registration: please don't 
> remove!
>
> +1
>
> On 08/13/2013 09:34 AM, George Fletcher wrote:
>
>     I know I wasn't at the IETF meeting but I'm confused regarding all
>     this talk of "lack of consensus". It seems to me there is a lot of
>     consensus regarding the existing spec (given all the current
>     implementations). Couple that with the fact that the current spec
>     doesn't exclude the additional use cases that you've raised, I
>     don't see why we don't establish the current spec as the core
>     document and then develop profiles for the additional use cases.
>     It is unlikely that there is going to be a true single solution
>     because to cover all the use cases it will have to be so flexible
>     that profiles will arise regardless. In that case, let's build off
>     the solid core that we have and add these additional profiles
>     providing a win-win for implementers.
>
>     My 2 cents :)
>
>     Thanks,
>     George
>
>     On 8/12/13 7:55 PM, Phil Hunt wrote:
>
>         I don't think there is a call to stop work. However there is a lack of consensus on the current draft moving forward.
>
>           
>
>         I too want a single, simple solution.
>
>           
>
>         Phil
>
>           
>
>         On 2013-08-08, at 13:22, mike@gluu.org <mailto:mike@gluu.org> wrote:
>
>           
>
>             OAuth WG,
>
>               
>
>             As some of you may know, the OX open source project provides an implementation of Enterprise UMA, which enables organizations to control which people and clients can access web resources.
>
>               
>
>             I rarely weigh in, because you all are doing such a great job. However, I was quite distressed to learn about the suggestion to stop work on the dynamic client registration spec. This proposed change would have a negative impact on OX, and the varied adopters of our software from around the world.
>
>               
>
>             No standard for dynamic client registration would make OX less "standard" by creating a bigger delta between UMA and other OAuth2 implementations. As OX also implements the OpenID Connect OP endpoints, and dropping this effort would also make a convergence path for client registration less likely.
>
>               
>
>             Please leave dynamic client registration!
>
>               
>
>             Thanks for all your great work!
>
>               
>
>             - Mike Schwartz
>
>             Founder / CEO
>
>             Gluu
>
>             http://gluu.org
>
>               
>
>             PS: Help us crowd fund open source OAuth2 plugins for Apache HTTPD: http://www.gluu.co/uma-apache
>
>               
>
>             _______________________________________________
>
>             OAuth mailing list
>
>             OAuth@ietf.org  <mailto:OAuth@ietf.org>
>
>             https://www.ietf.org/mailman/listinfo/oauth
>
>     -- 
>     George Fletcher <http://connect.me/gffletch>
>
>
>
>
>


--------------050403020602080907030506
Content-Type: multipart/related;
	boundary="------------060809030406070006030401"

--------------060809030406070006030401
Content-Type: text/html; charset="ISO-8859-1"
Content-Transfer-Encoding: 7bit

<html>
  <head>
    <meta content="text/html; charset=ISO-8859-1"
      http-equiv="Content-Type">
  </head>
  <body bgcolor="#FFFFFF" text="#000000">
    We have:<br>
    <br>
    <a class="moz-txt-link-freetext" href="https://id.mitre.org/connect/">https://id.mitre.org/connect/</a><br>
    <br>
    &nbsp;-- Justin<br>
    <br>
    <div class="moz-cite-prefix">On 08/13/2013 10:15 AM, Anthony Nadalin
      wrote:<br>
    </div>
    <blockquote
cite="mid:7a9ce33274304311a64057bb305be011@BY2PR03MB189.namprd03.prod.outlook.com"
      type="cite">
      <div class="WordSection1">
        <p class="MsoNormal"><span
style="font-size:11.0pt;font-family:&quot;Calibri&quot;,&quot;sans-serif&quot;;color:#44546A">Who
            has implemented
          </span><span
style="font-size:10.0pt;font-family:&quot;Arial&quot;,&quot;sans-serif&quot;;color:#44546A"><a
              moz-do-not-send="true"
              href="http://datatracker.ietf.org/doc/draft-ietf-oauth-dyn-reg/"><span
                style="color:#44546A">draft-ietf-oauth-dyn-reg-14</span></a>
            and is in production (of some sort) ? We have no plans to
            implement as it does not meet our requirements/use cases and
            causes additional management and thus I believe would not
            serve as a valid core document to expand upon.</span><span
style="font-size:10.0pt;font-family:&quot;Arial&quot;,&quot;sans-serif&quot;"></span><span
style="font-size:11.0pt;font-family:&quot;Calibri&quot;,&quot;sans-serif&quot;;color:#44546A"><o:p></o:p></span></p>
        <p class="MsoNormal"><a moz-do-not-send="true"
            name="_MailEndCompose"><span
style="font-size:11.0pt;font-family:&quot;Calibri&quot;,&quot;sans-serif&quot;;color:#1F497D"><o:p>&nbsp;</o:p></span></a></p>
        <div>
          <div style="border:none;border-top:solid #E1E1E1
            1.0pt;padding:3.0pt 0in 0in 0in">
            <p class="MsoNormal"><b><span
style="font-size:11.0pt;font-family:&quot;Calibri&quot;,&quot;sans-serif&quot;;color:windowtext">From:</span></b><span
style="font-size:11.0pt;font-family:&quot;Calibri&quot;,&quot;sans-serif&quot;;color:windowtext">
                <a class="moz-txt-link-abbreviated" href="mailto:oauth-bounces@ietf.org">oauth-bounces@ietf.org</a> [<a class="moz-txt-link-freetext" href="mailto:oauth-bounces@ietf.org">mailto:oauth-bounces@ietf.org</a>]
                <b>On Behalf Of </b>Justin Richer<br>
                <b>Sent:</b> Tuesday, August 13, 2013 6:59 AM<br>
                <b>To:</b> George Fletcher<br>
                <b>Cc:</b> <a class="moz-txt-link-abbreviated" href="mailto:mike@gluu.org">mike@gluu.org</a>; <a class="moz-txt-link-abbreviated" href="mailto:oauth@ietf.org">oauth@ietf.org</a><br>
                <b>Subject:</b> Re: [OAUTH-WG] OX needs Dynamic
                Registration: please don't remove!<o:p></o:p></span></p>
          </div>
        </div>
        <p class="MsoNormal"><o:p>&nbsp;</o:p></p>
        <p class="MsoNormal" style="margin-bottom:12.0pt">+1<o:p></o:p></p>
        <div>
          <p class="MsoNormal">On 08/13/2013 09:34 AM, George Fletcher
            wrote:<o:p></o:p></p>
        </div>
        <blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
          <p class="MsoNormal" style="margin-bottom:12.0pt"><span
              style="font-family:&quot;Helvetica&quot;,&quot;sans-serif&quot;">I
              know I wasn't at the IETF meeting but I'm confused
              regarding all this talk of "lack of consensus". It seems
              to me there is a lot of consensus regarding the existing
              spec (given all the current implementations). Couple that
              with the fact that the current spec doesn't exclude the
              additional use cases that you've raised, I don't see why
              we don't establish the current spec as the core document
              and then develop profiles for the additional use cases. It
              is unlikely that there is going to be a true single
              solution because to cover all the use cases it will have
              to be so flexible that profiles will arise regardless. In
              that case, let's build off the solid core that we have and
              add these additional profiles providing a win-win for
              implementers.<br>
              <br>
              My 2 cents:)<br>
              <br>
              Thanks,<br>
              George</span><o:p></o:p></p>
          <div>
            <p class="MsoNormal">On 8/12/13 7:55 PM, Phil Hunt wrote:<o:p></o:p></p>
          </div>
          <blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
            <pre>I don't think there is a call to stop work. However there is a lack of consensus on the current draft moving forward. <o:p></o:p></pre>
            <pre><o:p>&nbsp;</o:p></pre>
            <pre>I too want a single, simple solution. <o:p></o:p></pre>
            <pre><o:p>&nbsp;</o:p></pre>
            <pre>Phil<o:p></o:p></pre>
            <pre><o:p>&nbsp;</o:p></pre>
            <pre>On 2013-08-08, at 13:22, <a moz-do-not-send="true" href="mailto:mike@gluu.org">mike@gluu.org</a> wrote:<o:p></o:p></pre>
            <pre><o:p>&nbsp;</o:p></pre>
            <blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
              <pre>OAuth WG,<o:p></o:p></pre>
              <pre><o:p>&nbsp;</o:p></pre>
              <pre>As some of you may know, the OX open source project provides an implementation of Enterprise UMA, which enables organizations to control which people and clients can access web resources.<o:p></o:p></pre>
              <pre><o:p>&nbsp;</o:p></pre>
              <pre>I rarely weigh in, because you all are doing such a great job. However, I was quite distressed to learn about the suggestion to stop work on the dynamic client registration spec. This proposed change would have a negative impact on OX, and the varied adopters of our software from around the world.<o:p></o:p></pre>
              <pre><o:p>&nbsp;</o:p></pre>
              <pre>No standard for dynamic client registration would make OX less "standard" by creating a bigger delta between UMA and other OAuth2 implementations. As OX also implements the OpenID Connect OP endpoints, and dropping this effort would also make a convergence path for client registration less likely.<o:p></o:p></pre>
              <pre><o:p>&nbsp;</o:p></pre>
              <pre>Please leave dynamic client registration!<o:p></o:p></pre>
              <pre><o:p>&nbsp;</o:p></pre>
              <pre>Thanks for all your great work!<o:p></o:p></pre>
              <pre><o:p>&nbsp;</o:p></pre>
              <pre>- Mike Schwartz<o:p></o:p></pre>
              <pre>Founder / CEO<o:p></o:p></pre>
              <pre>Gluu<o:p></o:p></pre>
              <pre><a moz-do-not-send="true" href="http://gluu.org">http://gluu.org</a><o:p></o:p></pre>
              <pre><o:p>&nbsp;</o:p></pre>
              <pre>PS: Help us crowd fund open source OAuth2 plugins for Apache HTTPD : <a moz-do-not-send="true" href="http://www.gluu.co/uma-apache">http://www.gluu.co/uma-apache</a><o:p></o:p></pre>
              <pre><o:p>&nbsp;</o:p></pre>
              <pre>_______________________________________________<o:p></o:p></pre>
              <pre>OAuth mailing list<o:p></o:p></pre>
              <pre><a moz-do-not-send="true" href="mailto:OAuth@ietf.org">OAuth@ietf.org</a><o:p></o:p></pre>
              <pre><a moz-do-not-send="true" href="https://www.ietf.org/mailman/listinfo/oauth">https://www.ietf.org/mailman/listinfo/oauth</a><o:p></o:p></pre>
            </blockquote>
            <pre><o:p>&nbsp;</o:p></pre>
            <pre><o:p>&nbsp;</o:p></pre>
          </blockquote>
          <p class="MsoNormal"><o:p>&nbsp;</o:p></p>
          <div>
            <p class="MsoNormal">-- <br>
              <a moz-do-not-send="true"
                href="http://connect.me/gffletch" title="View full card
                on Connect.Me"><span style="text-decoration:none"><img
                    id="_x0000_i1025"
                    src="cid:part10.07020400.02030103@mitre.org"
                    alt="George Fletcher" height="113" border="0"
                    width="359"></span></a><o:p></o:p></p>
          </div>
          <p class="MsoNormal"><br>
            <br>
            <br>
            <o:p></o:p></p>
        </blockquote>
        <p class="MsoNormal"><o:p>&nbsp;</o:p></p>
      </div>
    </blockquote>
    <br>
  </body>
</html>

--------------060809030406070006030401
Content-Type: image/png
Content-Transfer-Encoding: base64
Content-ID: <part10.07020400.02030103@mitre.org>

U78XWc/DILeNQ//6OHiFBeq860DBJt6xTxZAVlHP3MzrEBaRr55XWcCdNru5ubm5uf0/4z30
ODNeTQE+FIflzcAsikoJgF1aRXfQ9ogxqg50K3mrawSOt9I0WoLUXpwRQSB3UXrLY0HX0jVF
XgPc/o+wrprJ6Sk1oXCPOh1qfAZRw4cV/zgUpGde5Q12yC31ov6DMqCG2Xpl7Ab5ufzSlR9M
2wvuKDcJtC6utTY/YJP+pjQDtBavd2ZMBVcD+z7VBRk/Zc/K7gCZB9/OSNkLru3WAFtXCO7t
W8l/OgTtCGjuFQbKD0o+IkA99mZxaiqIaYVehqwEZbvRpvMBzlJQFw2ikJTPFQVKIyZLRlCO
aHPpBZJReiFNAemo6EQEiMparKs+KOelWcIAyhppqvwTaGWkS8rHILYYdnrcBnt//RdeCqSM
V0coNeHtitxtFh9IrBv/6sUZSFn1+O3DY5ByI/lB0glQ2hgnG3PB/5uIIuFfgeeq4DZBrUBO
0MdgBmcny3VbIGQ9S36aGgmObo7BWjlQ6skV9Zlg+sxsM7wFjwDPHV5DwWOGZ3XPjWAc76GY
GoOhh3GFMQN0O/UL9KdAJyuV9QkgjVYO4g2iulBFLkjDhUHrCtoldbh2F7Tl2nGXAtoi11VH
PxArHJVcQ0Ar4DKoDwC98xdHP9CluD6UrGBA/kz3HLxve5kNs8C1y/uuMRGcLZ02LQ5yRlvC
nE3BsjN3e+44ePrLhQ9PVgR7bsSR8CtQ3BU6rG5DCNflnxr4OWgbRYDTCdo110dmJ3j19KxJ
NOT0y/G1hoB8Tv5EvgQZ69J6WT4F0wDTUJMDIlcEzPHOAfWca5C2ECp+UO7rEmtAd9e0ukAp
uNz3Tvizo2DLVBY5pkDpkOLbim2BGwdjMvd/DzlHHMsfLQf+F/26nJubm5ubm9sf84cTZ11X
/Uemj0At5izkbA4Mk76kHrCAddJckJMZLW8HR3NXS4cRHC+T57/9CAxhxiSTE+SNAQEBd8G1
2eHtqATyM50q1QTD6pI1ik+E4B5RdjUb1M+87F69gclZdxLegmKVuzq/BvWRdWVWV1DCii+r
eR3kA6bpvqOA2moBdRKIYLWMvRPk9nlRO7Ew2JZnfWbLB65WtiRtCnBNOu2XDa4TUhlVhjev
4g8lxoIrwJ5gMUJY4cjiBYaCnOTq5VwK+rJMFLtBlItMCv4A9JEhC73Pgthqi7NNB/yyb9m3
ghisnySugu6ReoHF4GrsOKgOACFLD6kHYgCLqQa6Q7o5xi5gsxtXeu+EzKWG4+YJkKzZLjoS
IfGDN51fToLECvfX3vGGJN/XjldTgFummh6hENi6sHeRqWAuE1jCrxk4SjpLOsdA9rikh6mD
QK1mq6Qmg6mJeYjhCvh+G+jr9z34bQhpEHQF/EYG/OzfB3ynek/z6gPmJZ6FTF1AN0P/QtcE
lINSMWUciB8ZJJaB1lcMYCnIH4ogKRFEf/bTEhgpOolNoF5Rp2ofAnvoKJoBp7TDwgKuH7Xr
2m5wNVF3qo1B89RuqIdBJDiHO6+Cs511UG4wqJ3sxaz3wPWjetwxCVwp6iIxFQyddQ+kymBa
5LvN2Bt8KvoIkwS56+35XEPh7YDUQcmB8OPQzS1+6gP+FwI+DtoBIQuC2weVgsqxFQaU+BXK
li6zr+ACyBydule6D46B0n3XNXh7K+Fk6lIwzDIE6X+F8p5V/YvkB2mzbrzcFhSrdt25Fkos
LuJrOAJ3nt9t7/gEnry+c+BOFPicKT+jzFGop5bZ0ucInHp0afze0gB88Gc3cjc3Nzc3N7f3
4w8nzmfqXRh5aRTUKlf1ftXaIF+TtokEEKtEknYLiJaGyykgl5d+UsqCx6qApOBrkFQ5oWty
CvgWNC21XwLDRUMp6QvQ1qmebAFD59DUIqNAvZLVK3sdiGoOnf0nkBZIr6RDQJbc2RgH+mFF
Glf7GvTLgkTkDSDafjP3LoixOk/9c6Bf7ngtC5Qb9llCAzlVeWLcDZ7bPZMMN8HL07tBYCNw
Zonx+X8Ei0fi0rgyEPf90wt3toF1R1pqSh0I+ykqqOBbMN60ts+JAmVDaliaAXSRPq19H4DW
2/nEdQvkFnJFqQkYPhCN5CiwL9CEtgt0NZQDygJwNdDqaP1ArYNBtw1c8X7H/IZCqtMZqUkQ
Nyt5SOK3kLDmsf7OBHh99WHIgzVgXeOaqRUA341RxfO1BuPuwPE+P4PTy7lZnQMpjeNmv5kG
8hP1GuEQXC+oXmBhCE0rdTKfC0IbRK4KnQO+P/p7+vqCxynzBFMGGErrVymeoDdI56UgUCSh
owuIq2pTURGsj10z1e9Be6x9qTUG6bn8SDaAds31Sp0IroGaVRsGWjlxQDQHpbFoQT6QhkgN
pTKgPJRXid6gVEZIyaBcZK1SHSTkbBnQldULwytwTDatMB8GVx+1uisExAaXxWEFe23HNNtA
cJWzlrTWAMcQ+yLnUFAmqJKWCYYQUyX5JniMN+X4fQDWe9bOjpKQ1i+zeFp7SC6a5ZteDrJn
5ljTF0Ha1eRKb7Oh/q36l+rfAMNPvk/9CkBQl6CdfpngqqGOUGeBLr/eoThAbeGKF7HgUlzF
5Z8hlWRjzneQMyLjUsIZyHQkTnv2HVx4mrM7tjeUGFc8spQdam8u07Px5j+7ebu5ubm5ubm9
T384cc5unR5lrwm6UUqWVBxczdQKmh/IPaXRHAAxHoeYBVJXuZ50FZTGnpJHJJgCAif5TgJn
F8ctZyx4NvUe55cNrhfqOHUtiHXmG0GDQZdpCvc3gatY1tvUFqD/ylTafBWU6uFDSs0H6Tn1
lGUAjtG5lUB8rvRXXoEoK9XEF0Qr7ak2DsReea6oAATzmTYa5JHSaFcH8Boml7WeAOdoLcK5
F4w7/BN0hcEVYwmP+A7e6hPSX7YH53FrckwNCP4i/EjgFPBq6ncnYjRo+a297R+DmC21Ux6A
c7PrG+dlECu1lcIC0h1phDgMcn9nV8evIDXQzdEXBnspz1FBIRAban9ki4XY716OftwPXmXd
fHJjHyQ2f8Or6aDE+ff0bQq+n0WWiYgFpbboKa2D9BJvSiQ5QDdKsysLIfKbyLnh5aFAXPEj
hT6D4K35ksJXgW8B32yvE2C6oj9k2A38yDqlEaitVFV9BfIcrZ7QwDWJkdQA+0x1o5oPtLEi
BAPQWPKXvweDRaeT84FusNSTXNACpa+1keA669qgdAHbKPW+WhKcmcwUR8HVRf1a7Q/OTppR
nAJlq/yVFAV6p3RY2gZqKe0Jh8AuqcmuH0CUpRojQIoQO6TKoFzUbTJ9B6KP9InRDMpH+ice
CaDPdV2wjwf9Smsd631wxdvT7fdAV1d96GwN+g7mkkomGD43HfPxgOytucn2IfCmdcKepEiw
jbNPdXYDXhobmDqD/2Kvr7zKQHZmxo6cbmCtaxmT8xPYExx1HZ6QO9jm70iD3FfWrbkV4U3y
2/3pbcGyxtI++RD4jvWdrcwAa3F7uNoC7n74sPK9byB5b0qjN4WgHvWp+wfa17sf8MjJycnJ
yYH6W+pvqb/l79fLKJxROKMw/NL+l/a/tIfelt6W3hZYW21ttbXVYMiQIUOGDHn/XyBr1qxZ
s2bNvx7/j27v5ubm5ub2P+kPJ87Xf3qu3XkKUfEPW0Wuhsoly48sPhlyStgm231AacgmMQvY
QLw4DK45TovzBvh19FnmvRvYI05JX4Ejy9nI9QVIIyWFEyA1V84pFUAEskz3BHRbfBJNRsCX
xpIetMNqX9UC8keUdjQDhki99R+B9kDMU8+AfIgY7Q2I7bkFUluDfVt6RvJLsL+ynklPA5q6
XKnt4NGa16WexUNqrcQe8e0h3+yQL0Jqgv9W/zmRKmR6mV97Fod0P1df6QG4Or1pmL4YvIdY
Bmdbwb9ikG/4CTDuMtfwNYNWUy2mrQEpWIRKVpCeOjprw0FeqLP5tgBLtG8L7wfweE5Ww7RI
eJF579j9tfB89I1dV3MhO9n2zFIGPGIjt+TPBUMHv/6e18C6OfNK9jPQiuXUtH8P4baI+hHf
QpFeZcoUjYf8+Qu8yj8GvE/4DvE5DnIL5Yg8EaQvpEnsBhGpntaeguio9XMVBLGbL2gDrmpi
jxgOogyvmA3SG1kvnwLRTfPWhoP2kzZQM4KrHL9wCXQHpVfMA31tpbTUEsR+Mcp1EERpx2nR
BJyh6lj1ArgyxV1XIRDPtBvEg/REncwBYDDhUlcQr4SEN4gxIkuUB/FWNBUFQOSKCeIKiG3a
VK0PSHNw0g9cV8VbyQdEP2WFMQLksh7lDYmgjzA8tY8C+Z7jV1tP0Okdm+zVQQlw7HB8Dfq9
5g4Gb8h9qBuhrwXp1qz12U442Piw7lQV0H2uP2PeAPpTylVlJOSOyzqT8RbS56bdTCkKak0p
3nkbNB+tnCsZXFfEWt0SMFwx7JEqgytE8/AMAD+dfykvE0g7aK7WhaRLad9nTgRqUpaV/3r7
Krqw6MKiC+GnaT9N+2ka1K1Yt2LdiiDfkm/Jt/LWe/eT24XnF55feD5IJskkmWDglYFXBl75
932BDKw4sOLAin/e9v9u4pq4Jq7B7ma7m+1uBl3Tu6Z3Tf8dG65mNavhzp07d+7cgZiYmJiY
GHBWcFZwVoDg2ODY4Fho+Kjho4aPQFmvrFfWw8UVF1dcXAGvf3798+uf88Ll75i/Y/6OUPtu
7bu17+Z9/s/9nvs994Mrq66surIqb/3qw6oPqz4MCmcUziic8Y+Le6zQsULHCkFGdEZ0RjR0
Ldy1cNfC//zx+tsLIfeFkZub2/9r/nDi/GJTSp8n5+B0gVvVAixQ6oMSOyMHgC5HfiUvAvG9
aCsVBzrzkoaAgxhcoJ7RjJoepPrSQoaB9FD+mgnAHrKlAGA5ZTAB5UV7bTWIxdJiZSXgEvPU
T0F3j+OiAohDWOQnIO6LDk5v0C/QH/PsCE5Tas8X/SB7wIWip+aAWiipb1JnEDfU07mV4HmT
+8uflYIbnz/88Y0fSNvsDaQY8BWlxnoXAv0L5XTSh6BOxcu7DBicfkr4r6C7qisinYfMXa5j
aW3AsTEjINkC/p7OjdbBYD5h2GC+A1IpNdAwEnSnvSsHL4Ckel4pAQvhwZSEt2908OzKNelq
H3jsee/I9VRw5FecBh34fF1gboEckNN0wdIAyFr+ZlXqLfBVPKqbG0OJArUiK12AgmdLTiqc
AEHLAs4G7gH9JP2H+p4gHWANNUAsUiWtIog0LQEnCKsYJMwgq3zPclCmsUDSQP1K2sqnQCtt
ufYtiG9FkBYB+uq0lvqAOCKVYQbIZbV7YiCIS2IFO0Ecoo/WFdgu8ok1oFSTC4s0ME2VgpVc
sH+hHhHVwSVjFDJoS7RFYg6op9Tx2mPQylFQGIBaYp+mgWgtZkh9gVTasQukX0RbxoBoLLaL
ViDWIxMA6nxRU+QH2ooUKQm0NnJ/gxdIQcYDypegL6+U15cHcUj6IHcSMNFZ1/UzSEOk29QC
5ZayxzQDMs9ZCsifgv22OsF5DbyDfI96x4BhnqfqUQHsByVVWQ+ZpdJuJpmBJ/I9uSqI3WKq
GgDWLrb9rkGQ9E3KuZyRYDxvGKi8Bq+OPo3Ni0B7I/apPwF/MGn18fHx8fEBvwl+E/wmwOuG
rxu+bggFKECBv1rvXeJc70S9E/VOAK1pTWv4/tb3t76/BUOqD6k+pHpeIlPzds3bNW/DE98n
vk98ocWUFlNaTIHoBdELoheAtbS1tLU0FEorlFYoDW7rbutu6/4+Afqt+BUGVBhQYQC8aPai
2YtmeRcAVatWrVq16t9v3zigcUDjALhx48aNGzdADBaDxWBQV6or1ZVQ+mzps6XPQsWVFVdW
/AMXIr/Xs53Pdj7bCY+2PNryaAukf5X+VfpXv3/7x+Mej3s8DuL94/3j/aHzpM6TOk8CpYZS
Q6kB523nbedtcLny5cqXK4PHZo/NHpvB0d/R39Efeph6mHqYQKwWq8VqOJl1MutkFtzceXPn
zZ1QhSpUAc4tP7f83HLotK/Tvk778tbfZ99n32eHwhTm9+S/Lya/mPxiMgxOG5w2OI3fv6Gb
m5vb/8/IfzRAoUFmXeg4eC1eXUmYAj9fPHD8zDMwHTHYzF+BVkM0YxkQQTwPQfpKWiwtBlRc
OEEMEFNZD9JycUyqDhJEMADECVFEfADSZGmTEgPyJhGt9QJuU5xVoJWQFureAI203S5P0HZL
fowCtYSlccI8cBxIGHF/JljrvfSLOQLaZ66I9F1AltbJfgxMP3qVMa2DOoNqNazoAbViGrvq
+4BxVXBOZCVIaWvb4PkLSC6vBf47wPOF2ctjEuhUr/Fem8GzsnfFyBUgVin1AgIgc0VmYYsP
ZHxsOZf9E9gfeoz3qQzJb7zb+1+Fh+fe1H9lgJgNZ8uffgQxO28uvhYGjh7Gox5HwBweeSz0
A3DVcDjsKlg/eNs4/R4U/jrKFLIPGlVvPq9Oa6h4tvqtCt9D1I2IYZGlweuFYYrRCkoL7ay2
FnRHRTGtOZiWyL3kNaCvQhH5W9BVE19IVUGKFS34BvhFnasGg+4D7awaCUos87VHYPxA6SKP
Br3MXhEG0ueuva5b4Njk7O/qCtYhzvWuNMgd51TUdaCNFasoAMaHersYD7oD0iHXIJA7aQ21
aFCmaWdcF0AJErIoBrqrci9yQLkodxc5IJ2XgqQyIF2RxohaIIfRRHQA3YdyvNQfDFtlnfwY
9I2ll1IVMPaS1kntwTBQ6k4wGOZJ10QHUEKlHtJwUM7rMo0XwSB5PPVeBeZ95lYeb8HjS3mr
VBrMm6Vv1L7g6+FVQ18FvD/W5ShbIKtiSlTKA7BXsmdZoyH0dtiU0AcQeSaiWpG1IN8Rl029
Qf6MdcITdP2UWcplsI10DNA6QXr7zOmWe6DeUlur3UB2iPnOyPfXUItlFcsqlgXPdjzb8WxH
3vLME5knMk+As7+zv7M/hL4OfR36+vfH7dy5c+fOnfMSuSLpRdKLpEOPHj169OgBvk98n/g+
+efLGzkrclbkLGif0D6hfQLcXn97/e31v73+vZH3Rt4bCVVWV1ldZTV0z+ye2T0TOr7t+Lbj
W7g6+Orgq4P/+XLYbDabzQbOS85Lzku/fzvvR96PvB9B2bJly5Yt+8/v98HmB5sfbIZqUjWp
mgS6EboRuhEgVZWqSlWhevXq1atXh9LnSp8rfQ6eNn7a+GljqKRV0ippIK2V1kprQZZlWZbz
lv/t5//up8etZ61nrWfBes56znoO9Bv0G/Qb/nE53yXk7xyIOBBxICLvuB0/fvz48eOwJWZL
zJYY2N5oe6PtjSC6SHSR6CJ56/3ez+H3xtu7d+/evXshJSolKiUqL87+/fv3798PZ86cOXPm
TN7ydxcqJ4udLHayGDgcDofDAUeOHDly5Ahs897mvc0bDnU41OFQh98u97sLvzsj7oy4MwL2
TNkzZc8UeD7x+cTnE2HX813Pdz2HHb47fHf45pX/UYNHDR41+OfPEzc3t//7/OEeZ9kgr/UY
CA13VzTWvQ3VzZXTC7cHq9PxxN4W5Hj5pHQMpBHsFDkgDovnoiZwm8tcBOZI06TPQVzXamuv
gRJaPFnAD/JhKRdow2hxAsRjqkr9gMfcFJOBbeSI66ClSB9JRpC3uRam+EDqhIM1Nv4KmvXS
V/fLgml9rS3Va4Ao5t3cdyBISfd73AL8lxovGJZCZhV9Of9m4Nht1JsSwZnqmOb5LWgRprqG
VmCub9CMI0DXQDfTcySon/KdczcYmsg+wgiGhz59A5ZDboDlqaEVWJeZahnrQ+75gD7h6+Hu
4df34krDvY/PPDjjhGfmR18+NYGzjM9Vj4HgWSygqv+n4OycHWkrAfrtWrTrNpRfWalFGaDk
sAqrSsRBflPUynwnwWOprrN+EuSctQy3rAN7dzFMfAOGrbryhmgwfak/aCgFjin2evbvQcnF
iBcoM+UAPgXNqhm1XcDP0nRRFBxlXYGuHqBNEee5A7aWor9rDYgA1Sy8wdVci6EcyM+kadpk
kPJp+cQmcL4URaWaoNSQCopCYFitbyPSQE5jpPgSlED6iMeg5MjRUgtQW4tG0kBwVlETyQCq
ikHSHZB2oanLQBlOG/aD4bCusbwQpDRpAvPA9Z0ao90FaZYK9UB7Kj4UtUBrwGPJBHKG1IAE
UDtwGS8QF8Q5MkD6VrolR4JazxBs2ABaFz6SPgajyfbAZgXsjun29cBj8w2lKYhM2nIAsgtb
m1pegRGzMLog5JN8q0IWgrRf6W74HN6Oi/v40UJw3SLYfgjUBfIRoUKuOfeU2gpse6wmxwPw
yFEGyxHvr6EW+arIV0W+gquhV0OvhoLrW9e3rm/hxcgXI1+MhCL9i/Qv0h8YylCG/uN4pUuX
Ll26dF4i90b/Rv9GD40WN1rcaPFf7bd7ke5FusOZO2funLnz+8sb8UvELxG/gBwjx8gxoK5R
16hrfnv9Dvk65OuQDxJ+Sfgl4Re4X+d+nft1IOVoytGUoyC2iq1iK1CZylT+x/tP7pTcKblT
XqKlu627rbsNXXO75nbNBQ8PDw8Pj9/ePmR6yPSQ6X+1YA1rWPMPd/sX6V3Tu6Z3hfjV8avj
V8ORzUc2H9kM9gv2C/YLEN42vG14W6g/pv6Y+mMg51nOs5xn4PuN7ze+3wBNaUrTvHh+jf0a
+zWG7LvZd7Pv5i2vu6nuprqb4OdDPx/6+RAQRxxx0CasTVibsH9czkY+jXwa+cATnvAEaBfR
LqJdBBzverzr8a7gGeMZ4xkDvTb02tBrA0iZUqaUCVcaXml4pSGcL3O+zPky0ORZk2dNnv32
fs71OdfnXJ/fHy+/T36f/D7wpt2bdm/agf8V/yv+VyA3Nzc3Nxfs/ez97P2AdNJJh4QDCQcS
DkD+t/nf5n8L165du3btGkREREREREDL7JbZLbPh/o/3f7z/I1zqf6n/pf7QcFvDbQ23/Xa5
311Ybqy1sdbGWtAlqEtQlyDwyfTJ9MnMe/bg3YVnCUpQ4vefJm5ubv8X+sM9zo7rhqfxFnjq
Gfv5sTbgXdyrt1clkK+IKdoekOzivFgBope4hA3I4RXPgQc85SnI30mXpRHgqOt47ewB9l3O
Us56IGtyZfkNiF1iqQgDssgScSBVwo8MoJx4RjzIn2k4ZcjNuFLsdCBI9dOzcquCNLx064ou
8Pmsyd1eWyDY0ubwwA/Ad3DLqC4lILh3lV4VsyE0NWCN9wdgHM+PymBQPzGd8lBB2aG7aooF
Za/utVmA/YrmZQ0HtZdjvHoW7G3tkyxFwNbF0iJjD3iVCBweXB1cXgXPl5LhvuHN129qQsza
s/vO3Idn3R7Vi+kF9kXe+4yPwfTYp4pfT3B2zgnJjQSvJ8oUuSnUGFXzdRU7VP61zuJKP0P+
nvm75ysP+wyHqh96AWtSN9/9cSX8MHLHtu0rYLXXhukbVsPJu+ePnPkY3pxMOhP3PRiOmHzk
+iCbdSd0k8F1TTstPgei5SW63iC/NYzVDwf9h6bm+s3gcdzwgX4IGIYwTroA0gPhrc4C0yA5
R1wGQxN5jrQHGC2uimKgNlALuMaBdadrhXMQWL+xzXNVBHmwqCeVBZ9M82vlOpjm63VSAdDr
pclqeTAUk6aqy8GjhrKe/GBeKn8k3QX9FjmK7qDuVp+ou8DxrVNzXQfnETVR6wSuSWRp/cA1
lzZaLDhVMcSVAa5r2gi1O7gs6mKxE1xtRBvtZ3C0E/VFEriSxAiKgfxa56nvDoatpq89PMD0
xHjWtAU8lhMsyoApxbRWag/eIaZ4ZSpkn0xvkvoILBMsx7Prgd+RkDE+B6FwgQLXCvqAqbL+
rLcVDDHG6R6ZoM2Uh5rKQ86m3GGiPrgGufaaZ7y/hmr8wfiD8QcIjw+PD4+H2ODY4NjgvCEa
RaOLRheN/v3x3vWAvqNd1a5qV0FeK6+V1+Ytl4ZIQ6R/YWzq347B/kfe9Qw+efrk6ZOneT2+
lQdXHlz5X+hpfje04t1Qj3cJa86inEU5i/7wx/EPuVwul8sFltOW05bT0KVgl4JdCkKfM33O
9DkDgS8DXwa+hBPFThQ7USxviMVvEWvEGrHm79d7lyA2n9R8UvNJ0CygWUCzALg2+Nrga//C
cXvn3RjrSoMqDao0KO8Cixvc4AZUvFzxcsXL8OqnVz+9+un9x3uXAL9LnJMPJx9OPpx3J0Me
Lg+Xh+f1sCfMSpiVMAvy5cuXL18+eDn55eSXk6Fkr5K9SvbKK0cpSylLKQvEtYlrE9fmt8v7
txeWEbMiZkXMgpM9T/Y82RNu3bp169atvMS5RfMWzVs0//efV25ubn++P9zjXK51/u21JoFB
yA8y/eBN8USPxBZQrFzRLYVuQ1a1nI7ZI0F/XP9QPxIYz2YqA/0Iog5wUVzmGmR6ZERkHYCA
GYGeARbQuonSWhRIW6UIaSSQLi6L2iDuMIZtIO2UV8me4GqSWSZZAWv92PD46+BMSAu03oTg
i/1WDtgF+rPB3SNug3OEPdVuBeOWAkfLLAXxkf1L+zXw71p1ll8aeEy9sOVJU3hV8+X55FVg
G0OUXBNcVRwB9hNg2G/wFhaQ3zqfqVEgHVCj7UtBqiCEtBlsJ7wOen4Iz18nPUyaAo/sl8Zf
OAFPkx+tevAFZHXxWGa8Cr5JXvW9loOcYm1kvw0+No/WpukQ8bDosfwDIfSroifzfQuG2/od
xqFw+8G9o/d7wL2mMTnP6sDr+NjTb+ygjFC26F+DLVN94fgK7uhjPnieBYe+OVbrhB9U2V3R
Um4clGhY9GHhXFA+1hU01IfEgYm5iXUhyCvol6AloGsinuo7g3mWXlW9IKRU6OyQTuD5wDzD
vxo4PrFfcnwBzj2uMNdBcH7uytE6Aw3kFsqXoEwUdaQBIAfoPtVZIC0p55ClFGQ2ytInnwTf
rt4f+y0Hwy7jMlMKcE8x8R24PnNVdP0Iztmuc2wGtasYIDaCNlp8TTKo/cTneAP7eaJ9C9pn
AnERsJLOXeBTxohWINcSH/E14CmOiqYgCvNAnAOprFBFWVCHiMdiDwiXOCtiQJ4qv5ZOgFTQ
WNw0BAzfaxmcAK9B9pbWYyCSDUXZBBQSQUppyLqT+jJ5I3g28x/kEuC/OKC9XykIPSbOShsh
6XjilbfHwZEihCUJMgKyCtsrgfZK/7HnL++/wRbrWaxnsZ5wc+3NtTfXgnpFvaJegYD5AfMD
5v/rcSPaRbSLaAdP5j2Z92QelKIUpYCnO5/ufLoTOMMZzvzr8f+RxMTExMRE6DG8x/Aew8Gc
Yk4xp0BcXFxcXBxwiEMc4i8P3f2jnvV3FxJWo9VoNYKxtrG2sTaEnA45HXL631ePd0z3TfdN
96FqdNXoqtFgqGuoa6gL3OMe96CSo5KjkgM2jdw0ctNI8F7mvcx7GWTtydqTtQf88MPvr+Jl
98jukd0DfAr5FPIpBAxiEIMgZU7KnJQ5EBUVFRUVBSJKRIkoiJ4TPSd6zr9e/ncJutxb7i33
/i9W+M/j/+7hScpTnvLvL15IXEhcSBykPk59nPoY3oS8CXkTAmElwkqElQDlsHJYOZw3dMW4
3bjduB1MyaZkUzJYblhuWG7Axmsbr228Rt4dAwUFBaRz0jnpHNCb3vwX5fnbC8sWgS0CWwRC
6ujU0amj4e3BtwffHoSbr26+uvkKOMIRjkArWtHq3396ubm5/Yn+cOIcXzf582fHoblHnah2
Cpy7dfnZ5RCwebl62GtAodh8alQtUILl3sp+oKuoLLaB9prN2ijQyqpZrr1AI9FX+w6kj0VF
eQzIS1gkTwPnbtdO502QC8hJSguQIqQoBgJOyYAZeG1bYhkFopv1qr04eJyqUK56Lug9wssU
rQHaa9vd3O4gBSi3jadAfIJFXg4u39RgS3swlg7vV7gG+HesNaXUz+D8MfsrWyCkR2Yvdg0C
Ghu/1qWB1kz1cbQGJjoLZx4FSqjt1FdgPxrRreBEeLE/+7W9BDwteCnywgl4FnGv281sSBuq
L6VfBR4tTdm+JnB96+ztKAnyQfmG9ByUrT6/6JfDixlvFr/sBHGnkj6NzwLbfltpV3eI35f4
a/INsJW2lnVUAV2c3FGpB2qKaOYIBNHalSFugCtM6MV9yNidHWVfD7/8fPTQqf5wwXI581ot
kJ/J3+qskPNL7ke550CuI42WSoI5vynQXAvEL+yU2oBPG9+LHqWg+5sO3m2rgb+P76CAgWDo
qq9m9AH9j4YdhtqQNSJ7YU4yOGY5VzjT4G2jlK6JIXClyrW6t0ZA6uq0Uan+EHw6tETAazBl
mYqafwXPHNNWsy9UVMpXL+8Cr25GX++LoN7UvtBagtaanmwFbayYpRUHbZAmsw3ELdFCVADp
E2mEdAq0kdqnWjMQvqg8AM1TRIi6oB0VH/EBSC+pKZqBNFT7kSGgDRSBIgnUmlQXO0BrwjqR
A7LFuMBwCfTV6KH+CB41rVVtH4P4zDBFzgfmGlp9pS9YpcyktDkg5xrn6otARMcChJaBUkcK
Pov8EHy+NNw2LwHzBx5l9L7goQtdHbEAgIZ/ZFaNv/UuQTrd83TP0z2h/Lzy88rP43cPYfgt
devWrVu3LkR7RXtFe8HdnXd33t0JhQsXLly48F/1RA9hCP+G2RGq3ax2s9pN2F9nf539dcA0
wzTDNCOvhz04PDg8OBwutb3U9lJbqElNav438d71SFagAhX++o2SlKTk+y9/ds/sntk9wXub
9zbvbVCwYMGCBQvmDQ2oWKtirYq18nrwH+of6h/qIbR1aOvQ1hCWEZYRlgF3at2pdacW1F9d
f3X91eTNzvGfy4tsKbKlyF9NR/hufykNUxqmNASRIlJECviO9x3vO56/JNj/rHezeNyucbvG
7Rp5Y7XfuVXpVqVblSCqZ1TPqJ7vP967sd3BU4OnBk+FhwUeFnhYADoc6HCgwwHQzdXN1c2F
C/0u9LvQD4pnF88unp0Xz6eRTyOfRtB4R+MdjXdAcMvglsEtIftU9qnsUxDnEecR5/GPy/3O
rma7mu1qBm2WtFnSZgmUtpW2lbZB/p75e+bvCXte7nm55yVwkYtcfP/nl5ub2/8efzhxLl2u
WKuq0yF3tuNx9iXwHutx1/wJJO+M35/8KeTzCPHxj4esD61HpU5wc8a9PZcXQ1Bt35dhhSGm
6us657tAhL9/2YLNIfJ8zukSOigQV3R3wfZgXKdPN40D8UDK1WLBKamPXbNA/0Kki/3AKNmC
Fxi+yTcnVAMvY515jTuAq6UcwH2QVR6IX4Di3NGCgfbGXCUVdA38m/gDWrq+lMdQMAeUuFNi
BPiViJ+TkQFam7OXrzvBGqv9LNUB14Oct6kBYBmd/dwZAK51hQ6UfgvJX3lO8ykFr6bf1l89
Bi9K3p5/wwIpz7XJ9AfdMa+nXvPAYFG6sRWypmdXzBkB6Q3US7ZBED8ho+3bAuAa6fDRNoCj
glpW+wWUOMM0gwXUQmpP1QLaIGdnlw3kZfIdLKBtdi13dQC1lTirvAFyUNSn4OrrnKumg7ma
qb7XNrDUsIZqzUAd6bTljgTTQOMe0/fgytT6qv6Q5ZvdwqoDNdPVVkqBpDKppqyGsGbMjxk7
O4DPBJ+Snueg3P4ScSU+AnWltkGrDQ+ex3g9Ogu6AXqL3BCs1W0f2M6ClVwvxwnALErKQ0Dr
orSQT4LjlONJ+j4QD1wDHZ+AobgxVd8RijgKvC48Efwe+N4LmA1itvpQGwzSbSRxHvTLla66
5uC6qS51TgWtg/qWAsAi4RJlQNg5LZYBzUUWgSBNwFv0B+0LMUNeB6KNlq5+A9JlylMDtFC1
pTof5HrKOe6AOl86I7KAfnrF4Af6ntpAbS+YY23DnBWALwwh8k3Q9or6ujVgfZReJnUByEne
ez36Q7Xp9VZWHghV31SrVukmcE4qQ2XQokRx7r3/BqtUV6or1eGj6h9V/6j6P17/b2fB+K1p
wVILphZMLQgtY1vGtowF02jTaNPovFvhMaYYU4zpX4//e5eXzSybWTbz/R+3f7c9Lfa02NMC
PuIjPgJq6GroaujgXOFzhc8Vhq1eW722egFb2cpWCGkV0iqkFTTu0bhH4x5gGmQaZBqUN0vG
7t27d+/eDWK32C12Q1hYWFhYGFSqWKlipYrALW5xC+qOrju67miI7hHdI7oHUJSiFIUGxgbG
BsZ/vT71POp51POAs9Fno89Gw7aUbSnbUvLeD34V/Cr4FdTbVG9TvU383Zjs9xUvf1L+pPxJ
kDwneU7yHPAq4VXCqwTo4nXxuniwLLEssSzJW48wwgiDhg0bNmzYEM58eObDMx/mDZ15N9a9
9qLai2ov4jd7nP9WxYEVB1YcCPvD94fvDwdpgjRBmgBSJ6mT1AnqX69/vf71P+fcc3Nz+58l
Xbp06dKlS0LUqFGjRo0a/3ogLcg1SL0GqalpG5Iugscg81O/fXDnh4fPT46BWFesI60XFNEV
3Vb6OCR2ze707C7cn/+88OlgCE/x3Jg/DF4XTpgSfxRaxtY91Lc4eId6tTPdAj+jz3P/guB/
OWhmyAtQF4sWYiaoa1LO3X0EapqarasKhknhO8vMAPmm/bkqgRqjTFfHgpClsvJi0Pmp30iP
QO1jbCMXBt1xeZtyC6xeDzfcvAmZhfcHHo6DtyMSm2Z+A9kV7Utzn4LjZe5EQyToEguUK2kF
Nb3S7tIB8Ozgo3m3Z8PtsKP59oyEJ1eSBmdYILeBh9n3HPge9gzw/Ars3a0brVUgpVDGjNT2
YOnsCLA+AF07fZb+Pqh2LUWcBl0b3XVDW9BmyrW1FKCtqhd1wDHTPts5A8RRUV/rBVKEVAt/
0MK0aFEShLcIZi+ILBGtySA/lrtIDUF+JO+T24N8QR4gVQNpmrRU6g38KJnpDY5xjjdqeTBE
69so+0GVxBvtNkhjRXOlKUgu6Qt+BSlUyq/1A5c3SVoW6JJlu64+GAbpL8ozQJ2rnhBNQX4o
HVPyg7bFFSnOAp2YI3Sg///Ye8s4ra11cftaSR4dH2aQwd2Lu0uLuxUtVqBAsQLFiktLS7FC
seJeiru3SHF3ijMwMMP4zGNJ1vvhHN45v71PTzeFvbv/58z1ZSbJnZW1bslz585Kctieqm0E
2cFcawyDXBNylMp2EDJty5QxfB1k+zjzgSwFIcuLjJsyx4HP5fvE7A8J7oQ6cZshw6IMX2a4
AsIq4i0dQCmh9DcngXHFWK2fA2mRjSwjQV9tVPIFgugoXopvQd2p/KK4wVfLO8YsDGoJrZBZ
GtydfIvkeZA9hVXsAm0RlcwewCe+mnoX0Ed7Snkug2uJVzOGg3uJEUc+SOrumeDrAhbdPsgx
GHItzJU7+wmo+rCMUuIbKNKpyML8c0CN8WtqvQKOvtasjv8HEsGfk39O/jkZ7CvtK+0roYws
I8tIuLjk4pKLSyDh64SvE76GunXr1q1b9+2P97+NrVu3bt26FZo3b968efO/ujfppJNOOum8
a06fPn369GlQe/bs2bNnz/HjXz9U8aZs+/nnCTPLgtvqK+/aCqK2csLvNtznydA7N+Fc0I3f
zmyE8G8DzbzxUHt1jRHVssEL+bzp04HwtOGz+g8Lw6sF8fNdYRAzKKVkdC/Q7os9sZHw9O7z
hdEbwHzf9cr1MeScm+NerhzgK8RYzQlqP3OAey5Yc9iTQx6CeVKt6K+A8Fet+tegmGpe5yzg
sRjCKqCcOKgb4Jt3e8SZUpDQ/MS+I7cgofjG/rv3QOzQ33a9DAKvm3mhNUBp4GyefShYy2Yd
U2AfBLerVKjEQ3ipxCU+/gWufnJI39MYHrge53j2GcT31b7wewxBs/1M+0WQU/RK+i6IO5TU
K74qJJ1PHZJcB5io3hT9QAtW7ol7YBtg3aQNBdFeXNd/BeWK3GGuAF8b34eGCnoR44beEORM
OUouA+O4cVv/GNiNagoQHyofcgCkIq+bFYB98ghRYF41T5r5wNSlQ+YEY6oU8gPQ442Neg+Q
FeUT8zewHNUKicogq4kj8gbIK7K2cINcbjQzuoNpNVeboWA6KUlHYK/ZyjwNhjSzmmvATJDb
5DqQYXIy+8DMbE4w64FZUf5sPgHztBmpHwaZVfRXI+Dlh9Gzkk5DbJvYz1/tAG8DXwfXPTBO
66G+SAg/Hv44U06Iav9icZQDrEtsm20DwBJhaWwPgicrn7R5aICyWq0qLkJKbld573q4cOby
5kvTISZPzLmYqqAVsq7WloNfjF8he3t4mS0mJr4SnBlyoeSlRhAz/1WdqB8h428Z24QUBO26
et0RC0Qpe5TnoOaioNkbjOHmUn0wEKneVn4AV0X3KO8VMC7q/YxfIGZZ4vykGPDmd9X0PAX/
zw27uA2B3TIGhY76q8P9jwk/FX4q/FTa+5pPzj059+RcMLeZ28xtUC2+Wny1eLDlsuWy5fqr
e/vvR6FChQoV+idMAUknnXTSSeffg8jIyMjIyHcwVePMD2cDjwl4uCFnwyvFwTbYSCoxFkI+
9G8VEgsvJ7qfXL8EoWu8SkgbeHTo0ewHRyFhnud+kgFnZz089KQaZI213QyxQL4tYU1K3IAX
6stKKYvAFmkfkLAbrhd+2eZMIBQek+9kkUoQ3C+rN89xcM/XvgmYD6a//ETZAOo0Udr4FVLz
XlN2dwPL8gx98mwHrXzgo5Bb4D75vMZvbvDceFgyKgjEz1qYfzT45a/hrVMBAn0ZXVm3g31i
aMeQzhC35sSuKwXAHBUyKug2PFfMHLHL4d7eM3VOxsDTgY+CHiVCzFAM9TQ4w52H7CawQnwv
dEhpmVwh6R4kZ0oNSn4CyhDrDGUu2Ofbd1u6gRxtRMqX4O1oTPX4AwPZzyugg9lTfADynllI
rwPKIPE+s8DoLf9jbu4cLZtSGsRI4775KdgG2fKL78FMljXUWEhNTEnWTVBS1RkYIKdQT7kD
5mDjrnkOxBDOK3dBWSWW8j34cnkSzGgwblGKwsBBbulDwFfZPCnrgxbPD0orYAyrZVEwfWyU
VUHMNH8V50F8K14QAiKWrGZhkE9lfqqBLEpfToNSUm8keoIWaAk2ZoB5WlaVcyE5Qwr6aYha
/aLUi1XgtDuWWdsDPe4dVzeBfYCzobMF3P/qYbZHl8GreXuZJcF91b0w6XNI3pRcI+xDePEo
7kScArHfJM2IXwWsTxykLYIHhSPnPrZByWPvifw7IfLok+mp+yA6IC5PXE0Q9WLX60NBaaZO
kr+C2lD53BYA2mPLXnkVcnoyvcyyBcxOzDFyghYphmmjwV5TOybyQZKeMDN+KiifO485PoTz
Sbda338Bj1Y+LvpsEnxM0cR8f3W0/wP4Vfer7lcdmtOc5vBf/vlPspGNP3FhnU466aSTTjr/
m3jrxNnd0VbZq8DDL2I6v4yC0A5BvX/tB/fGPr7t0qH4mbD7tcPggPdc0w15wNvAOGL+CDnI
HpinNmQO0o5kAOo1LtOncSeouaG2p+4BeHTyUZn7geA56bmVOgDcxGczaoGvh37Q8znoV+U4
rw7KI8uDgPJACWOH/hmI7GK0pxp4Q3/jznR4lbJ+9o5UCKvTPlu3nGCfkydXGQfYduau7EwG
9aq1sjoF+FUprj0CX7/YAs9iITnLuQ6nx4JWzbopSYJxIMutiG7w8O7FBZd2w5PS10pfyQUv
c7pmew6AnOEI9H8BtqbWtep3kFoytWnyU3hVO2lt/C/gPa/nNY6DmCGOqLXBG+nO7P0M9Ba+
dUYR8C0yC8hlIHfLBLEKZAZpMhGkV7rM3iBcoh3BIGLV9nIciLYsE2vA1t72qRoAooaZizog
FTPEyA/WOc57ygXQW3pWGWXBzKo/NCJBi9TyiLIg18iuxjngY3FLjAHjfRkrb4K+RK9oLgHZ
j4G0AzFQDdUyg1lFjpcClH1yhZgI8icxQ34Gsoo5zqwEzOYQQ0DEieziBWCITWIG6IvMRLMj
qLEMUsuDWc/bwHcAVM1ShIGgJmittJ0Q1y8hY0ofuFDh8twb1yDXghy3kuwge8tr1pbwqn3s
49icYKlgGa8ehcB8AV8E5ALvTt8eCSQlpxROTIAUX3LX5BNgTJFfsgbcRz1BSfngeN1T9ZNm
gZgpq6vjQB6lkFoIlDLKt0pGuNfzwc3IG0AtMVG6wJzIdeM7eJnlRZWoLJBXZGuYqRUEDgn4
LNNWEAXVUlpFQNdvmR0gKTA6V+wQ4IA4qh4C34feV77XbxkY9FeHeTrppJNOOumk8y54+8R5
gzmGYEgZ9SrEnQAWI85lvwS2hn7zgyvAswBR74oPLO9l6q43BJfd2PRqCCSvemEJjoRPElpm
6Dsa/JtZd/p1BDGZueZ0yNszT7NCHoh5mDj1mRMu3EiK270Wgn7yTSrXGTIVVItb3wdPnHez
ngRiuWa3fQFGb5YZTlBnB/YISIXgVVU+qbgP7D8Xr1sjEkQ50+qrALKTeVS/AeaPviKMBO/7
L8rfHAcJDXeM3BYA3g7xx/TMELCw/JYaDeC5I2VsYiI89p0f/Ot4iNoUeyOuIqQWFc+UlhC4
1lHELzPIIP2ZUReSziZnSFoCnsvGKXMAyFU8FbdBOM2b5o8g64s42oIZIBfwIfC9LElWkC3l
HdkHRGX2cQNEdVrhBvm5PCJ1YIk5An8wrzNHTgfPPX2gngzaE1FCCQDRVbyHHfhGz6hXBtNi
3JebQV4zi3MdRJDyWMkPspc8JTcCnSilRIDxm8xitgA2Uk4+A7W16KkIEDGim9wIZgvpRzsw
yhkJxq+ApJD8CdQpSha1P5hfyrbmJJA/yi1yIojvREORESwHRTsugtbH0pD+QAFMvgf9S7M0
t8BTypNsTAD5wOwja4HIK35UKsKd/b9VfhoFutvoa2QGdYTWWD0DSpKSX/kZYi3xixM+gmyW
iDnhzSCufMKr+OygtzMzyHbgPek54IsDxaUWV5uBN4N3oOcc0MIcI6aDcle5oG4BzV8TylZQ
JoiKrAFxVc2umiAbySixGV5uf7U+5QY4vrEufZULrMMtg5wXwXbWFhOUFaRVy6T0AE+iZ7ur
BbiqJA5P2ArGbmeEtRKwiei/OsjTSSeddNJJJ513w1snzolfvGqQOhYyn7e0LFocegU3iR7a
Hqz3Qxb5asCBpZcKrpsFvk7O9u6r4HfYHpzSFH5sfnLorPHQuYiz6JDH4N6Tuln8Cqe67Yg7
ZAHnbb+FYRroNZSdxmTINzD0fN4r8HR+wqqoIhBeKGj208vg7whpkykSzMbmcGMJKD+KvraT
YJkYsTRPf1C+DagfkgIMV4pKAfKm97CvFsiyygHtKODW1shX4Et9lHJrCXhnv5wafwLUUVkS
C1YBb3LopQAP3O73y8+HN8LTZQ923hsALyvoucwCoM1xTA1oA+oYPpYnIOF6iivxICRfdJd2
DwJLO5upHgT9il7MOAyKVUkU50C2Y50ZB76ffNuML4D9TBVPQI3V6qj9wSxoFNJHgj5JL6WH
gGJTeivBwFI5TMwB846Zx9wIvsNyjNwNXilXYoDiUDKJi8BaLotfwFxv3jO3gxglM4ji4Ivz
jtSPAS1FKbEHKC+OyVZgxMnVZlZQB6nxym7gvBgmK4DZ2PjEKAOyjuyEAuYyY7WRHdSsWldt
O8iN8qgpQKkiprATtGxaHfUOyKEyk+wI6j5xg29BHaLN5gvQPzQ+l/2ANTIX/mA0NWoZ0aD8
pGnKfqAqc8ztoPc2z0sNlChtvpIN9BDpM/cA0/STsibo4foLcw08bPvI7+Ur4J6yWT4DsVz5
wMwE1pvWa+r74Lvr83oKgnHY+MhcBOpBtYm2DGSIDDIB8aPRThkA5lIxlNqgdsUld4A5Wn6s
fQbyoflcqhD1Xczw+AoQGB5Qxm8pZP4s9EObHZSsXLN+Cmp7kVl8Br6UlBXJ34LWwXrLf8Jf
Hd7ppJNOOumkk8675K0T50KDMo2ptAP6yrbNh2cCv8CQgo4vIabvi5Ov8kByjug8ATfgVpdH
N+8XgBcvXvo9uw/KOmu+DDlhp+V0kYN9wDlFXes3COK/8Y19nAGe1/e2+O1XSFmbHJ46CRKT
k0+9WAcBCd7NflMge6+s1TM3hJAKmYxsqeDZ7urg7Qa8pJvdDeqwsMO5NaCOa+arvaCcMY4a
mUAvoQwTJUHZLx9wAShvFnX7QBsQlOAXD6qaaY5/N8hwo/I3pdvAKz939hQLPDl74cC59hDV
K9HnzgquT8VyLRBsZc3xxmNIPZv6a7IO8a7UcYnLwdvMHGV0BbWnHi91kCvler4HX1FflPkR
+EYabiMFlJmEqMuAFB5SD4zdvuXGYTBfmnH6dtDGKafVT0FEKEPFNPCV0zvoRUH8RFVRHMQT
86m0g+wjEkRvMDLLEXIoiLEMkHdAlqU7bpAXRVtagzpcBCPAzGXulktBPlBW8Zj/eP/ojyC2
K83FaRA7xBRyg7yiP5JRQB3ZmpqgebVNWiiIjYpVFAKqME3eBFFBFBBBYH5sFjObgpjL+3IF
GBOow0rwHXVrsgOYxeRlmQOsq7SVSm4wfzFHiB+BbLIhZUGuEOOpA/KxnC9Dgd4yj3kOxDX5
E8VAZjYHyKNgfsQFZoJvobnPqA3qau1jLQwkZk+zE5jvy/1GA5DzzBzyLsivZCuZC+RxuUaf
DUpvMc2cD0xQO2uXwFLSUlYBqPkf38zVK+kvvV3AttK6Vc0OrtOer8VAiHzvZZfo1uB3z/6e
nwf8TWds6AbwxosJIhTMAr5ozxkwj7uOKjeBlrT6q4M8nXTSSSeddNJ5N7x14pxLZq+X9Xs4
3fNy8rHGcPTOWduhHPB0ZNxXkUHgWJehctwUCOwQ/JOjBcQpz4Z7Z4N/Z+dQezAkZXPPeFod
kjaZp5KA7C0CegddhcAvg1LLJoH/3oypjqwgHLyQNig3rsS6JhfgjuVmzrO/Qc4nBafkLQl0
t+y3tQJq6YXd00GLD8qU+QeQ02yLWAfSNDbqNUCUE7eVJFDuy2FGU5BFpOl4DLayeT4qVhcy
LMoYltcAv6GZ9+SbAVcmr/5hyVh4HvlwzKP9EDfWKMIHYOwQLr4Fz0rXyJQRoIcqo6gBnhRf
I2MxmJvMWEaBfGQOMZeDWd8MN9eAMVG2l1vAKG1mMtuA+EApL68DSxlPYTB7y0LmS5BbmCc6
gJnAS5kJRCFZjnVAODmoB9KfMjIbkEdMZROI7hSWlUAmmX1lPHBQTOAZKF2li2jghugqMoH8
ggLKl2C2wqq7QE4yh1ADKMwAsQaME3qIPAfqd2pxEQLqM0s15S7IrbKDiAYGyKGyD7CbxkwG
mce0y11AUyWDXAPmBaOS+RBkVuOY6Awio/aREg/W0tZwYQO+sv6qPAKlhr5XfgbGdL42c4Gc
Yr7S1gC/0oMZQFVymBnAaGU+kGsBVR7SwkBswyKygdlDltYHgByFlzlACTPeyAFijLBquUBf
qD+lLShFRJDIA6IsH5sfgMghs5kfgzmCe+IOGNPN0kZLEMV1XYaDqZq3RWcwvtUHyNLgrS66
YgFlg1ZLyQyv4mMDXIPgZc2AsFdx4Jxqj3HuAOszMcd5DFI/FcvMXODd7zrgCfrPILn59oF6
+/bt27dv/ytOCemkk0466aTzv5eCBQsWLFjwz+//1onz0ezXN+xcAY8vxi5OGADOgtZu2veg
PzIOm11ARMQvtBqQMTzDi6Dy4P4io/1ZTcjcyZuzcEl4HpE0JepD8LtnDbOegPsbXr5nLIOA
+QkVojSwfKTN1x2g2ZwitTt4993rJTfArZVXnVvbQsZxWZP0RlDhYo1zfb+A1KIuq2sYqDa1
qNMBopFzXJZuwFMZKWuAUoMw+oJ5VFhEFpCRxJqBIDZqxzMFg71LpsfWgZDY+cm4B+/BpTY/
5z5WFl596crgjYfUNcwX08G5xxbsDAI9u9gkgiClpPuqyx98i/TF5koQH4oU5VdQotXsWh8w
P9SneveBct5sacaDEq2WUEMBtHQAAIAASURBVHKB2di8L48D2anMcBCK8IrbwGw5TW4CbBTj
U5CmLCZ/BfG1qKSMAdlDdpHNQatjmaDVBGOh2c98H8zZZn1zBqiVRUYRDspN5ZbSCsxnZoh8
CmYTSrMFLEmW7rZCoFcwsurZwTSMyWZL4ENpZwSY0mwtXwIw2cwMSqJSSd0Lyhj1snoCjDxG
R6MrqIVFAfETyKymyygHcoN8znnAVKuIc8CXwkIfkKmUIQ7kAm9REzCLGdXNPSBjRVt1BXCd
I3I5yDPyA9kXKE1ruQLkNaMYgSB+EFn0YiB6KopyDqgobysbwTxonjVrAdlEDN+BGEktYyfw
kYw3fwLfe8wx3wOxXy5XMwOHKGyeBLFH/ciYA3KQNkpbCkZJo7f4EdQGiib9wVwuw5QkoLPI
x0OwrBQVlTrgK6GPM2wQuyFuYHJpCO8QYk+2gH8vJ9ZHIKz6dLKBflKvIDxAZ57+OwR6Oumk
k0466aTz9ihv24B7vXdvtAeK23LazOZQsm7JtklNIMsvOcqIXyAq2nXVOwxu9/1tRFRG8Gvm
vqMFgDwd2PPVGcjTsFDBfOUhOiq1jOwAZhGupX4FMUuSz9/5EV7cTGr3aAjElkrd+uw0XLxy
ucfRYuDXL6x0vsZwikvV91WCpC1R/e8PAMVqm2TpC8YXMqP+DMyD1LNXBOrSXWQHKtJAHgbK
UI8hoFQwV4qxYFbhrjkTmM10Xyg8iD+16lQMRDZ7GPDECjHDvEvlp6B9YbvvrANBu/3e9x8L
6nLlB+UWmEFS4yFYE205bONAqatcUO+DudTcYswDZaPyo7IUtHCtoFYElH5KB+UwiKxYeAzi
ttgrPgflA+Uj5XMQOdQiqgMsWS3FrOdBPpbnZXWwlLCU0HKB/YT9pP0yWLtamli9YKthO29P
Asdpey/HSFBWKdu1vqBWV+tonUC7punqIxC7RW7KgLJf+URdBw6LbZ49Apw/2m/bioN9jvWm
NRdYn6nDLadAmSBRPgR2GPnNOSDqmN/KpWDJrG5Rx4E0qcE5MGLkXG6B+RVj2ADygRlungCR
TFVqgFFfzyxzgdnaEyFjwDxsjFaugKwqT9MQRG1hVyoDi9jPJ0BRFoqXIL4To9UkEJHCX+wA
FrCIVUBbOstrICqJ94QBcoJZWLYE02oWVVqDoioWazewpGqbnb+CrGjuVW6B8VIvzR5gEj+p
I4HZ5hoqg7FBL29GgiH0RNMCHJZPZBMwCviO6g/B+MGXydwJ+l1juN4TYnq9mpVcCuIeJkQm
NwFaS7unH2ifKR+xB4xaZma97F8d3umkk0466aSTzrvkrSvOjmH2c/axkLjFMy2pMUSk8oGz
C/hNkM/1DyBLZEgjeyKEX9YGBC6EHK0yWJVH8NumxDUvFkP2/vbyZT6FovNLrskeA4/KPLl9
+QEk/5po+o0CDcsMSx5Qb1s6JYWAcszzk20WhBwIVIJWQtSD+MKp9WBPjf015oZBu9UdrkzP
CymP5GGtESitRKwcADKbuCfnARmJVToDu0U72RrM8rSTvUHZr7TRYsHXIP5KQhm4pp7tcaoI
xAxOCU9ZCik+OUz5Fpw9HS39wkHZI58bJ8E3znPSkwdwiPFiCygXxUeKACVBqWFGgj7fe12/
Dso4cV1xg2iulVGrAt1ke/EdiPUkGJ+DtHNYNgFq01UcA3OItBAJptMsK5uD8p2yQv0BVEV1
qvVASGEqJ8FQDbcxGJSu6g7lexBbxVHlFKiDLYb2C5gHzdLmr6CPN+rqN0GbrY5XF4GxzEwx
LwKTZQH2gWWCWlVJBPFYSVSqgNJA6axUBeOa3l56gQpMlinAb2IFU0FMFQPFZdBm21qp/mA8
cd/zXgDzkJ5ZzwJKRcVPKQ8kmV+LWDBLihyiEojZshQHQJZRe6iPQcus/qg5QKbIRDM3kIeV
IhNo15RR2vtAF4HMC8wUw9VRIOYwhjogbMoA2QnEU16IRyB6qgtEHrCet5UICAS5CruoAuoC
Oih1AZ9ckHwefDO9I1z3wJxpNFBMYLj5hfkUlG3yCrsBm+grm4EZbK7Xp4K6Qe2gJYE4KfMr
xcBx1DHYvgyUDVoT2y1ImpJSwDgN3sW+5kYwqM3UQLEXZJS0+5YAbf/qEE8nnXTSSSeddN4V
b11xftk1OpNrM1hDbNPsPSBUhEXnbgluuxKTcAEsXSgqx4K+3rrU9StERXu+issNqX1S87p2
w5UyzzccuA13ajwdfaU2JMa+qivLgSXGMc5+B5yO0FP+S4FN+ln1DMiORg/jDjwocNf6JBSS
SsddVnvAs0PG+QeJcGfV/cGLl4Dzpv2atT6YX1LPcAPLuKQeBi6J+9IEMsrlfAesMNuaP4F1
rqWWlgovh9+qcv0yPO54r/u9T+BVjPe4HggyREy3aGALsr1Sm4F7o7ey9wqk1tQ17zYwc8sr
phW8K73lfCfAmGrs1+2gnbQ8si4E3zK9krERpDROm0vB1txSQnkIyjGti2YDVVNraufAMs7S
xFIfbIUtn1pCgMtcltWB4pSU7YEB9KceiN1iF+tB1pI5jLvgXusakfoKfF19wd7u4CumPzN6
g24YeYxtoEaoxVQXKNfEOWU6KJ+Km1wCqTDJvA7iojJeyQWMkWvkQCCFEowBsURxcQnkDpGJ
z0Bbrm3TToA+0fzW3AJqE7lc1ADbMGsp2xRQm2t3rTVBDdOc6ncgy8oiohZIiznRXA5mJFPJ
Der3DFQV0B4rzS0BINZRTPkSzDjTSlMwdhtPzCDw9fF11jeDZYXYoxUGyxLFz3IBrHusQ5wP
wfzKbCKLgFlc32HuBe8A183kmeD9JPVeUjlIrZVSL3EYGO/5luqVwK9OgBrsgiy3skYXKAgh
60OX5zwPto5+fTJsAGdwcKOMH0PYvvCpOWdC8NdhHbPnBUefoPFhfSCgaki/LM0g49FMCyNs
YPnSsSq4CPi66JvV0mD5Riw3FoHWUVTVxvzV4f3mDKs9rPaw2tD2UNtDbQ+lrZ+ed3re6Xn/
6t7936Fs2bJly77BHYu/lf+r7PXPOm7C4YTDCYfh842fb/x8I1S7We1mtZtQZUCVAVUGwIDr
A64PuA7Pxj0b92zcm8v/Wd7WTv9sfs8e/y7+8kdcLHex3MVyMGjQoEGDBqX9fVfy/1f4q/1U
fiw/lh/DrFmzZs2aBbUCawXWCoTKKyqvqLwC+i3tt7TfUnj69OnTp0/fXP5fzVsnztlPZ2xn
vQYRi7JlCIqESFfsnbjj8Nj7aLjrMLxsnvLc3Q5iH7j9Y6fDk/YvLygXQatldHDUA9d3cm5y
Y/CU108Z2SE1h6+ErReIu4l5E6qA0o9XifXAiNLmqOMhNcYMMGeB66zZOXE+6Gu03Q/qw5NW
ryxGdljabefUTSfhcsPjActjwHHDftavJ+jLZB7Pj0Bm2VKEgswgS4quIFaJ0mpWkKOMXJ77
8NuE8+XOL4KYznFP4ktCUmfvc3Sw3LNfdSwENVxcVzpC6nRXndRPwXNZ3jQHg8whosVmsEyy
LNASQZuqNrZMBXWLOkxZBdZK1nBtD5j35VpzP5g/yflmS9Daah3UD0CtpNZQa4MyXhmtTAaR
LB6zGjjJY+aB+EGsEhXADDcLyi0guosuymdgLafVs9nBftn2xDEIlMHKeu1rMBNkbfaBEqZ2
VjRQvCJWXQ9GY+MTUwGtv1pfrQu2JKtizwvaAs2pzQbhUh4oFUE0EIhlwK8YfAHWPFo5bQQQ
zHUSQSknqolCQG25FT9QrWKq+iFoI9SlajmQqWYV0Q3kMDab84EKOOWXoB3X4pTGIJqKhywB
c7lRUH4LcqX5XP4MIoqJYhqQIK4qLUE9rD6ylgbvQV8J73UwxxvbjSDwLEz9Nfk5+I74Dvum
gLnYnCXXgjgvugkT5AHZzfgBKCqq0AyUrFpNrSIY+U2bfA4BlwJq+/sg48ssvbPlg+yXsw/M
/xiy18w6Ou9MyFEtW7ccIyDnqswJmY9DrnMRncL8IfOh4BWOFAhebNut5YKgG85P7I1Bq6Jc
U3qA0l4MU9qAGq5sUzr/6wP6bTmSeCTxSCKsv7P+zvo7aes3hmwM2RjyV/cund/j5EcnPzr5
UdryX2Wvf9ZxX/+AHpp+aPqh6dDuULtD7Q7BEP8h/kP808Y/eszoMaPHvLn8n+Vv9f7vxu/Z
49/FX34P/T39Pf09mPpq6qupr+BX76/eX71w/Pjx48ePv738/zX+aj89Pvv47OOzYfXq1atX
r4bup7qf6n4K+i/tv7T/Ujg9//T80/Phq7Zftf2q7ZvL/6t568RZv2VJcS+E203uv3hohUvT
by29tQMyVctW1b8AuM7L1JfPIPpcbElHBVDuihDbNohekdLZPAdx/RLyBu4AX1OjbYb9YOsV
8mnCPUit5OuRvAxe7X+cNUWBhBMvJ3omgDnOuCGXgNvPNVWtAi+T4zsmNIeoDrGlI8fD7XyR
z+P7w4rzh5pNSYBI262ehyeDPZu9TUBdMLObBfQuINaJfbIVKPe1z5Wl4L4XvTWqIDy8e/3k
9VcQ18Y11xMLyXWMqSwEaxXHN7Ze4B3jK2BcBNf33kWuTKBXpjTJYCwxdxtDQSjiGk3BPGE2
MQHRmfXcBW2/1kdbCZa+2seaBPOlWUn+BvoHeiN9JxiZjVCjMciasq7sC+ZCc625HuRSc6C5
E2R/WZsfQOQRXtECWMRHbADGcMVMARaJDbIisJQZ+iAQEewyNOC+fM5REJ2VeUpmUJep99SW
oCxRZ6mbwLJQ+0mbCfIHuYtKwE9yqSgJisFk5QoIN6XELmCUdPEzyILmOHkT1BVKa2Ug8COK
cheMKeZSYz2IDmKAooDoKrqpVwEvkaIaWJZZ9mr1QcmixCofgfWq9Yr1OMgnOI14EDeoIJuB
DDW/Ms6AHqIn6pdBrjOfyAbg22QM9pWClCWe6fp80JcZYwkE9aW6XpsAaAjxAfia+j7Ud4Fv
tm+BcQxkJWk3NoLeTT/ouwOpv6S2SPwRomo+v/CoFcQujBkQORdSOyQ1i34GZpKvWPI2SMma
0irhV0isn5gjoT2kOFPupn4G7iGeCN9DSCqY0ssVAknu5KpJoyDhUnK35ETwnTGaeneCrbU6
y7z+7gL1QOyB2AOxaZXgFjla5GiRA5pNbDax2UTYNnbb2G1j0+Tj4+Pj4+NhxIgRI0aMgIbb
Gm5ruC1NfuQHIz8Y+UGa3NjIsZFjI9P271O+T/k+5f9+fa/zvc73Og+dOnXq1KkT3Kx2s9rN
amnbe/bs2bNnT5g8efLkyZPT1u94tuPZjmfwRcMvGn7REPbu3bt3715o3bp169at08bTuHHj
xo0bw7Iry64su/L3enhdCVl1Y9WNVTegfVL7pPZJkJycnJycnFZhahLRJKJJRFpl4vU4/4h3
3a+YHDE5YnJAX7Wv2leF5s2bN2/ePG379ZXXV15f+fv9eZ0INN3VdFfTXTC/xPwS80v8vdzr
Sszv2etN9fOm/f694/6jtJraamqrqb9f6YqKioqKioLwLeFbwrdA7/O9z/c+n7ZflmdZnmV5
BjcG3hh4Y+Cby/9ZXuv9tf5e37GpW7du3bp10+Lt+zPfn/n+TNp+f9ZfX+tnjmeOZ44nrf0F
CxYsWLDgH7fHH/nLpN2Tdk/aDTt37ty5c2faduOMccY4Aw2eNHjS4Am82v9q/6v9787Or1lT
c03NNTUhV65cuXLlgmzZsmXLlu3dyf+jvOl59G/tNPfk3JNzT6bt17lI5yKdi8DTjE8zPs34
z/eDv7X3m/rpu7KrvYq9ir1K2u9X506dO3XulKaX1+i6ruv6m8v/q3nrxNlXxIgMnAi+mFi7
pR/4ZTC9Qa0g4xUnmb6DwpnCt4Q9AEdGP0t8H0h6qPR50QC0VdYysdOBh8mDYzTwlNF7JDUF
4sU3qW4w5viXT7gM/lvtXscL8Muk1rEOBkrrW907wbY3oId7JHhHe0tZXkFkw8ibyjlwf+6a
664CWu2gJmEHYEmlLQ+GzoKkOZG9b5wCbbjtU7/HYIbrvX0/Aye0QUoQxNZ7UOx+OXjy6Fng
08MQF+8K81UE46VSQf0VLC7rWUtvcCd7e3peQOoEX3FPUxBlhFtMB5nbuGo+B0PR6+pFwGxC
a3MvyOLGZ+YDIN6sZ/YHZZD4TSggGssxYjWYeU2HmRM4xhn5IZjXzatGRRCDRTcBqNGqS0SB
YlCDliBfGnmN6mCc0eO8J0B/Za4xm4HMJn0yBzBY5mYlOOraNHsMWLda2llCwZrdIq1hYG1t
KWqtBaKg+UqWA96XRVkIai+1n9oSxAPlG7EYlFilvDIK1G5KqLIbWEsgv4HZz7xvBgJNyEoP
MK/I7XIJsElc5TAQL6ZSFTQ0tzUPaN21cjY72OrbbH4ucHztiA6oCg6Po1fgNXDUde4IqAu2
MdZCzh0QWMP/cEghCGga+CC0CRgTjAzGIzCvcIt9ELAiaGroLNDa2sra94Esxn1+Ap+/3l7P
BMZpo6DpATParCqrgDsk9UZKV/B94Q12WUFv58mZ+jG4tyX9Ft8BXjiipjy7Dg8/fbDkrh0e
fP2k76NzENkyemH8dEjs4tniKwwJKz2nSYTIAXG9XBUh+qirhS8M4lqkJOonISY04SPPAXCd
8LYy9oFyH4tZ/90F6sRsE7NNzAbftv+2/bftYcvjLY+3PIaFvRb2WtgLfu74c8efO6bJT9s/
bf+0/RD+OPxx+GPY+Wzns53PYOuTrU+2PoGI8RHjI8anXbFPzDox68SsafsvKrOozKIyv7++
krWStZIVzi08t/DcQvDO9c71zoWYmJiYmBi4vPTy0stL0/a70OdCnwt9oPLVylcrX4V1d9bd
WXcHPi79cemPS6eNZ/mV5VeWX4Hvz35/9vuzf6yXNavXrF6zOu0H4/WJ+3WiXmNNjTU11sDM
X2b+MvOXP27vXffrq3xf5fsqX9pUga1bt27duhX6L+u/rP8ymFFwRsEZ/8PbUmrVrFWzVk1Y
WmFphaUVYNXqVatXrf4f/OR37PWm+nnTfv/ecd8Vr3/Q92Tfk31PdrAssyyzLEtL4KN2Re2K
2gVFPyr6UdGP3lz+bXl9gRMcHBwcHJx2AbYlfEv4lnBIap/UPql9mvzb+ms5UU6UE7Dk4pKL
Sy7Ciiorqqyo8ub2+D25+vXr169fH/bn3p97f+607adOnTp16hQU6lioY6GOkOGDDB9k+ODd
2fn1Bc+aGmtqrKkBw2oNqzWs1ruTf1Pe9Dz6t4TVC6sXVg92N9vdbHczqL2+9vra62H6kelH
ph/55/vB3/KmfvquKHex3MVyF2F40PCg4UFwcPrB6QenQzdfN183H2R/mf1l9pcwocmEJhOa
vLn8v5q3Tpztk3wf+fZC6OLADX5NIcwRuNfSFZT85jqjAiSsMlIch0FrYt6V9SB4lLYvQ1aw
LbatMs6D+5ySPWobeEv5tscngDcpJXtABsh5PrBPliSwV5T39IZg+S15gRoDjnNGHltpsExx
/CgfQYYXWSZZS0BYWIZy+jCI8ITO9SsMqadjLIoVIlu5p7l+hTW3N7b9vDcQnyLja4BYYBnq
bA7aTlmF5hB19kmjO4XgVcG45sluiH+p7zBPgprRIrQ+ICaI8spsSMnrep7UATwr9CTvdBDD
jabmWkCnllgFrDUHifKgDmaI8gHIy0zXz4ORzfxKjwajneEzfgIWMYpyYDY2O8p1oNiUJCUU
lM/F+6wCS0+tv6gG8lsOKSVBzaOdtfQGcV0ZoWYA466Zg2lAJuLlIRBtRH2lKjBYTFIngVFb
LqAryJnmVOxgbNbH+DaB8lJsEztA7auOUcsAHWnAHRBdRVvRGdSVqke9BnQRgewB5Xu1ktob
eKjECwuIueI2TUHZyBkWg6qrc/gVtA3KHuUaiFuyjBgEWkvrd9olyDQta/1cwyHLjSzN8zsh
YGLQ47BcELw+LDljXQj3ZP4lZ1UIzxZRNEcgBF/OWDJTbsjUJEt47lFgv+KcEJICmb7LMjtv
O1CWaQ51DBj79TmeSaCP8EXpJphfGCf1r8D80tjlOwhyjXHYvATmRqYppUDkIcEcDHqKEag3
AGfJwDvBh8A6ytbP0QKMBrKSUQNS7iXtS7gM3k/dq1LLgDnd/MZYA5a9lv22CeBo7qwZMh/s
y2xFg7KA+YFo7XgEKSP1n22bIHmDNzPTQQYpn6pvUcn6W16fIMfuGLtj7A5Yvnz58uXL0344
Znwz45sZ36TJn+x6suvJrtDjVI9TPU6B8onyifIJiMVisVgMXed2ndt1Lpz46MRHJ/5E4vA6
AT6/6Pyi84vSKnfllHJKOQW0y9pl7TLEToudFjsNLioXlYsKVKxYsWLFirC04tKKSytC6I+h
P4b+CBuGbxi+YTjMPzv/7PyzYH5vfm9+//vHb9O6Tes2rdPG9XqKSbNdzXY125Um1zK6ZXTL
6LRbe3/Eu+7X60Tjb/tVZXmV5VWWw/xu87vN7/b77b3+QQ0LCwsLCwNfN1833/8g/3u8qX7e
tt9/xN9WqB5tfrT50ea/H/ffVbBKU5rSsL3R9kbbG0HvRb0X9V4EeQ7kOZDnAExtMbXF1BZv
If8neX0r/HWFXtM0TdPS/OD1hdiftcffUrZ32d5le6dV1P+sX/weZRaWWVhmIdz//P7n9z+H
xK8Tv078GnZN2DVh1wRo+rzp86bP372dZ3SY0WFGB+jWtVvXbl0h4xcZv8j4xe+3/6byb2zX
tzyPNsnSJEuTLGnLLWNaxrSMgQu9L/S+0Ptf7wdv6qfvyq5/S84pOafknALVnNWc1ZzwJOOT
jE8ywuKLiy8uvvj28v9s3vqtGrbx2iWlDCT/7Am0tAQzSAu0esA9S39upIBmt+1KGQtyj/6r
nAWirHnbPQ+cubEwDqL6Gb/ZPwbbQO2QazHYJijfWRdB0uaE4QSCecrTPGUXGFOU1s4sEDAi
opwtDpJuJpfxqwQvjrifp/SBoEf2NeqPEFSf037HwH41YmhCNLhbJ3YNiIZznSInPFsBRTvs
b720PFQrVK9Rr60gPlV9YjhE5rgz9VEmiHO7Ut3VwHNN36LnAUdJ/88dRcG8IAfIYeAe6o5z
3wMesVX8CkY5OcWYCvSU45UnYG6XF+RCEMP5kZXAQexyM8id5krZBngpGsr1IPYrXrEctN5a
A20ImPPN2TIEVKm10D4Bc4yZYu4F0Vc4RTFQV6sblZZgnjJPyWPAWLmfAqCMYL/6FSjZhKL4
QLugvRJ1QH+lj9KfgCik5leTQEkVZcVMUKYpB8RL4LlwqteAIaIvL0AVWhktByj3DWGcBX6S
zwkDeUjJKh+BqCD7qH1BFBFB4iQoP1OWXCDnEy6agngofBY3+P8QdDfoItjP+MnAHaBn008b
dyChf8LGF5eADUZMSgXwfJdSLmYqCIua1f4M5Anzqt4B9G/1gt4poPZTI+InQMAU/732fuBp
5errskNShcQhcX3APO8t6ZsFRjE93DMM5PtUMD8EOUFMVVYCl8Qo5SaII7yQ5UEPMj4RIWDb
5IwLMsG2wPlN4EhI/TCVaAvol4wgXw0IeRTozhgLwV+GdMsSBuILNTcfgyiqYb8BWiVLWUcp
kKmyGPVAS9GKa9dBy2fOcn0A+m1v99RLoLczFAYDm980ov57vi34bcFvC8Lte7fv3b4HVwZf
GXxlMCw9vvT40uPAIAYxCOYwhzmALC1Ly9Kg7dX2anv/vj1xXpwX58F8Yj4xnwAd6UjHf7w/
xX8t/mvxX+HOrju77uyCc8XOFTtXDErtKLWj1A6wnrWetZ6Ffa32tdrXCgJWBawKWAUhN0Ju
hNyATyt/WvnTyhC+N3xv+N60ymrVqlWrVq0K29nO9v/h+PYb9hv2G2nL0Tmjc0bnhFq7a+2u
tRsoS1nKAlasWEFME9PEtD8e1+tbpu+qX8b3xvfG92C2MluZ/803JF9f+OQiF7n+m/ZeV0rf
ljfVz9v2+4+YU2xOsTnFwNfB18HXAT61fWr71AbPmzxv8rwJbNq0adOmTWnynpOek56TMCZ4
TPCYYDjy4siLIy/SbuUOvD7w+sDrYBtuG24b/ubyb4u4IC6IC0AjGtHov9n+n/FGKKGEvr2/
viu/+D1eJ1K1Z9WeVXsWbP9w+4fbP4RLSy8tvbQUJn4x8YuJ/0CC+qZ2fj0V6Ei3I92OdIMZ
ZWeUnfHfJF6v5R7Ofjj74ex/XH5dwLqAdQH/uB7e9XlUWawsVhantfuv9oM39dN3ZdczPc70
ONMj7Y5Pt+LdincrDkP8hvgN8YMDWw5sObAFdsbvjN8ZD+/3eL/H+28gP5rRjP7H1fDWvHXF
Oc6Z9L7RBcxxagZvV/B9oncgEZ5vix7m+hr0b1OEmh1CKqsnw36DTBmCfkt2ghppnBFLIONB
/4ZBUyBjowxDxGyw1LbUjukL4eGhBy1FwPlRQEZbb/AfbWvANoiZn3Iy7hToGQO9CcsgfFC2
aS4JGd4LWuIsDMo2+0hmQHK+hM5MBvcLT6CvP3iPOm67WsP6oDNdNnSFvcV2hCxZCp5qz9c8
CIBnTR45nkZAQgdvkC8/pO4yvjTHg9rE0tnyHfi66Xl8+8E90uvyDgNZhMHqHGANnZQKYNrk
HHM4yF7Eyz4g/eVZeQ+M2ma03AhMVJ4qrUAcUbcrQ0AuohifgdKKBaIWiO/lS+6Dnl8/o58B
c7AMkA9AXpK/yGNgrDGmm4sAJ6lIMM+ZR829IHvKnmZ3UCepc5WhoLRS2ol6oI5SJyjzQFkr
FomPQH2hRqrbQdmr7FWmgfKtmCzyg6W0ZYDlK9BaKtvUfKAVVadrMaA5tepabdBStDhLSbBW
tl637QPLZi2fNRDkNBElIsCazRZg1cCvbuDjgMtgHWDfa88JsqE5zZwByXlfLY06D/TwzU4p
B8ptkU3LB0yW15UnoF7lrLcvKBXlAmM8WO4oPZVCYO1qeaWq4Dcr0B5yDkJrh13KuAJyZso9
uOBLyNQi+6Z8QPZiee+8Fww5LuSbX7oiREzL3b/E55D1Zp45JeZAlu9yzCt8BLKXzZtYqgzk
1vIvLL0G1DrW3MEVwf9m6KCMHshf4b1B1U5ASOaIwMJ3wLE49FVYCviFBPYKKQzifa2lpTAY
j1nHZ6Au11aqu0AGpbSOPgjJuWK/efoNuDqlDHLtBqOSsUj6vbtAbft126/bfp1WCW0T1yau
TRx8fu/ze5/fg8s/XP7h8g9p8q/ntK0YsGLAigFpTym//rts+bLly5anJYT/KK/3f12pKJxS
OKVwCvxU76d6P9WDUmYps5SZVrFaWXVl1ZVVodLVSlcrXU1r59KlS5cuXYJ+l/td7nc5bUrA
60rC/89/Vgz/iKwTsk7IOgFWVllZZWUVOHfu3Llz59IqjSNHjBwxcsQft/Ou+/W64vK3c9DP
yrPyrIQvMn+R+YvM785Pfs9eb6qft+336+P+rr2aZm2atWnanFTrMusy639JAF6vf/339S3t
1xW61xdur/1vf679ufbnSrvV/abyb8vrt3W8niLyeu7l6zsUi8QisUj8l/G/I399Uz94U7nX
UzbmG/ON+QbUvlv7bu27oF3RrmhX/ri9N7Xz+rvr766/m5Z4vf6bZUeWHVl2pO33+g7bm8q/
KW97Ht3xfMfzHf+lMr85fHP45nAofa70udLn/vV+8KZ++q7s+noK37wS80rMKwHfdf+u+3fd
08Yd3SK6RXQLyJ+YPzF/4pvL/6t564qz/WamyLhyIFb66ngzge+KT7f3hORdnmEJFgj5RD4M
XwQFWmdekGUYhF/3b5Hxa7gZZen2LAReJN7tYGYE+2mlVFAHEBNFamodeLE85ZkxDLTT8eWt
myG0U+gw7TR4y4WueTUSIqMfOlzHIUMLR93A6ZBSMbCKTwGSknr6fwcB/QK9cjbYOoYJ+0Tw
OqO+eTkc4k/5Kr+YBccr3PngcEEwtqXEWKZA5PrEyu6VkPLc4/CdA9MicprrQauhva+NAfcP
eh5vE/CVMGr7vgR9JmXFPBDDjEVmT5ANxCa2gFwlJ5EI5nxzpBEOykolp9gJZguzp7Eb9JH6
F/pc0PppCy2jQQwTl0RVMDYaC/SZQD7FFIfByOfda54DriCpC0ovMUW0AVFAxIlGQAUmMQiM
n2VTIwOYt+Q6uQnkQ0qJ78FcL98nHtR1Yoi8CaxmEiNBIC6IlyDryfq8AuOYPk9fBcpn2njt
V1CuKUeEB5hENnEC5AfysVwDYrJQ1MLAfS1cWQmasBSxpoBlnu2pozXIO2KB9StQbotxWgVw
T0zJkdwazPf4ybsNZGm1rDUFRIzisS4AbZN46J0MmlW1qpGgtrYddC4DkcPy0CrB70u/XcG9
Qa2v7bDVBl3KwWYSmN3oJT4H60u/hYEDQFwkUGkIam+ttdUKtCMn20D+QqjcAEoEWU0baIrl
tnUouIe5UpIugrWAatf7QFCXwF+y/QDmBKYaBUB5rC5Xi4McKctxGIz+ppDVQXwoNspuECj9
Z1kvg37ePUA/A+6nWoT1NDgehS2O6AaWCMcc/2ogxovByhRg2LsJ1I9OfHTioxPQs1TPUj1L
gRKtRCvRoK5UV6orYcyiMYvGLEqTH5VhVIZRGWDq6Kmjp46GZrea3Wp2K217ke1FthfZnvZw
yx9R+FjhY4WPQcczHc90PANrWctaoPK1ytcqX4Obfjf9bvpBlsgskVkiwRHviHfEQ3SO6BzR
OdKmdlCSkpRMe/jl9cOEwfeC7wXfg9JmabO0mXa8WQtnLZy18P8vqP8u48ePHz9+PEz6ctKX
k74E9xb3FvcWcKxyrHKsgs+yfpb1s6x/PM533a9R7496f9T7aYnm+oj1EesjwDnIOcg5CMZm
Hpt57D8hcf5be42vNL7S+Er/uH7+bL9/z0/+iJ9G/TTqp1HAKEYx6u+3n5p3at6peUAtalEL
rla6WulqJbjKVa7+N+3lP5L/SP4j/7h8k3NNzjU59+f1/frhscn6ZH2yDg0yNsjYIGOavlrv
aL2j9Q6gC13o8u789U394Pfs8XtyRY4VOVbkGNgr2yvbK//jUzT+rJ1ztszZMmfLv19vnWqd
ap2athwxIWJCxITfP86byv8eb3sevf/+/ffvv5/2MGVortBcobngy7tf3v3yLsT2jO0Z2/Of
7weveVM//Uf5I7u+vgC7NevWrFuz0i5wvL28vby9oIJRwahgwMicI3OOzAkR9SPqR7yB/L8a
8R9z2aSsUKFChQoV3ryBbu+NvVt8D5QOzrezfD1wx+jnvL/AmVO3np68BEEbnAP8RkPmMoEV
sj0H84Wyx/IRvHr64oOoc3Br4YMSCQ0gfGbmE5YbUOJapg9znoFHzV719PggsAU1zL4Q3VKb
mDgU/Gyhg/WWoFwzKsiF8GxVQmlPLQjpKQ5mWwDm4+TxqT9DpmlZRmeIh8Dr1p2uWxBfMsXh
9oBvi7Y/fjrkvhJasmIvKPAw1F3XAdsuLum1ZBlcKv24xMMr4OovO1iXQMSpbONzx0FybMqP
CT/Bk2nP6j/aA0Z+kU+7D+Yxwya7AAp55FUQ7bjOMjDDpWkWBrlXnpZdQeQSzUU7ME+Y+80d
oORUBymVQFknLqkLQd4yPpPPAYfoLZ+B+Qlfislg/mxeN06D8jVuGgPl5HrRHERl5ZwYAcKj
3EYHS0ENe0MQD8RSeoEyRomS10DppexXN4MSqW6xTQLtuHZP7QtamHbL1gnkFHKbG0Feky7p
Bvsx+yXnQ7BqtozONqA+VYqqpUDJqA6yngZLsnWILQsocdoztTMY+8RHbAOlrHhgOQzcNMPN
2+CJcldPmQ3sZKLxCTh62bvYX4C5yjjtbQn6GPcI1zegVdS2WweBKGfZYR0D4lt1lXUuyAWs
Uj8C0zAjzNUgT4owTQHxRFmu7AFzl3lIXwDuZa7HSe1B8We3TARZm0ClE/iizMZqSXBNSMoZ
dx48fX0uV38I7RlaKexT8P/WPznsC/DM9fi5ioJ+2nyeOgEsy5Rt6l6w5HUMD60DnlhPW+9q
CP7MgbYQlP185xsL8TWTvMlfg7rR+jjgMaj5lEbEgnKAy3peyFE2Y4LNH5bYl15c/PO/PrDT
SSeddP4sryuQF9WL6kUVvmn/Tftv2r/5VIf/q7y+Y/O6gpzO/w5Onz59+vTpd1BxfjEzPo/q
g1Pf3Yu4eQrkLu+jpFEQ1s/va2cAKHrAceU0xLy03oneAueTTke/Og/+FRwnxQmwtZIV1DaQ
YS4hGSaAmt8/pzkB8lxyqpaL8PT040exCaBvtU5JyQYJfVPn+WqAlsc85hcOzsGqtMwDbz5P
klwFzq3Bg8RhSM4rlj9vAS8C4m/ohcG209bbvxgEDDdz+E+FciMK7K7+FAwlvqVtCsRlT/w5
aRy4PzPKGnVA+UmrJN4HsVM9LX8Fj8Xzga8JGJX0ZdICMlorZgqQy80JZlOQYTKbvAyyAoNk
ZjBPy6MyFtTrYp5qAbJxiOYg88kHxADdzR7iABhj5U+GAGrilgC3ZAMxE+RZEYoNlAHKUVqD
Ei4+VY8Bj+RNEQcyQJ40lwEtRWlRAYz3ZA4zGzh62i44Q0GdqnVXVbCOs/f3+w0Cvw96HvYb
iAPiU+kGZbjoY1HAtBpdvKvANI1L5nGw/Wa32heClt821L4M5CPR3tIM1FR1hCrAckrdon0A
eoJZxFsZhMeo6/0AZGVpGNVBqab5q17wOxUw2i8ZzAG+9cYoINbs6O0CQvCEoWC76d8q2Ada
Zq2ZFgZqD22t/RGYx40f5DAQp0QTeRPMlhyVk0BvoH9oVAfzmn7WVRjM1Z4iqYfBWk/6GdfB
e98IIR48X/gW6jkhXon9Ia4wpMxMPRKXBbR+NJFjQFfc3VJ+AbNKlrtmR7CXcBS0+0A/6DXk
FhBlla1yPvg2pWRJGAtymuyuDoVXezxVU9xgLjcL6i1AdLees+4BaxZjsvsnMMbqv8kXEJzD
f4Z/adD64FRvAsv/6lBPJ5100nkzdk3cNXHXRPg25duUb1Ng6typc6fO5fdL9umk83+It06c
c7zItFzpDwld3SejekLQfnWVsw5k6KD5OVZCnCU1W3ID8IzSftaHQDGzQIi/AanljCWyL2iJ
6k/2KWB7mXTdMhrM8i63ry4Em8GX/b8Eu8vd2pgMfgFiRtZR4Nlg//Tlc/BcNma7TgD7fA0c
LUEsZGBcFLjL6120q6BtUYprCoQMDmsbehzcN51X3IPAHBM30HEJwr4IsuYKg19unOx89BB4
TzKfPaC3178xx4PlJ2sx0RZYKNoQDL6pxgA9FKzBDtNvFliuOUMC4kGP8g2Vt4CLOEQQ2Cc6
7M5zYBtmu2ovDmYB4ze9F/gO69IXAcptdYLaG4Skp7IWjHlGe/0TUC4r78tUsNyyRgdUBdMq
7ptlgTUySvwI2veWurZVwCuZl8NghPoiPD+DOkiUMUqAtszisxYALVqraM0D6uea1aIBSxWh
fA6WfJZxziZg/oI09oE2UNmlfQKiEz1kB1DLq/PVEDA+Mc/pOYAveKD0AjFebOQSsFXWkE9B
NpO99GqgteWK3A+qw9rdUQaMeNlGeQxijtpUPQP6J74avm4gvyOOSmD91DLUVgwch+wfWs+D
55b+vWwA5jIzSbeAHGh+bYSD8ptohQdELHeNQDDeI0XpBsY9o4fZHjgtq8nc4H/SL9T5DOT3
+nbza4g6G22PHgmxjlcDXnQGbytPteT7YB43DphNwXXel818CuZSDikBEHMuulXUCPCb6xwQ
lBNs7R0Z/H+DhFNJX8bmAvv7Tp+1FIgn6kT7RvAleY56aoFtrBpg6QiWI/ovymlIjfNlTZkP
zjz+RYJWQMLcpM7JfuB/QQ22TH3jcEonnXTS+ctp8rzJ8ybPoQlN+Ave9vX/PFsfb3289fFf
3Yt0/lm8/Xuc9ydlcGeFnJ1D12cG/AvYCjsfQXIpNVEPBXWh/psaAxkitTx+NSE0Z85Lxqdg
r2DPrNSHsCZZIyKOQYxqiYwvDC/yvihk/Rny3g0sXiIMMqqZCgQvgwzugNseEzK0t6Vk6gHK
F3xsbQDcY53cAb5XrjbyONjGWr7XeoEzt62hOhM8u+xVXy6E2GbRtx7sh/cK575XaguIsUoA
DeBJkajz9/qC73PzquEA84ZZnR9AfKY0UBLAzGPmFj1AidE6qc8huHzYifAdEJ478/Lc/pC1
c+67BQIh4lDOMvl0COmY8Um2+uDnDgnItBz852X4NMs9CFTD72RvAsE/ZyqbywGBenj1HP0h
qHmG7yJWgH9wcL1wJwR0CtmXeTMEhAW3yfQzBF4MuRZeFhwVA66HPAXHkID2oacgIH/IsIyH
wDkq6NtM+cG6yO9GyGZQIxzNA2uDKGnt4JcTrPvtJf33g3rEmuiYC9battt+q0AdZ3U7AoCG
tu+dv4C5QampzgGlgnrY2hOUlupTiwVs/S2PbWvA/tQe7dgPRmvzlBkBYpJWQfsORBX1gLIH
tChLhLodRLSIUkLAPt1+0Tke/Fr4ZfZPArvTzxL0McjuIqtlJygDjB7mU9AeiWhigV3me24V
vJGeAgmNwJ3Z1St5HqRUT1gUPxDcHVztUvxBeaIsV+aAslLbbR0FxgJzqrcKhLcPvuRYBpnz
hxUIqQlKf2W5TQP7I3snRwfIfDenf04rZLyU/Uz20RDcKLhC8E4I9Ass4l8RLE9tD7QMEFw/
uHToMwgrFdwtU22wGspV8who+bVzSkkwLyleEQ/GLNFPHwa23tY62gpgAqNpAvoY0ZMfwTeY
HfwLP62bTjrppJPOvwfZXmZ7me3lX92LdP5ZvHXF2fKp/nXwWDBbxx6xNIWX7TzLXOtBCwtx
u0pCUh72G7vBOBz1jecQhJRzLtTiwbZVXav4Q/xYeeJBMjgyBPV0HoSUY+6pievgzJJrZ88B
2mfWiWovcOwPrM3H4B6flKA3Ab0MlfgB/GL8nys1wVLXfdIZBr72qY+8qeDJHNJWawiWSamB
/u9DmEWbJ9tDwYLZslZsBHKga7jiAm2PeURUBU8jvZeRE3xF5FPZHxzN1FE8A1mA1bI0kIfT
2jjQzliXB34CRhVzo+8l+BanDkq9ArKNbCyvgvKdNtDaG9TT1nv+WUFdqhZ3LAWln9rSo4Mc
oF81GoMoSyOjNYimai4qgyVZXeHnBLlOrvWVBLOCWdMsBkp9YdEWg+mimFEPmCTqKEfBnmL/
OMACwiY3mKfAkHyGH/C1KGqOBe29/3jrhjpVTJIdgBc4PQaI1qxSV4G4QYxsAVoLs7m+Fkzd
m5g8C2iifGZ9AEo+NV7rD8ZkPQIfmG1oRE9gkuwrGwN15T6RAYzLRkMjIxgV9XuugWA00Lcz
DLw3fc/dUyB1dkJcbEawXbfPtHUEe1d7X8dR8NOCtob1ABEopmtTQOlldvCMBHOY3CnygHlB
9uNjsE1SMypHIbWCp6qvN8RZEzYnpQDugOaOqWC5oa5VF4D/2YCfg69C0L6wbzNfBNXhfJFp
ICiPtEw0AvU922BLeVDnGiMlIOuI0nIKKHM0f0sMYKh9HUPBF+JakrIF3KdTmyXZIGRyQLOA
raDmV4tau0LqWM83qevBaEeUuhf0grrBl6DmVSvbBajLrLMoDBTRtmt9AOj0Vwd5Oumkk046
6aTzbnjrxPn5hdgfkubDg7Hqodi2oP4UUJRPwd4ltZ5/RzCd7o/kEUje4rW4EsB0u1/aO0Cm
CY6HOZ0Q81Vy3K0rkLeq7SN7XkjNoFXTskH8OE8+oxMYyUldUw9DQLHsPbwTwdHYvtZzA1J+
vjzRvQN8VaxFNR0yrQl4FdIXnC2ob98AGdqr650/Q/ITb5+o5lBja2lPvTuQe1eGwQV/hIf2
m09vZQZPf3nJVMDIJEYYhcFYySr9Jsja5lBtP8i8cqioB7hFoJoXlPctSxxVQHZXcmrXwVbS
MSfgDvjW+/J4p4FW35pJqwZKJfFYawBmcb2yqy4QTJTRCPjCTBajQbmpthbtgEgxW+sB2nFr
A0dvMDbKOHaCNa91skUBeUtPNG6D/MFowyPQvNoqsRK8P+hnU6PAnCOf2AaDNp2h8geQbYxB
rsrgK29e8fUC73h9gjs7iPrKMTkP7ANtW/x7gXuGJyJ1JNBJyU090L7iQ1sskFfL4ssDws/4
iK6g6moWbRgYgwyP70MwP9bf890FtQSzzJvg7pZaLLkJJKxPqPrqEHi6e6a7C4GxXK/uzg3W
rJb22nDwTPdcE6UgJSxhuDICPDc941zdwPQqhm0K0Njs6+sBrgbJicmrIeBZ4PGAJWB7FEDo
QbCtsN22lQZLqCW3xQT9sKxolAFHfkdf++eg1Xd85P8A9G/lUXJA2N0sta0zwbMkdbfvU/DV
8EW7N4GIFB5fKfC0c9VKrgrmBI6Lk6BsUn5OagOeaq46STUhoGzI8CALOPv5T/U/BSn5E5sk
3wRx1EjS14O2RlgJBs/HHhv1wPux60zCXTC9akZcEDBALeSX5U8GVTrppJNOOumk82/J27+O
rouzeXJDsLnshRxDwBWv9zL3QVB9Wz2/EpB3X676zsJwJ8uT67GvwH0y9Tv1ASS3dIdF3QHr
dvuPSgTEH0oO1X4CvbFrjnETUu4pxVzZwJFfLRpwHMSNJ5tT7ZDYwfXCp4Hvpr7X/xh47EZJ
d0bIkRK8w3sfsn5UvmLIJlAuOJrGvQ9Fe+lNyj2Csg0LjmrXAJyl/YuFR4P9hNTvRILa+mI3
8Rj0lfog8RLUfWYOcQ2MdmKUdxqY2WRxsw/QVq4xcoBcYW4z74DlK0sBrQl4+5u9jeKg1rdP
sMeBslWrb/kAxHxzvtwJoqOexRcP+nGjs3kVTEVO1s+Dek1mtPQFy3HrWmsB8P3o62tMBDaK
fUpf0I95W+qLQGlLZmUNGB/7niUsAW8xVwFvR1A7qq+ck0CUs+ZXDoJZzhft+RzkeCOPryYY
t7hqLgclh3SZAWC9YdlgHQ9uiysgJQD0CL1K6kHQumsbLOHgXW9ckl+Dd7tnly8vWBdqim0c
KBeUEuopMBbrlzwHwV7IckXdC+645H6J0yG5Y1LT2PFgLtCXGPdB7+7tlfobqB4lTvsNzMLk
ERdA764fNOwgmsrBvmyQOuNlg+ca2DI51/k9AmUfg4QPjEify5cAMY1fvXLtBGdb3ygjBLTZ
lmr2YFBGKju05WDraJtgtYPRVyzVhkFiec8kYwSYIfI3vOCbq0/wZQZtlnWb9gTEXuMLpSJ4
v/D9ot8Bbz/vUO848NR3lUs6BGpmbbdtMKg+JaNsDPoQr/QOgudrXtx+GQwpIYlKfAuwFlDL
y7xgW2+/698NLPW00X5O8FRw3XJ9BdpjtbMNUHaaZzzlgabAX/CeyXTSSSeddNJJ593z1omz
cVpfaSkB4dccxewmPItPau3bDJoi7Y4W4Grt62UeBNeXcd9bBAReDMwTmAL3e0VmfPIYfK1c
yWoXCPALmKd3AKmaD9URIO4bHeLngrldHacegNivnk1RKkGmT0N+sC8D/5rZV5rlQbmX1M/Z
AwLaWiOTNfDleVTCnAjt6zWuNPljyPdDzso1p4M3SM/Hl6DmVvoaGUAci50U8BTY9epnX16w
9rWUs94HY6X6QD4H5arRResMYh+DxAkw75mjfAfBdSjpbEwV0EO8VRzBoPRSYtQYMH/Sntob
gvlIG2/7HuREo5osCLbF9jr2UmANUadZvwRXPnfrxJMgmzCUAPBdNfYYP4MqLD21HCBmmBO8
PcGs7W3nuQo41HbqSHCnJp9JuglmY+Ou/gCs0fYiMh68vuT7LyuDbb69uv0Z+E8N7BLSE9TD
SgnLatBHGfcMG3jrete7C4H62BKvzARRhsvGQVDma0ttd8DXXDpcV0CrS3OlPcQ3jt0XlQqW
umqicgbMzOYd/Qq4FrFKWsCsbk4z8oL6pZqkBgCdOaV0BtFFfI8OehFzpHES1ED9rPgMfHX1
BUY+MJuZO3zTwIw2H4rBYEaySowEStJArAbrVctu66dg3OeYjALfYHkJCepA0VCZDjJVIiuB
jJS75FzwNvXE+eaC2UaJMrxgHW09bXsAerC3ppkInqV62fgZIKL0zb4KoJRVu4mHoM0QHi0L
aNODmoVOAGdwsCfTYeC+OUSuAjlCn65XBbOQ9wdjMjjmODdigvBS0TcaaK/8Yk0BmogVYgsE
5A64H/oN+A567hilILHLK/uLYUD8Xx3i6aSTTjrppJPOu+KtHw7UGtivySOQWN8YH90L9NXe
k56zEFcpNrOrK1z13h6WnBtSGtq20wBePfDWfzYVIrKEbJYRkLlIhlvKUkh56ZyaehvYy0rZ
CZSuapDlIYR2sRzyTQFbc7WAOQ4eVksOjr8GSWNTQnUHeDoy01MKij/ONKz2E+hXvPXM9dch
98QceWuvgNQH7vs+f/Bm872f8AM8vf+0+uVlENP8RtbIoZAx1fa1sxzYNHWmagNlkHKC+yDv
idbGGRDrlJ3KHJCaGcUjkLuMFvpc0Iar66yPwbkr4HymSPD/IviL8DLgUP1S/eqB9ZzTaxkN
tju299SSIJDO5JvgWBt0OLg0+N8JrBraEpwXHdVtucAWos3Xy4I6GCF/gcQRCR+8OgbJZRN3
xFYD5Qf1mZYIekN9js8BrnKJFV44wNytN/DdBzlBRKqBYLSWQeYq0Efq3d3nwJzOBnkX7OXs
5xxVQMthqWPdB9rPlgOOkyCvKWstr0B+LuItErw93NW840Cv6xvgLQvJWZPux5wH93NXhsRM
kNrAPS25BsjHQjdXg7lO3pEbQTQRm6UfcIwWYjeY/kZLYx2Yk41Qnw6M17t4h4HRzzdCt4H5
3FzhawG+g76Znk4gQ8y24hZ4yvimeOuBdbD9on9f0LYpn1t/BJ5JH9lB3a7V07qA74zeQ/8W
vJHe9a7RYPYz4vTbYJbnayqB5RfbSEcUqCesXwaUAvbZz1oeg72Ms4B/bXAuCn6S4Qn4VQ/M
H54VbD0sibaCYJlgeWHrAR5/b37jF9D6K03VduDc5HxgbwV+eQNahsRAUI1Qa1gX8IsJqhaY
CJa29qa2Y6AdkC18hUFdbatseUcfP/l3Znre6Xmn5/379a/fY/qv4vWXvGbNmjVr1iyoFVgr
sFZg2pe/Xn/Y5OnTp0+fPv2rtfb/DqtXr169enXaBwxefwFywPUB1wdch5gcMTlicvzr+vPP
9qvf8+f/7fyr4/VfxZbHWx5veQxTX019NfXV32//d/PvdP7f4K0TZ7fNNipxDzgCgs/4PQbL
Q79SsjUkRxvl40yI+TT221cbINsiS3LQGYivmFhI2QD+OW37suQEvxz2r5VzUCBn2CP/WAiK
93MpiyBXr4A+maaDlqQVVr8Ay0W5wroYtEk+T1AhiDnz4nZyY3hvRpi14GfQ9la321NPgXNG
mJY1H3i+c8clzwGRU0brpSHhyvPQFz1B7ey7E3QZlDVJEcYCyByfRQ/cBEoTcdesDOoj9YHt
OcjBRhtfSxARsrr+AdgH2h5ZZ4PfzJBZ4Z0hsFGmrlm/A9u8wEUBGUFNsj2y/QqWLg63cwME
nA2xhy8Hbzd9fspzSHYmnH2xFdSzvvnJncEblFovYQF4BqXmTqgOqSWTv0g8CFjkj+YZ8NcD
qoWMBPW6Oo+NoNy0LlcbgnW70+MIBPvnjj2B9cF/ZUhcxgjwy+vn738cZA/dY2wCWUD0VbuC
tlVLUfeBWdvs7qsDKUNTRiR+Dq5FHplaCmLnv+j3tBw8O/204J2n4JrqfhS7Hzzvucu5FoK+
y7fXqAnmJuOoWQxYI5fyE3hLeuO9U8BXxqd4L4JhNUrqeUDpq4QrjUFUERbRE8x2lBe/AC2U
eGUWECw2izWgTVX7WX8E9bAYJZzgK++rnPoeKIfUbKoVbHtsuf2ugIZaWasJophQRCoo87XG
2mFQXfZV9tJgfWDtag8HtbvaUhkNsp6+X28E4qRM8N0Cy3hbqmqCY7+zRMaBYDZVZqvtQPnQ
Ot8eCdaMlhD7VDA2ec9774H7i+QtCeeBGnKu7xlQgVHuLuCxuBsnLoHUPam3E1uB55j7XFIt
8JxPmZzyHMw+vh2ueLB1c35heQ/CxoW9yPT1Xx3e/3w2hmwM2RjyV/cCjs8+Pvv47LQfwu6n
up/qfgr6L+2/tP9SOD3/9PzT8+Grtl+1/artX93bf3+OHj169OjRtAuRGkNqDKkxBIauG7pu
6Do4+dHJj05+BDMKzSg0o9Bf3dt3x7+LP6fz5zjc7nC7w+3SLoCmHZh2YNoBOL/w/MLzC9Pk
/q/6dzrvhrdOnP1MT5+MkyHY9LfmvAkR5QJPRDSC2rdzrilbCOpvq/Gg/CkIHRZyX7igzJf5
DmbrDHKfVtfwgv99vy9D78LjfMmzUppDQm6Xn6U5GGXFcFduUH4S6+2pkHF5cMHMdSHbdTUg
rho0vFhoe8lB0D2g9+U59cEdIjuYVcG47L3v6gfaHC3OfgxcE1KKJwaBo4d9iXIa4mKf5H9W
HGzfW+3WGCg8sHR0GQG27tp34j3Qiomtlqogm5tRdAAjWjRSvwHF1H6xrwRlq3Jf3AL5zMju
/Q0MP689tQsYv7jrJb0E/ai7dXIt8GZNbZ7cCKRhZLYsB+d8PzN0JXiypPZJuQ2ujKmvEgww
vtbfk6dAaanUt5YBzzVjjGsMaPdtq7Qn4MwbbAlLAttZv8cBkyHgbmhCpnvgSAlZm2kxWLbb
Xjl00FN0Rf8YzKHGOWMJCNO8b34JTDRKGpXA63VvcI8Aa19bTUst0C5q2y2JEDAudFtYH4io
lc1ReDQEDPb7LdNnYH6nj3Q1AOM94yffAvAM8IZ4roJX9Z7yNAdjq75YPwamT0q9DPiG6118
k0D3Nw8agNGVWvIJGC59iXc2mM+M8941oKYou8VMUC6ruy2tQMttjfdfDQGhGSpnfAEhZtgn
2TKCtZl9dkBBEIvsM51DQM1ijbAlAOeMr0V/sHbiPesIkNlFjLoJ5CScan5QH2g/W34GWUoe
FrdBOWHk01+CLO4b7NOASkY94xdQNysllQxAgvqpPQ+oU63XbCrYNziP+Y2D8I8zzslcGex9
HV8GRYB/z6ADmSpB0Jqgi5nCQYnRGjtvgbis5rbMA+tl269+bcBcp4105AFLEfuPzurvLlDj
4+Pj4+PTPpnacFvDbQ23QbOJzSY2m5j2ydfXcnv37t27dy+0bt26devW0CJHixwtckDjxo0b
N24My64su7Lsyt8f5/cqT3+7fmzk2MixkWnLvc73Ot/r/N/v97rS03RX011Nd8H8EvNLzC/x
5uNvNbXV1FZTf79/9ir2KvYq0PZQ20NtD0HnTp07de6UpqfX6Lqu6/qft8M/qp+/XT+jw4wO
MzpAk4gmEU0i4OvDXx/++nCa3V6/N3dO0TlF5xRN2//P2vFt9bm72e5mu5ulLX9S/pPyn5SH
Cn0r9K3QF/ZN3Td139S0TxK/rT7nnpx7cu7JNHt1LtK5SOci8DTj04xPM/79fn/kV28aL7/n
z2/aTlRUVFRUFHTzdfN180Hz5s2bN2+eZtc/8pNVN1bdWHUD2ie1T2qf9PZx/K71mpycnJyc
DIMGDRo0aFCaP7++o/NaD//o+N6Vv77mV9+vvl998GLSi0kvJqV9AfGv8u90/nfy1olzUK6g
A85ckBydfDxqFXgvptyKaQv6OfB9B2MHfpSyvjx83Kbxrn4bIDxjQKArFfL1ylovyzDIskDr
H/ArZG7kbGldARlyZOxknIDnhjfEegMev598O2YyKPk8Ze70gQZqOcuHNaFzh97K3KKgtAgq
GShAlPR9qRYD0U4NUa+Bfl2OMk6ADDQ/9j6ClL6+xe5vIb7785dRIyHnNyVPVHsJfgvDc+YY
C44kyzotE9jzav6WYDA6y+3mfFAc+BkfgDpR9BXHwPMgtb77FXjyu/fpT0DON6/iBl16Qj0b
Qdr06r5ZYOzVv/JeAy272Gj0AfZaqzjiQLtlD/S3gANn9UAH8L71lHIQrNsdVR0/g394YFJo
KXCc89sVPAls4+zf+keBJVLWF3lAv+X6zTMXxCitgsUH6l5rPUdVsOBvCw0F61r/giHHQfRX
t1o+B+8cc7XaAizNnYlBJcH6i/NwhmHgtAb2jTgB/ocCCmQsBP4dQsqElwBnu5BxmeZD1gF5
JpX6HMKTsy7IEwmhOzKNyBEIoVszHc/xA/h/GBKTuQZYCttS/INBSbbU85sDAfWC9meqACEL
M1TOdgUcvfxXZNIg4H5ovuxrIaxdttFFlkNYnhztim+CUJE5NO/XEJYt08h8D8He2u9Exskg
6ihl1eJgqaP+LD4GZa50Gr+AsceonFoKXI9cHeM/Ad/nrq6Jc4FZek13JzDCvB+mRoCSTQab
tcCoqW9QsoOZnVDvQjBbyvIWBbwVvdmMGPCt836f0gOMPl6vaxIoBWUhsy6IhdxiHnBTmPJD
8Bb37PQ2Bn27L0ZfDTKH6TXngOKnjJHfgV7As8n4EVQrfuI8OHNaLDLq3QXqtP3T9k/bD+GP
wx+HP4adz3Y+2/kMtj7Z+mTrE4gYHzE+YnxaRXXdnXV31t2Bj0t/XPrj0mm3LJdfWX5l+RX4
/uz3Z78/++f7MzHrxKwTs6YtLyqzqMyiMn8vV6tmrZq1asLSCksrLK0Aq1avWr1q9bvTy2vK
XSx3sdxFGB40PGh4EBycfnD6welpCUz2l9lfZn8JE5pMaDLhL/iiQ53hdYbXGZ6W6GwYvmH4
huHQbnq76e2mw9K+S/su7Qvr1q9bv2592n7/bDv+Hk+ePnn65L9MaenatWvXrl3TEsEPP/zw
ww8/hJvOm86bzrc/Xli9sHph9dISmtrra6+vvR6mH5l+ZPqRv5f/I79603j5PX9+03amJ0xP
mJ4AHzz44MEHD2Dr1q1bt26F7Huy78m+5x/Xx5rVa1avWf329n/Xel2wYMGCBQvSEtgdz3Y8
2/EMaqypsabGGpj5y8xfZv7yj4/vXTN68+jNozenXaj+Hv9q/07nfxdv/XCgWBd6IGYZ2Ctb
toe0hdQf43d4n4LtGQscfrBr4s4Rs46CudndPWkk5H+U+Wqt6WBN8SzzDocHunH82mQoet0+
ploEpH4pvHGV4UjE2RqxuaFgpbDRuYZDl9Vd2n2eC7Kczr+urA28fXxf+X4AvYt3u74ElPvq
S3kClJxkUmNBX++LcAeDGGZGGz7wX2XfEFod8t0q+0O1whC4N6szpASktIue5ZkMGRoH7wuo
CFq9mO9S+4Ks71nv8YB8YK6jLChXtWHqIBBzXIfch8H1SVKd2AXg9Vm7O4+Bpbj2nHngNl0z
3OtBa6hdtlwGNUZekrnAHCs9Rj0QO0WY2AL6c72u9xewWC2XbQ4wPnOvT1oD+lcp8cZgELr6
SFsP1oH27v7fgxiq3rQUBTXJ9q2yHPTb+lJPX6CScdWYDiyQvxl5QEQqmbRlYNyWr9RxoORT
ThqjQLzHYw6CcV/fLS6BEmbtKLMCe5Rf1WlgztHzGLdBu2Xta/0G/LJbNmaaAc6WZnR4Cijd
LQFqG8Dnnee6DL7Z3hcpnwJnjMnyE1C9WlfRF+R8sVYpC5YpyjixCqRXfm9cAKOOVERpAKGr
FUEG8kTpCHoDsx1FwWipOz3dwVbI+kwpBlwzulpMMPIZbk85sF/TIjQJxhDrIXtDUPYQYAL2
DywNxFwwzptXZF3QpR5uxoBZXMQYYaBMUtZbRoFaVivoCAHVFDe1K6AFKbX1RNAL+154B4PY
wGdqJGhl1ByWvuD5wHPZ6AjuWO8tQwWljdLQMgcM1SwotwFTpVtcBVFF9dm/AXHJUt3sAX4+
tYm+CeyGtYsa959B0u7tA/Vk15NdT3aFHZl3ZN6RGZS1ylplbdr2ru27tu/aHhp91OijRh/B
kfxH8h/JDxd6X+h9oTdsiN8QvyEebp+9ffb2WTAbmY3MRkAPetDjn3eCef0DawmzhFnCwFff
V99XHzjHOc79/n6vK0yPNj/a/Gjz77f7mnPnzp0791/ayzkl55ScU6Dazmo7q+2EtRnXZlyb
ERZfXHxx8UUYzWhG//OG/XeUmFdiXol5IBaLxWLxf7N+i9gitoCvrK+sr2yafpZWXFpxacW3
t+Ob6jN3bO7Y3LFAKKGEwsCVA1cOXAk59ubYm2MvdPy247cdv4UpOafknJITtrGNbfx5mmRp
kqXJf3l9Y8uYljEtY+CHsT+M/WEscJzjHP/7/v6eX71pvPweb9qOLCVLyVIwMdvEbBOzAXe4
wx2o91O9n+r9BFOYwpT/QQ9tWrdp3aY1KDeUG8oNWHpm6ZmlZ/68/d+1Xo8kHkk8kgjrz68/
v/480IlOdIKW0S2jW0bD0vlL5y+dDzSlKU3/eHzvyl//Nv7/CL2EXkIvwb/Mv9P538VbJ86/
WX9r5dUgW2xgW+NDsE9VPjfnwa8bnha6cBJ+bv2g/dHtkP9y6IqIsVB4XL7rRbbBy24EPl8N
F2vfPvNyHmRzZGmvpwCOFH+3D94rWuCTfBPhw6ztVgxsACGWLCGlE8GzJWVy6gEwki2v5ClQ
2opL2qcgvzRXGQ1AKaTloicYbd1JqXeAqdpz63lQ9itr/PaDccE968U88H3j+sw2AcJuRQTk
7ALZk7LPyzYBzpkPv43ZA8qvXkNpAWZHs7eZDFpdS1nbVyD2+nL4FoOawT7R0hgsTZQuIhb4
TC43ALGDwspj0DTLDPsmUOc62jlfgaild/QJUEaaQ00biB/cemp18OX2PHbPAVMzP/QtA59N
X+nWQEtUOyqrQX9hRprnwVLF0cqvMCil1GtaD5BFza6yE+g3hSYLgKxklPAtBnt52ywlDBwT
7e3tw0FGS1V0Bawy0OwH7r6+Oa6joBd3NxJtQKljrWQfBsoZcUvdDNp6PmQKWC/aomUkiO3M
N8MhvkXS+ynZgOfGS7kStItajPUgKBHWxupdMIa4J7sug9xpbvMUg9S54j4HQDXkGT0bWHap
+7VCIK7IqWZWUJ9T0WgDyl1ZwSgGapD6qeMGOFO1EWotENO0h8ZBkA2JVztB0HuBRYNjwZ1d
L89VMMKNreZ9sGa0b9Tmglwg8xtjwNfKuwgXeGJ8KzzfgMNuG6c1BXFcmMpd0Pf5thq9QTum
1hRbQC1g6263g3gg88pXIDorZcVL8EuWhZTfIGSi3+GA4eD+UX9mHAS9vOlWPgdZQH8ky4B6
VZ1iLgQtg+2wrTQE/mw5rY4Eq7SFiooAfPIuAlWWlqVladD2anu1vX+/XZwX58V5MJ+YT8wn
MMgcZA4yIXxv+N7wvWmVpKpVq1atWhW2s53t/8BxvXO9c71z/3y/LcssyyzL3ny/OcXmFJtT
DHwdfB18HeBT26e2T23wvMnzJs+bwKZNmzZt2pQmf6bHmR5nesD1lddXXl8J3Yp3K96tOAzx
G+I3xA8ObDmw5cAW2Bm/M35n/LtLnP9R/fxtwvxH61/z+pb429rxTfX5+pb9g94Pej/oDZUq
VqpYqSLYb9hv2G9ASP+Q/iH94WWLly1etngHivwblMXKYmVxmt//LX/kV28aL3SkIx3fvp3X
UwPUg+pB9eB/kbsgLogLfzzu1/p9zbuy/7vSa3TO6JzROaHW7lq7a+0GylKWsoAVK1YQ08Q0
Me0fH9/v8ab++qaE/BjyY8iPf51/p/P/Nm+dOHt/TPjakh9cB7SGiTpYvxDTgkuCfajR1HgF
gV/7Lc41Al4VUI4YQXC1/IN715MhS+6wa8EzIbBGpk/868PLZd7wG8lQdWGhsvVbQ4eC7ycP
igNrRGDRPFHg2+B6kXoXlOuqQxQGLUKuVXuB7CGz6zXA3M0z4zgoN5klLoB3he+gKwqccwKj
wh5C9OBnGZ7fBMs8S0sjAKydnNH2iaB4LY0clSFiZY5KWXeC84j12Y0jkHTV287WD4zxcrFI
AudLaz5bOUg6mlA4YR4Q557urgCWwUHfOFLAE+TJqucBW0t7sLMRMFa8T2bwzE4o+/Ie2Orb
1/ofArFZZNO+AG2mZZ79OYhB6g/aI7BhC7GPBO6KXaI8iNVGfyMbGN/oFT0TQM2vhKpR4M3u
raXnBNtyrapWH9SvrFabCfID+bW6BihovNQbQ9LAeC3mGVDNOODpDZ5DemV5DexP/S8EJoL2
2PaNf0uw1LVo2hbQSqi3rdeBpeYGPRjEErnZ+w1ov5DB0hocP2tlzcJga2I/J66A87bzsVoK
1EQZ6csNcpD1pGqCt6bnJyM3uJxGHhkA9lHOOwH5wXXO144E8K3jG+UoeM7pW3Q/sLVU86vt
Qb2r/mB5H+RCZZLcCg6X46C9KYjvZX21OuilZISvHgQddmS1ZAWtodrJmgn01WY3RoK4Jyoq
BsjZFpf4GHwP9OWEguU7y0wtGcwaZiW5FpQJjvOWY+Dr4NvoLglqM220qoKoLpfLHGA2M1ca
YSAyK69UCUpudmiFwS87cdIAUYHRZnOwLuRLZS14Q/Ul5m3wXDW/NiLA9ki5I78C50hrdmuF
/wyS998+UF+/HWLFgBUDVgyAvmpfta+atn3Z8mXLly2Hqturbq+6HU7MOTHnxBzYennr5a2X
IcPNDDcz3IRTp06dOnXqvzRcmtKUBi5wgQtguWK5YrkCMTExMTExcLf33d53ewMrWMGK3+/f
67da/FEi+I+StWnWpln/S8XKOtU61To1bTlXrly5cuVKW74RcyPmRgzMKzGvxLwSkNI1pWtK
VwisElglsApEe6I90R4oMrvI7CKz/3y//qx+/iyXLl26dOnSm9vxbfVZ/Xj149WPpzU3q8us
LrO6QPCC4AXBCyA6R3SO6BxQ3VrdWt369uPc8XzH8x3PoT3taQ9sDt8cvjkcSp8rfa70G1QS
X/Om8fK3vPbnN20nZWHKwpSFsCdgT8CeAGhJS1oC+1rta7WvFTCZyUz+19n/Xes164SsE7JO
gCktprSY0iItnp6Nezbu2Tg4NeLUiFMjgH3sY9+f94c39dc3pfrN6jer3/zX+Xc6/7t468TZ
eTswT9hsyNo1sFCuQlCqYqYPcteFkAtBB3wBcNr8bcvDFDg/Krr1jVOg/5SplvNHCDW8o7xB
UGSDd54jEepubTR69hEoFpK/e+UgcC8R45x9QAwVX1r7gIwWC/V6gCI3kQryPVGWYSDay6FK
F1DDlOlqSdATZHMlBRytbbP9O0DCgxfH4p/Cb+cvZ/81HgoNLD2nwktQM2hPbKtA7gNxB7Lu
zN4w2yrwC7Evtx8DJYurr3sWMM04oCSCJcqSwTYXrEn2TY6NYBSxjFA/Br08UeIC+Fn95wWO
B323L9JbH4xBej9fAXBkc0YGrQPfUD2ab0Gppj1Tu4JawRJND1D6mzPEfBAFlN3KLjASjMt6
ZfDu81Ry3QP1kXJT2wnyvAySPwHxWmslEORuMUl+DL4N3qjUxsA1JVY5DcZszzlve5Bl5W+i
FgjVGu4/GpzPnYMsgcAqvjJygLnEO95YAt4rptd4AL4mip/nChgn9RfGDZCX9SpyJpgR9DIf
gSXaYmoGWLtTQLSA5BFJE1MeglHSiGQqWD5VD8jmoJvcMA3wfxw0JegFuCN9g5RYkEmKoY+E
THmCFwbdhACvrbtSACxbtNVKURDhophSA3znvbP0j0EdQUblAxBr1LOKhJQK3nX6ALCMUB6a
60AZqJZVp4NRTLY3L4LvN+9Ez2CgHFvUAuAb6z2p62Bm8fX3NAHbRNssrQUIu/mITaA8p5lc
CsZGva3+EGwFrF9qQaC2FiMs40Cvbsw3D4D8Ssw0e4J4KDsZGqiX1JvaIpBH1Q1KCLh3pux2
VwfjjhIoW4NxXHsmroM2wBqv7gXmv5tAff2QytTRU0dPHQ3NbjW71exW2vYi24tsL7I97WGl
PSX3lNxTEnr27NmzZ08Ivhd8L/gelDZLm6VNKHys8LHCx2DWwlkLZy2EQQxiENC5cOfCnQtD
j/k95veYDzU+q/FZjc9+v1+v2+l4puOZjmdgLWv5/9p7zzipiq1v+9qhc/fkPIQhSw6SDCTJ
IjmJgIJkUUBQVEAByUEFEVBAAUERRIIoOaPknHMcBianzr3D+8Fn3vHBw330wLk9z3339aV+
Vbt2rbX37ur5z+pVtb/l8fPDqB9G/TAKGMUoRv3xeMF2UhdnXZx1cVZhRMrf39/f3x/qqHXU
Oiq8V/y94u8V/9f9+Kv351EpWHT1V5/jo97PbmW7le1WFjJ6ZPTI6AE/xv8Y/2M8+H71/er7
tXC7v1FjRo0ZNQb4nu/5/l+/zutNrze93hRa3ml5p+UdiEiKSIpIgqlXpl6ZeuWvj/dX50sB
D36e50XOi5z3F8ZxPu182vl0Ya7tt52+7fRtJ2jSpEmTJk1Aqi3Vlmr/9z3/x31fx40bN27c
OJgwdcLUCVPBu9a71rsWLMssyyzLYETiiMQRiX993H/GP/u8/lX+uz/fQf5nIfz2n6uu16lT
p06dOn99gGeT+o8u1hfqfl/8ZM1t8M7e7jdeS4PTiVdePzMPlpT/uevyASBesL9tagL3fkpf
kJwGLzes9XSDjdAxr3WZD38B37eBbuY5IK6xHTZtAsNXthv2WBAGa4N1H6he/UfnWyBuF962
TAL9BWGpHA3icV5UtgJ7tRTpGpBjLC7fhNxO6QNvR0HW5tRjmd1BfVN5KbM4JI4s1bSKA6yr
LU2iNoK0yTRW6gvXqh94Y4cTJvgmVJ83FS6/cT8lbQYYD5hKhpyAsIUJPYtVBGfz7J/uvwK+
uepsvSUYDLZTIT1AcKhbAj8CEzWrvxgInzJGXAliC6m6YR5oh8UMOQesPcNbxd0BdZ/nGXdf
yBubXSz1IOjRaqnAJjCclpfJxcDwiynElgzaLp4Wz4Gq+NJzj4G2wFDJegrkIeJaqQToBq25
/hVIh+W5hkHA57wjHAXNpCdoe0D+2rjcooH4gx6nXAJfGXfRvGoQyPX3904Ceb60w9wLhCek
8oIdhGriKO0OyBulfFsIyC8bNxhLgR6tVQuMA2GWNla7Dd73fKO9C0FL1cuqVlCu+U/4G4L9
qrWPaS+YsF0KBZTTaiMpEyxfW3YZTRA21Bpp6AHCwkC8vwEYvzNckd4Bw4tSM6E6mIsZroqN
QOohOgkHf9XAE3o/cKd7V3nyQT6pm9X3QSmmhvkk8IcHtgfqgOGifNRgAbWbNojmQBdhHTtA
H6E6GA0cF9/kEPC07lCeANswuxThBu2k8JxcBaQa8hWTDt5e3jHuONA2KpsC1cD4lbGs5Aeh
q7hHrAuKXxgrfAHaz0ojsR8QqlkDs8F4y1RZ+hyiVlrv2mdDaP2IN8yj4M133j/6/rm/e5oH
CfKfSUGu6l/NUf1PpSAHuHq16tWqV4Ow62HXw65D1pSsKVlTCneTKNi14d/F/7T7GiTIfwKH
Dh06dOjQY4g4kyqEhZ+E8zWvDTheHWY99831GS3BU1M5Yz8P+bMMXl0EcXfuyNTG8Mqs6GZ1
9kG7KtV/+KAj5J7NSXX1Bm9oWqfLeyDxwNO2xj3AP0BdrSwCcbyepOSCqAkLjb1ByBUbCINB
GK5n6QtAqydMlRcBU5ijrASTVWhoeBJ8E6UrngzI7Xpk18bj4Bqyef6pNyB22tgm4+6Cfrfy
3uiroH/MU+JOiL1WrHTSCihaKXxLeEO49nxmJ+dB8BkConcCaCV1RYgF+Z7xmsUE7hO5z2V1
BcNKyxMWBaRk6by0GNTOtBZ6gqGdvMZ4D9SPtRHSU8AcdXUgGQLbXfczF4F/nneHvxZYTppf
sSSBkMo9kwG0U3oPrSXo4XygLQf/3MBT3iogfIgirQVhPemGH0GZHzgbuAUk6939L4I8RMzX
V4H/UOC8EgZiP3GkeBzEw+Kv+k0Q+xmjjA4IWRB6JkwBntKeDSQCW6Rr5kHgm+ip5esD/hTf
IFcn0GL0BNdpcK/wpOZ8D5by1nE2N/jWKlXVQaBe1Capc8A6y3bZOBKkNtY4owOMlw1jJSvI
H8seloBxrfS+/h1wm0/Vc+Ds4W8ovgPS80JAGgyu7/ylCQXDPnE3d0Bo7YsMWMB43HDWsBr8
xX3fBb6HQEv/x+o0kN7TVGUYSEelU2IC2GZYz4eUAHmh+LzYF3w9vce9ncC1ybPYOweUDuJg
SQL/TndR1QLmLoZvDS+D9KGvn68xBCqpH3kGgOpjoKcSiLPlMabloMhqkjAQnHZnqLstmM4a
fzD3AfUH/yx/ElgHWNrLe0ALE5aZJ4H6i7pfXAHyBesh4QQIXnm1PPfvnuZBggT572SfZ59n
nwfOWM5Yzligf4X+FfpXgBV1V9RdUReqx1SPqR7z6HaCBAny9/HIwtnyjam660UIyfa9EAUk
L7/nDnwLUdviBmvjwXROS808DR2d0V/XPgZttrQ+MtYLt3Z7B6dpYL2c/rX7Z4gsVmnBk0VB
W6At5TQISfo4vS+oIfqC7I4g2cVDYW5gAxeFi6Bf02+L84BQ9Ud/J5DSrEttz8HtyjeOHKgC
d4dM/GjcajD1+PXH1O6glfDtk26D+Ik3UW0BsoJfrgZ3xH1td2SBbW7UFMfnUE6s4i3VEfbP
uvVi6gHwJ/hq+l6CwLO+osqHYOhtHhq+H4T9OcuyXgG9rN/oTwH9Z+Ovlq1AH72E9B4oy5V1
+mugbFAiXBcAn5gvZIJ/XfaO1FCQehumGyxg2mj5Kbw6eF71nvYsA8slayvrIVBLq321s2Cq
xqdSfZA2Scvln4E3xKvsBW2j+oG6HrQ01WXYD0IpbqqVQXpZeF/JBb/mT9dGgdBFuxn4CKKe
D4mxJYL3oudbz3eQL+ZaszYCndSn/cNBT+MHaQ1YGtvWh94BoYy0VewJuq4s8y4FX2vfend/
kJoZGhifB0clexfLaRBKaW65N6j7tFeUkqA0o4I6F3znfVfz7oI+QVuvfQfyVcN4a1sQbgg/
mV4CxnNW8IP1Z+tmA6Bc16aJg4AaehNmgTfC94z/W9BOCPuEvmDYY7xpbQC+Zr5O3kHg2eI+
5rkLWc872+VUA9NEg026DIZL8ijDEMje52zpHwnh2x0TrC5wbLTvFxuD2lbsangPsnc413q+
B5NLCAtEQGCiZhHeBf2wEC9fAXmjNFr6HEyHTb3lmeD/3tvXew1EoxDBEfB/qfgC60Fxq5HK
EbA3ML4vR4H5inlIqAOkU+IX8nMAjEH9u6d5kCD/may7ve72utt/txePj4ELBi4YuABG1hpZ
a2QtaGBtYG1ghYqvVHyl4iswcePEjRM3/vv9+J92X4ME+U/ikYXzk13CGhbpBzk3xCkhMRA2
09bSsQVCK5k6BtZD94pdIt4aCJUqlezbbQ5om6Lzo3ZC2BPnvAe3gy0jOq28A0zPhS2MuAe+
8MCPgX4gPa+d97cCcYo+TV4I4jyOmw6C2lefq38MQmUs/nZg7Gh6z7we3NFONa0enJrzydWP
kqDswoOdMvxgq/7EzjIahH1lqBsSA9bq5QeV3geKJyAo+WDNLNqo6FqwHrO1NjmhiDXqVlQm
hDW0nwjbAc4jrvi8beBq4fzBnQxhudGN4nuCsYR5lnUV+BupFdUQMI8yD7JGgr5X2KrPBvUF
/zW/DSwHDOUNL4Dyivy2rRyYn7CmB2KAImpd/xfgu+Q77qkOxq6G5+SPIdA/0EppDEIPabnc
DAzvS8PUdFAkNijfgjhVdwp7wVBVjrP4QI+X2mtHgR56K097ECKE9vJkMMw2zTS+DsZxhnPG
LPD2cd7L3gCp8r3XUqqA2NvwvHEdyHZDZVMMmOym6catII+Q1xu7gn+096h7MIip0gnjTyC5
jPdMUWBoIfcWI0CexRXlIhi6mt+SbgId9CMmDXzjlQH+scApLVbqCrQTL+ivg3+5d79/MYif
6nXyLkN0i7AIswziTdXBQDBMkz2mPWDYYMQ6ADz9/F0DVgi0VCsE7oBcRxkhimBoLdTWp4O0
1RhPPCg+tZ+4EvSPte8DySCMEhONTSH8laj+0Y3BP8A3Re0F+nF/N/UOqKK4WaoJ5qWmI6ay
YJ1vnmOJB32vvlSsBaYthkXSVjDUFCpJqaBeVq74EyFwXM6mNAi3TL9aXgGP1bdfKQpWk+Ek
L0LMxvAnjIMgvFlYz/CyoAYC/ZRawO6/e4oHCfKfS5G0ImlF0v5uLx4fMe/HvB/zPixhCUv+
UYc61OFfSIn8q/xPu69Bgvwn8cjCOQQ5MXYxeEeGNs9PgyI3i9cJdIIO85+8MzgX4meWyqwZ
Be59wljxNohlPEtdZyD0TOmuVacAN8R5hq0QkHyx3i/AsEvcaKoDgfL5ZW7uBfF5K4ktQE9h
gtQPhDkc8r8LvCnGyffB+6Xb7boN+4svfevrBWDtlTMhSoKEBe8aWumQ3ffCtDNlAf1SnbsR
oO1XPnB9CtJBy0JzEQitnHishA3MlwwVxG0gRzm6Wd4Dc29LY7sLDHct8xy54HK7emSuAVuV
8CJxw8D4knlKyGDI6Xj/2I2awDva80I9MB+yLbf/AloZdYf/I9BExglJIFmoLGwHxawu4joE
3tLuq2VBj1EHKiHAXUrppQCz8JV0E+T1+lYhG7RG+v7AZyB4heGaD6RZ8i5LOliWGo+JL4P3
BbfoXgniMOorW0FcLQ+y1Qb1BXGwtABUzT/e/Sv4Rwfsvnch+tOiHUrVAdMm6T3jFyDJHPX7
QKqveZSvQGnoX+JaDdIgY2s1HALpvgnqRvDN94z2GUFtKk4QQyGkigPrl6CfZwGrwZ3qfsWb
Cmp1rY63BNieMf0g3YGwNMfrISVB8Whv+m6DPECvZ6gB0nEhQwiA9aZpof4FeJ/zLRc9kD4n
d6uvO1gaGJdq74K5g2jnDHgt/nTvOdCj9V1CTzCvMkQb3wayxLPiCNCvq5WNH0Dm4fTuafOA
IrLJOB2UZ4S20pMQluaIMn0A4V5bmcjd4An4jd6DkHvcHa/eArGKMM+zBOQnxe9CfgXPEM8x
XzMw9bUMkK+BUk5YIp6GrAMZgZzdELY9JMJ2H8wbxM2aD0qcLC6EmcC+1rHOEQeuWFc17x0A
Ov7dkzxIkCBBggQJ8nh4ZOF8t5Gzn7ENhGfG91Fbgi8l/YObL4LnhZxDmWMh/7hQwtMJTKul
2pbeoFzlU/1jkPL1FswEJqr1/FNAXCp2Nw4HVVf2Z9UAfbD6g/4VCJ+Y3g6LA/1FDMp0YLx2
UTsBpmnGsua1cKjDwaWHs+HYaye7Z+6Anhm95r38PITMei67pgnSV/T5aFhzcCnOIpkdICd/
Q4Xlr4PD/Oy9F18B08US2+PWQU7d7EauInCnXG4vSzzEfhN3I3oRpLfKq+edAu4u+dZbO8H9
qsvnqgX2QY4eoXfAOsV00zYL9IxAB1dPUEMCu/T7YIgyGR1Pgu4VQsV5oK8lTp8L6tNKUf8V
MPQwjpOPg8FpHRwxBPQk7SMxBbimzVcugeYPrHbtgMAQ3ynPZZB/MtQUR4Ivy3vNPQj08b54
wQb+TZQ3/QDW162HQ4uCvYettPgOaAHPfmdlsKTaz2obwDVDkc1twTXN2819DgxV5DmeDaCH
BmI8sSANlrpqT4LdYR5qbgNMlzItGyH3grDPVw0corzYNBH8IwID+AC8XndX71VwDc7fk74L
IndExlp/AHNjQ6b4AWTG5K1zfgG5ZbLn5/sg7OPQN+2RoIrCe2IDUNcSLb4CBkvedqUrqM38
jfOvg+lJ623DSMitnvuBegf8HQOjfDWBOWJH9oN8Ql5ueBeUc/lj8oaBPNNQ0TAf+FhbqncH
49PWlZb94Kvij/QmgOltkgIdQXw5cFwLBbm5Xss3H0L6GVfIGSBdtXQwDoSAQTlm+AC0OsLz
alUw+G1rxG0QWKL21uuBt6US76kI5hRjijgIvN3yY3J+hdKrk47aJXgivdKoYt9DXlR2W/EY
6PeF10M8f/f0DhIkSJAgQYI8Th5ZOFe6WrlpsTOQPPbsGXdLaPzD054eKyB+Qk1z3WXAMFMZ
qw5aNWULJ0D4TvhS3AhsE7IMc0E3qJn+l0CYIpYRM0F/x2nIygPDaL259QgwS/xKbA3+484S
+RVAGCfMU4uA1iLQj41w+/KdcfJAaGR4qVn9NIhq+1SpCingqnF/csqrIAg5O/P2Q9jJIidL
xIMpv8SLlY5C5pOzuyxpD/HS6A79r0NOJac18DIYv7JGxUyHMlNK7i4ZBjdb3o/Kqwy5M3MT
7JPAfTQvkP4lWL522IpXAkvtkBHhAhgGcDuvGYSscHSUZXD+7Dns9oOjvO12SAWghrBfKgLy
7vBq4Z+A/44QbfwM1G3Kl75I8FbK2Z0xFPRqeh/lZSBevCIJIO2UxguNQNwqRImhII4xi6bB
YK5gu25fB6FFjRZLGljfsqwxFwF/vvMt5yRQ5/u3er6AjCfzj2lx4Kzrn6ttAf2IFCdWA8fZ
0E/NVUDeLb6v3QDDDqmo3gnYSW2/CVxl8xcqHUFtqa/Qr4CmCgbjNtC6aqq2C0zN5O1iOpQw
li6ZcB/klvoZbSRc7ZKi53cDCcNQOQ78Z7VWWlnwX9LfoT+EvxT6a1gYZG3IaeAuDhme3KP5
2WA5ax6vfQnKJWc7pR7oNox6DMjHjOPk2aBnkYYJ1B/Vmep4MO4zHTaFgjZLE5T6YOhtmmSM
B6W9atGegUCa9oP+M1hftmab7kJgp3pMmAwZh7NaZOwB+2j7246LYDxqGGz8AKQoua/5InhE
d0/XHUDRHcpsUDfpt4V1gOqu4EqGQJjkF++BuYr/Su4yqGQpbooKQOR9y1JHMuSMTB3gvwqh
7aPtjmz4b309XZAgQYIECRLk38qj76oxyvvM7WtQ/VKJiWWLQiWaRL9YATTFGim2A3+rzI7Z
9UH82rzBFAWiwgdKMqjzhAGKDYy1zDn2l0BdLj6jDwW1de5Kd2kI1Nbv2fuA5YX4EH0D5HfI
2+ArAqFa2MWwWeBp7P/RXxeeOdHwvTJmiO+QqIY3AZ+SZ0jrCqqa2zmnCRgTXDq5IDaPKWWe
A4aPw0Ningeu28aHlQf/ydz7ueUgalLsjLgXIWar/WO1NEjJMYMtkWA/GnJcWAfGamFjYlLB
eSm9yM0O4CnmaR2/Ecxmy+rwZSDaXa95HRBWzrjLvABsY4UflAYgW9X0VBGEc8I5qRpob3mm
5b8P6tfqdskC4mJtstQSfPeEuWpLUI5p1fUZoH/lX+WLBrmZpaXtFxBqakmKG3S38oxrO6hF
PBukzSDGC5OM24EjQinvF6AX1bJcv4JQ17DDNg7UteoP/oEQqlrqycXAes563dYerOcNS/V6
YH1dnhYSAerIwBDf8xA47Z+o/gz2WiGHhCUQ4TDNM7wGeT38/cQZ4H/O09C/CpJKxCw2SaDE
KQuly5C73lXSewiKRMW8bQ0D98vuKYEykFVc6y10AfW2L83TA5SVzryM61D0K2t/tQE419t2
h+yBdGPel4FOoCUrVZx9wFHDIhqXg6GWoawxAdhPCiNA+1GPFkpBQNFi9RMQ+EDJFA+AMEs4
KJ4F22FLG7kURA8MHWKRwayZE+3poKwLJAtDQNe54gP0Qapb84A/y7vLmwTCfsNmJQXyRzqj
--------------060809030406070006030401--

--------------050403020602080907030506--

From mike@gluu.org  Tue Aug 13 07:22:11 2013
Return-Path: <mike@gluu.org>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 97BFE11E817B for <oauth@ietfa.amsl.com>; Tue, 13 Aug 2013 07:22:11 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.665
X-Spam-Level: 
X-Spam-Status: No, score=-1.665 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, IP_NOT_FRIENDLY=0.334, J_CHICKENPOX_31=0.6]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id un4HHW0u8xA3 for <oauth@ietfa.amsl.com>; Tue, 13 Aug 2013 07:22:07 -0700 (PDT)
Received: from gateway05.websitewelcome.com (gateway05.websitewelcome.com [67.18.44.15]) by ietfa.amsl.com (Postfix) with ESMTP id 32BA211E817A for <oauth@ietf.org>; Tue, 13 Aug 2013 07:21:55 -0700 (PDT)
Received: by gateway05.websitewelcome.com (Postfix, from userid 5007) id 84DBF15FA0883; Tue, 13 Aug 2013 09:21:54 -0500 (CDT)
Received: from gator405.hostgator.com (gator405.hostgator.com [184.172.165.9]) by gateway05.websitewelcome.com (Postfix) with ESMTP id 790C915FA085F for <oauth@ietf.org>; Tue, 13 Aug 2013 09:21:54 -0500 (CDT)
Received: from [127.0.0.1] (port=49256 helo=mail.gluu.org) by gator405.hostgator.com with esmtpa (Exim 4.80) (envelope-from <mike@gluu.org>) id 1V9FTu-0002Zf-7z; Tue, 13 Aug 2013 09:21:54 -0500
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 7bit
Date: Tue, 13 Aug 2013 09:21:54 -0500
From: mike@gluu.org
To: Anthony Nadalin <tonynad@microsoft.com>
In-Reply-To: <7a9ce33274304311a64057bb305be011@BY2PR03MB189.namprd03.prod.outlook.com>
References: <8e1ea7617c20b54b3cecbc99364b399a@gluu.org> " <4AACCC15-5DE8-4906-9756-0E33D37FC240@oracle.com>" <520A35CA.50006@aol.com> <520A3BAD.1050703@mitre.org> <7a9ce33274304311a64057bb305be011@BY2PR03MB189.namprd03.prod.outlook.com>
Message-ID: <60b4af16cbbc9c5e5b00fc1e63072c45@gluu.org>
X-Sender: mike@gluu.org
User-Agent: Roundcube Webmail/0.8.4
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - gator405.hostgator.com
X-AntiAbuse: Original Domain - ietf.org
X-AntiAbuse: Originator/Caller UID/GID - [47 12] / [47 12]
X-AntiAbuse: Sender Address Domain - gluu.org
X-BWhitelist: no
X-Source: 
X-Source-Args: 
X-Source-Dir: 
X-Source-Sender: (mail.gluu.org) [127.0.0.1]:49256
X-Source-Auth: mike@gluu.org
X-Email-Count: 7
X-Source-Cap: ZGlnaW1vbjtkaWdpbW9uO2dhdG9yNDA1Lmhvc3RnYXRvci5jb20=
X-Mailman-Approved-At: Tue, 13 Aug 2013 07:27:05 -0700
Cc: oauth@ietf.org
Subject: Re: [OAUTH-WG] OX needs Dynamic Registration: please don't remove!
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 13 Aug 2013 14:22:11 -0000

Anthony,

As I mentioned, we are using it as part of the OX UMA implementation. 
Can you be more specific?
   1) What parts of it would cause add'l management?
   2) What parts do not meet your requirements that could not be
      satisfied with a supplemental profile?

- Mike



On 2013-08-13 09:15, Anthony Nadalin wrote:
> Who has implemented draft-ietf-oauth-dyn-reg-14 [5] and is in
> production (of some sort)? We have no plans to implement as it does
> not meet our requirements/use cases and causes additional management
> and thus I believe would not serve as a valid core document to expand
> upon.
>
> FROM: oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] ON BEHALF OF Justin Richer
> SENT: Tuesday, August 13, 2013 6:59 AM
> TO: George Fletcher
> CC: mike@gluu.org; oauth@ietf.org
> SUBJECT: Re: [OAUTH-WG] OX needs Dynamic Registration: please don't remove!
>
> +1
>
> On 08/13/2013 09:34 AM, George Fletcher wrote:
>
>> I know I wasn't at the IETF meeting but I'm confused regarding all 
>> this talk of "lack of consensus". It seems to me there is a lot of 
>> consensus regarding the existing spec (given all the current 
>> implementations). Couple that with the fact that the current spec 
>> doesn't exclude the additional use cases that you've raised, I don't 
>> see why we don't establish the current spec as the core document and 
>> then develop profiles for the additional use cases. It is unlikely 
>> that there is going to be a true single solution because to cover all 
>> the use cases it will have to be so flexible that profiles will arise 
>> regardless. In that case, let's build off the solid core that we have 
>> and add these additional profiles providing a win-win for 
>> implementers.
>>
>> My 2 cents:)
>>
>> Thanks,
>> George
>>
>> On 8/12/13 7:55 PM, Phil Hunt wrote:
>>
>>> I don't think there is a call to stop work. However there is a lack 
>>> of consensus on the current draft moving forward.
>>>
>>> I too want a single, simple solution.
>>>
>>> Phil
>>>
>>> On 2013-08-08, at 13:22, mike@gluu.org wrote:
>>>
>>>> OAuth WG,
>>>>
>>>> As some of you may know, the OX open source project provides an 
>>>> implementation of Enterprise UMA, which enables organizations to 
>>>> control which people and clients can access web resources.
>>>>
>>>> I rarely weigh in, because you all are doing such a great job. 
>>>> However, I was quite distressed to learn about the suggestion to 
>>>> stop work on the dynamic client registration spec. This proposed 
>>>> change would have a negative impact on OX, and the varied adopters 
>>>> of our software from around the world.
>>>>
>>>> No standard for dynamic client registration would make OX less 
>>>> "standard" by creating a bigger delta between UMA and other OAuth2 
>>>> implementations. As OX also implements the OpenID Connect OP 
>>>> endpoints, and dropping this effort would also make a convergence 
>>>> path for client registration less likely.
>>>>
>>>> Please leave dynamic client registration!
>>>>
>>>> Thanks for all your great work!
>>>>
>>>> - Mike Schwartz
>>>>
>>>> Founder / CEO
>>>>
>>>> Gluu
>>>>
>>>> http://gluu.org [1]
>>>>
>>>> PS: Help us crowd fund open source OAuth2 plugins for Apache HTTPD 
>>>> : http://www.gluu.co/uma-apache [2]
>>>>
>>>> _______________________________________________
>>>>
>>>> OAuth mailing list
>>>>
>>>> OAuth@ietf.org
>>>>
>>>> https://www.ietf.org/mailman/listinfo/oauth [3]
>>>
>>
>> --
>> [4]
>>
>
>
>
> Links:
> ------
> [1] http://gluu.org
> [2] http://www.gluu.co/uma-apache
> [3] https://www.ietf.org/mailman/listinfo/oauth
> [4] http://connect.me/gffletch
> [5] http://datatracker.ietf.org/doc/draft-ietf-oauth-dyn-reg/

From tonynad@microsoft.com  Tue Aug 13 07:34:28 2013
Return-Path: <tonynad@microsoft.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 296CC11E8176 for <oauth@ietfa.amsl.com>; Tue, 13 Aug 2013 07:34:28 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.999
X-Spam-Level: 
X-Spam-Status: No, score=-2.999 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, J_CHICKENPOX_31=0.6, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id vJ3j04fjlEIU for <oauth@ietfa.amsl.com>; Tue, 13 Aug 2013 07:34:24 -0700 (PDT)
Received: from na01-by2-obe.outbound.protection.outlook.com (mail-by2lp0238.outbound.protection.outlook.com [207.46.163.238]) by ietfa.amsl.com (Postfix) with ESMTP id 57BAA11E815C for <oauth@ietf.org>; Tue, 13 Aug 2013 07:34:24 -0700 (PDT)
Received: from BY2PR03MB191.namprd03.prod.outlook.com (10.242.36.143) by BY2PR03MB141.namprd03.prod.outlook.com (10.242.35.143) with Microsoft SMTP Server (TLS) id 15.0.745.25; Tue, 13 Aug 2013 14:34:22 +0000
Received: from BY2PR03MB189.namprd03.prod.outlook.com (10.242.36.140) by BY2PR03MB191.namprd03.prod.outlook.com (10.242.36.143) with Microsoft SMTP Server (TLS) id 15.0.745.25; Tue, 13 Aug 2013 14:34:20 +0000
Received: from BY2PR03MB189.namprd03.prod.outlook.com ([169.254.6.82]) by BY2PR03MB189.namprd03.prod.outlook.com ([169.254.6.176]) with mapi id 15.00.0745.000; Tue, 13 Aug 2013 14:34:20 +0000
From: Anthony Nadalin <tonynad@microsoft.com>
To: "mike@gluu.org" <mike@gluu.org>
Thread-Topic: [OAUTH-WG] OX needs Dynamic Registration: please don't remove!
Thread-Index: AQHOlScLf934cBBLpkeg6cyc2g+rW5mSRG2AgADk0ACAAAcFgIAAArgwgAADowCAAAGnEA==
Date: Tue, 13 Aug 2013 14:34:19 +0000
Message-ID: <a31200b47c9d477ca226f5e1fdb2dfbf@BY2PR03MB189.namprd03.prod.outlook.com>
References: <8e1ea7617c20b54b3cecbc99364b399a@gluu.org> " <4AACCC15-5DE8-4906-9756-0E33D37FC240@oracle.com>" <520A35CA.50006@aol.com> <520A3BAD.1050703@mitre.org> <7a9ce33274304311a64057bb305be011@BY2PR03MB189.namprd03.prod.outlook.com> <60b4af16cbbc9c5e5b00fc1e63072c45@gluu.org>
In-Reply-To: <60b4af16cbbc9c5e5b00fc1e63072c45@gluu.org>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
x-originating-ip: [2001:4898:80e0:ed43::3]
x-forefront-prvs: 0937FB07C5
x-forefront-antispam-report: SFV:NSPM; SFS:(13464003)(55885003)(69224002)(189002)(199002)(51704005)(24454002)(479174003)(377424004)(377454003)(164054003)(51856001)(74366001)(19580405001)(19580385001)(65816001)(77982001)(59766001)(76786001)(33646001)(83072001)(15395725003)(19580395003)(76796001)(83322001)(46102001)(47976001)(80022001)(76576001)(49866001)(47736001)(4396001)(79102001)(15202345003)(74316001)(81542001)(69226001)(74876001)(16406001)(53806001)(54356001)(16601075003)(50986001)(56816003)(63696002)(74706001)(56776001)(47446002)(80976001)(74502001)(31966008)(54316002)(76482001)(77096001)(74662001)(81686001)(81342001)(42262001)(24736002)(3826001)(564094006); DIR:OUT; SFP:; SCL:1; SRVR:BY2PR03MB191; H:BY2PR03MB189.namprd03.prod.outlook.com; CLIP:2001:4898:80e0:ed43::3; RD:InfoNoRecords; MX:1; A:1; LANG:en; 
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-MS-Exchange-CrossPremises-AuthAs: Internal
X-MS-Exchange-CrossPremises-AuthMechanism: 03
X-MS-Exchange-CrossPremises-AuthSource: BY2PR03MB189.namprd03.prod.outlook.com
X-MS-Exchange-CrossPremises-SCL: 1
X-MS-Exchange-CrossPremises-messagesource: StoreDriver
X-MS-Exchange-CrossPremises-BCC: 
X-MS-Exchange-CrossPremises-originalclientipaddress: 2001:4898:80e0:ed43::3
X-MS-Exchange-CrossPremises-avstamp-service: 1.0
X-MS-Exchange-CrossPremises-antispam-scancontext: DIR:Originating; SFV:NSPM; SKIP:0; 
X-MS-Exchange-CrossPremises-processed-by-journaling: Journal Agent
X-MS-Exchange-CrossPremises-ContentConversionOptions: False; 00160000; True; ; iso-8859-1
X-OrganizationHeadersPreserved: BY2PR03MB191.namprd03.prod.outlook.com
X-OriginatorOrg: DuplicateDomain-a84fc36a-4ed7-4e57-ab1c-3e967bcbad48.microsoft.com
Cc: "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] OX needs Dynamic Registration: please don't remove!
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 13 Aug 2013 14:34:28 -0000

From tonynad@microsoft.com  Tue Aug 13 07:39:14 2013
Return-Path: <tonynad@microsoft.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C14E121F9D9B for <oauth@ietfa.amsl.com>; Tue, 13 Aug 2013 07:39:13 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.299
X-Spam-Level: 
X-Spam-Status: No, score=-3.299 tagged_above=-999 required=5 tests=[AWL=0.300,  BAYES_00=-2.599, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id FmdBdH+SRc3n for <oauth@ietfa.amsl.com>; Tue, 13 Aug 2013 07:39:07 -0700 (PDT)
Received: from na01-bl2-obe.outbound.protection.outlook.com (mail-bl2lp0203.outbound.protection.outlook.com [207.46.163.203]) by ietfa.amsl.com (Postfix) with ESMTP id 6B4CF21E812E for <oauth@ietf.org>; Tue, 13 Aug 2013 07:39:06 -0700 (PDT)
Received: from BY2PR03MB189.namprd03.prod.outlook.com (10.242.36.140) by BY2PR03MB189.namprd03.prod.outlook.com (10.242.36.140) with Microsoft SMTP Server (TLS) id 15.0.745.25; Tue, 13 Aug 2013 14:39:00 +0000
Received: from BY2PR03MB189.namprd03.prod.outlook.com ([169.254.6.82]) by BY2PR03MB189.namprd03.prod.outlook.com ([169.254.6.176]) with mapi id 15.00.0745.000; Tue, 13 Aug 2013 14:38:59 +0000
From: Anthony Nadalin <tonynad@microsoft.com>
To: Sergey Beryozkin <sberyozkin@gmail.com>, "oauth@ietf.org" <oauth@ietf.org>
Thread-Topic: [OAUTH-WG] A Proposal for Dynamic Registration
Thread-Index: AQHOkusVub8uV8Fzs026F8FprsDzrJmRWGUAgABMxQCAAEydgIAADVMAgADNE4CAAHMVYA==
Date: Tue, 13 Aug 2013 14:38:59 +0000
Message-ID: <99291d0fdd4742ef9e7ae01aa3eea8b5@BY2PR03MB189.namprd03.prod.outlook.com>
References: <52016822.2090703@mitre.org> <5208AC1A.5060606@mnt.se> <5208EC80.3060707@mitre.org> <0C7A9772-5D04-4CF6-8723-42AEF0877B43@oracle.com> <520937F2.5060700@mitre.org> <5209E3F9.9090402@gmail.com>
In-Reply-To: <5209E3F9.9090402@gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
x-originating-ip: [2001:4898:80e0:ed43::3]
x-forefront-prvs: 0937FB07C5
x-forefront-antispam-report: SFV:NSPM; SFS:(13464003)(57704003)(199002)(189002)(51704005)(377454003)(479174003)(24454002)(377424004)(51444003)(51856001)(50986001)(63696002)(65816001)(59766001)(74366001)(77982001)(76786001)(19580405001)(19580385001)(83072001)(19580395003)(83322001)(76576001)(33646001)(76796001)(46102001)(47976001)(47736001)(80022001)(49866001)(79102001)(4396001)(561944002)(74316001)(81542001)(69226001)(74876001)(16406001)(15974865002)(53806001)(54356001)(56816003)(77096001)(80976001)(74706001)(74502001)(31966008)(54316002)(74662001)(47446002)(81686001)(81342001)(76482001)(56776001)(42262001)(3826001)(24736002); DIR:OUT; SFP:; SCL:1; SRVR:BY2PR03MB189; H:BY2PR03MB189.namprd03.prod.outlook.com; CLIP:2001:4898:80e0:ed43::3; RD:InfoNoRecords; A:1; MX:1; LANG:en; 
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-OriginatorOrg: DuplicateDomain-a84fc36a-4ed7-4e57-ab1c-3e967bcbad48.microsoft.com
X-MS-Exchange-CrossPremises-AuthAs: Internal
X-MS-Exchange-CrossPremises-AuthMechanism: 03
X-MS-Exchange-CrossPremises-AuthSource: BY2PR03MB189.namprd03.prod.outlook.com
X-MS-Exchange-CrossPremises-SCL: 1
X-MS-Exchange-CrossPremises-messagesource: StoreDriver
X-MS-Exchange-CrossPremises-BCC: 
X-MS-Exchange-CrossPremises-originalclientipaddress: 2001:4898:80e0:ed43::3
X-MS-Exchange-CrossPremises-avstamp-service: 1.0
X-MS-Exchange-CrossPremises-antispam-scancontext: DIR:Originating; SFV:NSPM; SKIP:0; 
X-MS-Exchange-CrossPremises-processed-by-journaling: Journal Agent
X-MS-Exchange-CrossPremises-ContentConversionOptions: False; 00160000; True; ; iso-8859-1
X-OrganizationHeadersPreserved: BY2PR03MB189.namprd03.prod.outlook.com
Subject: Re: [OAUTH-WG] A Proposal for Dynamic Registration
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 13 Aug 2013 14:39:14 -0000

so the CRUD operations are not an overlap, the provisioning aspects are not an overlap, Interesting view

-----Original Message-----
From: oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] On Behalf Of Sergey Beryozkin
Sent: Tuesday, August 13, 2013 12:45 AM
To: oauth@ietf.org
Subject: Re: [OAUTH-WG] A Proposal for Dynamic Registration

For whatever it is worth, let me add my 2c, I've briefly looked through the latest Dynamic Registration Draft, and also briefly looked at SCIM - interesting specification, did not know it even exists :-).

IMHO these are 2 rather different texts, SCIM looks very useful, look forward to understanding it better :-), but it appears to be at a higher level than Dyn Reg Draft is - the latter is centric around a specific use case as far as I can see and the whole language of the latter is about addressing this specific use case. Appears to me SCIM and DynReg of OAuth2 Clients texts complement each other as opposed to 'compete' with each other, and they intersect simply because they use some similar terminology. I may be repeating some of what is said below.

Re the use of assertions: I'd like to think that getting the assertions flowing in OAuth2 applications is useful only when we have a task of integrating with existing IDPs or some other involved scenarios. Using them as the central pieces of the protocol will raise the complexity bar.

Apologies for not commenting inline - the above is just the comments after a brief overview of the documents :-)

Cheers, Sergey

On 12/08/13 22:30, Justin Richer wrote:
> I think you're misunderstanding what I'm saying with regard to the
> various protocols -- the different registration systems weren't
> incompatible for any deep seated assumptions or different data models.
> They were incompatible because of different names, different formats,
> different things being used to do the same thing. Small, stupid
> differences that none of the groups were particularly tied to at the
> time, but getting them all to agree to call something "foo" and not
> "bar" is where the draft that we have came in. Now you're suggesting
> that we go back to all these groups and say "well we know we told you
> to use 'foo' for this field, but now instead we're going to change it
> to 'bar', except that 'bar' isn't exactly 'bar', it's more like 'baz',
> and you need to throw out half your use cases". Ridiculous, is it not?
>
> All of your questions about what's required or not for supporting
> dynamic client registration have been brought up and discussed in the
> history of the document in its various forms over the past couple years.
> It started out as a one-way registration, no CRUD ops or lifecycle
> management. Then people started to use it and realized that we needed
> those things, so we've added them. Once we were in that direction, we
> realized we were doing CRUD-like operations but weren't being RESTful
> where it made sense to be, so now it's a JSON-based RESTful API. We
> used to force client secrets to be used (even by public clients using
> things like the implicit or assertion flows) to access this API, but
> then we realized we could eat our own dogfood and use OAuth tokens,
> and that's where we got the registration access token. We used to have
> registration be an open POST only, but then there were very real use
> cases, real deployments, and real extension mechanisms that could be
> enabled by having the initial registration optionally be protected as
> an OAuth2 protected resource as well, so that's where we got the
> initial access token. We originally had a fixed set of client
> parameters, but groups quickly wanted to add more, so we made that
> extensible. We originally had simple string values, but people wanted
> to be able to have localized text as well, so that was added.
>
> All of these are visible in the document history, particularly if you
> look at it across the IETF, UMA, and OpenID specs as a whole. You make
> it sound as if we simply waved our hands and grabbed a bunch of
> features out of thin air and implemented them, and that's absolutely
> not the case. Everything in that draft is the result of lots of
> discussion, implementation, and deployment. Do I need to mention again
> that people are actively running this code today?
>
> Also, I don't intend to disparage the SCIM protocol -- it's a great
> protocol for what it does, and in user and group provisioning it's
> exactly what I look toward. We're looking to potentially deploy it on
> some of my projects as well, so I'm certainly not against it. However,
> I'm not one to see it as a silver bullet for solving all RESTful API
> problems in the world, and that's exactly what I see it being
> positioned as here. Every function in the Dyn Reg spec that you claim "duplicates"
> SCIM are actually just things that it gets from being RESTful. So in
> other words, the similarities are from similar genetics, not from
> direct competition. Quite frankly, I think that what's happening here
> is that by taking the SCIM-hammer in hand you're seeing OAuth Dyn Reg as a nail.
> Also, I still think that you're ignoring the cost of implementing SCIM
> for people who aren't already doing so, especially when compared to
> the cost of implementing another (smaller, simpler, fit-to-purpose)
> RESTful API.
>
> As to the direct assertions, I'm interested in seeing where it goes,
> but I don't yet (today) see how it can work in practice. And in any
> case it needs a lot more work. Take the code flow, for example -- how
> does the client present the assertion to the authorization endpoint?
> And what does it use for client_id (a required parameter)? Also, to
> the question that I asked at the IETF meeting, what about the case
> where you've got hundreds of thousands of auth servers protecting the
> same kind of API -- where does a client go to get its assertion then?
>
> As to the "dynamic" nature of the clients, it's the *relationship*
> that's dynamic. You're once again conflating the code that executes
> with the instance of the code as seen by a particular authorization server.
> Also, in my own personal experience, there are things that change for
> a given piece of code depending on its deployment circumstances -- the
> redirect_uris for a web client, for instance, are going to be
> different depending on *where* that client software is served from.
>
> Judging by our past conversations, I think that your model of what
> makes up a client and what makes up an auth server is valid, but
> limited, and this is continuing to color your view of what this
> protocol needs. I'd rather have something that works across the many
> ways that OAuth is being used today and can be used in the future.
>
>   -- Justin
>
> On 08/12/2013 02:43 PM, Phil Hunt wrote:
>> Inline...
>>
>> Phil
>>
>> @independentid
>> www.independentid.com
>> phil.hunt@oracle.com
>>
>>
>>
>>
>>
>> On 2013-08-12, at 4:09 PM, Justin Richer <jricher@mitre.org> wrote:
>>
>>> I think it's very important that we put *some* stake in the ground
>>> for the likes of OIDC, BB+, UMA, and the other higher-level
>>> protocols and systems that are looking toward us for Dyn Reg now.
>>> They weren't, previously -- all of these had mutually incompatible
>>> registration systems, but the work we've done so far with Dyn Reg
>>> has made a system that everyone can use. If we don't declare a
>>> baseline, and do so soon, then I fully believe that these groups
>>> will either fracture unnecessarily, or they'll ignore the IETF. Or both.
>> [PH] Your position here indicates to me that there is not a lot of
>> natural consensus between OIDC, BB+, UMA and others. If these groups
>> are aligning solely because of moral pressure to have a single
>> standard -- which you seem to imply by the need to "put a stake in
>> the ground", it suggests the technical proposal is not right yet.
>>
>> Despite your disparaging of SCIM, I don't think that's the issue.
>> Whether SCIM or custom API, the Dyn Reg model places too much
>> complexity solely on the client to registration endpoint relationship.
>>
>> For example, the information content of what the client is asserting
>> is *not* dynamic - only the act of registration is. The client app is
>> for the most part, "fixed", coded in a particular way for use with a
>> specific set of APIs. Dyn Reg (and the SCIM variant) go well beyond
>> just issuing a client_id and exchange all oauth protocol information
>> on the assumption any value might change.  This is a very complex
>> approach.
>>
>> Then there is the issue of needing full CRUD support, I have not
>> bought into the need for apps to be able to update registration.  Why
>> would they do this?  Why do we need de-registration, wouldn't
>> Torsten's revocation draft suffice?
>>
>> The reason I think the assertion model might be a better path, is
>> that it assumes a larger multi-party flow which moves complexity away
>> from the registration endpoint to the point that in most cases a
>> simple cert swap is all that is needed from the client's perspective.
>>
>> When Tony and I put forward the SCIM variant, we thought that might
>> be a compromise.  Still after putting it forward, I now feel the same
>> way about it as I do the Dyn Reg draft.  What is useful from it, is
>> the notion of defining a software statement which can be used to
>> simplify the registration process greatly.
>>
>>> I'll leave it to the chairs to decide if this gets tagged
>>> "experimental" or "standards", but I think that we're doing the
>>> world a disservice by not shipping what we have.
>>>
>>> -- Justin
>>>
>>> On 08/12/2013 05:34 AM, Leif Johansson wrote:
>>>> On 08/06/2013 11:18 PM, Justin Richer wrote:
>>>>
>>>> <snip>
>>>>>   - OAuth Dynamic Registration
>>>>>   - SCIM-based OAuth Dynamic Registration
>>>>>   - Software Statements for OAuth Dynamic Registration
>>>>>
>>>> This thread makes me think we should break out the EXPERIMENTAL
>>>> track: spin two or more proposed solutions as EXPERIMENTAL. Let the
>>>> various groups do what they're gonna do (which they'll do anyway)
>>>> and let the chips fall where they may.
>>>>
>>>> Tony is right in interpreting the discussions in Berlin as quite
>>>> fractured.
>>>> Pushing for standards track seems premature.
>>>>
>>>> OTOH the transition from EXPERIMENTAL to STANDARDS TRACK can be as
>>>> quick as a couple of I-Ds describing the outcome of the
>>>> implementation and deployment work that will happen anyway (as you
>>>> so correctly observe) after which the WG decides how to move
>>>> forward.
>>>>
>>>> Since bb+ and openidc will do dynreg anyway the document track
>>>> doesn't really matter which means the usual "vendors won't
>>>> implement unless it's a real RFC"-argument doesn't apply here anyway.
>>>>
>>>>          Cheers Leif
>>>>
>>>>
>>>>


_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
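
The two tokens that Justin's quoted message describes (an initial access token guarding registration, and a per-client registration access token guarding later read/update/delete), modelled in Python as an added example that is not part of the thread or of the draft's text. Class and method names are hypothetical, the https-only redirect policy is an assumption of this example, and all token values are constructed.

```python
import hashlib
import hmac
import secrets
from urllib.parse import urlsplit


class RegistrationError(Exception):
    """Carries the HTTP status and error code an endpoint would return."""

    def __init__(self, status, error):
        super().__init__(f"{status} {error}")
        self.status = status
        self.error = error


def _digest(token):
    # Only digests are stored and compared, so a leaked client table
    # holds no usable bearer tokens.
    return hashlib.sha256((token or "").encode()).digest()


def _validate(metadata):
    # Example policy (assumption): at least one https redirect URI,
    # and none of them may carry a fragment.
    uris = metadata.get("redirect_uris")
    if not isinstance(uris, list) or not uris:
        raise RegistrationError(400, "invalid_redirect_uri")
    for uri in uris:
        try:
            parts = urlsplit(uri) if isinstance(uri, str) else None
        except ValueError:
            parts = None
        if not parts or parts.scheme != "https" or not parts.netloc or parts.fragment:
            raise RegistrationError(400, "invalid_redirect_uri")
    return dict(metadata)


class RegistrationEndpoint:
    def __init__(self, initial_access_tokens=None):
        # None models open registration; otherwise one of these bearer
        # tokens must accompany the initial registration request.
        self._initial = (None if initial_access_tokens is None
                         else [_digest(t) for t in initial_access_tokens])
        self._clients = {}

    def register(self, metadata, bearer=None):
        if self._initial is not None:
            presented = _digest(bearer)
            # Compare against every entry so timing does not reveal which matched.
            if not any([hmac.compare_digest(d, presented) for d in self._initial]):
                raise RegistrationError(401, "invalid_token")
        record = _validate(metadata)
        client_id = secrets.token_urlsafe(16)
        token = secrets.token_urlsafe(32)
        self._clients[client_id] = {"metadata": record, "token": _digest(token)}
        # Server-issued values win over anything the client tried to supply.
        return {**record, "client_id": client_id,
                "registration_access_token": token}

    def _authorize(self, client_id, bearer):
        entry = self._clients.get(client_id)
        # An unknown client and a wrong token look identical to the caller.
        expected = entry["token"] if entry else _digest(secrets.token_urlsafe(32))
        if not hmac.compare_digest(expected, _digest(bearer)) or entry is None:
            raise RegistrationError(401, "invalid_token")
        return entry

    def read(self, client_id, bearer):
        entry = self._authorize(client_id, bearer)
        return {**entry["metadata"], "client_id": client_id}

    def update(self, client_id, bearer, metadata):
        entry = self._authorize(client_id, bearer)
        entry["metadata"] = _validate(metadata)
        return {**entry["metadata"], "client_id": client_id}

    def delete(self, client_id, bearer):
        self._authorize(client_id, bearer)
        del self._clients[client_id]


if __name__ == "__main__":
    ep = RegistrationEndpoint(initial_access_tokens={"constructed-initial-token"})
    reg = ep.register({"redirect_uris": ["https://client.example/cb"]},
                      bearer="constructed-initial-token")
    print(ep.read(reg["client_id"], reg["registration_access_token"]))
```

The initial access token only opens the door to registration; it is deliberately rejected by `read`, `update` and `delete`, which accept only the token issued for that one client.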


From gffletch@aol.com  Tue Aug 13 07:40:14 2013
Return-Path: <gffletch@aol.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id AFDEE21F8E70 for <oauth@ietfa.amsl.com>; Tue, 13 Aug 2013 07:40:14 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.298
X-Spam-Level: 
X-Spam-Status: No, score=-2.298 tagged_above=-999 required=5 tests=[AWL=-0.300, BAYES_00=-2.599, HTML_MESSAGE=0.001, J_CHICKENPOX_31=0.6]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id w8XwMgh+yWXF for <oauth@ietfa.amsl.com>; Tue, 13 Aug 2013 07:40:10 -0700 (PDT)
Received: from omr-d01.mx.aol.com (omr-d01.mx.aol.com [205.188.252.208]) by ietfa.amsl.com (Postfix) with ESMTP id 44EE521F9ED4 for <oauth@ietf.org>; Tue, 13 Aug 2013 07:40:10 -0700 (PDT)
Received: from mtaout-db06.r1000.mx.aol.com (mtaout-db06.r1000.mx.aol.com [172.29.51.198]) by omr-d01.mx.aol.com (Outbound Mail Relay) with ESMTP id D25BE70057A63; Tue, 13 Aug 2013 10:40:09 -0400 (EDT)
Received: from ping-audit-10-181-176-212-20120320.ops.aol.com (ping-audit-10-181-176-212-20120320.ops.aol.com [10.181.176.212]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by mtaout-db06.r1000.mx.aol.com (MUA/Third Party Client Interface) with ESMTPSA id 642D4E00008F; Tue, 13 Aug 2013 10:40:09 -0400 (EDT)
Message-ID: <520A4549.5040206@aol.com>
Date: Tue, 13 Aug 2013 10:40:09 -0400
From: George Fletcher <gffletch@aol.com>
Organization: AOL LLC
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:17.0) Gecko/20130801 Thunderbird/17.0.8
MIME-Version: 1.0
To: Anthony Nadalin <tonynad@microsoft.com>
References: <8e1ea7617c20b54b3cecbc99364b399a@gluu.org> " <4AACCC15-5DE8-4906-9756-0E33D37FC240@oracle.com>" <520A35CA.50006@aol.com> <520A3BAD.1050703@mitre.org> <7a9ce33274304311a64057bb305be011@BY2PR03MB189.namprd03.prod.outlook.com> <60b4af16cbbc9c5e5b00fc1e63072c45@gluu.org> <a31200b47c9d477ca226f5e1fdb2dfbf@BY2PR03MB189.namprd03.prod.outlook.com>
In-Reply-To: <a31200b47c9d477ca226f5e1fdb2dfbf@BY2PR03MB189.namprd03.prod.outlook.com>
Content-Type: multipart/alternative; boundary="------------030205070400020007010303"
x-aol-global-disposition: G
X-AOL-VSS-INFO: 5400.1158/92916
X-AOL-VSS-CODE: clean
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=mx.aol.com; s=20121107; t=1376404809; bh=Rrf+folapzi09f8FJ9gxWqymDwcaGvEMo+ZKY7jLg3Y=; h=From:To:Subject:Message-ID:Date:MIME-Version:Content-Type; b=CjCVMryIpsDPQWf8ocTZcPPlfx8d7Y+cc9xnyhX4JByns87/YSmHSvpUwRxo0AxkD Dcf18OwPvZy9oNDoKS0AWgwzRZr9xjF1sdNQOPX+KP/sA+mOhZl7l+L4oeLuKRqheR pNPnfb4od7sfjnBTgM4ZqiVwl1cLTvBD/m7naQC0=
x-aol-sid: 3039ac1d33c6520a45490ff8
X-AOL-IP: 10.181.176.212
Cc: "mike@gluu.org" <mike@gluu.org>, "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] OX needs Dynamic Registration: please don't remove!
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 13 Aug 2013 14:40:14 -0000

This is a multi-part message in MIME format.
--------------030205070400020007010303
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 7bit

Hi Tony,

Could you please explain a little more?

For issue 1:
* Which "secret" are you referring to? OAuth2 by default allows for an 
optional client_secret. I'm not sure why this would cause management 
issues? Or are you referring to the "Registration Access Token"?
* Why is a separate endpoint an issue? Any client is going to be talking 
to more than just the /authorize and /token endpoints anyway so I'm 
confused regarding the extra complexity?

For issue 2:
* What specifically do you mean by "multi-tenant"? Is this one server 
acting on behalf of multiple tenants and so appearing as multiple 
Authorization Servers?

Thanks,
George

On 8/13/13 10:34 AM, Anthony Nadalin wrote:
> So, (1) Management of the secret causes us management issues, yet another endpoint to manage, there may be ways around this issue with assertions. (2) The schema/data model are not useable as defined. Internationalization is an issue. Multi-tenant issues, this also goes back to schema/data model.
>
>
> -----Original Message-----
> From: mike@gluu.org [mailto:mike@gluu.org]
> Sent: Tuesday, August 13, 2013 7:22 AM
> To: Anthony Nadalin
> Cc: Justin Richer; George Fletcher; oauth@ietf.org
> Subject: RE: [OAUTH-WG] OX needs Dynamic Registration: please don't remove!
>
> Anthony,
>
> As I mentioned, we are using it as part of the OX UMA implementation.
> Can you be more specific?
>     1) What parts of it would cause add'l management?
>     2) What parts do not meet your requirements that could not be satisfied with a
>        supplemental profile?
>
> - Mike
>
>
>
> On 2013-08-13 09:15, Anthony Nadalin wrote:
>> Who has implemented draft-ietf-oauth-dyn-reg-14 [5] and is in
>> production (of some sort) ? We have no plans to implement as it does
>> not meet our requirements/use cases and causes additional management
>> and thus I believe would not serve as a valid core document to expand
>> upon.
>>
>> FROM: oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] ON BEHALF
>> OF Justin Richer
>>   SENT: Tuesday, August 13, 2013 6:59 AM
>>   TO: George Fletcher
>>   CC: mike@gluu.org; oauth@ietf.org
>>   SUBJECT: Re: [OAUTH-WG] OX needs Dynamic Registration: please don't
>> remove!
>>
>> +1
>>
>> On 08/13/2013 09:34 AM, George Fletcher wrote:
>>
>>> I know I wasn't at the IETF meeting but I'm confused regarding all
>>> this talk of "lack of consensus". It seems to me there is a lot of
>>> consensus regarding the existing spec (given all the current
>>> implementations). Couple that with the fact that the current spec
>>> doesn't exclude the additional use cases that you've raised, I don't
>>> see why we don't establish the current spec as the core document and
>>> then develop profiles for the additional use cases. It is unlikely
>>> that there is going to be a true single solution because to cover all
>>> the use cases it will have to be so flexible that profiles will arise
>>> regardless. In that case, let's build off the solid core that we have
>>> and add these additional profiles providing a win-win for
>>> implementers.
>>>
>>> My 2 cents:)
>>>
>>> Thanks,
>>> George
>>>
>>> On 8/12/13 7:55 PM, Phil Hunt wrote:
>>>
>>>> I don't think there is a call to stop work. However there is a lack
>>>> of consensus on the current draft moving forward.
>>>>
>>>> I too want a single, simple solution.
>>>>
>>>> Phil
>>>>
>>>> On 2013-08-08, at 13:22, mike@gluu.org wrote:
>>>>
>>>>> OAuth WG,
>>>>>
>>>>> As some of you may know, the OX open source project provides an
>>>>> implementation of Enterprise UMA, which enables organizations to
>>>>> control which people and clients can access web resources.
>>>>>
>>>>> I rarely weigh in, because you all are doing such a great job.
>>>>> However, I was quite distressed to learn about the suggestion to
>>>>> stop work on the dynamic client registration spec. This proposed
>>>>> change would have a negative impact on OX, and the varied adopters
>>>>> of our software from around the world.
>>>>>
>>>>> No standard for dynamic client registration would make OX less
>>>>> "standard" by creating a bigger delta between UMA and other OAuth2
>>>>> implementations. As OX also implements the OpenID Connect OP
>>>>> endpoints, dropping this effort would also make a convergence
>>>>> path for client registration less likely.
>>>>>
>>>>> Please leave dynamic client registration!
>>>>>
>>>>> Thanks for all your great work!
>>>>>
>>>>> - Mike Schwartz
>>>>>
>>>>> Founder / CEO
>>>>>
>>>>> Gluu
>>>>>
>>>>> http://gluu.org [1]
>>>>>
>>>>> PS: Help us crowd fund open source OAuth2 plugins for Apache HTTPD
>>>>> : http://www.gluu.co/uma-apache [2]
>>>>>
>>> --
>>> [4]
>>>
>>
>>
>> Links:
>> ------
>> [1] http://gluu.org
>> [2] http://www.gluu.co/uma-apache
>> [3] https://www.ietf.org/mailman/listinfo/oauth
>> [4] http://connect.me/gffletch
>> [5] http://datatracker.ietf.org/doc/draft-ietf-oauth-dyn-reg/

-- 
George Fletcher <http://connect.me/gffletch>

--------------030205070400020007010303
Content-Type: multipart/related;
 boundary="------------000301010109040001090301"


--------------000301010109040001090301
Content-Type: text/html; charset=UTF-8
Content-Transfer-Encoding: 7bit

<html>
  <head>
    <meta content="text/html; charset=UTF-8" http-equiv="Content-Type">
  </head>
  <body bgcolor="#FFFFFF" text="#000000">
    <font face="Helvetica, Arial, sans-serif">Hi Tony,<br>
      <br>
      Could you please explain a little more? <br>
      <br>
      For issue 1:<br>
      * Which "secret" are you referring to? OAuth2 by default allows
      for an optional client_secret. I'm not sure why this would cause
      management issues? Or are you referring to the "Registration
      Access Token"?<br>
      * Why is a separate endpoint an issue? Any client is going to be
      talking to more than just the /authorize and /token endpoints
      anyway so I'm confused regarding the extra complexity?<br>
      <br>
      For issue 2:<br>
      * What specifically do you mean by "multi-tenant"? Is this one
      server acting on behalf of multiple tenants and so appearing as
      multiple Authorization Servers? <br>
      <br>
      Thanks,<br>
      George</font><br>
    <meta http-equiv="content-type" content="text/html; charset=UTF-8">
    <br>
    <div class="moz-cite-prefix">On 8/13/13 10:34 AM, Anthony Nadalin
      wrote:<br>
    </div>
    <blockquote
cite="mid:a31200b47c9d477ca226f5e1fdb2dfbf@BY2PR03MB189.namprd03.prod.outlook.com"
      type="cite">
      <pre wrap="">So, (1) Management of the secret causes us management issues, yet another endpoint to manage, there may be ways around this issue with assertions. (2) The schema/data model are not useable as defined. Internationalization is an issue. Multi-tenant issues, this also goes back to schema/data model.


-----Original Message-----
From: <a class="moz-txt-link-abbreviated" href="mailto:mike@gluu.org">mike@gluu.org</a> [<a class="moz-txt-link-freetext" href="mailto:mike@gluu.org">mailto:mike@gluu.org</a>] 
Sent: Tuesday, August 13, 2013 7:22 AM
To: Anthony Nadalin
Cc: Justin Richer; George Fletcher; <a class="moz-txt-link-abbreviated" href="mailto:oauth@ietf.org">oauth@ietf.org</a>
Subject: RE: [OAUTH-WG] OX needs Dynamic Registration: please don't remove!

Anthony,

As I mentioned, we are using it as part of the OX UMA implementation. 
Can you be more specific?
   1) What parts of it would cause add'l management?
   2) What parts do not meet your requirements that could not be satisfied with a
      supplemental profile?

- Mike



On 2013-08-13 09:15, Anthony Nadalin wrote:
</pre>
      <blockquote type="cite">
        <pre wrap="">Who has implemented draft-ietf-oauth-dyn-reg-14 [5] and is in 
production (of some sort) ? We have no plans to implement as it does 
not meet our requirements/use cases and causes additional management 
and thus I believe would not serve as a valid core document to expand 
upon.

FROM: <a class="moz-txt-link-abbreviated" href="mailto:oauth-bounces@ietf.org">oauth-bounces@ietf.org</a> [<a class="moz-txt-link-freetext" href="mailto:oauth-bounces@ietf.org">mailto:oauth-bounces@ietf.org</a>] ON BEHALF 
OF Justin Richer
 SENT: Tuesday, August 13, 2013 6:59 AM
 TO: George Fletcher
 CC: <a class="moz-txt-link-abbreviated" href="mailto:mike@gluu.org">mike@gluu.org</a>; <a class="moz-txt-link-abbreviated" href="mailto:oauth@ietf.org">oauth@ietf.org</a>
 SUBJECT: Re: [OAUTH-WG] OX needs Dynamic Registration: please don't 
remove!

+1

On 08/13/2013 09:34 AM, George Fletcher wrote:

</pre>
        <blockquote type="cite">
          <pre wrap="">I know I wasn't at the IETF meeting but I'm confused regarding all 
this talk of "lack of consensus". It seems to me there is a lot of 
consensus regarding the existing spec (given all the current 
implementations). Couple that with the fact that the current spec 
doesn't exclude the additional use cases that you've raised, I don't 
see why we don't establish the current spec as the core document and 
then develop profiles for the additional use cases. It is unlikely 
that there is going to be a true single solution because to cover all 
the use cases it will have to be so flexible that profiles will arise 
regardless. In that case, let's build off the solid core that we have 
and add these additional profiles providing a win-win for 
implementers.

My 2 cents:)

Thanks,
George

On 8/12/13 7:55 PM, Phil Hunt wrote:

</pre>
          <blockquote type="cite">
            <pre wrap="">I don't think there is a call to stop work. However there is a lack 
of consensus on the current draft moving forward.

I too want a single, simple solution.

Phil

On 2013-08-08, at 13:22, <a class="moz-txt-link-abbreviated" href="mailto:mike@gluu.org">mike@gluu.org</a> wrote:

</pre>
            <blockquote type="cite">
              <pre wrap="">OAuth WG,

As some of you may know, the OX open source project provides an 
implementation of Enterprise UMA, which enables organizations to 
control which people and clients can access web resources.

I rarely weigh in, because you all are doing such a great job. 
However, I was quite distressed to learn about the suggestion to 
stop work on the dynamic client registration spec. This proposed 
change would have a negative impact on OX, and the varied adopters 
of our software from around the world.

No standard for dynamic client registration would make OX less 
"standard" by creating a bigger delta between UMA and other OAuth2 
implementations. As OX also implements the OpenID Connect OP 
endpoints, and dropping this effort would also make a convergence 
path for client registration less likely.

Please leave dynamic client registration!

Thanks for all your great work!

- Mike Schwartz

Founder / CEO

Gluu

<a class="moz-txt-link-freetext" href="http://gluu.org">http://gluu.org</a> [1]

PS: Help us crowd fund open source OAuth2 plugins for Apache HTTPD
: <a class="moz-txt-link-freetext" href="http://www.gluu.co/uma-apache">http://www.gluu.co/uma-apache</a> [2]

</pre>
            </blockquote>
            <pre wrap="">
</pre>
          </blockquote>
          <pre wrap="">
--
[4]

</pre>
        </blockquote>
        <pre wrap="">


Links:
------
[1] <a class="moz-txt-link-freetext" href="http://gluu.org">http://gluu.org</a>
[2] <a class="moz-txt-link-freetext" href="http://www.gluu.co/uma-apache">http://www.gluu.co/uma-apache</a>
[3] <a class="moz-txt-link-freetext" href="https://www.ietf.org/mailman/listinfo/oauth">https://www.ietf.org/mailman/listinfo/oauth</a>
[4] <a class="moz-txt-link-freetext" href="http://connect.me/gffletch">http://connect.me/gffletch</a>
[5] <a class="moz-txt-link-freetext" href="http://datatracker.ietf.org/doc/draft-ietf-oauth-dyn-reg/">http://datatracker.ietf.org/doc/draft-ietf-oauth-dyn-reg/</a>
</pre>
      </blockquote>
      <pre wrap="">
</pre>
    </blockquote>
    <br>
    <div class="moz-signature">-- <br>
      <a href="http://connect.me/gffletch" title="View full card on
        Connect.Me"><img src="cid:part1.01010906.03090908@aol.com"
          alt="George Fletcher" height="113" width="359"></a></div>
  </body>
</html>

--------------000301010109040001090301--

--------------030205070400020007010303--

From tonynad@microsoft.com  Tue Aug 13 07:45:28 2013
Return-Path: <tonynad@microsoft.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 70EC221F9B52 for <oauth@ietfa.amsl.com>; Tue, 13 Aug 2013 07:45:28 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.949
X-Spam-Level: 
X-Spam-Status: No, score=-2.949 tagged_above=-999 required=5 tests=[AWL=-0.351, BAYES_00=-2.599, EXTRA_MPART_TYPE=1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id a03Wdvp5o6Uj for <oauth@ietfa.amsl.com>; Tue, 13 Aug 2013 07:45:24 -0700 (PDT)
Received: from na01-bl2-obe.outbound.protection.outlook.com (mail-bl2lp0206.outbound.protection.outlook.com [207.46.163.206]) by ietfa.amsl.com (Postfix) with ESMTP id 84B0921F90A7 for <oauth@ietf.org>; Tue, 13 Aug 2013 07:45:23 -0700 (PDT)
Received: from BY2PR03MB189.namprd03.prod.outlook.com (10.242.36.140) by BY2PR03MB189.namprd03.prod.outlook.com (10.242.36.140) with Microsoft SMTP Server (TLS) id 15.0.745.25; Tue, 13 Aug 2013 14:15:12 +0000
Received: from BY2PR03MB189.namprd03.prod.outlook.com ([169.254.6.82]) by BY2PR03MB189.namprd03.prod.outlook.com ([169.254.6.176]) with mapi id 15.00.0745.000; Tue, 13 Aug 2013 14:15:12 +0000
From: Anthony Nadalin <tonynad@microsoft.com>
To: Justin Richer <jricher@mitre.org>, George Fletcher <gffletch@aol.com>
Thread-Topic: [OAUTH-WG] OX needs Dynamic Registration: please don't remove!
Thread-Index: AQHOlScLf934cBBLpkeg6cyc2g+rW5mSRG2AgADk0ACAAAcFgIAAArgw
Date: Tue, 13 Aug 2013 14:15:11 +0000
Message-ID: <7a9ce33274304311a64057bb305be011@BY2PR03MB189.namprd03.prod.outlook.com>
References: <8e1ea7617c20b54b3cecbc99364b399a@gluu.org> <4AACCC15-5DE8-4906-9756-0E33D37FC240@oracle.com>	<520A35CA.50006@aol.com> <520A3BAD.1050703@mitre.org>
In-Reply-To: <520A3BAD.1050703@mitre.org>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator: 
x-originating-ip: [2001:4898:80e0:ed43::3]
x-forefront-prvs: 0937FB07C5
x-forefront-antispam-report: SFV:NSPM; SFS:(164054003)(69224002)(55885003)(377424004)(377454003)(479174003)(24454002)(189002)(199002)(17760045001)(69226001)(74876001)(54356001)(16406001)(53806001)(74316001)(15975445003)(49866001)(4396001)(79102001)(81542001)(31966008)(54316002)(74502001)(81686001)(81342001)(76482001)(56776001)(16601075003)(47446002)(74662001)(77096001)(80976001)(56816003)(74706001)(80022001)(65816001)(16236675002)(77982001)(59766001)(74366001)(51856001)(19300405004)(15395725003)(50986001)(63696002)(46102001)(47976001)(15202345003)(47736001)(19580405001)(19580385001)(83072001)(19580395003)(76786001)(76796001)(33646001)(83322001)(76576001)(42262001)(24736002)(3826001); DIR:OUT; SFP:; SCL:1; SRVR:BY2PR03MB189; H:BY2PR03MB189.namprd03.prod.outlook.com; CLIP:2001:4898:80e0:ed43::3; RD:InfoNoRecords; MX:1; A:1; LANG:en; 
Content-Type: multipart/related; boundary="_004_7a9ce33274304311a64057bb305be011BY2PR03MB189namprd03pro_"; type="multipart/alternative"
MIME-Version: 1.0
X-OriginatorOrg: DuplicateDomain-a84fc36a-4ed7-4e57-ab1c-3e967bcbad48.microsoft.com
X-MS-Exchange-CrossPremises-AuthAs: Internal
X-MS-Exchange-CrossPremises-AuthMechanism: 03
X-MS-Exchange-CrossPremises-AuthSource: BY2PR03MB189.namprd03.prod.outlook.com
X-MS-Exchange-CrossPremises-SCL: 1
X-MS-Exchange-CrossPremises-messagesource: StoreDriver
X-MS-Exchange-CrossPremises-BCC: 
X-MS-Exchange-CrossPremises-originalclientipaddress: 2001:4898:80e0:ed43::3
X-MS-Exchange-CrossPremises-avstamp-service: 1.0
X-MS-Exchange-CrossPremises-antispam-scancontext: DIR:Originating; SFV:NSPM; SKIP:0; 
X-MS-Exchange-CrossPremises-processed-by-journaling: Journal Agent
X-MS-Exchange-CrossPremises-ContentConversionOptions: False; 00160000; True; ; iso-8859-1
X-OrganizationHeadersPreserved: BY2PR03MB189.namprd03.prod.outlook.com
Cc: "mike@gluu.org" <mike@gluu.org>, "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] OX needs Dynamic Registration: please don't remove!
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 13 Aug 2013 14:45:29 -0000

--_004_7a9ce33274304311a64057bb305be011BY2PR03MB189namprd03pro_
Content-Type: multipart/alternative;
	boundary="_000_7a9ce33274304311a64057bb305be011BY2PR03MB189namprd03pro_"

--_000_7a9ce33274304311a64057bb305be011BY2PR03MB189namprd03pro_
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable

Who has implemented draft-ietf-oauth-dyn-reg-14<http://datatracker.ietf.org/doc/draft-ietf-oauth-dyn-reg/> and is in production (of some sort) ? We have no plans to implement as it does not meet our requirements/use cases and causes additional management and thus I believe would not serve as a valid core document to expand upon.

From: oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] On Behalf Of Justin Richer
Sent: Tuesday, August 13, 2013 6:59 AM
To: George Fletcher
Cc: mike@gluu.org; oauth@ietf.org
Subject: Re: [OAUTH-WG] OX needs Dynamic Registration: please don't remove!

+1
On 08/13/2013 09:34 AM, George Fletcher wrote:
I know I wasn't at the IETF meeting but I'm confused regarding all this talk of "lack of consensus". It seems to me there is a lot of consensus regarding the existing spec (given all the current implementations). Couple that with the fact that the current spec doesn't exclude the additional use cases that you've raised, I don't see why we don't establish the current spec as the core document and then develop profiles for the additional use cases. It is unlikely that there is going to be a true single solution because to cover all the use cases it will have to be so flexible that profiles will arise regardless. In that case, let's build off the solid core that we have and add these additional profiles providing a win-win for implementers.

My 2 cents:)

Thanks,
George
On 8/12/13 7:55 PM, Phil Hunt wrote:

I don't think there is a call to stop work. However there is a lack of consensus on the current draft moving forward.



I too want a single, simple solution.



Phil



On 2013-08-08, at 13:22, mike@gluu.org<mailto:mike@gluu.org> wrote:



OAuth WG,



As some of you may know, the OX open source project provides an implementation of Enterprise UMA, which enables organizations to control which people and clients can access web resources.



I rarely weigh in, because you all are doing such a great job. However, I was quite distressed to learn about the suggestion to stop work on the dynamic client registration spec. This proposed change would have a negative impact on OX, and the varied adopters of our software from around the world.



No standard for dynamic client registration would make OX less "standard" by creating a bigger delta between UMA and other OAuth2 implementations. As OX also implements the OpenID Connect OP endpoints, and dropping this effort would also make a convergence path for client registration less likely.



Please leave dynamic client registration!



Thanks for all your great work!



- Mike Schwartz

Founder / CEO

Gluu

http://gluu.org



PS: Help us crowd fund open source OAuth2 plugins for Apache HTTPD : http://www.gluu.co/uma-apache








--
[George              Fletcher]<http://connect.me/gffletch>






--_000_7a9ce33274304311a64057bb305be011BY2PR03MB189namprd03pro_--

--_004_7a9ce33274304311a64057bb305be011BY2PR03MB189namprd03pro_--

From tonynad@microsoft.com  Tue Aug 13 07:46:38 2013
Return-Path: <tonynad@microsoft.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id AEACB21F9C7A for <oauth@ietfa.amsl.com>; Tue, 13 Aug 2013 07:46:38 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.532
X-Spam-Level: 
X-Spam-Status: No, score=-2.532 tagged_above=-999 required=5 tests=[AWL=-0.534, BAYES_00=-2.599, EXTRA_MPART_TYPE=1, HTML_MESSAGE=0.001, J_CHICKENPOX_31=0.6, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id UzXPfadFV243 for <oauth@ietfa.amsl.com>; Tue, 13 Aug 2013 07:46:34 -0700 (PDT)
Received: from na01-by2-obe.outbound.protection.outlook.com (mail-by2lp0244.outbound.protection.outlook.com [207.46.163.244]) by ietfa.amsl.com (Postfix) with ESMTP id C72B721E812E for <oauth@ietf.org>; Tue, 13 Aug 2013 07:46:29 -0700 (PDT)
Received: from BY2PR03MB189.namprd03.prod.outlook.com (10.242.36.140) by BY2PR03MB192.namprd03.prod.outlook.com (10.242.36.144) with Microsoft SMTP Server (TLS) id 15.0.745.25; Tue, 13 Aug 2013 14:46:27 +0000
Received: from BY2PR03MB189.namprd03.prod.outlook.com ([169.254.6.82]) by BY2PR03MB189.namprd03.prod.outlook.com ([169.254.6.176]) with mapi id 15.00.0745.000; Tue, 13 Aug 2013 14:46:27 +0000
From: Anthony Nadalin <tonynad@microsoft.com>
To: George Fletcher <gffletch@aol.com>
Thread-Topic: [OAUTH-WG] OX needs Dynamic Registration: please don't remove!
Thread-Index: AQHOlScLf934cBBLpkeg6cyc2g+rW5mSRG2AgADk0ACAAAcFgIAAArgwgAADowCAAAGnEIAAA3KAgAAAraA=
Date: Tue, 13 Aug 2013 14:46:26 +0000
Message-ID: <a64cf984cc42495f9d5d362dd2f9b980@BY2PR03MB189.namprd03.prod.outlook.com>
References: <8e1ea7617c20b54b3cecbc99364b399a@gluu.org> " <4AACCC15-5DE8-4906-9756-0E33D37FC240@oracle.com>" <520A35CA.50006@aol.com> <520A3BAD.1050703@mitre.org> <7a9ce33274304311a64057bb305be011@BY2PR03MB189.namprd03.prod.outlook.com> <60b4af16cbbc9c5e5b00fc1e63072c45@gluu.org> <a31200b47c9d477ca226f5e1fdb2dfbf@BY2PR03MB189.namprd03.prod.outlook.com> <520A4549.5040206@aol.com>
In-Reply-To: <520A4549.5040206@aol.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator: 
x-originating-ip: [2001:4898:80e0:ed43::3]
x-forefront-prvs: 0937FB07C5
x-forefront-antispam-report: SFV:NSPM; SFS:(377424004)(479174003)(69224002)(377454003)(164054003)(55885003)(199002)(24454002)(13464003)(189002)(50986001)(47976001)(76482001)(47736001)(83322001)(16406001)(19580395003)(54316002)(77982001)(59766001)(15395725003)(49866001)(4396001)(19580385001)(19300405004)(54356001)(53806001)(16236675002)(33646001)(83072001)(15975445003)(76576001)(15202345003)(76796001)(81686001)(76786001)(56816003)(65816001)(77096001)(80022001)(56776001)(19580405001)(63696002)(74366001)(74876001)(80976001)(74316001)(74502001)(46102001)(74662001)(17760045001)(47446002)(31966008)(79102001)(51856001)(69226001)(81342001)(16601075003)(81542001)(74706001)(42262001)(3826001)(24736002); DIR:OUT; SFP:; SCL:1; SRVR:BY2PR03MB192; H:BY2PR03MB189.namprd03.prod.outlook.com; CLIP:2001:4898:80e0:ed43::3; RD:InfoNoRecords; A:1; MX:1; LANG:en; 
Content-Type: multipart/related; boundary="_004_a64cf984cc42495f9d5d362dd2f9b980BY2PR03MB189namprd03pro_"; type="multipart/alternative"
MIME-Version: 1.0
X-OriginatorOrg: DuplicateDomain-a84fc36a-4ed7-4e57-ab1c-3e967bcbad48.microsoft.com
X-MS-Exchange-CrossPremises-AuthAs: Internal
X-MS-Exchange-CrossPremises-AuthMechanism: 03
X-MS-Exchange-CrossPremises-AuthSource: BY2PR03MB189.namprd03.prod.outlook.com
X-MS-Exchange-CrossPremises-SCL: 1
X-MS-Exchange-CrossPremises-messagesource: StoreDriver
X-MS-Exchange-CrossPremises-BCC: 
X-MS-Exchange-CrossPremises-originalclientipaddress: 2001:4898:80e0:ed43::3
X-MS-Exchange-CrossPremises-avstamp-service: 1.0
X-MS-Exchange-CrossPremises-antispam-scancontext: DIR:Originating; SFV:NSPM; SKIP:0; 
X-MS-Exchange-CrossPremises-processed-by-journaling: Journal Agent
X-MS-Exchange-CrossPremises-ContentConversionOptions: False; 00160000; True; ; iso-8859-1
X-OrganizationHeadersPreserved: BY2PR03MB192.namprd03.prod.outlook.com
Cc: "mike@gluu.org" <mike@gluu.org>, "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] OX needs Dynamic Registration: please don't remove!
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 13 Aug 2013 14:46:38 -0000

--_004_a64cf984cc42495f9d5d362dd2f9b980BY2PR03MB189namprd03pro_
Content-Type: multipart/alternative;
	boundary="_000_a64cf984cc42495f9d5d362dd2f9b980BY2PR03MB189namprd03pro_"

--_000_a64cf984cc42495f9d5d362dd2f9b980BY2PR03MB189namprd03pro_
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
--_000_a64cf984cc42495f9d5d362dd2f9b980BY2PR03MB189namprd03pro_
Content-Type: text/html; charset="utf-8"
Content-Transfer-Encoding: base64


--_000_a64cf984cc42495f9d5d362dd2f9b980BY2PR03MB189namprd03pro_--

--_004_a64cf984cc42495f9d5d362dd2f9b980BY2PR03MB189namprd03pro_
Content-Type: image/png; name="image001.png"
Content-Description: image001.png
Content-Disposition: inline; filename="image001.png"; size=79121;
	creation-date="Tue, 13 Aug 2013 14:46:26 GMT";
	modification-date="Tue, 13 Aug 2013 14:46:26 GMT"
Content-ID: <image001.png@01CE97F9.3576EBC0>
Content-Transfer-Encoding: base64
--_004_a64cf984cc42495f9d5d362dd2f9b980BY2PR03MB189namprd03pro_--

From jricher@mitre.org  Tue Aug 13 07:49:20 2013
Return-Path: <jricher@mitre.org>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0664B21E8105 for <oauth@ietfa.amsl.com>; Tue, 13 Aug 2013 07:49:20 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.598
X-Spam-Level: 
X-Spam-Status: No, score=-6.598 tagged_above=-999 required=5 tests=[AWL=0.001,  BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id CeykrQVAjUsS for <oauth@ietfa.amsl.com>; Tue, 13 Aug 2013 07:49:15 -0700 (PDT)
Received: from smtpksrv1.mitre.org (smtpksrv1.mitre.org [198.49.146.77]) by ietfa.amsl.com (Postfix) with ESMTP id F3DFD11E80A2 for <oauth@ietf.org>; Tue, 13 Aug 2013 07:49:14 -0700 (PDT)
Received: from smtpksrv1.mitre.org (localhost.localdomain [127.0.0.1]) by localhost (Postfix) with SMTP id 957B11F0584; Tue, 13 Aug 2013 10:49:14 -0400 (EDT)
Received: from IMCCAS02.MITRE.ORG (imccas02.mitre.org [129.83.29.79]) by smtpksrv1.mitre.org (Postfix) with ESMTP id 82A4E1F0549; Tue, 13 Aug 2013 10:49:14 -0400 (EDT)
Received: from [10.146.15.13] (129.83.31.56) by IMCCAS02.MITRE.ORG (129.83.29.79) with Microsoft SMTP Server (TLS) id 14.2.342.3; Tue, 13 Aug 2013 10:49:14 -0400
Message-ID: <520A46B6.7030404@mitre.org>
Date: Tue, 13 Aug 2013 10:46:14 -0400
From: Justin Richer <jricher@mitre.org>
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:17.0) Gecko/20130623 Thunderbird/17.0.7
MIME-Version: 1.0
To: Anthony Nadalin <tonynad@microsoft.com>
References: <52016822.2090703@mitre.org> <5208AC1A.5060606@mnt.se> <5208EC80.3060707@mitre.org> <0C7A9772-5D04-4CF6-8723-42AEF0877B43@oracle.com> <520937F2.5060700@mitre.org> <5209E3F9.9090402@gmail.com> <99291d0fdd4742ef9e7ae01aa3eea8b5@BY2PR03MB189.namprd03.prod.outlook.com>
In-Reply-To: <99291d0fdd4742ef9e7ae01aa3eea8b5@BY2PR03MB189.namprd03.prod.outlook.com>
Content-Type: text/plain; charset="ISO-8859-1"; format=flowed
Content-Transfer-Encoding: 7bit
X-Originating-IP: [129.83.31.56]
Cc: "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] A Proposal for Dynamic Registration
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 13 Aug 2013 14:49:20 -0000

On 08/13/2013 10:38 AM, Anthony Nadalin wrote:
> so the CRUD operations are not an overlap, the provisioning aspects are not an overlap

Correct.

  -- Justin

>
> -----Original Message-----
> From: oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] On Behalf Of Sergey Beryozkin
> Sent: Tuesday, August 13, 2013 12:45 AM
> To: oauth@ietf.org
> Subject: Re: [OAUTH-WG] A Proposal for Dynamic Registration
>
> For whatever it is worth, let me add my 2c, I've briefly looked through the latest Dynamic Registration Draft, and also briefly looked at SCIM - interesting specification, did not know it even exists :-).
>
> IMHO these are 2 rather different texts, SCIM looks very useful, look forward to understanding it better :-), but it appears to be at a higher level than Dyn Reg Draft is - the latter is centric around a specific use case as far as I can see and the whole language of the latter is about addressing this specific use case. Appears to me SCIM and DynReg of OAuth2 Clients texts complement each other as opposed to 'compete'
> with each other, and they intersect simply because they use some similar terminology. I may be repeating some of what is said below.
>
> Re the use of assertions: I'd like to think that getting the assertions flowing in OAuth2 applications is useful only when we have a task of integrating with existing IDPs or some other involved scenarios. Using them as the central pieces of the protocol will raise the complexity bar.
>
> Apologies for not commenting inline - the above is just the comments after a brief overview of the documents :-)
>
> Cheers, Sergey
>
> On 12/08/13 22:30, Justin Richer wrote:
>> I think you're misunderstanding what I'm saying with regard to the
>> various protocols -- the different registration systems weren't
>> incompatible for any deep seated assumptions or different data models.
>> They were incompatible because of different names, different formats,
>> different things being used to do the same thing. Small, stupid
>> differences that none of the groups were particularly tied to at the
>> time, but getting them all to agree to call something "foo" and not
>> "bar" is where the draft that we have came in. Now you're suggesting
>> that we go back to all these groups and say "well we know we told you
>> to use 'foo' for this field, but now instead we're going to change it
>> to 'bar', except that 'bar' isn't exactly 'bar', it's more like 'baz',
>> and you need to throw out half your use cases". Ridiculous, is it not?
>>
>> All of your questions about what's required or not for supporting
>> dynamic client registration have been brought up and discussed in the
>> history of the document in its various forms over the past couple years.
>> It started out as a one-way registration, no CRUD ops or lifecycle
>> management. Then people started to use it and realized that we needed
>> those things, so we've added them. Once we were in that direction, we
>> realized we were doing CRUD-like operations but weren't being RESTful
>> where it made sense to be, so now it's a JSON-based RESTful API. We
>> used to force client secrets to be used (even by public clients using
>> things like the implicit or assertion flows) to access this API, but
>> then we realized we could eat our own dogfood and use OAuth tokens,
>> and that's where we got the registration access token. We used to have
>> registration be an open POST only, but then there were very real use
>> cases, real deployments, and real extension mechanisms that could be
>> enabled by having the initial registration optionally be protected as
>> an OAuth2 protected resource as well, so that's where we got the
>> initial access token. We originally had a fixed set of client
>> parameters, but groups quickly wanted to add more, so we made that
>> extensible. We originally had simple string values, but people wanted
>> to be able to have localized text as well, so that was added.
>>
>> All of these are visible in the document history, particularly if you
>> look at it across the IETF, UMA, and OpenID specs as a whole. You make
>> it sound as if we simply waved our hands and grabbed a bunch of
>> features out of thin air and implemented them, and that's absolutely
>> not the case. Everything in that draft is the result of lots of
>> discussion, implementation, and deployment. Do I need to mention again
>> that people are actively running this code today?
>>
>> Also, I don't intend to disparage the SCIM protocol -- it's a great
>> protocol for what it does, and in user and group provisioning it's
>> exactly what I look toward. We're looking to potentially deploy it on
>> some of my projects as well, so I'm certainly not against it. However,
>> I'm not one to see it as a silver bullet for solving all RESTful API
>> problems in the world, and that's exactly what I see it being
>> positioned as here. Every function in the Dyn Reg spec that you claim "duplicates"
>> SCIM are actually just things that it gets from being RESTful. So in
>> other words, the similarities are from similar genetics, not from
>> direct competition. Quite frankly, I think that what's happening here
>> is that by taking the SCIM-hammer in hand you're seeing OAuth Dyn Reg as a nail.
>> Also, I still think that you're ignoring the cost of implementing SCIM
>> for people who aren't already doing so, especially when compared to
>> the cost of implementing another (smaller, simpler, fit-to-purpose)
>> RESTful API.
>>
>> As to the direct assertions, I'm interested in seeing where it goes,
>> but I don't yet (today) see how it can work in practice. And in any
>> case it needs a lot more work. Take the code flow, for example -- how
>> does the client present the assertion to the authorization endpoint?
>> And what does it use for client_id (a required parameter)? Also, to
>> the question that I asked at the IETF meeting, what about the case
>> where you've got hundreds of thousands of auth servers protecting the
>> same kind of API -- where does a client go to get its assertion then?
>>
>> As to the "dynamic" nature of the clients, it's the *relationship*
>> that's dynamic. You're once again conflating the code that executes
>> with the instance of the code as seen by a particular authorization server.
>> Also, in my own personal experience, there are things that change for
>> a given piece of code depending on its deployment circumstances -- the
>> redirect_uris for a web client, for instance, are going to be
>> different depending on *where* that client software is served from.
>>
>> Judging by our past conversations, I think that your model of what
>> makes up a client and what makes up an auth server is valid, but
>> limited, and this is continuing to color your view of what this
>> protocol needs. I'd rather have something that works across the many
>> ways that OAuth is being used today and can be used in the future.
>>
>>    -- Justin
>>
>> On 08/12/2013 02:43 PM, Phil Hunt wrote:
>>> Inline...
>>>
>>> Phil
>>>
>>> @independentid
>>> www.independentid.com
>>> phil.hunt@oracle.com
>>>
>>>
>>>
>>>
>>>
>>> On 2013-08-12, at 4:09 PM, Justin Richer <jricher@mitre.org> wrote:
>>>
>>>> I think it's very important that we put *some* stake in the ground
>>>> for the likes of OIDC, BB+, UMA, and the other higher-level
>>>> protocols and systems that are looking toward us for Dyn Reg now.
>>>> They weren't, previously -- all of these had mutually incompatible
>>>> registration systems, but the work we've done so far with Dyn Reg
>>>> has made a system that everyone can use. If we don't declare a
>>>> baseline, and do so soon, then I fully believe that these groups
>>>> will either fracture unnecessarily, or they'll ignore the IETF. Or both.
>>> [PH] Your position here indicates to me that there is not a lot of
>>> natural consensus between OIDC, BB+, UMA and others. If these groups
>>> are aligning solely because of moral pressure to have a single
>>> standard -- which you seem to imply by the need to "put a stake in
>>> the ground", it suggests the technical proposal is not right yet.
>>>
>>> Despite your disparaging of SCIM, I don't think that's the issue.
>>> Whether SCIM or custom API, the Dyn Reg model places too much
>>> complexity solely on the client to registration endpoint relationship.
>>>
>>> For example, the information content of what the client is asserting
>>> is *not* dynamic - only the act of registration is. The client app is
>>> for the most part, "fixed", coded in a particular way for use with a
>>> specific set of APIs. Dyn Reg (and the SCIM variant) go well beyond
>>> just issuing a client_id and exchange all oauth protocol information
>>> on the assumption any value might change.  This is a very complex
>>> approach.
>>>
>>> Then there is the issue of needing full CRUD support, I have not
>>> bought into the need for apps to be able to update registration.  Why
>>> would they do this?  Why do we need de-registration, wouldn't
>>> Torsten's revocation draft suffice?
>>>
>>> The reason I think the assertion model might be a better path, is
>>> that it assumes a larger multi-party flow which moves complexity away
>>> from the registration endpoint to the point that in most cases a
>>> simple cert swap is all that is needed from the client's perspective.
>>>
>>> When Tony and I put forward the SCIM variant, we thought that might
>>> be a compromise.  Still after putting it forward, I now feel the same
>>> way about it as I do the Dyn Reg draft.  What is useful from it, is
>>> the notion of defining a software statement which can be used to
>>> simplify the registration process greatly.
>>>
>>>> I'll leave it to the chairs to decide if this gets tagged
>>>> "experimental" or "standards", but I think that we're doing the
>>>> world a disservice by not shipping what we have.
>>>>
>>>> -- Justin
>>>>
>>>> On 08/12/2013 05:34 AM, Leif Johansson wrote:
>>>>> On 08/06/2013 11:18 PM, Justin Richer wrote:
>>>>>
>>>>> <snip>
>>>>>>    - OAuth Dynamic Registration
>>>>>>    - SCIM-based OAuth Dynamic Registration
>>>>>>    - Software Statements for OAuth Dynamic Registration
>>>>>>
>>>>> This thread makes me think we should break out the EXPERIMENTAL
>>>>> track: spin two or more proposed solutions as EXPERIMENTAL. Let the
>>>>> various groups do what they're gonna do (which they'll do anyway)
>>>>> and let the chips fall where they may.
>>>>>
>>>>> Tony is right in interpreting the discussions in Berlin as quite
>>>>> fractured.
>>>>> Pushing for standards track seems premature.
>>>>>
>>>>> OTOH the transition from EXPERIMENTAL to STANDARDS TRACK can be as
>>>>> quick as a couple of I-Ds describing the outcome of the
>>>>> implementation and deployment work that will happen anyway (as you
>>>>> so correctly observe) after which the WG decides how to move
>>>>> forward.
>>>>>
>>>>> Since bb+ and openidc will do dynreg anyway the document track
>>>>> doesn't really matter which means the usual "vendors won't
>>>>> implement unless it's a real RFC"-argument doesn't apply here anyway.
>>>>>
>>>>>           Cheers Leif
>>>>>
>>>>>
>>>>>
>>>>> _______________________________________________
>>>>> OAuth mailing list
>>>>> OAuth@ietf.org
>>>>> https://www.ietf.org/mailman/listinfo/oauth


From jricher@mitre.org  Tue Aug 13 07:51:24 2013
Return-Path: <jricher@mitre.org>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 181A821E8175 for <oauth@ietfa.amsl.com>; Tue, 13 Aug 2013 07:51:23 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.298
X-Spam-Level: 
X-Spam-Status: No, score=-6.298 tagged_above=-999 required=5 tests=[AWL=-0.300, BAYES_00=-2.599, HTML_MESSAGE=0.001, J_CHICKENPOX_31=0.6, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 7kfc5FoP+Oqv for <oauth@ietfa.amsl.com>; Tue, 13 Aug 2013 07:51:15 -0700 (PDT)
Received: from smtpksrv1.mitre.org (smtpksrv1.mitre.org [198.49.146.77]) by ietfa.amsl.com (Postfix) with ESMTP id 9D0FC21E816F for <oauth@ietf.org>; Tue, 13 Aug 2013 07:51:14 -0700 (PDT)
Received: from smtpksrv1.mitre.org (localhost.localdomain [127.0.0.1]) by localhost (Postfix) with SMTP id A0AF31F0591; Tue, 13 Aug 2013 10:51:12 -0400 (EDT)
Received: from IMCCAS03.MITRE.ORG (imccas03.mitre.org [129.83.29.80]) by smtpksrv1.mitre.org (Postfix) with ESMTP id 7C7291F057F; Tue, 13 Aug 2013 10:51:12 -0400 (EDT)
Received: from [10.146.15.13] (129.83.31.56) by IMCCAS03.MITRE.ORG (129.83.29.80) with Microsoft SMTP Server (TLS) id 14.2.342.3; Tue, 13 Aug 2013 10:51:12 -0400
Message-ID: <520A472C.6040101@mitre.org>
Date: Tue, 13 Aug 2013 10:48:12 -0400
From: Justin Richer <jricher@mitre.org>
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:17.0) Gecko/20130623 Thunderbird/17.0.7
MIME-Version: 1.0
To: Anthony Nadalin <tonynad@microsoft.com>
References: <8e1ea7617c20b54b3cecbc99364b399a@gluu.org> " <4AACCC15-5DE8-4906-9756-0E33D37FC240@oracle.com>" <520A35CA.50006@aol.com> <520A3BAD.1050703@mitre.org> <7a9ce33274304311a64057bb305be011@BY2PR03MB189.namprd03.prod.outlook.com> <60b4af16cbbc9c5e5b00fc1e63072c45@gluu.org> <a31200b47c9d477ca226f5e1fdb2dfbf@BY2PR03MB189.namprd03.prod.outlook.com> <520A4549.5040206@aol.com> <a64cf984cc42495f9d5d362dd2f9b980@BY2PR03MB189.namprd03.prod.outlook.com>
In-Reply-To: <a64cf984cc42495f9d5d362dd2f9b980@BY2PR03MB189.namprd03.prod.outlook.com>
Content-Type: multipart/alternative; boundary="------------030109090800080308060300"
X-Originating-IP: [129.83.31.56]
Cc: "mike@gluu.org" <mike@gluu.org>, "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] OX needs Dynamic Registration: please don't remove!
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 13 Aug 2013 14:51:24 -0000

--------------030109090800080308060300
Content-Type: text/plain; charset="UTF-8"; format=flowed
Content-Transfer-Encoding: 8bit

The spec doesn't care where you deploy at -- if URL space is at a 
premium for you, then switch based on input parameters and other things. 
And you're still not clear on which "secrets" you're taking issue with.

  -- Justin

On 08/13/2013 10:46 AM, Anthony Nadalin wrote:
>
> #1, it's yet another endpoint to have to manage secrets at, yes this is 
> an OAuth item but it's growing out of control, we are trying to move 
> away from secrets and management of these endpoints as this would be 
> just another one we have to support, monitor and report on
>
> #2 yes, 1 physical endpoint acting as multiple authorization servers
>
> *From:* George Fletcher [mailto:gffletch@aol.com]
> *Sent:* Tuesday, August 13, 2013 7:40 AM
> *To:* Anthony Nadalin
> *Cc:* mike@gluu.org; Justin Richer; oauth@ietf.org
> *Subject:* Re: [OAUTH-WG] OX needs Dynamic Registration: please don't 
> remove!
>
> Hi Tony,
>
> Could you please explain a little more?
>
> For issue 1:
> * Which "secret" are you referring to? OAuth2 by default allows for an 
> optional client_secret. I'm not sure why this would cause management 
> issues? Or are you referring to the "Registration Access Token"?
> * Why is a separate endpoint an issue? Any client is going to be 
> talking to more than just the /authorize and /token endpoints anyway 
> so I'm confused regarding the extra complexity?
>
> For issue 2:
> * What specifically do you mean by "multi-tenant"? Is this one server 
> acting on behalf of multiple tenants and so appearing as multiple 
> Authorization Servers?
>
> Thanks,
> George
>
> On 8/13/13 10:34 AM, Anthony Nadalin wrote:
>
>     So, (1) Management of the secret causes us management issues, yet another endpoint to manage, there may be ways around this issue with assertions. (2) The schema/data model are not useable as defined. Internationalization is an issue. Multi-tenant issues, this also goes back to schema/data model.
>
>     -----Original Message-----
>     From: mike@gluu.org [mailto:mike@gluu.org]
>     Sent: Tuesday, August 13, 2013 7:22 AM
>     To: Anthony Nadalin
>     Cc: Justin Richer; George Fletcher; oauth@ietf.org
>     Subject: RE: [OAUTH-WG] OX needs Dynamic Registration: please don't remove!
>
>     Anthony,
>
>     As I mentioned, we are using it as part of the OX UMA implementation.
>     Can you be more specific?
>         1) What parts of it would cause add'l management?
>         2) What parts do not meet your requirements that could not be satisfied with a
>            supplemental profile?
>
>     - Mike
>
>     On 2013-08-13 09:15, Anthony Nadalin wrote:
>
>         Who has implemented draft-ietf-oauth-dyn-reg-14 [5] and is in
>         production (of some sort)? We have no plans to implement as it does
>         not meet our requirements/use cases and causes additional management
>         and thus I believe would not serve as a valid core document to expand
>         upon.
>
>         FROM: oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] ON BEHALF OF Justin Richer
>         SENT: Tuesday, August 13, 2013 6:59 AM
>         TO: George Fletcher
>         CC: mike@gluu.org; oauth@ietf.org
>         SUBJECT: Re: [OAUTH-WG] OX needs Dynamic Registration: please don't remove!
>
>         +1
>
>         On 08/13/2013 09:34 AM, George Fletcher wrote:
>
>             I know I wasn't at the IETF meeting but I'm confused regarding all
>             this talk of "lack of consensus". It seems to me there is a lot of
>             consensus regarding the existing spec (given all the current
>             implementations). Couple that with the fact that the current spec
>             doesn't exclude the additional use cases that you've raised, I don't
>             see why we don't establish the current spec as the core document and
>             then develop profiles for the additional use cases. It is unlikely
>             that there is going to be a true single solution because to cover all
>             the use cases it will have to be so flexible that profiles will arise
>             regardless. In that case, let's build off the solid core that we have
>             and add these additional profiles providing a win-win for
>             implementers.
>
>             My 2 cents:)
>
>             Thanks,
>             George
>
>             On 8/12/13 7:55 PM, Phil Hunt wrote:
>
>                 I don't think there is a call to stop work. However there is a lack
>                 of consensus on the current draft moving forward.
>
>                 I too want a single, simple solution.
>
>                 Phil
>
>                 On 2013-08-08, at 13:22, mike@gluu.org wrote:
>
>                     OAuth WG,
>
>                     As some of you may know, the OX open source project provides an
>                     implementation of Enterprise UMA, which enables organizations to
>                     control which people and clients can access web resources.
>
>                     I rarely weigh in, because you all are doing such a great job.
>                     However, I was quite distressed to learn about the suggestion to
>                     stop work on the dynamic client registration spec. This proposed
>                     change would have a negative impact on OX, and the varied adopters
>                     of our software from around the world.
>
>                     No standard for dynamic client registration would make OX less
>                     "standard" by creating a bigger delta between UMA and other OAuth2
>                     implementations. As OX also implements the OpenID Connect OP
>                     endpoints, and dropping this effort would also make a convergence
>                     path for client registration less likely.
>
>                     Please leave dynamic client registration!
>
>                     Thanks for all your great work!
>
>                     - Mike Schwartz
>                     Founder / CEO
>                     Gluu
>                     http://gluu.org [1]
>
>                     PS: Help us crowd fund open source OAuth2 plugins for Apache HTTPD:
>                     http://www.gluu.co/uma-apache [2]
>
>                     _______________________________________________
>                     OAuth mailing list
>                     OAuth@ietf.org
>                     https://www.ietf.org/mailman/listinfo/oauth [3]
>
>             --
>             [4]
>
>         Links:
>         ------
>         [1] http://gluu.org
>         [2] http://www.gluu.co/uma-apache
>         [3] https://www.ietf.org/mailman/listinfo/oauth
>         [4] http://connect.me/gffletch
>         [5] http://datatracker.ietf.org/doc/draft-ietf-oauth-dyn-reg/
>
> -- 
> George Fletcher <http://connect.me/gffletch>
>


--------------030109090800080308060300--

From phil.hunt@oracle.com  Tue Aug 13 08:00:28 2013
Return-Path: <phil.hunt@oracle.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 08ACD21E814A for <oauth@ietfa.amsl.com>; Tue, 13 Aug 2013 08:00:28 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.602
X-Spam-Level: 
X-Spam-Status: No, score=-4.602 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, HTML_MESSAGE=0.001, J_CHICKENPOX_31=0.6, MIME_QP_LONG_LINE=1.396, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id p2axlxAGG7r7 for <oauth@ietfa.amsl.com>; Tue, 13 Aug 2013 08:00:22 -0700 (PDT)
Received: from aserp1040.oracle.com (aserp1040.oracle.com [141.146.126.69]) by ietfa.amsl.com (Postfix) with ESMTP id 3D87D21E816F for <oauth@ietf.org>; Tue, 13 Aug 2013 08:00:21 -0700 (PDT)
Received: from acsinet21.oracle.com (acsinet21.oracle.com [141.146.126.237]) by aserp1040.oracle.com (Sentrion-MTA-4.3.1/Sentrion-MTA-4.3.1) with ESMTP id r7DF0Cu4001518 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK); Tue, 13 Aug 2013 15:00:13 GMT
Received: from userz7022.oracle.com (userz7022.oracle.com [156.151.31.86]) by acsinet21.oracle.com (8.14.4+Sun/8.14.4) with ESMTP id r7DF083R020758 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Tue, 13 Aug 2013 15:00:12 GMT
Received: from abhmt114.oracle.com (abhmt114.oracle.com [141.146.116.66]) by userz7022.oracle.com (8.14.4+Sun/8.14.4) with ESMTP id r7DF085h011330; Tue, 13 Aug 2013 15:00:08 GMT
Received: from [192.168.1.125] (/24.86.29.34) by default (Oracle Beehive Gateway v4.0) with ESMTP ; Tue, 13 Aug 2013 08:00:07 -0700
References: <8e1ea7617c20b54b3cecbc99364b399a@gluu.org> <4AACCC15-5DE8-4906-9756-0E33D37FC240@oracle.com> <520A35CA.50006@aol.com> <520A3BAD.1050703@mitre.org> <7a9ce33274304311a64057bb305be011@BY2PR03MB189.namprd03.prod.outlook.com> <60b4af16cbbc9c5e5b00fc1e63072c45@gluu.org> <a31200b47c9d477ca226f5e1fdb2dfbf@BY2PR03MB189.namprd03.prod.outlook.com> <520A4549.5040206@aol.com> <a64cf984cc42495f9d5d362dd2f9b980@BY2PR03MB189.namprd03.prod.outlook.com> <520A472C.6040101@mitre.org>
Mime-Version: 1.0 (1.0)
In-Reply-To: <520A472C.6040101@mitre.org>
Content-Type: multipart/alternative; boundary=Apple-Mail-D7DA9FEA-5F67-4FB9-BDDA-0092E8778EE7
Content-Transfer-Encoding: 7bit
Message-Id: <D01CFAFF-0FB5-406C-86F3-E7D0952D01FB@oracle.com>
X-Mailer: iPhone Mail (10B329)
From: Phil Hunt <phil.hunt@oracle.com>
Date: Tue, 13 Aug 2013 08:00:05 -0700
To: Justin Richer <jricher@mitre.org>
X-Source-IP: acsinet21.oracle.com [141.146.126.237]
Cc: "mike@gluu.org" <mike@gluu.org>, "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] OX needs Dynamic Registration: please don't remove!
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 13 Aug 2013 15:00:28 -0000

--Apple-Mail-D7DA9FEA-5F67-4FB9-BDDA-0092E8778EE7
Content-Type: text/plain;
	charset=utf-8
Content-Transfer-Encoding: 8bit

Dyn reg and the SCIM reg variant depend too much/biased towards passwords
expressed as client secrets.

A signed token approach has many advantages for service providers like not
having to maintain a secure database of secrets/passwords.

Finally issuing both a client secret and registration token is costly and
confusing to client developers.  I relented somewhat when I realized
Kerberos does this--but I still feel it is a bad design at cloud scale.

Phil

On 2013-08-13, at 7:48, Justin Richer <jricher@mitre.org> wrote:

> The spec doesn't care where you deploy at -- if URL space is at a premium
> for you, then switch based on input parameters and other things. And
> you're still not clear on which "secrets" you're taking issue with.
>
>  -- Justin
>
> On 08/13/2013 10:46 AM, Anthony Nadalin wrote:
>> #1, it's yet another endpoint to have to manage secrets at, yes this is
>> an OAuth item but it’s growing out of control, we are trying to move
>> away from secrets and management of these endpoints as this would be
>> just another one we have to support, monitor and report on
>> #2 yes, 1 physical endpoint acting as multiple authorization servers
>>
>> From: George Fletcher [mailto:gffletch@aol.com]
>> Sent: Tuesday, August 13, 2013 7:40 AM
>> To: Anthony Nadalin
>> Cc: mike@gluu.org; Justin Richer; oauth@ietf.org
>> Subject: Re: [OAUTH-WG] OX needs Dynamic Registration: please don't remove!
>>
>> Hi Tony,
>>
>> Could you please explain a little more?
>>
>> For issue 1:
>> * Which "secret" are you referring to? OAuth2 by default allows for an
>> optional client_secret. I'm not sure why this would cause management
>> issues? Or are you referring to the "Registration Access Token"?
>> * Why is a separate endpoint an issue? Any client is going to be talking
>> to more than just the /authorize and /token endpoints anyway so I'm
>> confused regarding the extra complexity?
>>
>> For issue 2:
>> * What specifically do you mean by "multi-tenant"? Is this one server
>> acting on behalf of multiple tenants and so appearing as multiple
>> Authorization Servers?
>>
>> Thanks,
>> George
>>
>> On 8/13/13 10:34 AM, Anthony Nadalin wrote:
>> So, (1) Management of the secret causes us management issues, yet another
>> endpoint to manage, there may be ways around this issue with assertions.
>> (2) The schema/data model are not useable as defined.
>> Internationalization is an issue. Multi-tenant issues, this also goes
>> back to schema/data model.
>>
>>
>> -----Original Message-----
>> From: mike@gluu.org [mailto:mike@gluu.org]
>> Sent: Tuesday, August 13, 2013 7:22 AM
>> To: Anthony Nadalin
>> Cc: Justin Richer; George Fletcher; oauth@ietf.org
>> Subject: RE: [OAUTH-WG] OX needs Dynamic Registration: please don't remove!
>>
>> Anthony,
>>
>> As I mentioned, we are using it as part of the OX UMA implementation.
>> Can you be more specific?
>>    1) What parts of it would cause add'l management?
>>    2) What parts do not meet your requirements that could not be
>>       satisfied with a supplemental profile?
>>
>> - Mike
>>
>>
>>
>> On 2013-08-13 09:15, Anthony Nadalin wrote:
>> Who has implemented draft-ietf-oauth-dyn-reg-14 [5] and is in
>> production (of some sort) ? We have no plans to implement as it does
>> not meet our requirements/use cases and causes additional management
>> and thus I believe would not serve as a valid core document to expand
>> upon.
>>
>> FROM: oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] ON BEHALF
>> OF Justin Richer
>>  SENT: Tuesday, August 13, 2013 6:59 AM
>>  TO: George Fletcher
>>  CC: mike@gluu.org; oauth@ietf.org
>>  SUBJECT: Re: [OAUTH-WG] OX needs Dynamic Registration: please don't
>> remove!
>>
>> +1
>>
>> On 08/13/2013 09:34 AM, George Fletcher wrote:
>>
>> I know I wasn't at the IETF meeting but I'm confused regarding all
>> this talk of "lack of consensus". It seems to me there is a lot of
>> consensus regarding the existing spec (given all the current
>> implementations). Couple that with the fact that the current spec
>> doesn't exclude the additional use cases that you've raised, I don't
>> see why we don't establish the current spec as the core document and
>> then develop profiles for the additional use cases. It is unlikely
>> that there is going to be a true single solution because to cover all
>> the use cases it will have to be so flexible that profiles will arise
>> regardless. In that case, let's build off the solid core that we have
>> and add these additional profiles providing a win-win for
>> implementers.
>>
>> My 2 cents:)
>>
>> Thanks,
>> George
>>
>> On 8/12/13 7:55 PM, Phil Hunt wrote:
>>
>> I don't think there is a call to stop work. However there is a lack
>> of consensus on the current draft moving forward.
>>
>> I too want a single, simple solution.
>>
>> Phil
>>
>> On 2013-08-08, at 13:22, mike@gluu.org wrote:
>>
>> OAuth WG,
>>
>> As some of you may know, the OX open source project provides an
>> implementation of Enterprise UMA, which enables organizations to
>> control which people and clients can access web resources.
>>
>> I rarely weigh in, because you all are doing such a great job.
>> However, I was quite distressed to learn about the suggestion to
>> stop work on the dynamic client registration spec. This proposed
>> change would have a negative impact on OX, and the varied adopters
>> of our software from around the world.
>>
>> No standard for dynamic client registration would make OX less
>> "standard" by creating a bigger delta between UMA and other OAuth2
>> implementations. As OX also implements the OpenID Connect OP
>> endpoints, and dropping this effort would also make a convergence
>> path for client registration less likely.
>>
>> Please leave dynamic client registration!
>>
>> Thanks for all your great work!
>>
>> - Mike Schwartz
>>
>> Founder / CEO
>>
>> Gluu
>>
>> http://gluu.org [1]
>>
>> PS: Help us crowd fund open source OAuth2 plugins for Apache HTTPD
>> : http://www.gluu.co/uma-apache [2]
>>
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth [3]
>>
>> --
>> [4]
>>
>> Links:
>> ------
>> [1] http://gluu.org
>> [2] http://www.gluu.co/uma-apache
>> [3] https://www.ietf.org/mailman/listinfo/oauth
>> [4] http://connect.me/gffletch
>> [5] http://datatracker.ietf.org/doc/draft-ietf-oauth-dyn-reg/

--Apple-Mail-D7DA9FEA-5F67-4FB9-BDDA-0092E8778EE7--
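Phil Hunt's point above, that a signed token spares the service provider a per-client secrets database, shown as an added example (not part of the original message and not the wire format of draft-ietf-oauth-dyn-reg). The token layout, the key store and every function name are assumptions made for illustration; the server keeps only its own signing key and recovers the registration data from the token itself.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo key store: the only secret the server keeps, indexed by
# key id ("kid") so the signing key can be rotated. Not a real key.
SERVER_KEYS = {"k1": b"constructed-demo-key-do-not-reuse"}
CURRENT_KID = "k1"


def b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def encode_claims(claims):
    raw = json.dumps(claims, sort_keys=True, separators=(",", ":"))
    return b64url_encode(raw.encode("utf-8"))


def sign(kid, payload):
    mac = hmac.new(SERVER_KEYS[kid], payload.encode("ascii"), hashlib.sha256)
    return b64url_encode(mac.digest())


def issue_client_token(client_id, redirect_uris, now=None, ttl=3600):
    """Sign the registration data; nothing is stored per client."""
    now = int(time.time()) if now is None else now
    claims = {"kid": CURRENT_KID, "client_id": client_id,
              "redirect_uris": sorted(redirect_uris),
              "iat": now, "exp": now + ttl}
    payload = encode_claims(claims)
    return payload + "." + sign(CURRENT_KID, payload)


def verify_client_token(token, now=None, revoked=frozenset()):
    """Return the signed claims, or None if forged, malformed or expired."""
    now = int(time.time()) if now is None else now
    try:
        payload, tag = token.split(".")
        claims = json.loads(b64url_decode(payload))
        expected = sign(claims["kid"], payload)  # unknown kid -> KeyError
    except (ValueError, KeyError, TypeError, AttributeError):
        return None
    # Constant-time comparison of the presented MAC with the recomputed one.
    if not hmac.compare_digest(tag.encode("utf-8"), expected.encode("ascii")):
        return None
    if not claims["iat"] <= now < claims["exp"]:
        return None
    # Caveat: withdrawing a client before "exp" still needs server state.
    # Here that is a small denylist instead of a table of every secret.
    if claims["client_id"] in revoked:
        return None
    return claims


def redirect_uri_allowed(claims, uri):
    # Exact string match against the signed registration data.
    return uri in claims["redirect_uris"]


def tamper_redirect_uris(token, new_uris):
    """Check helper: change redirect_uris but keep the old MAC."""
    payload, tag = token.split(".")
    claims = json.loads(b64url_decode(payload))
    claims["redirect_uris"] = sorted(new_uris)
    return encode_claims(claims) + "." + tag


if __name__ == "__main__":
    tok = issue_client_token("client-a", ["https://app.example/cb"])
    print("valid:", verify_client_token(tok) is not None)
    altered = tamper_redirect_uris(tok, ["https://other.example/cb"])
    print("altered accepted:", verify_client_token(altered) is not None)
```

The trade-off is visible in `verify_client_token`: authenticity and expiry need no lookup, while early revocation brings a (much smaller) piece of state back.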

From gffletch@aol.com  Tue Aug 13 08:02:05 2013
Return-Path: <gffletch@aol.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BFE0B21E811E for <oauth@ietfa.amsl.com>; Tue, 13 Aug 2013 08:02:05 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.998
X-Spam-Level: 
X-Spam-Status: No, score=-1.998 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, HTML_MESSAGE=0.001, J_CHICKENPOX_31=0.6]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id JFhVhsq2G4GM for <oauth@ietfa.amsl.com>; Tue, 13 Aug 2013 08:02:01 -0700 (PDT)
Received: from omr-m04.mx.aol.com (omr-m04.mx.aol.com [64.12.143.78]) by ietfa.amsl.com (Postfix) with ESMTP id 3116B11E80AD for <oauth@ietf.org>; Tue, 13 Aug 2013 08:02:01 -0700 (PDT)
Received: from mtaout-db01.r1000.mx.aol.com (mtaout-db01.r1000.mx.aol.com [172.29.51.193]) by omr-m04.mx.aol.com (Outbound Mail Relay) with ESMTP id D58F470001D71; Tue, 13 Aug 2013 11:01:59 -0400 (EDT)
Received: from ping-audit-10-181-176-212-20120320.ops.aol.com (ping-audit-10-181-176-212-20120320.ops.aol.com [10.181.176.212]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by mtaout-db01.r1000.mx.aol.com (MUA/Third Party Client Interface) with ESMTPSA id 46887E0000B3; Tue, 13 Aug 2013 11:01:59 -0400 (EDT)
Message-ID: <520A4A66.7040707@aol.com>
Date: Tue, 13 Aug 2013 11:01:58 -0400
From: George Fletcher <gffletch@aol.com>
Organization: AOL LLC
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:17.0) Gecko/20130801 Thunderbird/17.0.8
MIME-Version: 1.0
To: Anthony Nadalin <tonynad@microsoft.com>
References: <8e1ea7617c20b54b3cecbc99364b399a@gluu.org> " <4AACCC15-5DE8-4906-9756-0E33D37FC240@oracle.com>" <520A35CA.50006@aol.com> <520A3BAD.1050703@mitre.org> <7a9ce33274304311a64057bb305be011@BY2PR03MB189.namprd03.prod.outlook.com> <60b4af16cbbc9c5e5b00fc1e63072c45@gluu.org> <a31200b47c9d477ca226f5e1fdb2dfbf@BY2PR03MB189.namprd03.prod.outlook.com> <520A4549.5040206@aol.com> <a64cf984cc42495f9d5d362dd2f9b980@BY2PR03MB189.namprd03.prod.outlook.com>
In-Reply-To: <a64cf984cc42495f9d5d362dd2f9b980@BY2PR03MB189.namprd03.prod.outlook.com>
Content-Type: multipart/alternative; boundary="------------060603090208030100080502"
x-aol-global-disposition: G
X-AOL-VSS-INFO: 5400.1158/92917
X-AOL-VSS-CODE: clean
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=mx.aol.com; s=20121107; t=1376406119; bh=TRjuD7l/dMBij2WklcOv+8sCPaWhszPgYESyV82Z0zQ=; h=From:To:Subject:Message-ID:Date:MIME-Version:Content-Type; b=URi4TkiovlZVAx3y2OgRzqe27wt8AnvznaNfe0qa1c2MzusKLXqP0d1UbY31O/qRL 9V4pBvSbIR0JrBeXIJ7Wt/2ADl0xz53SDxp3BenrpiEHEZl+GrnUuyQo9Q9huCQYE2 PvI1OuKDp1tZx5lCIGEKQW/t+a0hgaqUv8B05BVc=
x-aol-sid: 3039ac1d33c1520a4a670fde
X-AOL-IP: 10.181.176.212
Cc: "mike@gluu.org" <mike@gluu.org>, "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] OX needs Dynamic Registration: please don't remove!
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 13 Aug 2013 15:02:05 -0000

This is a multi-part message in MIME format.
--------------060603090208030100080502
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 8bit


On 8/13/13 10:46 AM, Anthony Nadalin wrote:
>
> #1, it's yet another endpoint to have to manage secrets at, yes this is
> an OAuth item but it's growing out of control, we are trying to move
> away from secrets and management of these endpoints as this would be
> just another one we have to support, monitor and report on
>
So I don't see the "Registration Access Token" as a "secret" but if you
mean that the client has to keep it protected in some way then I at
least understand what you are referring to :) However, from what I've
seen with all these protocols (OAuth2, Dyn Reg, OIDC, ..) the client HAS
to protect some value anyway. Once the client has determined what that
mechanism is... it's not hard to store another value so I don't get the
argument.

If the plan is to leverage on-device trusted hardware to sign "data" for
proof of the client, then that still works with this spec. It's just the
"Initial Access Token" and potentially the "Registration Access Token"
can be self-asserted by the "client" rather than storing a value. I
don't see the complexity.

> #2 yes, 1 physical endpoint acting as multiple authorization servers
>
This same requirement came up in OIDC and the solution was to use a
specific path on the host to represent the tenant. That same solution
will work here without any changes. Each tenant has its own
registration URL.

Am I missing something?

Thanks,
George
>
> *From:* George Fletcher [mailto:gffletch@aol.com]
> *Sent:* Tuesday, August 13, 2013 7:40 AM
> *To:* Anthony Nadalin
> *Cc:* mike@gluu.org; Justin Richer; oauth@ietf.org
> *Subject:* Re: [OAUTH-WG] OX needs Dynamic Registration: please don't 
> remove!
>
> Hi Tony,
>
> Could you please explain a little more?
>
> For issue 1:
> * Which "secret" are you referring to? OAuth2 by default allows for an 
> optional client_secret. I'm not sure why this would cause management 
> issues? Or are you referring to the "Registration Access Token"?
> * Why is a separate endpoint an issue? Any client is going to be 
> talking to more than just the /authorize and /token endpoints anyway 
> so I'm confused regarding the extra complexity?
>
> For issue 2:
> * What specifically do you mean by "multi-tenant"? Is this one server 
> acting on behalf of multiple tenants and so appearing as multiple 
> Authorization Servers?
>
> Thanks,
> George
>
> On 8/13/13 10:34 AM, Anthony Nadalin wrote:
>
>     So, (1) Management of the secret causes us management issues, yet another endpoint to manage, there may be ways around this issue with assertions. (2) The schema/data model are not useable as defined. Internationalization is an issue. Multi-tenant issues, this also goes back to schema/data model.
>
>     -----Original Message-----
>     From: mike@gluu.org [mailto:mike@gluu.org]
>     Sent: Tuesday, August 13, 2013 7:22 AM
>     To: Anthony Nadalin
>     Cc: Justin Richer; George Fletcher; oauth@ietf.org
>     Subject: RE: [OAUTH-WG] OX needs Dynamic Registration: please don't remove!
>
>     Anthony,
>
>     As I mentioned, we are using it as part of the OX UMA implementation.
>     Can you be more specific?
>         1) What parts of it would cause add'l management?
>         2) What parts do not meet your requirements that could not be satisfied with a
>            supplemental profile?
>
>     - Mike
>
>     On 2013-08-13 09:15, Anthony Nadalin wrote:
>
>         Who has implemented draft-ietf-oauth-dyn-reg-14 [5] and is in
>         production (of some sort)? We have no plans to implement as it does
>         not meet our requirements/use cases and causes additional management
>         and thus I believe would not serve as a valid core document to expand
>         upon.
>
>         FROM: oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] ON BEHALF
>         OF Justin Richer
>         SENT: Tuesday, August 13, 2013 6:59 AM
>         TO: George Fletcher
>         CC: mike@gluu.org; oauth@ietf.org
>         SUBJECT: Re: [OAUTH-WG] OX needs Dynamic Registration: please don't
>         remove!
>
>         +1
>
>         On 08/13/2013 09:34 AM, George Fletcher wrote:
>
>             I know I wasn't at the IETF meeting but I'm confused regarding all
>             this talk of "lack of consensus". It seems to me there is a lot of
>             consensus regarding the existing spec (given all the current
>             implementations). Couple that with the fact that the current spec
>             doesn't exclude the additional use cases that you've raised, I don't
>             see why we don't establish the current spec as the core document and
>             then develop profiles for the additional use cases. It is unlikely
>             that there is going to be a true single solution because to cover all
>             the use cases it will have to be so flexible that profiles will arise
>             regardless. In that case, let's build off the solid core that we have
>             and add these additional profiles providing a win-win for
>             implementers.
>
>             My 2 cents :)
>
>             Thanks,
>             George
>
>             On 8/12/13 7:55 PM, Phil Hunt wrote:
>
>                 I don't think there is a call to stop work. However there is a lack
>                 of consensus on the current draft moving forward.
>
>                 I too want a single, simple solution.
>
>                 Phil
>
>                 On 2013-08-08, at 13:22, mike@gluu.org wrote:
>
>                     OAuth WG,
>
>                     As some of you may know, the OX open source project provides an
>                     implementation of Enterprise UMA, which enables organizations to
>                     control which people and clients can access web resources.
>
>                     I rarely weigh in, because you all are doing such a great job.
>                     However, I was quite distressed to learn about the suggestion to
>                     stop work on the dynamic client registration spec. This proposed
>                     change would have a negative impact on OX, and the varied adopters
>                     of our software from around the world.
>
>                     No standard for dynamic client registration would make OX less
>                     "standard" by creating a bigger delta between UMA and other OAuth2
>                     implementations. As OX also implements the OpenID Connect OP
>                     endpoints, and dropping this effort would also make a convergence
>                     path for client registration less likely.
>
>                     Please leave dynamic client registration!
>
>                     Thanks for all your great work!
>
>                     - Mike Schwartz
>                     Founder / CEO
>                     Gluu
>                     http://gluu.org [1]
>
>                     PS: Help us crowd fund open source OAuth2 plugins for Apache HTTPD:
>                     http://www.gluu.co/uma-apache [2]
>
>                     _______________________________________________
>                     OAuth mailing list
>                     OAuth@ietf.org
>                     https://www.ietf.org/mailman/listinfo/oauth [3]
>
>                 _______________________________________________
>                 OAuth mailing list
>                 OAuth@ietf.org
>                 https://www.ietf.org/mailman/listinfo/oauth [3]
>
>             --
>             [4]
>
>             _______________________________________________
>             OAuth mailing list
>             OAuth@ietf.org
>             https://www.ietf.org/mailman/listinfo/oauth [3]
>
>         Links:
>         ------
>         [1] http://gluu.org
>         [2] http://www.gluu.co/uma-apache
>         [3] https://www.ietf.org/mailman/listinfo/oauth
>         [4] http://connect.me/gffletch
>         [5] http://datatracker.ietf.org/doc/draft-ietf-oauth-dyn-reg/
>
> -- 
> George Fletcher <http://connect.me/gffletch>
>

-- 
George Fletcher <http://connect.me/gffletch>

--------------060603090208030100080502--
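
The tenant-per-path layout described in the message above, with the Registration Access Token checked against the tenant and client named in the URL, as an added Python sketch; it is not part of the message or of the draft. The host, tenant names, class name and in-memory storage are assumptions, and `private_key_jwt` is the OIDC registration value for key-based client authentication.

```python
import hashlib
import hmac
import secrets
from urllib.parse import urlsplit

# Auth methods for which the server hands the client a shared secret.
SECRET_METHODS = {"client_secret_basic", "client_secret_post"}


def _digest(token: str) -> bytes:
    """Only a hash of the Registration Access Token is kept server-side."""
    return hashlib.sha256(token.encode()).digest()


class RegistrationEndpoint:
    """Hypothetical handler: one physical host, one registration URL per tenant."""

    def __init__(self, base: str, tenants):
        self.base = base.rstrip("/")
        self.tenants = set(tenants)
        self._clients = {}  # (tenant, client_id) -> stored record

    def registration_url(self, tenant: str) -> str:
        return f"{self.base}/{tenant}/register"

    def _route(self, url: str):
        """Map <base>/<tenant>/register[/<client_id>] to (tenant, remaining segments)."""
        parts = urlsplit(url)
        if f"{parts.scheme}://{parts.netloc}" != self.base:
            raise LookupError("wrong host")
        segs = [s for s in parts.path.split("/") if s]
        if len(segs) < 2 or segs[0] not in self.tenants or segs[1] != "register":
            raise LookupError("no such tenant registration URL")
        return segs[0], segs[2:]

    def register(self, url: str, metadata: dict) -> dict:
        tenant, rest = self._route(url)
        if rest:
            raise LookupError("new registrations go to the tenant's registration URL")
        method = metadata.get("token_endpoint_auth_method", "client_secret_basic")
        client_id = secrets.token_urlsafe(16)
        token = secrets.token_urlsafe(32)
        # The record is keyed by tenant, so a token is only ever valid
        # under the path of the tenant that issued it.
        self._clients[(tenant, client_id)] = {
            "metadata": dict(metadata, token_endpoint_auth_method=method),
            "token_hash": _digest(token),
        }
        response = {
            "client_id": client_id,
            "token_endpoint_auth_method": method,
            "registration_access_token": token,
            "registration_client_uri": f"{self.registration_url(tenant)}/{client_id}",
        }
        if method in SECRET_METHODS:
            # Storing and verifying the secret at the token endpoint is out of scope here.
            response["client_secret"] = secrets.token_urlsafe(32)
        return response

    def read(self, url: str, bearer: str) -> dict:
        tenant, rest = self._route(url)
        if len(rest) != 1:
            raise LookupError("expected a client configuration URL")
        record = self._clients.get((tenant, rest[0]))
        ok = record is not None and hmac.compare_digest(
            _digest(bearer), record["token_hash"]
        )
        if not ok:
            raise PermissionError("token not valid for this tenant and client")
        return {"client_id": rest[0], **record["metadata"]}


if __name__ == "__main__":
    # Constructed host and tenant names.
    ep = RegistrationEndpoint("https://as.example.com", ["tenant-a", "tenant-b"])
    reg = ep.register(ep.registration_url("tenant-a"), {"client_name": "demo"})
    print(reg["registration_client_uri"])
    print(ep.read(reg["registration_client_uri"], reg["registration_access_token"]))
    try:
        ep.read(
            reg["registration_client_uri"].replace("/tenant-a/", "/tenant-b/"),
            reg["registration_access_token"],
        )
    except PermissionError as exc:
        print("other tenant's path rejected:", exc)
```
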

From jricher@mitre.org  Tue Aug 13 08:08:31 2013
Return-Path: <jricher@mitre.org>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1BE7121E813B for <oauth@ietfa.amsl.com>; Tue, 13 Aug 2013 08:08:31 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.223
X-Spam-Level: 
X-Spam-Status: No, score=-6.223 tagged_above=-999 required=5 tests=[AWL=-0.225, BAYES_00=-2.599, HTML_MESSAGE=0.001, J_CHICKENPOX_31=0.6, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id mqcoZkE9Wn4E for <oauth@ietfa.amsl.com>; Tue, 13 Aug 2013 08:08:23 -0700 (PDT)
Received: from smtpksrv1.mitre.org (smtpksrv1.mitre.org [198.49.146.77]) by ietfa.amsl.com (Postfix) with ESMTP id 9BAAD11E80A2 for <oauth@ietf.org>; Tue, 13 Aug 2013 08:08:22 -0700 (PDT)
Received: from smtpksrv1.mitre.org (localhost.localdomain [127.0.0.1]) by localhost (Postfix) with SMTP id 4AD7C1F0490; Tue, 13 Aug 2013 11:08:22 -0400 (EDT)
Received: from IMCCAS04.MITRE.ORG (imccas04.mitre.org [129.83.29.81]) by smtpksrv1.mitre.org (Postfix) with ESMTP id 31D441F093C; Tue, 13 Aug 2013 11:08:22 -0400 (EDT)
Received: from [10.146.15.13] (129.83.31.56) by IMCCAS04.MITRE.ORG (129.83.29.81) with Microsoft SMTP Server (TLS) id 14.2.342.3; Tue, 13 Aug 2013 11:08:21 -0400
Message-ID: <520A4B32.8000103@mitre.org>
Date: Tue, 13 Aug 2013 11:05:22 -0400
From: Justin Richer <jricher@mitre.org>
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:17.0) Gecko/20130623 Thunderbird/17.0.7
MIME-Version: 1.0
To: Phil Hunt <phil.hunt@oracle.com>
References: <8e1ea7617c20b54b3cecbc99364b399a@gluu.org> <4AACCC15-5DE8-4906-9756-0E33D37FC240@oracle.com> <520A35CA.50006@aol.com> <520A3BAD.1050703@mitre.org> <7a9ce33274304311a64057bb305be011@BY2PR03MB189.namprd03.prod.outlook.com> <60b4af16cbbc9c5e5b00fc1e63072c45@gluu.org> <a31200b47c9d477ca226f5e1fdb2dfbf@BY2PR03MB189.namprd03.prod.outlook.com> <520A4549.5040206@aol.com> <a64cf984cc42495f9d5d362dd2f9b980@BY2PR03MB189.namprd03.prod.outlook.com> <520A472C.6040101@mitre.org> <D01CFAFF-0FB5-406C-86F3-E7D0952D01FB@oracle.com>
In-Reply-To: <D01CFAFF-0FB5-406C-86F3-E7D0952D01FB@oracle.com>
Content-Type: multipart/alternative; boundary="------------050802010701060906000305"
X-Originating-IP: [129.83.31.56]
Cc: "mike@gluu.org" <mike@gluu.org>, "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] OX needs Dynamic Registration: please don't remove!
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 13 Aug 2013 15:08:31 -0000

--------------050802010701060906000305
Content-Type: text/plain; charset="UTF-8"; format=flowed
Content-Transfer-Encoding: 8bit

You can definitely issue or use other kinds of secrets with both dyn reg 
and the scim variant -- this was the reason we made a registry for the 
token_endpoint_auth_method at your (Phil's) request. Thing is, there 
weren't documents that described the authentication mechanisms that we 
could directly point to. OIDC has a method of using a client's own 
public key (which gets registered with jwks_uri), but that wasn't 
general enough to include here so we left it in the OIDC extension 
document, where it belongs. In that case, the client wouldn't get a 
client_secret. The same is true if you issue a client_assertion as part 
of the registration process.

It would get a registration_access_token, though, so that it can manage 
its own registration if needed. But that's just a very basic OAuth2 
Bearer token, and if your OAuth server can't handle issuing and 
validating OAuth tokens, you probably shouldn't be letting clients 
register themselves anyway. ;)

  -- Justin


On 08/13/2013 11:00 AM, Phil Hunt wrote:
> Dyn reg and the scim reg variant depend too much/biased towards 
> passwords expressed as client secrets.
>
> A signed token approach has many advantages for service providers like 
> not having to maintain a secure database of secrets/passwords.
>
> Finally, issuing both a client secret and registration token is costly 
> and confusing to client developers.  I relented somewhat when I 
> realized Kerberos does this--but I still feel it is a bad design at 
> cloud scale.
>
> Phil
>
> On 2013-08-13, at 7:48, Justin Richer <jricher@mitre.org 
> <mailto:jricher@mitre.org>> wrote:
>
>> The spec doesn't care where you deploy at -- if URL space is at a 
>> premium for you, then switch based on input parameters and other 
>> things. And you're still not clear on which "secrets" you're taking 
>> issue with.
>>
>>  -- Justin
>>
>> On 08/13/2013 10:46 AM, Anthony Nadalin wrote:
>>>
>>> #1, it's yet another endpoint to have to manage secrets at, yes this 
>>> is an OAuth item but it's growing out of control, we are trying to 
>>> move away from secrets and management of these endpoints as this 
>>> would be just another one we have to support, monitor and report on
>>>
>>> #2 yes, 1 physical endpoint acting as multiple authorization servers
>>>
>>> *From:*George Fletcher [mailto:gffletch@aol.com]
>>> *Sent:* Tuesday, August 13, 2013 7:40 AM
>>> *To:* Anthony Nadalin
>>> *Cc:* mike@gluu.org; Justin Richer; oauth@ietf.org
>>> *Subject:* Re: [OAUTH-WG] OX needs Dynamic Registration: please 
>>> don't remove!
>>>
>>> Hi Tony,
>>>
>>> Could you please explain a little more?
>>>
>>> For issue 1:
>>> * Which "secret" are you referring to? OAuth2 by default allows for 
>>> an optional client_secret. I'm not sure why this would cause 
>>> management issues? Or are you referring to the "Registration Access 
>>> Token"?
>>> * Why is a separate endpoint an issue? Any client is going to be 
>>> talking to more than just the /authorize and /token endpoints anyway 
>>> so I'm confused regarding the extra complexity?
>>>
>>> For issue 2:
>>> * What specifically do you mean by "multi-tenant"? Is this one 
>>> server acting on behalf of multiple tenants and so appearing as 
>>> multiple Authorization Servers?
>>>
>>> Thanks,
>>> George
>>>
>>> On 8/13/13 10:34 AM, Anthony Nadalin wrote:
>>>
>>>     So, (1) Management of the secret causes us management issues, yet another endpoint to manage, there may be ways around this issue with assertions. (2) The schema/data model are not useable as defined. Internationalization is an issue. Multi-tenant issues, this also goes back to schema/data model.
>>>
>>>     -----Original Message-----
>>>     From: mike@gluu.org <mailto:mike@gluu.org> [mailto:mike@gluu.org]
>>>     Sent: Tuesday, August 13, 2013 7:22 AM
>>>     To: Anthony Nadalin
>>>     Cc: Justin Richer; George Fletcher; oauth@ietf.org <mailto:oauth@ietf.org>
>>>     Subject: RE: [OAUTH-WG] OX needs Dynamic Registration: please don't remove!
>>>
>>>     Anthony,
>>>
>>>     As I mentioned, we are using it as part of the OX UMA implementation.
>>>     Can you be more specific?
>>>         1) What parts of it would cause add'l management?
>>>         2) What parts do not meet your requirements that could not be satisfied with a
>>>            supplemental profile?
>>>
>>>     - Mike
>>>
>>>     On 2013-08-13 09:15, Anthony Nadalin wrote:
>>>
>>>         Who has implemented draft-ietf-oauth-dyn-reg-14 [5] and is in
>>>         production (of some sort)? We have no plans to implement as it does
>>>         not meet our requirements/use cases and causes additional management
>>>         and thus I believe would not serve as a valid core document to expand
>>>         upon.
>>>
>>>         FROM: oauth-bounces@ietf.org <mailto:oauth-bounces@ietf.org> [mailto:oauth-bounces@ietf.org] ON BEHALF OF Justin Richer
>>>         SENT: Tuesday, August 13, 2013 6:59 AM
>>>         TO: George Fletcher
>>>         CC: mike@gluu.org <mailto:mike@gluu.org>; oauth@ietf.org <mailto:oauth@ietf.org>
>>>         SUBJECT: Re: [OAUTH-WG] OX needs Dynamic Registration: please don't remove!
>>>
>>>         +1
>>>
>>>         On 08/13/2013 09:34 AM, George Fletcher wrote:
>>>
>>>             I know I wasn't at the IETF meeting but I'm confused regarding all
>>>             this talk of "lack of consensus". It seems to me there is a lot of
>>>             consensus regarding the existing spec (given all the current
>>>             implementations). Couple that with the fact that the current spec
>>>             doesn't exclude the additional use cases that you've raised, I don't
>>>             see why we don't establish the current spec as the core document and
>>>             then develop profiles for the additional use cases. It is unlikely
>>>             that there is going to be a true single solution because to cover all
>>>             the use cases it will have to be so flexible that profiles will arise
>>>             regardless. In that case, let's build off the solid core that we have
>>>             and add these additional profiles providing a win-win for
>>>             implementers.
>>>
>>>             My 2 cents :)
>>>
>>>             Thanks,
>>>             George
>>>
>>>             On 8/12/13 7:55 PM, Phil Hunt wrote:
>>>
>>>                 I don't think there is a call to stop work. However there is a lack
>>>                 of consensus on the current draft moving forward.
>>>
>>>                 I too want a single, simple solution.
>>>
>>>                 Phil
>>>
>>>                 On 2013-08-08, at 13:22, mike@gluu.org <mailto:mike@gluu.org> wrote:
>>>
>>>                     OAuth WG,
>>>
>>>                     As some of you may know, the OX open source project provides an
>>>                     implementation of Enterprise UMA, which enables organizations to
>>>                     control which people and clients can access web resources.
>>>
>>>                     I rarely weigh in, because you all are doing such a great job.
>>>                     However, I was quite distressed to learn about the suggestion to
>>>                     stop work on the dynamic client registration spec. This proposed
>>>                     change would have a negative impact on OX, and the varied adopters
>>>                     of our software from around the world.
>>>
>>>                     No standard for dynamic client registration would make OX less
>>>                     "standard" by creating a bigger delta between UMA and other OAuth2
>>>                     implementations. As OX also implements the OpenID Connect OP
>>>                     endpoints, dropping this effort would also make a convergence
>>>                     path for client registration less likely.
>>>
>>>                     Please leave dynamic client registration!
>>>
>>>                     Thanks for all your great work!
>>>
>>>                     - Mike Schwartz
>>>                     Founder / CEO
>>>                     Gluu
>>>                     http://gluu.org [1]
>>>
>>>                     PS: Help us crowd fund open source OAuth2 plugins for Apache HTTPD:
>>>                     http://www.gluu.co/uma-apache [2]
>>>
>>>                     _______________________________________________
>>>                     OAuth mailing list
>>>                     OAuth@ietf.org <mailto:OAuth@ietf.org>
>>>                     https://www.ietf.org/mailman/listinfo/oauth [3]
>>>
>>>             --
>>>             [4]
>>>
>>>         Links:
>>>         ------
>>>         [1] http://gluu.org
>>>         [2] http://www.gluu.co/uma-apache
>>>         [3] https://www.ietf.org/mailman/listinfo/oauth
>>>         [4] http://connect.me/gffletch
>>>         [5] http://datatracker.ietf.org/doc/draft-ietf-oauth-dyn-reg/
>>>
>>> -- 
>>> <mime-attachment.png> <http://connect.me/gffletch>
>>>
>>
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org <mailto:OAuth@ietf.org>
>> https://www.ietf.org/mailman/listinfo/oauth


--------------050802010701060906000305
Content-Type: text/html; charset="UTF-8"
Content-Transfer-Encoding: 8bit

<html>
  <head>
    <meta content="text/html; charset=UTF-8" http-equiv="Content-Type">
  </head>
  <body bgcolor="#FFFFFF" text="#000000">
    You can definitely issue or use other kinds of secrets with both dyn
    reg and the scim variant -- this was the reason we made a registry
    for the token_endpoint_auth_method at your (Phil's) request. Thing
    is, there weren't documents that described the authentication
    mechanisms that we could directly point to. OIDC has a method of
    using a client's own public key (which gets registered with
    jwks_uri), but that wasn't general enough to include here so we left
    it in the OIDC extension document, where it belongs. In that case,
    the client wouldn't get a client_secret. The same is true if you
    issue a client_assertion as part of the registration process. <br>
    <br>
    It would get a registration_access_token, though, so that it can
    manage its own registration if needed. But that's just a very basic
    OAuth2 Bearer token, and if your OAuth server can't handle issuing
    and validating OAuth tokens, you probably shouldn't be letting
    clients register themselves anyway. ;)<br>
    <br>
    Â -- Justin<br>
    <br>
    <br>
    <div class="moz-cite-prefix">On 08/13/2013 11:00 AM, Phil Hunt
      wrote:<br>
    </div>
    <blockquote
      cite="mid:D01CFAFF-0FB5-406C-86F3-E7D0952D01FB@oracle.com"
      type="cite">
      <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
      <div>Dyn reg and the scim reg variant depend too much/biased
        towards Â passwords expressed as client secrets.Â </div>
      <div><br>
      </div>
      <div>A signed token approach has many advantages for service
        providers like not having to maintain a secure database of
        secrets/passwords.Â </div>
      <div><br>
      </div>
      <div>Finally issuing both a client secret and registration token
        is costly and confusing to client developers. Â I relented
        somewhat when I realized kerberos does this--but i still feel it
        is a bad design at cloud scale.Â </div>
      <div><br>
      </div>
      <div>Phil</div>
      <div><br>
        On 2013-08-13, at 7:48, Justin Richer &lt;<a
          moz-do-not-send="true" href="mailto:jricher@mitre.org">jricher@mitre.org</a>&gt;
        wrote:<br>
        <br>
      </div>
      <div><span></span></div>
      <blockquote type="cite">
        <div> The spec doesn't care where you deploy at -- if URL space
          is at a premium for you, then switch based on input parameters
          and other things. And you're still not clear on which
          "secrets" you're taking issue with.<br>
          <br>
          Â -- Justin<br>
          <br>
          <div class="moz-cite-prefix">On 08/13/2013 10:46 AM, Anthony
            Nadalin wrote:<br>
          </div>
          <blockquote
cite="mid:a64cf984cc42495f9d5d362dd2f9b980@BY2PR03MB189.namprd03.prod.outlook.com"
            type="cite">
            <meta name="Generator" content="Microsoft Word 15 (filtered
              medium)">
            <!--[if !mso]><style>v\:* {behavior:url(#default#VML);}
o\:* {behavior:url(#default#VML);}
w\:* {behavior:url(#default#VML);}
.shape {behavior:url(#default#VML);}
</style><![endif]-->
            <style><!--
/* Font Definitions */
@font-face
	{font-family:Helvetica;
	panose-1:2 11 6 4 2 2 2 2 2 4;}
@font-face
	{font-family:"Cambria Math";
	panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
	{font-family:Calibri;
	panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
	{font-family:Consolas;
	panose-1:2 11 6 9 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
	{margin:0in;
	margin-bottom:.0001pt;
	font-size:12.0pt;
	font-family:"Times New Roman","serif";
	color:black;}
a:link, span.MsoHyperlink
	{mso-style-priority:99;
	color:blue;
	text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
	{mso-style-priority:99;
	color:purple;
	text-decoration:underline;}
pre
	{mso-style-priority:99;
	mso-style-link:"HTML Preformatted Char";
	margin:0in;
	margin-bottom:.0001pt;
	font-size:10.0pt;
	font-family:"Courier New";
	color:black;}
span.HTMLPreformattedChar
	{mso-style-name:"HTML Preformatted Char";
	mso-style-priority:99;
	mso-style-link:"HTML Preformatted";
	font-family:Consolas;
	color:black;}
span.EmailStyle19
	{mso-style-type:personal-reply;
	font-family:"Calibri","sans-serif";
	color:#1F497D;}
.MsoChpDefault
	{mso-style-type:export-only;
	font-size:10.0pt;}
@page WordSection1
	{size:8.5in 11.0in;
	margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
	{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
            <div class="WordSection1">
              <p class="MsoNormal"><span
style="font-size:11.0pt;font-family:&quot;Calibri&quot;,&quot;sans-serif&quot;;color:#1F497D">#1,

                  its yet another endpoint to have to manage secrets at,
                  yes this is an OAuth item but itâ€™s growing out of
                  control, we are trying to move away from secrets and
                  management of these endpoints as this would be just
                  another one we have to support, monitor and report on<o:p></o:p></span></p>
              <p class="MsoNormal"><span
style="font-size:11.0pt;font-family:&quot;Calibri&quot;,&quot;sans-serif&quot;;color:#1F497D">#2

                  yes, 1 physical endpoint acting as multiple
                  authorization servers<o:p></o:p></span></p>
              <p class="MsoNormal"><a moz-do-not-send="true"
                  name="_MailEndCompose"><span
style="font-size:11.0pt;font-family:&quot;Calibri&quot;,&quot;sans-serif&quot;;color:#1F497D"><o:p>Â </o:p></span></a></p>
              <div>
                <div style="border:none;border-top:solid #E1E1E1
                  1.0pt;padding:3.0pt 0in 0in 0in">
                  <p class="MsoNormal"><b><span
style="font-size:11.0pt;font-family:&quot;Calibri&quot;,&quot;sans-serif&quot;;color:windowtext">From:</span></b><span
style="font-size:11.0pt;font-family:&quot;Calibri&quot;,&quot;sans-serif&quot;;color:windowtext">
                      George Fletcher [<a moz-do-not-send="true"
                        class="moz-txt-link-freetext"
                        href="mailto:gffletch@aol.com">mailto:gffletch@aol.com</a>]
                      <br>
                      <b>Sent:</b> Tuesday, August 13, 2013 7:40 AM<br>
                      <b>To:</b> Anthony Nadalin<br>
                      <b>Cc:</b> <a moz-do-not-send="true"
                        class="moz-txt-link-abbreviated"
                        href="mailto:mike@gluu.org">mike@gluu.org</a>;
                      Justin Richer; <a moz-do-not-send="true"
                        class="moz-txt-link-abbreviated"
                        href="mailto:oauth@ietf.org">oauth@ietf.org</a><br>
                      <b>Subject:</b> Re: [OAUTH-WG] OX needs Dynamic
                      Registration: please don't remove!<o:p></o:p></span></p>
                </div>
              </div>
              <p class="MsoNormal"><o:p>Â </o:p></p>
              <p class="MsoNormal" style="margin-bottom:12.0pt"><span
                  style="font-family:&quot;Helvetica&quot;,&quot;sans-serif&quot;">Hi

                  Tony,<br>
                  <br>
                  Could you please explain a little more? <br>
                  <br>
                  For issue 1:<br>
                  * Which "secret" are you referring to? OAuth2 by
                  default allows for an optional client_secret. I'm not
                  sure why this would cause management issues? Or are
                  you referring to the "Registration Access Token"?<br>
                  * Why is a separate endpoint an issue? Any client is
                  going to be talking to more than just the /authorize
                  and /token endpoints anyway so I'm confused regarding
                  the extra complexity?<br>
                  <br>
                  For issue 2:<br>
                  * What specifically do you mean by "multi-tenant"? Is
                  this one server acting on behalf of multiple tenants
                  and so appearing as multiple Authorization Servers? <br>
                  <br>
                  Thanks,<br>
                  George</span><o:p></o:p></p>
              <div>
                <p class="MsoNormal">On 8/13/13 10:34 AM, Anthony
                  Nadalin wrote:<o:p></o:p></p>
              </div>
              <blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
                <pre>So, (1) Management of the secret causes us management issues, yet another endpoint to manage, there may be ways around this issue with assertions. (2) The schema/data model are not useable as defined. Internationalization is an issue. Multi-tenant issues, this also goes back to schema/data model.<o:p></o:p></pre>
                <pre><o:p>Â </o:p></pre>
                <pre><o:p>Â </o:p></pre>
                <pre>-----Original Message-----<o:p></o:p></pre>
                <pre>From: <a moz-do-not-send="true" href="mailto:mike@gluu.org">mike@gluu.org</a> [<a moz-do-not-send="true" href="mailto:mike@gluu.org">mailto:mike@gluu.org</a>] <o:p></o:p></pre>
                <pre>Sent: Tuesday, August 13, 2013 7:22 AM<o:p></o:p></pre>
                <pre>To: Anthony Nadalin<o:p></o:p></pre>
                <pre>Cc: Justin Richer; George Fletcher; <a moz-do-not-send="true" href="mailto:oauth@ietf.org">oauth@ietf.org</a><o:p></o:p></pre>
                <pre>Subject: RE: [OAUTH-WG] OX needs Dynamic Registration: please don't remove!<o:p></o:p></pre>
                <pre><o:p>Â </o:p></pre>
                <pre>Anthony,<o:p></o:p></pre>
                <pre><o:p>Â </o:p></pre>
                <pre>As I mentioned, we are using it as part of the OX UMA implementation. <o:p></o:p></pre>
                <pre>Can you be more specific?<o:p></o:p></pre>
                <pre>Â Â  1) What parts of it would cause add'l management?<o:p></o:p></pre>
                <pre>Â Â  2) What parts do not meet your requirements that could not be satisfied with a<o:p></o:p></pre>
                <pre>Â Â Â Â Â  supplemental profile?<o:p></o:p></pre>
                <pre><o:p>Â </o:p></pre>
                <pre>- Mike<o:p></o:p></pre>
                <pre><o:p>Â </o:p></pre>
                <pre><o:p>Â </o:p></pre>
                <pre><o:p>Â </o:p></pre>
                <pre>On 2013-08-13 09:15, Anthony Nadalin wrote:<o:p></o:p></pre>
                <blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
                  <pre>Who has implemented draft-ietf-oauth-dyn-reg-14 [5] and is in <o:p></o:p></pre>
                  <pre>production (of some sort) ? We have no plans to implement as it does <o:p></o:p></pre>
                  <pre>not meet our requirements/use cases and causes additional management <o:p></o:p></pre>
                  <pre>and thus I believe would not serve as a valid core document to expand <o:p></o:p></pre>
                  <pre>upon.<o:p></o:p></pre>
                  <pre><o:p>Â </o:p></pre>
                  <pre>FROM: <a moz-do-not-send="true" href="mailto:oauth-bounces@ietf.org">oauth-bounces@ietf.org</a> [<a moz-do-not-send="true" href="mailto:oauth-bounces@ietf.org">mailto:oauth-bounces@ietf.org</a>] ON BEHALF <o:p></o:p></pre>
                  <pre>OF Justin Richer<o:p></o:p></pre>
                  <pre> SENT: Tuesday, August 13, 2013 6:59 AM<o:p></o:p></pre>
                  <pre> TO: George Fletcher<o:p></o:p></pre>
                  <pre> CC: <a moz-do-not-send="true" href="mailto:mike@gluu.org">mike@gluu.org</a>; <a moz-do-not-send="true" href="mailto:oauth@ietf.org">oauth@ietf.org</a><o:p></o:p></pre>
                  <pre> SUBJECT: Re: [OAUTH-WG] OX needs Dynamic Registration: please don't <o:p></o:p></pre>
                  <pre>remove!<o:p></o:p></pre>
                  <pre><o:p>Â </o:p></pre>
                  <pre>+1<o:p></o:p></pre>
                  <pre><o:p>Â </o:p></pre>
                  <pre>On 08/13/2013 09:34 AM, George Fletcher wrote:<o:p></o:p></pre>
                  <pre><o:p>Â </o:p></pre>
                  <blockquote
                    style="margin-top:5.0pt;margin-bottom:5.0pt">
                    <pre>I know I wasn't at the IETF meeting but I'm confused regarding all <o:p></o:p></pre>
                    <pre>this talk of "lack of consensus". It seems to me there is a lot of <o:p></o:p></pre>
                    <pre>consensus regarding the existing spec (given all the current <o:p></o:p></pre>
                    <pre>implementations). Couple that with the fact that the current spec <o:p></o:p></pre>
                    <pre>doesn't exclude the additional use cases that you've raised, I don't <o:p></o:p></pre>
                    <pre>see why we don't establish the current spec as the core document and <o:p></o:p></pre>
                    <pre>then develop profiles for the additional use cases. It is unlikely <o:p></o:p></pre>
                    <pre>that there is going to be a true single solution because to cover all <o:p></o:p></pre>
                    <pre>the use cases it will have to be so flexible that profiles will arise <o:p></o:p></pre>
                    <pre>regardless. In that case, let's build off the solid core that we have <o:p></o:p></pre>
                    <pre>and add these additional profiles providing a win-win for <o:p></o:p></pre>
                    <pre>implementers.<o:p></o:p></pre>
                    <pre><o:p>Â </o:p></pre>
                    <pre>My 2 cents:)<o:p></o:p></pre>
                    <pre><o:p>Â </o:p></pre>
                    <pre>Thanks,<o:p></o:p></pre>
                    <pre>George<o:p></o:p></pre>
                    <pre><o:p>Â </o:p></pre>
                    <pre>On 8/12/13 7:55 PM, Phil Hunt wrote:<o:p></o:p></pre>
                    <pre><o:p>Â </o:p></pre>
                    <blockquote
                      style="margin-top:5.0pt;margin-bottom:5.0pt">
                      <pre>I don't think there is a call to stop work. However there is a lack <o:p></o:p></pre>
                      <pre>of consensus on the current draft moving forward.<o:p></o:p></pre>
                      <pre><o:p>Â </o:p></pre>
                      <pre>I too want a single, simple solution.<o:p></o:p></pre>
                      <pre><o:p>Â </o:p></pre>
                      <pre>Phil<o:p></o:p></pre>
                      <pre><o:p>Â </o:p></pre>
                      <pre>On 2013-08-08, at 13:22, <a moz-do-not-send="true" href="mailto:mike@gluu.org">mike@gluu.org</a> wrote:<o:p></o:p></pre>
                      <pre><o:p>Â </o:p></pre>
                      <blockquote
                        style="margin-top:5.0pt;margin-bottom:5.0pt">
                        <pre>OAuth WG,<o:p></o:p></pre>
                        <pre><o:p>Â </o:p></pre>
                        <pre>As some of you may know, the OX open source project provides an <o:p></o:p></pre>
                        <pre>implementation of Enterprise UMA, which enables organizations to <o:p></o:p></pre>
                        <pre>control which people and clients can access web resources.<o:p></o:p></pre>
                        <pre><o:p>Â </o:p></pre>
                        <pre>I rarely weigh in, because you all are doing such great job. <o:p></o:p></pre>
                        <pre>However, I was quite distressed to learn about the suggestion to <o:p></o:p></pre>
                        <pre>stop work on the dynamic client registration spec. This proposed <o:p></o:p></pre>
                        <pre>change would have a negative impact on OX, and the varied adopters <o:p></o:p></pre>
                        <pre>of our software from around the world.<o:p></o:p></pre>
                        <pre><o:p>Â </o:p></pre>
                        <pre>No standard for dynamic client registration would make OX less <o:p></o:p></pre>
                        <pre>"standard" by creating a bigger delta between UMA and other OAuth2 <o:p></o:p></pre>
                        <pre>implementations. As OX also implements the OpenID Connect OP <o:p></o:p></pre>
                        <pre>endpoints, and dropping this effort would also makes a convergence <o:p></o:p></pre>
                        <pre>path for client registration less likely.<o:p></o:p></pre>
                        <pre><o:p>Â </o:p></pre>
                        <pre>Please leave dynamic client registration!<o:p></o:p></pre>
                        <pre><o:p>Â </o:p></pre>
                        <pre>Thanks for all your great work!<o:p></o:p></pre>
                        <pre><o:p>Â </o:p></pre>
                        <pre>- Mike Schwartz<o:p></o:p></pre>
                        <pre><o:p>Â </o:p></pre>
                        <pre>Founder / CEO<o:p></o:p></pre>
                        <pre><o:p>Â </o:p></pre>
                        <pre>Gluu<o:p></o:p></pre>
                        <pre><o:p>Â </o:p></pre>
                        <pre><a moz-do-not-send="true" href="http://gluu.org">http://gluu.org</a> [1]<o:p></o:p></pre>
                        <pre><o:p>Â </o:p></pre>
                        <pre>PS: Help us crowd fund open source OAuth2 plugins for Apache HTTPD<o:p></o:p></pre>
                        <pre>: <a moz-do-not-send="true" href="http://www.gluu.co/uma-apache">http://www.gluu.co/uma-apache</a> [2]<o:p></o:p></pre>
                        <pre><o:p>Â </o:p></pre>
                        <pre>_______________________________________________<o:p></o:p></pre>
                        <pre><o:p>Â </o:p></pre>
                        <pre>OAuth mailing list<o:p></o:p></pre>
                        <pre><o:p>Â </o:p></pre>
                        <pre><a moz-do-not-send="true" href="mailto:OAuth@ietf.org">OAuth@ietf.org</a><o:p></o:p></pre>
                        <pre><o:p>Â </o:p></pre>
                        <pre><a moz-do-not-send="true" href="https://www.ietf.org/mailman/listinfo/oauth">https://www.ietf.org/mailman/listinfo/oauth</a> [3]<o:p></o:p></pre>
                      </blockquote>
                      <pre><o:p>Â </o:p></pre>
                      <pre>_______________________________________________<o:p></o:p></pre>
                      <pre><o:p>Â </o:p></pre>
                      <pre>OAuth mailing list<o:p></o:p></pre>
                      <pre><o:p>Â </o:p></pre>
                      <pre><a moz-do-not-send="true" href="mailto:OAuth@ietf.org">OAuth@ietf.org</a><o:p></o:p></pre>
                      <pre><o:p>Â </o:p></pre>
                      <pre><a moz-do-not-send="true" href="https://www.ietf.org/mailman/listinfo/oauth">https://www.ietf.org/mailman/listinfo/oauth</a> [3]<o:p></o:p></pre>
                    </blockquote>
                    <pre><o:p>Â </o:p></pre>
                    <pre>--<o:p></o:p></pre>
                    <pre>[4]<o:p></o:p></pre>
                    <pre><o:p>Â </o:p></pre>
                    <pre>_______________________________________________<o:p></o:p></pre>
                    <pre><o:p>Â </o:p></pre>
                    <pre>OAuth mailing list<o:p></o:p></pre>
                    <pre><o:p>Â </o:p></pre>
                    <pre><a moz-do-not-send="true" href="mailto:OAuth@ietf.org">OAuth@ietf.org</a><o:p></o:p></pre>
                    <pre><o:p>Â </o:p></pre>
                    <pre><a moz-do-not-send="true" href="https://www.ietf.org/mailman/listinfo/oauth">https://www.ietf.org/mailman/listinfo/oauth</a> [3]<o:p></o:p></pre>
                  </blockquote>
                  <pre><o:p>Â </o:p></pre>
                  <pre><o:p>Â </o:p></pre>
                  <pre><o:p>Â </o:p></pre>
                  <pre>Links:<o:p></o:p></pre>
                  <pre>------<o:p></o:p></pre>
                  <pre>[1] <a moz-do-not-send="true" href="http://gluu.org">http://gluu.org</a><o:p></o:p></pre>
                  <pre>[2] <a moz-do-not-send="true" href="http://www.gluu.co/uma-apache">http://www.gluu.co/uma-apache</a><o:p></o:p></pre>
                  <pre>[3] <a moz-do-not-send="true" href="https://www.ietf.org/mailman/listinfo/oauth">https://www.ietf.org/mailman/listinfo/oauth</a><o:p></o:p></pre>
                  <pre>[4] <a moz-do-not-send="true" href="http://connect.me/gffletch">http://connect.me/gffletch</a><o:p></o:p></pre>
                  <pre>[5] <a moz-do-not-send="true" href="http://datatracker.ietf.org/doc/draft-ietf-oauth-dyn-reg/">http://datatracker.ietf.org/doc/draft-ietf-oauth-dyn-reg/</a><o:p></o:p></pre>
                </blockquote>
                <pre><o:p>&nbsp;</o:p></pre>
              </blockquote>
              <p class="MsoNormal"><o:p>&nbsp;</o:p></p>
              <div>
                <p class="MsoNormal">-- <br>
                  <a moz-do-not-send="true"
                    href="http://connect.me/gffletch" title="View full
                    card on Connect.Me"><span
                      style="text-decoration:none">&lt;mime-attachment.png&gt;</span></a><o:p></o:p></p>
              </div>
            </div>
          </blockquote>
          <br>
        </div>
      </blockquote>
      <blockquote type="cite">
        <div><span>_______________________________________________</span><br>
          <span>OAuth mailing list</span><br>
          <span><a moz-do-not-send="true" href="mailto:OAuth@ietf.org">OAuth@ietf.org</a></span><br>
          <span><a moz-do-not-send="true"
              href="https://www.ietf.org/mailman/listinfo/oauth">https://www.ietf.org/mailman/listinfo/oauth</a></span><br>
        </div>
      </blockquote>
    </blockquote>
    <br>
  </body>
</html>

--------------050802010701060906000305--

From phil.hunt@oracle.com  Tue Aug 13 08:16:35 2013
Return-Path: <phil.hunt@oracle.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6610921E8188 for <oauth@ietfa.amsl.com>; Tue, 13 Aug 2013 08:16:35 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.602
X-Spam-Level: 
X-Spam-Status: No, score=-4.602 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, HTML_MESSAGE=0.001, J_CHICKENPOX_31=0.6, MIME_QP_LONG_LINE=1.396, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id pRiOsgLEQloF for <oauth@ietfa.amsl.com>; Tue, 13 Aug 2013 08:16:30 -0700 (PDT)
Received: from aserp1040.oracle.com (aserp1040.oracle.com [141.146.126.69]) by ietfa.amsl.com (Postfix) with ESMTP id 3C27021E808C for <oauth@ietf.org>; Tue, 13 Aug 2013 08:16:30 -0700 (PDT)
Received: from acsinet22.oracle.com (acsinet22.oracle.com [141.146.126.238]) by aserp1040.oracle.com (Sentrion-MTA-4.3.1/Sentrion-MTA-4.3.1) with ESMTP id r7DFGRaB023093 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK); Tue, 13 Aug 2013 15:16:28 GMT
Received: from userz7022.oracle.com (userz7022.oracle.com [156.151.31.86]) by acsinet22.oracle.com (8.14.4+Sun/8.14.4) with ESMTP id r7DFGQQm029580 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Tue, 13 Aug 2013 15:16:27 GMT
Received: from abhmt115.oracle.com (abhmt115.oracle.com [141.146.116.67]) by userz7022.oracle.com (8.14.4+Sun/8.14.4) with ESMTP id r7DFGPB8011842; Tue, 13 Aug 2013 15:16:25 GMT
Received: from [192.168.1.125] (/24.86.29.34) by default (Oracle Beehive Gateway v4.0) with ESMTP ; Tue, 13 Aug 2013 08:16:25 -0700
References: <8e1ea7617c20b54b3cecbc99364b399a@gluu.org> <4AACCC15-5DE8-4906-9756-0E33D37FC240@oracle.com> <520A35CA.50006@aol.com> <520A3BAD.1050703@mitre.org> <7a9ce33274304311a64057bb305be011@BY2PR03MB189.namprd03.prod.outlook.com> <60b4af16cbbc9c5e5b00fc1e63072c45@gluu.org> <a31200b47c9d477ca226f5e1fdb2dfbf@BY2PR03MB189.namprd03.prod.outlook.com> <520A4549.5040206@aol.com> <a64cf984cc42495f9d5d362dd2f9b980@BY2PR03MB189.namprd03.prod.outlook.com> <520A472C.6040101@mitre.org> <D01CFAFF-0FB5-406C-86F3-E7D0952D01FB@oracle.com> <520A4B32.8000103@mitre.org>
Mime-Version: 1.0 (1.0)
In-Reply-To: <520A4B32.8000103@mitre.org>
Content-Type: multipart/alternative; boundary=Apple-Mail-B87DCD60-2EC1-482D-889E-0621609CDB17
Content-Transfer-Encoding: 7bit
Message-Id: <1B37B5E8-1890-4159-9962-730C6006F5CD@oracle.com>
X-Mailer: iPhone Mail (10B329)
From: Phil Hunt <phil.hunt@oracle.com>
Date: Tue, 13 Aug 2013 08:16:22 -0700
To: Justin Richer <jricher@mitre.org>
X-Source-IP: acsinet22.oracle.com [141.146.126.238]
Cc: "mike@gluu.org" <mike@gluu.org>, "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] OX needs Dynamic Registration: please don't remove!
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 13 Aug 2013 15:16:35 -0000

--Apple-Mail-B87DCD60-2EC1-482D-889E-0621609CDB17
Content-Type: text/plain;
	charset=utf-8
Content-Transfer-Encoding: quoted-printable

You missed both my points entirely.

Phil

On 2013-08-13, at 8:05, Justin Richer <jricher@mitre.org> wrote:

> You can definitely issue or use other kinds of secrets with both dyn reg and the scim variant -- this was the reason we made a registry for the token_endpoint_auth_method at your (Phil's) request. Thing is, there weren't documents that described the authentication mechanisms that we could directly point to. OIDC has a method of using a client's own public key (which gets registered with jwks_uri), but that wasn't general enough to include here so we left it in the OIDC extension document, where it belongs. In that case, the client wouldn't get a client_secret. The same is true if you issue a client_assertion as part of the registration process.
>
> It would get a registration_access_token, though, so that it can manage its own registration if needed. But that's just a very basic OAuth2 Bearer token, and if your OAuth server can't handle issuing and validating OAuth tokens, you probably shouldn't be letting clients register themselves anyway. ;)
>
>  -- Justin
>
>
> On 08/13/2013 11:00 AM, Phil Hunt wrote:
>> Dyn reg and the scim reg variant depend too much/biased towards passwords expressed as client secrets.
>>
>> A signed token approach has many advantages for service providers like not having to maintain a secure database of secrets/passwords.
>>
>> Finally issuing both a client secret and registration token is costly and confusing to client developers.  I relented somewhat when I realized Kerberos does this--but I still feel it is a bad design at cloud scale.
>>
>> Phil
>>
>> On 2013-08-13, at 7:48, Justin Richer <jricher@mitre.org> wrote:
>>
>>> The spec doesn't care where you deploy at -- if URL space is at a premium for you, then switch based on input parameters and other things. And you're still not clear on which "secrets" you're taking issue with.
>>>
>>>  -- Justin
>>>
>>> On 08/13/2013 10:46 AM, Anthony Nadalin wrote:
>>>> #1, it's yet another endpoint to have to manage secrets at, yes this is an OAuth item but it’s growing out of control, we are trying to move away from secrets and management of these endpoints as this would be just another one we have to support, monitor and report on
>>>> #2 yes, 1 physical endpoint acting as multiple authorization servers
>>>>
>>>> From: George Fletcher [mailto:gffletch@aol.com]
>>>> Sent: Tuesday, August 13, 2013 7:40 AM
>>>> To: Anthony Nadalin
>>>> Cc: mike@gluu.org; Justin Richer; oauth@ietf.org
>>>> Subject: Re: [OAUTH-WG] OX needs Dynamic Registration: please don't remove!
>>>>
>>>> Hi Tony,
>>>>
>>>> Could you please explain a little more?
>>>>
>>>> For issue 1:
>>>> * Which "secret" are you referring to? OAuth2 by default allows for an optional client_secret. I'm not sure why this would cause management issues? Or are you referring to the "Registration Access Token"?
>>>> * Why is a separate endpoint an issue? Any client is going to be talking to more than just the /authorize and /token endpoints anyway so I'm confused regarding the extra complexity?
>>>>
>>>> For issue 2:
>>>> * What specifically do you mean by "multi-tenant"? Is this one server acting on behalf of multiple tenants and so appearing as multiple Authorization Servers?
>>>>
>>>> Thanks,
>>>> George
>>>>
>>>> On 8/13/13 10:34 AM, Anthony Nadalin wrote:
>>>> So, (1) Management of the secret causes us management issues, yet another endpoint to manage, there may be ways around this issue with assertions. (2) The schema/data model are not useable as defined. Internationalization is an issue. Multi-tenant issues, this also goes back to schema/data model.
>>>>
>>>> -----Original Message-----
>>>> From: mike@gluu.org [mailto:mike@gluu.org]
>>>> Sent: Tuesday, August 13, 2013 7:22 AM
>>>> To: Anthony Nadalin
>>>> Cc: Justin Richer; George Fletcher; oauth@ietf.org
>>>> Subject: RE: [OAUTH-WG] OX needs Dynamic Registration: please don't remove!
>>>>
>>>> Anthony,
>>>>
>>>> As I mentioned, we are using it as part of the OX UMA implementation.
>>>> Can you be more specific?
>>>>    1) What parts of it would cause add'l management?
>>>>    2) What parts do not meet your requirements that could not be satisfied with a
>>>>       supplemental profile?
>>>>
>>>> - Mike
>>>>
>>>> On 2013-08-13 09:15, Anthony Nadalin wrote:
>>>> Who has implemented draft-ietf-oauth-dyn-reg-14 [5] and is in
>>>> production (of some sort)? We have no plans to implement as it does
>>>> not meet our requirements/use cases and causes additional management
>>>> and thus I believe would not serve as a valid core document to expand
>>>> upon.
>>>>
>>>> FROM: oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] ON BEHALF
>>>> OF Justin Richer
>>>>  SENT: Tuesday, August 13, 2013 6:59 AM
>>>>  TO: George Fletcher
>>>>  CC: mike@gluu.org; oauth@ietf.org
>>>>  SUBJECT: Re: [OAUTH-WG] OX needs Dynamic Registration: please don't
>>>> remove!
>>>>
>>>> +1
>>>>
>>>> On 08/13/2013 09:34 AM, George Fletcher wrote:
>>>>
>>>> I know I wasn't at the IETF meeting but I'm confused regarding all
>>>> this talk of "lack of consensus". It seems to me there is a lot of
>>>> consensus regarding the existing spec (given all the current
>>>> implementations). Couple that with the fact that the current spec
>>>> doesn't exclude the additional use cases that you've raised, I don't
>>>> see why we don't establish the current spec as the core document and
>>>> then develop profiles for the additional use cases. It is unlikely
>>>> that there is going to be a true single solution because to cover all
>>>> the use cases it will have to be so flexible that profiles will arise
>>>> regardless. In that case, let's build off the solid core that we have
>>>> and add these additional profiles providing a win-win for
>>>> implementers.
>>>>
>>>> My 2 cents:)
>>>>
>>>> Thanks,
>>>> George
>>>>
>>>> On 8/12/13 7:55 PM, Phil Hunt wrote:
>>>>
>>>> I don't think there is a call to stop work. However there is a lack
>>>> of consensus on the current draft moving forward.
>>>>
>>>> I too want a single, simple solution.
>>>>
>>>> Phil
>>>>
>>>> On 2013-08-08, at 13:22, mike@gluu.org wrote:
>>>>
>>>> OAuth WG,
>>>>
>>>> As some of you may know, the OX open source project provides an
>>>> implementation of Enterprise UMA, which enables organizations to
>>>> control which people and clients can access web resources.
>>>>
>>>> I rarely weigh in, because you all are doing such a great job.
>>>> However, I was quite distressed to learn about the suggestion to
>>>> stop work on the dynamic client registration spec. This proposed
>>>> change would have a negative impact on OX, and the varied adopters
>>>> of our software from around the world.
>>>>
>>>> No standard for dynamic client registration would make OX less
>>>> "standard" by creating a bigger delta between UMA and other OAuth2
>>>> implementations. As OX also implements the OpenID Connect OP
>>>> endpoints, and dropping this effort would also make a convergence
>>>> path for client registration less likely.
>>>>
>>>> Please leave dynamic client registration!
>>>>
>>>> Thanks for all your great work!
>>>>
>>>> - Mike Schwartz
>>>>
>>>> Founder / CEO
>>>>
>>>> Gluu
>>>>
>>>> http://gluu.org [1]
>>>>
>>>> PS: Help us crowd fund open source OAuth2 plugins for Apache HTTPD
>>>> : http://www.gluu.co/uma-apache [2]
>>>>
>>>> _______________________________________________
>>>>
>>>> OAuth mailing list
>>>>
>>>> OAuth@ietf.org
>>>>
>>>> https://www.ietf.org/mailman/listinfo/oauth [3]
>>>>
>>>> --
>>>> [4]
>>>>
>>>> Links:
>>>> ------
>>>> [1] http://gluu.org
>>>> [2] http://www.gluu.co/uma-apache
>>>> [3] https://www.ietf.org/mailman/listinfo/oauth
>>>> [4] http://connect.me/gffletch
>>>> [5] http://datatracker.ietf.org/doc/draft-ietf-oauth-dyn-reg/
>>>>
>>>> --
>>>> <mime-attachment.png>
>>>
>

--Apple-Mail-B87DCD60-2EC1-482D-889E-0621609CDB17
Content-Type: text/html;
	charset=utf-8
Content-Transfer-Encoding: quoted-printable

<html><head><meta http-equiv=3D"content-type" content=3D"text/html; charset=3D=
utf-8"></head><body dir=3D"auto"><div>You missed both my points entirely.&nb=
sp;<br><br>Phil</div><div><br>On 2013-08-13, at 8:05, Justin Richer &lt;<a h=
ref=3D"mailto:jricher@mitre.org">jricher@mitre.org</a>&gt; wrote:<br><br></d=
iv><blockquote type=3D"cite"><div>
 =20
    <meta content=3D"text/html; charset=3DUTF-8" http-equiv=3D"Content-Type"=
>
 =20
 =20
    You can definitely issue or use other kinds of secrets with both dyn
    reg and the scim variant -- this was the reason we made a registry
    for the token_endpoint_auth_method at your (Phil's) request. Thing
    is, there weren't documents that described the authentication
    mechanisms that we could directly point to. OIDC has a method of
    using a client's own public key (which gets registered with
    jwks_uri), but that wasn't general enough to include here so we left
    it in the OIDC extension document, where it belongs. In that case,
    the client wouldn't get a client_secret. The same is true if you
    issue a client_assertion as part of the registration process. <br>
    <br>
    It would get a registration_access_token, though, so that it can
    manage its own registration if needed. But that's just a very basic
    OAuth2 Bearer token, and if your OAuth server can't handle issuing
    and validating OAuth tokens, you probably shouldn't be letting
    clients register themselves anyway. ;)<br>
    <br>
    &nbsp;-- Justin<br>
    <br>
    <br>
    <div class=3D"moz-cite-prefix">On 08/13/2013 11:00 AM, Phil Hunt
      wrote:<br>
    </div>
    <blockquote cite=3D"mid:D01CFAFF-0FB5-406C-86F3-E7D0952D01FB@oracle.com"=
 type=3D"cite">
      <meta http-equiv=3D"Content-Type" content=3D"text/html; charset=3DUTF-=
8">
      <div>Dyn reg and the scim reg variant depend too much/biased
        towards &nbsp;passwords expressed as client secrets.&nbsp;</div>
      <div><br>
      </div>
      <div>A signed token approach has many advantages for service
        providers like not having to maintain a secure database of
        secrets/passwords.&nbsp;</div>
      <div><br>
      </div>
      <div>Finally issuing both a client secret and registration token
        is costly and confusing to client developers. &nbsp;I relented
        somewhat when I realized kerberos does this--but i still feel it
        is a bad design at cloud scale.&nbsp;</div>
      <div><br>
      </div>
      <div>Phil</div>
      <div><br>
        On 2013-08-13, at 7:48, Justin Richer &lt;<a moz-do-not-send=3D"true=
" href=3D"mailto:jricher@mitre.org">jricher@mitre.org</a>&gt;
        wrote:<br>
        <br>
      </div>
      <div><span></span></div>
      <blockquote type=3D"cite">
        <div> The spec doesn't care where you deploy at -- if URL space
          is at a premium for you, then switch based on input parameters
          and other things. And you're still not clear on which
          "secrets" you're taking issue with.<br>
          <br>
          &nbsp;-- Justin<br>
          <br>
          <div class=3D"moz-cite-prefix">On 08/13/2013 10:46 AM, Anthony
            Nadalin wrote:<br>
          </div>
          <blockquote cite=3D"mid:a64cf984cc42495f9d5d362dd2f9b980@BY2PR03MB=
189.namprd03.prod.outlook.com" type=3D"cite">
            <div class=3D"WordSection1">
              <p class=3D"MsoNormal"><span style=3D"font-size:11.0pt;font-fa=
mily:&quot;Calibri&quot;,&quot;sans-serif&quot;;color:#1F497D">#1,

                  its yet another endpoint to have to manage secrets at,
                  yes this is an OAuth item but it=E2=80=99s growing out of
                  control, we are trying to move away from secrets and
                  management of these endpoints as this would be just
                  another one we have to support, monitor and report on<o:p>=
</o:p></span></p>
              <p class=3D"MsoNormal"><span style=3D"font-size:11.0pt;font-fa=
mily:&quot;Calibri&quot;,&quot;sans-serif&quot;;color:#1F497D">#2

                  yes, 1 physical endpoint acting as multiple
                  authorization servers<o:p></o:p></span></p>
              <p class=3D"MsoNormal"><a moz-do-not-send=3D"true" name=3D"_Ma=
ilEndCompose"><span style=3D"font-size:11.0pt;font-family:&quot;Calibri&quot=
;,&quot;sans-serif&quot;;color:#1F497D"><o:p>&nbsp;</o:p></span></a></p>
              <div>
                <div style=3D"border:none;border-top:solid #E1E1E1
                  1.0pt;padding:3.0pt 0in 0in 0in">
                  <p class=3D"MsoNormal"><b><span style=3D"font-size:11.0pt;=
font-family:&quot;Calibri&quot;,&quot;sans-serif&quot;;color:windowtext">From:=
</span></b><span style=3D"font-size:11.0pt;font-family:&quot;Calibri&quot;,&=
quot;sans-serif&quot;;color:windowtext">
                      George Fletcher [<a moz-do-not-send=3D"true" class=3D"=
moz-txt-link-freetext" href=3D"mailto:gffletch@aol.com">mailto:gffletch@aol.=
com</a>]
                      <br>
                      <b>Sent:</b> Tuesday, August 13, 2013 7:40 AM<br>
                      <b>To:</b> Anthony Nadalin<br>
                      <b>Cc:</b> <a moz-do-not-send=3D"true" class=3D"moz-tx=
t-link-abbreviated" href=3D"mailto:mike@gluu.org">mike@gluu.org</a>;
                      Justin Richer; <a moz-do-not-send=3D"true" class=3D"mo=
z-txt-link-abbreviated" href=3D"mailto:oauth@ietf.org">oauth@ietf.org</a><br=
>
                      <b>Subject:</b> Re: [OAUTH-WG] OX needs Dynamic
                      Registration: please don't remove!<o:p></o:p></span></=
p>
                </div>
              </div>
              <p class=3D"MsoNormal"><o:p>&nbsp;</o:p></p>
              <p class=3D"MsoNormal" style=3D"margin-bottom:12.0pt"><span st=
yle=3D"font-family:&quot;Helvetica&quot;,&quot;sans-serif&quot;">Hi

                  Tony,<br>
                  <br>
                  Could you please explain a little more? <br>
                  <br>
                  For issue 1:<br>
                  * Which "secret" are you referring to? OAuth2 by
                  default allows for an optional client_secret. I'm not
                  sure why this would cause management issues? Or are
                  you referring to the "Registration Access Token"?<br>
                  * Why is a separate endpoint an issue? Any client is
                  going to be talking to more than just the /authorize
                  and /token endpoints anyway so I'm confused regarding
                  the extra complexity?<br>
                  <br>
                  For issue 2:<br>
                  * What specifically do you mean by "multi-tenant"? Is
                  this one server acting on behalf of multiple tenants
                  and so appearing as multiple Authorization Servers? <br>
                  <br>
                  Thanks,<br>
                  George</span><o:p></o:p></p>
              <div>
                <p class=3D"MsoNormal">On 8/13/13 10:34 AM, Anthony
                  Nadalin wrote:<o:p></o:p></p>
              </div>
              <blockquote style=3D"margin-top:5.0pt;margin-bottom:5.0pt">
                <pre>So, (1) Management of the secret causes us management i=
ssues, yet another endpoint to manage, there may be ways around this issue w=
ith assertions. (2) The schema/data model are not useable as defined. Intern=
ationalization is an issue. Multi-tenant issues, this also goes back to sche=
ma/data model.<o:p></o:p></pre>
                <pre><o:p>&nbsp;</o:p></pre>
                <pre><o:p>&nbsp;</o:p></pre>
                <pre>-----Original Message-----<o:p></o:p></pre>
                <pre>From: <a moz-do-not-send=3D"true" href=3D"mailto:mike@g=
luu.org">mike@gluu.org</a> [<a moz-do-not-send=3D"true" href=3D"mailto:mike@=
gluu.org">mailto:mike@gluu.org</a>] <o:p></o:p></pre>
                <pre>Sent: Tuesday, August 13, 2013 7:22 AM<o:p></o:p></pre>=

                <pre>To: Anthony Nadalin<o:p></o:p></pre>
                <pre>Cc: Justin Richer; George Fletcher; <a moz-do-not-send=3D=
"true" href=3D"mailto:oauth@ietf.org">oauth@ietf.org</a><o:p></o:p></pre>
                <pre>Subject: RE: [OAUTH-WG] OX needs Dynamic Registration: p=
lease don't remove!<o:p></o:p></pre>
                <pre><o:p>&nbsp;</o:p></pre>
                <pre>Anthony,<o:p></o:p></pre>
                <pre><o:p>&nbsp;</o:p></pre>
                <pre>As I mentioned, we are using it as part of the OX UMA i=
mplementation. <o:p></o:p></pre>
                <pre>Can you be more specific?<o:p></o:p></pre>
                <pre>&nbsp;&nbsp; 1) What parts of it would cause add'l mana=
gement?<o:p></o:p></pre>
                <pre>&nbsp;&nbsp; 2) What parts do not meet your requirement=
s that could not be satisfied with a<o:p></o:p></pre>
                <pre>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; supplemental profile?<o:=
p></o:p></pre>
                <pre><o:p>&nbsp;</o:p></pre>
                <pre>- Mike<o:p></o:p></pre>
                <pre><o:p>&nbsp;</o:p></pre>
                <pre><o:p>&nbsp;</o:p></pre>
                <pre><o:p>&nbsp;</o:p></pre>
                <pre>On 2013-08-13 09:15, Anthony Nadalin wrote:<o:p></o:p><=
/pre>
                <blockquote style=3D"margin-top:5.0pt;margin-bottom:5.0pt">
                  <pre>Who has implemented draft-ietf-oauth-dyn-reg-14 [5] a=
nd is in <o:p></o:p></pre>
                  <pre>production (of some sort) ? We have no plans to imple=
ment as it does <o:p></o:p></pre>
                  <pre>not meet our requirements/use cases and causes additi=
onal management <o:p></o:p></pre>
                  <pre>and thus I believe would not serve as a valid core do=
cument to expand <o:p></o:p></pre>
                  <pre>upon.<o:p></o:p></pre>
                  <pre><o:p>&nbsp;</o:p></pre>
                  <pre>FROM: <a moz-do-not-send=3D"true" href=3D"mailto:oaut=
h-bounces@ietf.org">oauth-bounces@ietf.org</a> [<a moz-do-not-send=3D"true" h=
ref=3D"mailto:oauth-bounces@ietf.org">mailto:oauth-bounces@ietf.org</a>] ON B=
EHALF <o:p></o:p></pre>
                  <pre>OF Justin Richer<o:p></o:p></pre>
                  <pre> SENT: Tuesday, August 13, 2013 6:59 AM<o:p></o:p></p=
re>
                  <pre> TO: George Fletcher<o:p></o:p></pre>
                  <pre> CC: <a moz-do-not-send=3D"true" href=3D"mailto:mike@=
gluu.org">mike@gluu.org</a>; <a moz-do-not-send=3D"true" href=3D"mailto:oaut=
h@ietf.org">oauth@ietf.org</a><o:p></o:p></pre>
                  <pre> SUBJECT: Re: [OAUTH-WG] OX needs Dynamic Registratio=
n: please don't <o:p></o:p></pre>
                  <pre>remove!<o:p></o:p></pre>
                  <pre><o:p>&nbsp;</o:p></pre>
                  <pre>+1<o:p></o:p></pre>
                  <pre><o:p>&nbsp;</o:p></pre>
                  <pre>On 08/13/2013 09:34 AM, George Fletcher wrote:<o:p></=
o:p></pre>
                  <pre><o:p>&nbsp;</o:p></pre>
                  <blockquote style=3D"margin-top:5.0pt;margin-bottom:5.0pt"=
>
                    <pre>I know I wasn't at the IETF meeting but I'm confuse=
d regarding all <o:p></o:p></pre>
                    <pre>this talk of "lack of consensus". It seems to me th=
ere is a lot of <o:p></o:p></pre>
                    <pre>consensus regarding the existing spec (given all th=
e current <o:p></o:p></pre>
                    <pre>implementations). Couple that with the fact that th=
e current spec <o:p></o:p></pre>
                    <pre>doesn't exclude the additional use cases that you'v=
e raised, I don't <o:p></o:p></pre>
                    <pre>see why we don't establish the current spec as the c=
ore document and <o:p></o:p></pre>
                    <pre>then develop profiles for the additional use cases.=
 It is unlikely <o:p></o:p></pre>
                    <pre>that there is going to be a true single solution be=
cause to cover all <o:p></o:p></pre>
                    <pre>the use cases it will have to be so flexible that p=
rofiles will arise <o:p></o:p></pre>
                    <pre>regardless. In that case, let's build off the solid=
 core that we have <o:p></o:p></pre>
                    <pre>and add these additional profiles providing a win-w=
in for <o:p></o:p></pre>
                    <pre>implementers.<o:p></o:p></pre>
                    <pre><o:p>&nbsp;</o:p></pre>
                    <pre>My 2 cents:)<o:p></o:p></pre>
                    <pre><o:p>&nbsp;</o:p></pre>
                    <pre>Thanks,<o:p></o:p></pre>
                    <pre>George<o:p></o:p></pre>
                    <pre><o:p>&nbsp;</o:p></pre>
                    <pre>On 8/12/13 7:55 PM, Phil Hunt wrote:<o:p></o:p></pr=
e>
                    <pre><o:p>&nbsp;</o:p></pre>
                    <blockquote style=3D"margin-top:5.0pt;margin-bottom:5.0p=
t">
                      <pre>I don't think there is a call to stop work. Howev=
er there is a lack <o:p></o:p></pre>
                      <pre>of consensus on the current draft moving forward.=
<o:p></o:p></pre>
                      <pre><o:p>&nbsp;</o:p></pre>
                      <pre>I too want a single, simple solution.<o:p></o:p><=
/pre>
                      <pre><o:p>&nbsp;</o:p></pre>
                      <pre>Phil<o:p></o:p></pre>
                      <pre><o:p>&nbsp;</o:p></pre>
                      <pre>On 2013-08-08, at 13:22, <a moz-do-not-send=3D"tr=
ue" href=3D"mailto:mike@gluu.org">mike@gluu.org</a> wrote:<o:p></o:p></pre>
                      <pre><o:p>&nbsp;</o:p></pre>
                      <blockquote style=3D"margin-top:5.0pt;margin-bottom:5.=
0pt">
                        <pre>OAuth WG,<o:p></o:p></pre>
                        <pre><o:p>&nbsp;</o:p></pre>
                        <pre>As some of you may know, the OX open source pro=
ject provides an <o:p></o:p></pre>
                        <pre>implementation of Enterprise UMA, which enables=
 organizations to <o:p></o:p></pre>
                        <pre>control which people and clients can access web=
 resources.<o:p></o:p></pre>
                        <pre><o:p>&nbsp;</o:p></pre>
                        <pre>I rarely weigh in, because you all are doing su=
ch great job. <o:p></o:p></pre>
                        <pre>However, I was quite distressed to learn about t=
he suggestion to <o:p></o:p></pre>
                        <pre>stop work on the dynamic client registration sp=
ec. This proposed <o:p></o:p></pre>
                        <pre>change would have a negative impact on OX, and t=
he varied adopters <o:p></o:p></pre>
                        <pre>of our software from around the world.<o:p></o:=
p></pre>
                        <pre><o:p>&nbsp;</o:p></pre>
                        <pre>No standard for dynamic client registration wou=
ld make OX less <o:p></o:p></pre>
                        <pre>"standard" by creating a bigger delta between U=
MA and other OAuth2 <o:p></o:p></pre>
                        <pre>implementations. As OX also implements the Open=
ID Connect OP <o:p></o:p></pre>
                        <pre>endpoints, and dropping this effort would also m=
akes a convergence <o:p></o:p></pre>
                        <pre>path for client registration less likely.<o:p><=
/o:p></pre>
                        <pre><o:p>&nbsp;</o:p></pre>
                        <pre>Please leave dynamic client registration!<o:p><=
/o:p></pre>
                        <pre><o:p>&nbsp;</o:p></pre>
                        <pre>Thanks for all your great work!<o:p></o:p></pre=
>
                        <pre><o:p>&nbsp;</o:p></pre>
                        <pre>- Mike Schwartz<o:p></o:p></pre>
                        <pre><o:p>&nbsp;</o:p></pre>
                        <pre>Founder / CEO<o:p></o:p></pre>
                        <pre><o:p>&nbsp;</o:p></pre>
                        <pre>Gluu<o:p></o:p></pre>
                        <pre><o:p>&nbsp;</o:p></pre>
                        <pre><a moz-do-not-send="true" href="http://gluu.org">http://gluu.org</a> [1]<o:p></o:p></pre>
                        <pre><o:p>&nbsp;</o:p></pre>
                        <pre>PS: Help us crowd fund open source OAuth2 plugins for Apache HTTPD<o:p></o:p></pre>
                        <pre>: <a moz-do-not-send="true" href="http://www.gluu.co/uma-apache">http://www.gluu.co/uma-apache</a> [2]<o:p></o:p></pre>
                        <pre><o:p>&nbsp;</o:p></pre>
                        <pre>_______________________________________________<o:p></o:p></pre>
                        <pre><o:p>&nbsp;</o:p></pre>
                        <pre>OAuth mailing list<o:p></o:p></pre>
                        <pre><o:p>&nbsp;</o:p></pre>
                        <pre><a moz-do-not-send="true" href="mailto:OAuth@ietf.org">OAuth@ietf.org</a><o:p></o:p></pre>
                        <pre><o:p>&nbsp;</o:p></pre>
                        <pre><a moz-do-not-send="true" href="https://www.ietf.org/mailman/listinfo/oauth">https://www.ietf.org/mailman/listinfo/oauth</a> [3]<o:p></o:p></pre>
                      </blockquote>
                    </blockquote>
                    <pre><o:p>&nbsp;</o:p></pre>
                    <pre>--<o:p></o:p></pre>
                    <pre>[4]<o:p></o:p></pre>
                    <pre><o:p>&nbsp;</o:p></pre>
                  </blockquote>
                  <pre><o:p>&nbsp;</o:p></pre>
                  <pre><o:p>&nbsp;</o:p></pre>
                  <pre><o:p>&nbsp;</o:p></pre>
                  <pre>Links:<o:p></o:p></pre>
                  <pre>------<o:p></o:p></pre>
                  <pre>[1] <a moz-do-not-send="true" href="http://gluu.org">http://gluu.org</a><o:p></o:p></pre>
                  <pre>[2] <a moz-do-not-send="true" href="http://www.gluu.co/uma-apache">http://www.gluu.co/uma-apache</a><o:p></o:p></pre>
                  <pre>[3] <a moz-do-not-send="true" href="https://www.ietf.org/mailman/listinfo/oauth">https://www.ietf.org/mailman/listinfo/oauth</a><o:p></o:p></pre>
                  <pre>[4] <a moz-do-not-send="true" href="http://connect.me/gffletch">http://connect.me/gffletch</a><o:p></o:p></pre>
                  <pre>[5] <a moz-do-not-send="true" href="http://datatracker.ietf.org/doc/draft-ietf-oauth-dyn-reg/">http://datatracker.ietf.org/doc/draft-ietf-oauth-dyn-reg/</a><o:p></o:p></pre>
                </blockquote>
                <pre><o:p>&nbsp;</o:p></pre>
              </blockquote>
              <p class="MsoNormal"><o:p>&nbsp;</o:p></p>
              <div>
                <p class="MsoNormal">-- <br>
                  <a moz-do-not-send="true" href="http://connect.me/gffletch" title="View full card on Connect.Me"><span style="text-decoration:none">&lt;mime-attachment.png&gt;</span></a><o:p></o:p></p>
              </div>
            </div>
          </blockquote>
          <br>
        </div>
      </blockquote>
    </blockquote>
    <br>

</div></blockquote></body></html>

--Apple-Mail-B87DCD60-2EC1-482D-889E-0621609CDB17--

From hannes.tschofenig@gmx.net  Tue Aug 13 08:29:40 2013
Message-ID: <520A50E8.5070400@gmx.net>
Date: Tue, 13 Aug 2013 17:29:44 +0200
From: Hannes Tschofenig <hannes.tschofenig@gmx.net>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:17.0) Gecko/20130804 Thunderbird/17.0.8
MIME-Version: 1.0
To: George Fletcher <gffletch@aol.com>
References: <8e1ea7617c20b54b3cecbc99364b399a@gluu.org> " <4AACCC15-5DE8-4906-9756-0E33D37FC240@oracle.com>" <520A35CA.50006@aol.com> <520A3BAD.1050703@mitre.org> <7a9ce33274304311a64057bb305be011@BY2PR03MB189.namprd03.prod.outlook.com> <60b4af16cbbc9c5e5b00fc1e63072c45@gluu.org> <a31200b47c9d477ca226f5e1fdb2dfbf@BY2PR03MB189.namprd03.prod.outlook.com> <520A4549.5040206@aol.com> <a64cf984cc42495f9d5d362dd2f9b980@BY2PR03MB189.namprd03.prod.outlook.com> <520A4A66.7040707@aol.com>
In-Reply-To: <520A4A66.7040707@aol.com>
Content-Type: text/plain; charset=windows-1252; format=flowed
Content-Transfer-Encoding: 8bit
Cc: "mike@gluu.org" <mike@gluu.org>, "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] OX needs Dynamic Registration: please don't remove!

The "Registration Access Token" is, of course, a secret.

If you look at Figure 1 of 
http://tools.ietf.org/id/draft-ietf-oauth-dyn-reg-14.txt you will see 
that the client obtains this secret during step C of the exchange and 
presents it to the Client Registration Endpoint in step D.

Of course, one could argue that the client could as well be given a 
client secret (instead of the Registration Access Token) and that would 
work equally fine.

On 08/13/2013 05:01 PM, George Fletcher wrote:
>
> On 8/13/13 10:46 AM, Anthony Nadalin wrote:
>>
>> #1, it's yet another endpoint to have to manage secrets at, yes this is
>> an OAuth item but it’s growing out of control, we are trying to move
>> away from secrets and management of these endpoints as this would be
>> just another one we have to support, monitor and report on
>>
> So I don't see the "Registration Access Token" as a "secret" but if you
> mean that the client has to keep it protected in some way then I at
> least understand what you are referring to :) However, from what I've
> seen with all these protocols (OAuth2, Dyn Reg, OIDC, ..) the client HAS
> to protect some value anyway. Once the client has determined what that
> mechanism is... it's not hard to store another value so I don't get the
> argument.
>
> If the plan is to leverage on device trusted hardware to sign "data" for
> proof of the client, then that still works with this spec. It's just the
> "Initial Access Token" and potentially the "Registration Access Token"
> can be self-asserted by the "client" rather than storing a value. I
> don't see the complexity.
>
>> #2 yes, 1 physical endpoint acting as multiple authorization servers
>>
> This same requirement came up in OIDC and the solution was to use a
> specific path on the host to represent the tenant. That same solution
> will work here without any changes. Each tenant has its own
> registration URL.
>
> Am I missing something?
>
> Thanks,
> George
>>
>> *From:* George Fletcher [mailto:gffletch@aol.com]
>> *Sent:* Tuesday, August 13, 2013 7:40 AM
>> *To:* Anthony Nadalin
>> *Cc:* mike@gluu.org; Justin Richer; oauth@ietf.org
>> *Subject:* Re: [OAUTH-WG] OX needs Dynamic Registration: please don't
>> remove!
>>
>> Hi Tony,
>>
>> Could you please explain a little more?
>>
>> For issue 1:
>> * Which "secret" are you referring to? OAuth2 by default allows for an
>> optional client_secret. I'm not sure why this would cause management
>> issues? Or are you referring to the "Registration Access Token"?
>> * Why is a separate endpoint an issue? Any client is going to be
>> talking to more than just the /authorize and /token endpoints anyway
>> so I'm confused regarding the extra complexity?
>>
>> For issue 2:
>> * What specifically do you mean by "multi-tenant"? Is this one server
>> acting on behalf of multiple tenants and so appearing as multiple
>> Authorization Servers?
>>
>> Thanks,
>> George
>>
>> On 8/13/13 10:34 AM, Anthony Nadalin wrote:
>>
>>     So, (1) Management of the secret causes us management issues, yet another endpoint to manage, there may be ways around this issue with assertions. (2) The schema/data model are not useable as defined. Internationalization is an issue. Multi-tenant issues, this also goes back to schema/data model.
>>
>>     -----Original Message-----
>>     From: mike@gluu.org <mailto:mike@gluu.org> [mailto:mike@gluu.org]
>>     Sent: Tuesday, August 13, 2013 7:22 AM
>>     To: Anthony Nadalin
>>     Cc: Justin Richer; George Fletcher; oauth@ietf.org <mailto:oauth@ietf.org>
>>     Subject: RE: [OAUTH-WG] OX needs Dynamic Registration: please don't remove!
>>
>>     Anthony,
>>
>>     As I mentioned, we are using it as part of the OX UMA implementation.
>>     Can you be more specific?
>>         1) What parts of it would cause add'l management?
>>         2) What parts do not meet your requirements that could not be satisfied with a
>>            supplemental profile?
>>
>>     - Mike
>>
>>     On 2013-08-13 09:15, Anthony Nadalin wrote:
>>
>>         Who has implemented draft-ietf-oauth-dyn-reg-14 [5] and is in
>>         production (of some sort)? We have no plans to implement as it does
>>         not meet our requirements/use cases and causes additional management
>>         and thus I believe would not serve as a valid core document to expand
>>         upon.
>>
>>         FROM: oauth-bounces@ietf.org <mailto:oauth-bounces@ietf.org> [mailto:oauth-bounces@ietf.org] ON BEHALF OF Justin Richer
>>         SENT: Tuesday, August 13, 2013 6:59 AM
>>         TO: George Fletcher
>>         CC: mike@gluu.org <mailto:mike@gluu.org>; oauth@ietf.org <mailto:oauth@ietf.org>
>>         SUBJECT: Re: [OAUTH-WG] OX needs Dynamic Registration: please don't remove!
>>
>>         +1
>>
>>         On 08/13/2013 09:34 AM, George Fletcher wrote:
>>
>>             I know I wasn't at the IETF meeting but I'm confused regarding all
>>             this talk of "lack of consensus". It seems to me there is a lot of
>>             consensus regarding the existing spec (given all the current
>>             implementations). Couple that with the fact that the current spec
>>             doesn't exclude the additional use cases that you've raised, I don't
>>             see why we don't establish the current spec as the core document and
>>             then develop profiles for the additional use cases. It is unlikely
>>             that there is going to be a true single solution because to cover all
>>             the use cases it will have to be so flexible that profiles will arise
>>             regardless. In that case, let's build off the solid core that we have
>>             and add these additional profiles providing a win-win for
>>             implementers.
>>
>>             My 2 cents :)
>>
>>             Thanks,
>>             George
>>
>>             On 8/12/13 7:55 PM, Phil Hunt wrote:
>>
>>                 I don't think there is a call to stop work. However there is a lack
>>                 of consensus on the current draft moving forward.
>>
>>                 I too want a single, simple solution.
>>
>>                 Phil
>>
>>                 On 2013-08-08, at 13:22, mike@gluu.org <mailto:mike@gluu.org> wrote:
>>
>>                     OAuth WG,
>>
>>                     As some of you may know, the OX open source project provides an
>>                     implementation of Enterprise UMA, which enables organizations to
>>                     control which people and clients can access web resources.
>>
>>                     I rarely weigh in, because you all are doing such a great job.
>>                     However, I was quite distressed to learn about the suggestion to
>>                     stop work on the dynamic client registration spec. This proposed
>>                     change would have a negative impact on OX, and the varied adopters
>>                     of our software from around the world.
>>
>>                     No standard for dynamic client registration would make OX less
>>                     "standard" by creating a bigger delta between UMA and other OAuth2
>>                     implementations. As OX also implements the OpenID Connect OP
>>                     endpoints, and dropping this effort would also make a convergence
>>                     path for client registration less likely.
>>
>>                     Please leave dynamic client registration!
>>
>>                     Thanks for all your great work!
>>
>>                     - Mike Schwartz
>>                     Founder / CEO
>>                     Gluu
>>                     http://gluu.org [1]
>>
>>                     PS: Help us crowd fund open source OAuth2 plugins for Apache HTTPD: http://www.gluu.co/uma-apache [2]
>>
>>                     _______________________________________________
>>                     OAuth mailing list
>>                     OAuth@ietf.org <mailto:OAuth@ietf.org>
>>                     https://www.ietf.org/mailman/listinfo/oauth [3]
>>
>>             --
>>             [4]
>>
>>         Links:
>>         ------
>>         [1] http://gluu.org
>>         [2] http://www.gluu.co/uma-apache
>>         [3] https://www.ietf.org/mailman/listinfo/oauth
>>         [4] http://connect.me/gffletch
>>         [5] http://datatracker.ietf.org/doc/draft-ietf-oauth-dyn-reg/
>>
>>
>> --
>> George Fletcher <http://connect.me/gffletch>
>>
>
> --
> George Fletcher <http://connect.me/gffletch>


From jricher@mitre.org  Tue Aug 13 08:35:45 2013
Message-ID: <520A5196.90904@mitre.org>
Date: Tue, 13 Aug 2013 11:32:38 -0400
From: Justin Richer <jricher@mitre.org>
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:17.0) Gecko/20130623 Thunderbird/17.0.7
MIME-Version: 1.0
To: Hannes Tschofenig <hannes.tschofenig@gmx.net>
References: <8e1ea7617c20b54b3cecbc99364b399a@gluu.org> " <4AACCC15-5DE8-4906-9756-0E33D37FC240@oracle.com>" <520A35CA.50006@aol.com> <520A3BAD.1050703@mitre.org> <7a9ce33274304311a64057bb305be011@BY2PR03MB189.namprd03.prod.outlook.com> <60b4af16cbbc9c5e5b00fc1e63072c45@gluu.org> <a31200b47c9d477ca226f5e1fdb2dfbf@BY2PR03MB189.namprd03.prod.outlook.com> <520A4549.5040206@aol.com> <a64cf984cc42495f9d5d362dd2f9b980@BY2PR03MB189.namprd03.prod.outlook.com> <520A4A66.7040707@aol.com> <520A50E8.5070400@gmx.net>
In-Reply-To: <520A50E8.5070400@gmx.net>
Content-Type: text/plain; charset="windows-1252"; format=flowed
Content-Transfer-Encoding: 8bit
X-Originating-IP: [129.83.31.56]
Cc: "mike@gluu.org" <mike@gluu.org>, "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] OX needs Dynamic Registration: please don't remove!

Except that not all clients get client secrets (clients using the 
implicit flow, clients using assertions). OpenID Connect tried to use 
client_secret for everything, but it turned out to be one of those 
things that seems simple but was really a mess to implement. That's when 
we struck on using an OAuth bearer token and treating the configuration 
endpoint as an OAuth protected resource. It simplifies things 
tremendously, and it lets the client_secret remain for what it's 
intended for, and lets us use OAuth tokens for what they're good at -- 
protecting API resources.

This is all discussed in section 1.4, though I'd be glad to know how we 
could make this more clear.

  -- Justin

On 08/13/2013 11:29 AM, Hannes Tschofenig wrote:
> The "Registration Access Token" is, of course, a secret.
>
> If you look at Figure 1 of 
> http://tools.ietf.org/id/draft-ietf-oauth-dyn-reg-14.txt you will see 
> that the client obtains this secret during step C of the exchange and 
> presents it to the Client Registration Endpoint in step D.
>
> Of course, one could argue that the client could as well be given a 
> client secret (instead of the Registration Access Token) and that 
> would work equally fine.
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
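
The mechanism debated in this exchange, as an added example that is not part of the original messages or of any implementation named in the thread: the registration access token is issued with the registration response and later presented as an OAuth bearer token to the client's configuration endpoint, independently of whether the client was given a client_secret. Assumptions: the host name, the /<tenant>/register/<client_id> path layout and the in-memory store are hypothetical; the response field names follow the dynamic registration specification.

```python
"""Added illustration: registration access token as a bearer credential."""
import hashlib
import hmac
import secrets

BASE = "https://as.example.com"  # hypothetical authorization server host


class RegistrationServer:
    """In-memory stand-in for one host serving several tenants by path."""

    def __init__(self):
        # (tenant, client_id) -> {"metadata": dict, "rat_hash": bytes}
        self._clients = {}

    @staticmethod
    def _digest(token):
        return hashlib.sha256(token.encode()).digest()

    def register(self, tenant, metadata):
        """Register a client and return the registration response."""
        client_id = secrets.token_urlsafe(12)
        rat = secrets.token_urlsafe(32)  # registration access token
        # Only a hash of the token is kept, so a leaked store cannot be replayed.
        self._clients[(tenant, client_id)] = {
            "metadata": dict(metadata),
            "rat_hash": self._digest(rat),
        }
        response = dict(metadata)
        response.update(
            client_id=client_id,
            registration_access_token=rat,
            # Each tenant gets its own registration URL on the shared host.
            registration_client_uri=f"{BASE}/{tenant}/register/{client_id}",
        )
        # Public clients (e.g. implicit flow) receive no client_secret, yet
        # they still get a registration access token to manage their record.
        # Storing the client_secret server-side is omitted in this sketch.
        method = metadata.get("token_endpoint_auth_method", "client_secret_basic")
        if method != "none":
            response["client_secret"] = secrets.token_urlsafe(32)
        return response

    def read_configuration(self, uri, authorization):
        """Treat the configuration endpoint as a bearer-protected resource.

        Returns (status, body); body is None on any failure.
        """
        scheme, _, token = (authorization or "").partition(" ")
        if scheme.lower() != "bearer" or not token:
            return 401, None
        prefix = BASE + "/"
        if not uri.startswith(prefix):
            return 401, None
        parts = uri[len(prefix):].split("/")
        if len(parts) != 3 or parts[1] != "register":
            return 401, None
        tenant, _, client_id = parts
        record = self._clients.get((tenant, client_id))
        # Always run the constant-time comparison, even for unknown clients,
        # so an unknown client and a wrong token are indistinguishable.
        expected = record["rat_hash"] if record else bytes(32)
        token_ok = hmac.compare_digest(self._digest(token), expected)
        if not token_ok or record is None:
            return 401, None
        return 200, dict(record["metadata"], client_id=client_id)


def demo():
    """Run the exchange for a public and a confidential client (constructed data)."""
    server = RegistrationServer()
    spa = server.register("tenant-a", {
        "client_name": "Example SPA",
        "redirect_uris": ["https://spa.example.org/cb"],
        "token_endpoint_auth_method": "none",
    })
    backend = server.register("tenant-b", {
        "client_name": "Example Backend",
        "redirect_uris": ["https://app.example.org/cb"],
    })
    spa_bearer = "Bearer " + spa["registration_access_token"]
    backend_bearer = "Bearer " + backend["registration_access_token"]
    cross_tenant_uri = f"{BASE}/tenant-b/register/{spa['client_id']}"
    return {
        "spa_has_secret": "client_secret" in spa,
        "backend_has_secret": "client_secret" in backend,
        "own_token": server.read_configuration(
            spa["registration_client_uri"], spa_bearer)[0],
        "other_clients_token": server.read_configuration(
            spa["registration_client_uri"], backend_bearer)[0],
        "cross_tenant": server.read_configuration(cross_tenant_uri, spa_bearer)[0],
        "missing_header": server.read_configuration(
            spa["registration_client_uri"], None)[0],
    }


if __name__ == "__main__":
    for check, outcome in demo().items():
        print(f"{check}: {outcome}")
```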


From gffletch@aol.com  Tue Aug 13 10:21:24 2013
Message-ID: <520A6B0D.7070103@aol.com>
Date: Tue, 13 Aug 2013 13:21:17 -0400
From: George Fletcher <gffletch@aol.com>
Organization: AOL LLC
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:17.0) Gecko/20130801 Thunderbird/17.0.8
MIME-Version: 1.0
To: Phil Hunt <phil.hunt@oracle.com>
References: <8e1ea7617c20b54b3cecbc99364b399a@gluu.org> <4AACCC15-5DE8-4906-9756-0E33D37FC240@oracle.com> <520A35CA.50006@aol.com> <520A3BAD.1050703@mitre.org> <7a9ce33274304311a64057bb305be011@BY2PR03MB189.namprd03.prod.outlook.com> <60b4af16cbbc9c5e5b00fc1e63072c45@gluu.org> <a31200b47c9d477ca226f5e1fdb2dfbf@BY2PR03MB189.namprd03.prod.outlook.com> <520A4549.5040206@aol.com> <a64cf984cc42495f9d5d362dd2f9b980@BY2PR03MB189.namprd03.prod.outlook.com> <520A472C.6040101@mitre.org> <D01CFAFF-0FB5-406C-86F3-E7D0952D01FB@oracle.com>
In-Reply-To: <D01CFAFF-0FB5-406C-86F3-E7D0952D01FB@oracle.com>
Content-Type: multipart/alternative; boundary="------------090200030306020802040802"
Cc: "mike@gluu.org" <mike@gluu.org>, "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] OX needs Dynamic Registration: please don't remove!

This is a multi-part message in MIME format.
--------------090200030306020802040802
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 8bit

Hi Phil,

I'm sorry for not following completely. Some questions inline...

On 8/13/13 11:00 AM, Phil Hunt wrote:
> Dyn reg and the scim reg variant depend too much/biased towards 
>  passwords expressed as client secrets.
I'm not sure what you mean in regards to "client secrets". There are 
OAuth2 bearer tokens that need to be protected because they are bearer 
tokens. That said, there is nothing in the spec that requires these to 
be opaque blobs vs signed tokens. So both the "Initial Access Token" and 
the "Registration Access Token" can be signed tokens. However, the 
client still has to protect them as if they were a "secret" because they 
are a bearer token and can be replayed. So it's the same amount of work 
on the client either way.

>
> A signed token approach has many advantages for service providers like 
> not having to maintain a secure database of secrets/passwords.
If the concern here is the amount of data the Authorization Server has 
to store to manage these clients, then the current spec doesn't preclude 
using a "signed token". Both OAuth2 bearer tokens identified in the 
current spec can be signed tokens.
>
> Finally issuing both a client secret and registration token is costly 
> and confusing to client developers.  I relented somewhat when I 
> realized kerberos does this--but i still feel it is a bad design at 
> cloud scale.
Given that client_secrets are OPTIONAL in OAuth2 for some use cases, I'm 
not sure how you abstract the client developer from having to deal with 
them. The client developer is going to be dealing with multiple OAuth2 
tokens to multiple endpoints regardless so I don't see another token as 
costly or complex. At a minimum there is the refresh_token and 
access_token. Where is the added client developer complexity?

Thanks,
George

>
> Phil
>
> On 2013-08-13, at 7:48, Justin Richer <jricher@mitre.org 
> <mailto:jricher@mitre.org>> wrote:
>
>> The spec doesn't care where you deploy at -- if URL space is at a 
>> premium for you, then switch based on input parameters and other 
>> things. And you're still not clear on which "secrets" you're taking 
>> issue with.
>>
>>  -- Justin
>>
>> On 08/13/2013 10:46 AM, Anthony Nadalin wrote:
>>>
>>> #1, it's yet another endpoint to have to manage secrets at, yes this
>>> is an OAuth item but it's growing out of control, we are trying to
>>> move away from secrets and management of these endpoints as this 
>>> would be just another one we have to support, monitor and report on
>>>
>>> #2 yes, 1 physical endpoint acting as multiple authorization servers
>>>
>>> *From:*George Fletcher [mailto:gffletch@aol.com]
>>> *Sent:* Tuesday, August 13, 2013 7:40 AM
>>> *To:* Anthony Nadalin
>>> *Cc:* mike@gluu.org; Justin Richer; oauth@ietf.org
>>> *Subject:* Re: [OAUTH-WG] OX needs Dynamic Registration: please 
>>> don't remove!
>>>
>>> Hi Tony,
>>>
>>> Could you please explain a little more?
>>>
>>> For issue 1:
>>> * Which "secret" are you referring to? OAuth2 by default allows for 
>>> an optional client_secret. I'm not sure why this would cause 
>>> management issues? Or are you referring to the "Registration Access 
>>> Token"?
>>> * Why is a separate endpoint an issue? Any client is going to be 
>>> talking to more than just the /authorize and /token endpoints anyway 
>>> so I'm confused regarding the extra complexity?
>>>
>>> For issue 2:
>>> * What specifically do you mean by "multi-tenant"? Is this one 
>>> server acting on behalf of multiple tenants and so appearing as 
>>> multiple Authorization Servers?
>>>
>>> Thanks,
>>> George
>>>
>>> [snip...]

-- 

--------------090200030306020802040802--

From hannes.tschofenig@gmx.net  Tue Aug 13 23:32:14 2013
Message-ID: <520B2472.4040104@gmx.net>
Date: Wed, 14 Aug 2013 08:32:18 +0200
From: Hannes Tschofenig <hannes.tschofenig@gmx.net>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:17.0) Gecko/20130804 Thunderbird/17.0.8
MIME-Version: 1.0
To: George Fletcher <gffletch@aol.com>
References: <8e1ea7617c20b54b3cecbc99364b399a@gluu.org> <4AACCC15-5DE8-4906-9756-0E33D37FC240@oracle.com> <520A35CA.50006@aol.com> <520A3BAD.1050703@mitre.org> <7a9ce33274304311a64057bb305be011@BY2PR03MB189.namprd03.prod.outlook.com> <60b4af16cbbc9c5e5b00fc1e63072c45@gluu.org> <a31200b47c9d477ca226f5e1fdb2dfbf@BY2PR03MB189.namprd03.prod.outlook.com> <520A4549.5040206@aol.com> <a64cf984cc42495f9d5d362dd2f9b980@BY2PR03MB189.namprd03.prod.outlook.com> <520A472C.6040101@mitre.org> <D01CFAFF-0FB5-406C-86F3-E7D0952D01FB@oracle.com> <520A6B0D.7070103@aol.com>
In-Reply-To: <520A6B0D.7070103@aol.com>
Content-Type: text/plain; charset=windows-1252; format=flowed
Content-Transfer-Encoding: 8bit
Cc: "mike@gluu.org" <mike@gluu.org>, "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] OX needs Dynamic Registration: please don't remove!

George is correct with his statements. There is, however, a difference 
between a shared secret and an assertion as Phil pointed out. For the 
assertion the server does not need to maintain state on a per-client 
basis. On the other hand since the client secret isn't really used in 
the classical sense of a password either but rather as a "cookie" (if 
used in the style of Section 2.3.1 of RFC6749) one could easily apply the
concept of stateless tokens to them:
http://tools.ietf.org/html/draft-rescorla-stateless-tokens-01


On 08/13/2013 07:21 PM, George Fletcher wrote:
> Hi Phil,
>
> I'm sorry for not following completely. Some questions inline...
>
> On 8/13/13 11:00 AM, Phil Hunt wrote:
>> Dyn reg and the scim reg variant depend too much/biased towards
>>  passwords expressed as client secrets.
> I'm not sure what you mean in regards to "client secrets". There are
> OAuth2 bearer tokens that need to be protected because they are bearer
> tokens. That said, there is nothing in the spec that requires these to
> be opaque blobs vs signed tokens. So both the "Initial Access Token" and
> the "Registration Access Token" can be signed tokens. However, the
> client still has to protect them as if they were a "secret" because they
> are a bearer token and can be replayed. So it's the same amount of work
> on the client either way.
>
>>
>> A signed token approach has many advantages for service providers like
>> not having to maintain a secure database of secrets/passwords.
> If the concern here is the amount of data the Authorization Server has
> to store to manage these clients, then the current spec doesn't preclude
> using a "signed token". Both OAuth2 bearer tokens identified in the
> current spec can be signed tokens.
>>
>> Finally issuing both a client secret and registration token is costly
>> and confusing to client developers.  I relented somewhat when I
>> realized kerberos does this--but i still feel it is a bad design at
>> cloud scale.
> Given that client_secrets are OPTIONAL in OAuth2 for some use cases, I'm
> not sure how you abstract the client developer from having to deal with
> them. The client developer is going to be dealing with multiple OAuth2
> tokens to multiple endpoints regardless so I don't see another token as
> costly or complex. At a minimum there is the refresh_token and
> access_token. Where is the added client developer complexity?
>
> Thanks,
> George
>
>>
>> Phil
>>
>> On 2013-08-13, at 7:48, Justin Richer <jricher@mitre.org
>> <mailto:jricher@mitre.org>> wrote:
>>
>>> The spec doesn't care where you deploy at -- if URL space is at a
>>> premium for you, then switch based on input parameters and other
>>> things. And you're still not clear on which "secrets" you're taking
>>> issue with.
>>>
>>>  -- Justin
>>>
>>> On 08/13/2013 10:46 AM, Anthony Nadalin wrote:
>>>>
>>>> #1, it's yet another endpoint to have to manage secrets at, yes this
>>>> is an OAuth item but it’s growing out of control, we are trying to
>>>> move away from secrets and management of these endpoints as this
>>>> would be just another one we have to support, monitor and report on
>>>>
>>>> #2 yes, 1 physical endpoint acting as multiple authorization servers
>>>>
>>>> *From:*George Fletcher [mailto:gffletch@aol.com]
>>>> *Sent:* Tuesday, August 13, 2013 7:40 AM
>>>> *To:* Anthony Nadalin
>>>> *Cc:* mike@gluu.org; Justin Richer; oauth@ietf.org
>>>> *Subject:* Re: [OAUTH-WG] OX needs Dynamic Registration: please
>>>> don't remove!
>>>>
>>>> Hi Tony,
>>>>
>>>> Could you please explain a little more?
>>>>
>>>> For issue 1:
>>>> * Which "secret" are you referring to? OAuth2 by default allows for
>>>> an optional client_secret. I'm not sure why this would cause
>>>> management issues? Or are you referring to the "Registration Access
>>>> Token"?
>>>> * Why is a separate endpoint an issue? Any client is going to be
>>>> talking to more than just the /authorize and /token endpoints anyway
>>>> so I'm confused regarding the extra complexity?
>>>>
>>>> For issue 2:
>>>> * What specifically do you mean by "multi-tenant"? Is this one
>>>> server acting on behalf of multiple tenants and so appearing as
>>>> multiple Authorization Servers?
>>>>
>>>> Thanks,
>>>> George
>>>>
>>>> [snip...]
>
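
[Added example, not part of the original messages.] A sketch of the stateless client secret idea raised above, and of George's point that a signed token is still a bearer credential. The HMAC construction, the key, the field names and the function names are assumptions made for illustration; they are not taken from draft-rescorla-stateless-tokens or from the Dyn Reg draft.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo key (assumption); a real authorization server would load
# its key from a key store and rotate it.
SERVER_KEY = b"constructed-demo-key"


def b64e(data: bytes) -> str:
    """URL-safe base64 without padding."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64d(text: str) -> bytes:
    """Inverse of b64e; raises ValueError on malformed input."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mac(payload: bytes, key: bytes) -> bytes:
    return hmac.new(key, payload, hashlib.sha256).digest()


def issue_client_secret(client_id, redirect_uris, now, ttl=3600, key=SERVER_KEY):
    """Registration time: pack the client's metadata into the secret itself,
    so nothing has to be written to a per-client secrets database."""
    payload = json.dumps(
        {"client_id": client_id, "redirect_uris": redirect_uris, "exp": now + ttl},
        sort_keys=True,
        separators=(",", ":"),
    ).encode("utf-8")
    return b64e(payload) + "." + b64e(mac(payload, key))


def verify_client_secret(client_id, secret, now, key=SERVER_KEY):
    """Token endpoint: recompute the MAC; no per-client record is looked up.

    Returns the registered metadata, or None if the secret is malformed,
    forged, expired, or presented with a different client_id.
    """
    try:
        payload_b64, tag_b64 = secret.split(".")
        payload, tag = b64d(payload_b64), b64d(tag_b64)
    except ValueError:  # wrong number of parts, or bad base64
        return None
    # Constant-time comparison so the check does not leak how many tag
    # bytes matched.
    if not hmac.compare_digest(tag, mac(payload, key)):
        return None
    claims = json.loads(payload)
    if claims["client_id"] != client_id or now >= claims["exp"]:
        return None
    return claims


if __name__ == "__main__":
    # Constructed sample values.
    s = issue_client_secret("client-abc", ["https://client.example/cb"], now=1000)
    print(verify_client_secret("client-abc", s, now=1500))
    # A copy of the same string verifies identically: the server keeps no
    # state that could tell the original holder from whoever replays it.
    print(verify_client_secret("client-abc", str(s), now=1501))
```

Because verification needs only SERVER_KEY, a copied secret verifies exactly like the original until "exp", so the client must protect it the same way it would protect a stored shared secret. Revoking a single client before expiry would need the per-client state this design avoids.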


From sberyozkin@gmail.com  Tue Aug 13 23:55:27 2013
Message-ID: <520B29D7.9040408@gmail.com>
Date: Wed, 14 Aug 2013 09:55:19 +0300
From: Sergey Beryozkin <sberyozkin@gmail.com>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:17.0) Gecko/20130623 Thunderbird/17.0.7
MIME-Version: 1.0
To: Anthony Nadalin <tonynad@microsoft.com>
References: <52016822.2090703@mitre.org> <5208AC1A.5060606@mnt.se> <5208EC80.3060707@mitre.org> <0C7A9772-5D04-4CF6-8723-42AEF0877B43@oracle.com> <520937F2.5060700@mitre.org> <5209E3F9.9090402@gmail.com> <99291d0fdd4742ef9e7ae01aa3eea8b5@BY2PR03MB189.namprd03.prod.outlook.com>
In-Reply-To: <99291d0fdd4742ef9e7ae01aa3eea8b5@BY2PR03MB189.namprd03.prod.outlook.com>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Cc: "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] A Proposal for Dynamic Registration

Hi Tony,
On 13/08/13 17:38, Anthony Nadalin wrote:
> so the CRUD operations are not an overlap, the provisioning aspects are not an overlap, Interesting view
>
The texts are different, that was really my point, yes, both talk CRUD 
and I guess provisioning, but SCIM text appears to be much more generic 
to me

Cheers, Sergey

> -----Original Message-----
> From: oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] On Behalf Of Sergey Beryozkin
> Sent: Tuesday, August 13, 2013 12:45 AM
> To: oauth@ietf.org
> Subject: Re: [OAUTH-WG] A Proposal for Dynamic Registration
>
> For whatever it is worth, let me add my 2c, I've briefly looked through the latest Dynamic Registration Draft, and also briefly looked at SCIM - interesting specification, did not know it even exists :-).
>
> IMHO these are 2 rather different texts, SCIM looks very useful, look forward to understanding it better :-), but it appears to be at a higher level than Dyn Reg Draft is - the latter is centric around a specific use case as far as I can see and the whole language of the latter is about addressing this specific use case. Appears to me SCIM and DynReg of OAuth2 Clients texts complement each other as opposed to 'compete'
> with each other, and they intersect simply because they use some similar terminology. I may be repeating some of what is said below.
>
> Re the use of assertions: I'd like to think that getting the assertions flowing in OAuth2 applications is useful only when we have a task of integrating with existing IDPs or some other involved scenarios. Using them as the central pieces of the protocol will raise the complexity bar.
>
> Apologies for not commenting inline - the above is just the comments after a brief overview of the documents :-)
>
> Cheers, Sergey
>
> On 12/08/13 22:30, Justin Richer wrote:
>> I think you're misunderstanding what I'm saying with regard to the
>> various protocols -- the different registration systems weren't
>> incompatible for any deep seated assumptions or different data models.
>> They were incompatible because of different names, different formats,
>> different things being used to do the same thing. Small, stupid
>> differences that none of the groups were particularly tied to at the
>> time, but getting them all to agree to call something "foo" and not
>> "bar" is where the draft that we have came in. Now you're suggesting
>> that we go back to all these groups and say "well we know we told you
>> to use 'foo' for this field, but now instead we're going to change it
>> to 'bar', except that 'bar' isn't exactly 'bar', it's more like 'baz',
>> and you need to throw out half your use cases". Ridiculous, is it not?
>>
>> All of your questions about what's required or not for supporting
>> dynamic client registration have been brought up and discussed in the
>> history of the document in its various forms over the past couple years.
>> It started out as a one-way registration, no CRUD ops or lifecycle
>> management. Then people started to use it and realized that we needed
>> those things, so we've added them. Once we were in that direction, we
>> realized we were doing CRUD-like operations but weren't being RESTful
>> where it made sense to be, so now it's a JSON-based RESTful API. We
>> used to force client secrets to be used (even by public clients using
>> things like the implicit or assertion flows) to access this API, but
>> then we realized we could eat our own dogfood and use OAuth tokens,
>> and that's where we got the registration access token. We used to have
>> registration be an open POST only, but then there were very real use
>> cases, real deployments, and real extension mechanisms that could be
>> enabled by having the initial registration optionally be protected as
>> an OAuth2 protected resource as well, so that's where we got the
>> initial access token. We originally had a fixed set of client
>> parameters, but groups quickly wanted to add more, so we made that
>> extensible. We originally had simple string values, but people wanted
>> to be able to have localized text as well, so that was added.
>>
>> All of these are visible in the document history, particularly if you
>> look at it across the IETF, UMA, and OpenID specs as a whole. You make
>> it sound as if we simply waved our hands and grabbed a bunch of
>> features out of thin air and implemented them, and that's absolutely
>> not the case. Everything in that draft is the result of lots of
>> discussion, implementation, and deployment. Do I need to mention again
>> that people are actively running this code today?
>>
>> Also, I don't intend to disparage the SCIM protocol -- it's a great
>> protocol for what it does, and in user and group provisioning it's
>> exactly what I look toward. We're looking to potentially deploy it on
>> some of my projects as well, so I'm certainly not against it. However,
>> I'm not one to see it as a silver bullet for solving all RESTful API
>> problems in the world, and that's exactly what I see it being
>> positioned as here. Every function in the Dyn Reg spec that you claim "duplicates"
>> SCIM are actually just things that it gets from being RESTful. So in
>> other words, the similarities are from similar genetics, not from
>> direct competition. Quite frankly, I think that what's happening here
>> is that by taking the SCIM-hammer in hand you're seeing OAuth Dyn Reg as a nail.
>> Also, I still think that you're ignoring the cost of implementing SCIM
>> for people who aren't already doing so, especially when compared to
>> the cost of implementing another (smaller, simpler, fit-to-purpose)
>> RESTful API.
>>
>> As to the direct assertions, I'm interested in seeing where it goes,
>> but I don't yet (today) see how it can work in practice. And in any
>> case it needs a lot more work. Take the code flow, for example -- how
>> does the client present the assertion to the authorization endpoint?
>> And what does it use for client_id (a required parameter)? Also, to
>> the question that I asked at the IETF meeting, what about the case
>> where you've got hundreds of thousands of auth servers protecting the
>> same kind of API -- where does a client go to get its assertion then?
>>
>> As to the "dynamic" nature of the clients, it's the *relationship*
>> that's dynamic. You're once again conflating the code that executes
>> with the instance of the code as seen by a particular authorization server.
>> Also, in my own personal experience, there are things that change for
>> a given piece of code depending on its deployment circumstances -- the
>> redirect_uris for a web client, for instance, are going to be
>> different depending on *where* that client software is served from.
>>
>> Judging by our past conversations, I think that your model of what
>> makes up a client and what makes up an auth server is valid, but
>> limited, and this is continuing to color your view of what this
>> protocol needs. I'd rather have something that works across the many
>> ways that OAuth is being used today and can be used in the future.
>>
>>    -- Justin
>>
>> On 08/12/2013 02:43 PM, Phil Hunt wrote:
>>> Inline...
>>>
>>> Phil
>>>
>>> @independentid
>>> www.independentid.com
>>> phil.hunt@oracle.com
>>>
>>>
>>>
>>>
>>>
>>> On 2013-08-12, at 4:09 PM, Justin Richer <jricher@mitre.org> wrote:
>>>
>>>> I think it's very important that we put *some* stake in the ground
>>>> for the likes of OIDC, BB+, UMA, and the other higher-level
>>>> protocols and systems that are looking toward us for Dyn Reg now.
>>>> They weren't, previously -- all of these had mutually incompatible
>>>> registration systems, but the work we've done so far with Dyn Reg
>>>> has made a system that everyone can use. If we don't declare a
>>>> baseline, and do so soon, then I fully believe that these groups
>>>> will either fracture unnecessarily, or they'll ignore the IETF. Or both.
>>> [PH] Your position here indicates to me that there is not a lot of
>>> natural consensus between OIDC, BB+, UMA and others. If these groups
>>> are aligning solely because of moral pressure to have a single
>>> standard -- which you seem to imply by the need to "put a stake in
>>> the ground", it suggests the technical proposal is not right yet.
>>>
>>> Despite your disparaging of SCIM, I don't think that's the issue.
>>> Whether SCIM or custom API, the Dyn Reg model places too much
>>> complexity solely on the client to registration endpoint relationship.
>>>
>>> For example, the information content of what the client is asserting
>>> is *not* dynamic - only the act of registration is. The client app is
>>> for the most part, "fixed", coded in a particular way for use with a
>>> specific set of APIs. Dyn Reg (and the SCIM variant) go well beyond
>>> just issuing a client_id and exchange all oauth protocol information
>>> on the assumption any value might change.  This is a very complex
>>> approach.
>>>
>>> Then there is the issue of needing full CRUD support, I have not
>>> bought into the need for apps to be able to update registration.  Why
>>> would they do this?  Why do we need de-registration, wouldn't
>>> Torsten's revocation draft suffice?
>>>
>>> The reason I think the assertion model might be a better path, is
>>> that it assumes a larger multi-party flow which moves complexity away
>>> from the registration endpoint to the point that in most cases a
>>> simple cert swap is all that is needed from the client's perspective.
>>>
>>> When Tony and I put forward the SCIM variant, we thought that might
>>> be a compromise.  Still after putting it forward, I now feel the same
>>> way about it as I do the Dyn Reg draft.  What is useful from it, is
>>> the notion of defining a software statement which can be used to
>>> simplify the registration process greatly.
>>>
>>>> I'll leave it to the chairs to decide if this gets tagged
>>>> "experimental" or "standards", but I think that we're doing the
>>>> world a disservice by not shipping what we have.
>>>>
>>>> -- Justin
>>>>
>>>> On 08/12/2013 05:34 AM, Leif Johansson wrote:
>>>>> On 08/06/2013 11:18 PM, Justin Richer wrote:
>>>>>
>>>>> <snip>
>>>>>>    - OAuth Dynamic Registration
>>>>>>    - SCIM-based OAuth Dynamic Registration
>>>>>>    - Software Statements for OAuth Dynamic Registration
>>>>>>
>>>>> This thread makes me think we should break out the EXPERIMENTAL
>>>>> track: spin two or more proposed solutions as EXPERIMENTAL. Let the
>>>>> various groups do what they're gonna do (which they'll do anyway)
>>>>> and let the chips fall where they may.
>>>>>
>>>>> Tony is right in interpreting the discussions in Berlin as quite
>>>>> fractured.
>>>>> Pushing for standards track seems premature.
>>>>>
>>>>> OTOH the transition from EXPERIMENTAL to STANDARDS TRACK can be as
>>>>> quick as a couple of I-Ds describing the outcome of the
>>>>> implementation and deployment work that will happen anyway (as you
>>>>> so correctly observe) after which the WG decides how to move
>>>>> forward.
>>>>>
>>>>> Since bb+ and openidc will do dynreg anyway the document track
>>>>> doesn't really matter which means the usual "vendors won't
>>>>> implement unless it's a real RFC"-argument doesn't apply here anyway.
>>>>>
>>>>>           Cheers Leif
>>>>>
>>>>>
>>>>>
>>>>> _______________________________________________
>>>>> OAuth mailing list
>>>>> OAuth@ietf.org
>>>>> https://www.ietf.org/mailman/listinfo/oauth


From phil.hunt@oracle.com  Wed Aug 14 02:29:19 2013
Return-Path: <phil.hunt@oracle.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A20EB21F9B90 for <oauth@ietfa.amsl.com>; Wed, 14 Aug 2013 02:29:18 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.235
X-Spam-Level: 
X-Spam-Status: No, score=-5.235 tagged_above=-999 required=5 tests=[AWL=-0.032, BAYES_00=-2.599, MIME_QP_LONG_LINE=1.396, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id aMAQzypOgqr3 for <oauth@ietfa.amsl.com>; Wed, 14 Aug 2013 02:29:13 -0700 (PDT)
Received: from userp1040.oracle.com (userp1040.oracle.com [156.151.31.81]) by ietfa.amsl.com (Postfix) with ESMTP id 0333721F9B18 for <oauth@ietf.org>; Wed, 14 Aug 2013 02:29:12 -0700 (PDT)
Received: from acsinet21.oracle.com (acsinet21.oracle.com [141.146.126.237]) by userp1040.oracle.com (Sentrion-MTA-4.3.1/Sentrion-MTA-4.3.1) with ESMTP id r7E9T5bM017218 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK); Wed, 14 Aug 2013 09:29:06 GMT
Received: from userz7021.oracle.com (userz7021.oracle.com [156.151.31.85]) by acsinet21.oracle.com (8.14.4+Sun/8.14.4) with ESMTP id r7E9T3TZ018641 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Wed, 14 Aug 2013 09:29:04 GMT
Received: from abhmt118.oracle.com (abhmt118.oracle.com [141.146.116.70]) by userz7021.oracle.com (8.14.4+Sun/8.14.4) with ESMTP id r7E9T3Xs015338; Wed, 14 Aug 2013 09:29:03 GMT
Received: from [192.168.1.125] (/24.86.29.34) by default (Oracle Beehive Gateway v4.0) with ESMTP ; Wed, 14 Aug 2013 02:29:02 -0700
References: <8e1ea7617c20b54b3cecbc99364b399a@gluu.org> <4AACCC15-5DE8-4906-9756-0E33D37FC240@oracle.com> <520A35CA.50006@aol.com> <520A3BAD.1050703@mitre.org> <7a9ce33274304311a64057bb305be011@BY2PR03MB189.namprd03.prod.outlook.com> <60b4af16cbbc9c5e5b00fc1e63072c45@gluu.org> <a31200b47c9d477ca226f5e1fdb2dfbf@BY2PR03MB189.namprd03.prod.outlook.com> <520A4549.5040206@aol.com> <a64cf984cc42495f9d5d362dd2f9b980@BY2PR03MB189.namprd03.prod.outlook.com> <520A472C.6040101@mitre.org> <D01CFAFF-0FB5-406C-86F3-E7D0952D01FB@oracle.com> <520A6B0D.7070103@aol.com> <520B2472.4040104@gmx.net>
Mime-Version: 1.0 (1.0)
In-Reply-To: <520B2472.4040104@gmx.net>
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable
Message-Id: <D28D9D59-4A04-4C15-9357-BF30FD42900B@oracle.com>
X-Mailer: iPhone Mail (10B329)
From: Phil Hunt <phil.hunt@oracle.com>
Date: Wed, 14 Aug 2013 02:29:01 -0700
To: Hannes Tschofenig <hannes.tschofenig@gmx.net>
X-Source-IP: acsinet21.oracle.com [141.146.126.237]
Cc: "mike@gluu.org" <mike@gluu.org>, "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] OX needs Dynamic Registration: please don't remove!
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 14 Aug 2013 09:29:20 -0000

+1 to Hannes' comments. I was referring to the server issues.

George, I believe only in the openid case and a few others would a client
hold tokens to multiple endpoints of the same api.

For the vast majority of apps, clients would be permanently associated to a
single endpoint for the resource endpoint.

That said, having multiple tokens for multiple endpoints isn't that
confusing. But, having multiple tokens for EACH of multiple endpoints is
confusing.

Compound that with the fact that each api endpoint and each reg endpoint may
use different types of credentials (passwords, tokens, hoks) and the client
has to be pretty darn smart dealing with all the options and permutations.

1. We need to eliminate reg access tokens as long term retained tokens. If
we must have crud then use normal access tokens issued in the normal way.

2. We need to look to change the design to reduce options at the
registration endpoint. The assertion swap method is one possibility.

3. We should also consider amending 6749. For example make client id
optional for implicit flow or javascript based on service provider choice.
Or depend on a developer issued client id, etc. Dyn reg isn't actually
improving security in these cases anyway. Why go through this much work for
an identifier if it doesn't help client or server other than the ability to
make a conforming call?

Phil

On 2013-08-13, at 23:32, Hannes Tschofenig <hannes.tschofenig@gmx.net> wrote:

> George is correct with his statements. There is, however, a difference
> between a shared secret and an assertion as Phil pointed out. For the
> assertion the server does not need to maintain state on a per-client
> basis. On the other hand since the client secret isn't really used in the
> classical sense of a password either but rather as a "cookie" (if used in
> the style of Section 2.3.1 of RFC6749) one could easily apply the concept
> of stateless tokens to them:
> http://tools.ietf.org/html/draft-rescorla-stateless-tokens-01
>
>
> On 08/13/2013 07:21 PM, George Fletcher wrote:
>> Hi Phil,
>>
>> I'm sorry for not following completely. Some questions inline...
>>
>> On 8/13/13 11:00 AM, Phil Hunt wrote:
>>> Dyn reg and the scim reg variant depend too much/biased towards
>>> passwords expressed as client secrets.
>> I'm not sure what you mean in regards to "client secrets". There are
>> OAuth2 bearer tokens that need to be protected because they are bearer
>> tokens. That said, there is nothing in the spec that requires these to
>> be opaque blobs vs signed tokens. So both the "Initial Access Token" and
>> the "Registration Access Token" can be signed tokens. However, the
>> client still has to protect them as if they were a "secret" because they
>> are a bearer token and can be replayed. So it's the same amount of work
>> on the client either way.
>>
>>>
>>> A signed token approach has many advantages for service providers like
>>> not having to maintain a secure database of secrets/passwords.
>> If the concern here is the amount of data the Authorization Server has
>> to store to manage these clients, then the current spec doesn't preclude
>> using a "signed token". Both OAuth2 bearer tokens identified in the
>> current spec can be signed tokens.
>>>
>>> Finally issuing both a client secret and registration token is costly
>>> and confusing to client developers.  I relented somewhat when I
>>> realized kerberos does this--but i still feel it is a bad design at
>>> cloud scale.
>> Given that client_secrets are OPTIONAL in OAuth2 for some use cases, I'm
>> not sure how you abstract the client developer from having to deal with
>> them. The client developer is going to be dealing with multiple OAuth2
>> tokens to multiple endpoints regardless so I don't see another token as
>> costly or complex. At a minimum there is the refresh_token and
>> access_token. Where is the added client developer complexity?
>>
>> Thanks,
>> George
>>
>>>
>>> Phil
>>>
>>> On 2013-08-13, at 7:48, Justin Richer <jricher@mitre.org
>>> <mailto:jricher@mitre.org>> wrote:
>>>
>>>> The spec doesn't care where you deploy at -- if URL space is at a
>>>> premium for you, then switch based on input parameters and other
>>>> things. And you're still not clear on which "secrets" you're taking
>>>> issue with.
>>>>
>>>> -- Justin
>>>>
>>>> On 08/13/2013 10:46 AM, Anthony Nadalin wrote:
>>>>>
>>>>> #1, it's yet another endpoint to have to manage secrets at, yes this
>>>>> is an OAuth item but it’s growing out of control, we are trying to
>>>>> move away from secrets and management of these endpoints as this
>>>>> would be just another one we have to support, monitor and report on
>>>>>
>>>>> #2 yes, 1 physical endpoint acting as multiple authorization servers
>>>>>
>>>>> *From:*George Fletcher [mailto:gffletch@aol.com]
>>>>> *Sent:* Tuesday, August 13, 2013 7:40 AM
>>>>> *To:* Anthony Nadalin
>>>>> *Cc:* mike@gluu.org; Justin Richer; oauth@ietf.org
>>>>> *Subject:* Re: [OAUTH-WG] OX needs Dynamic Registration: please
>>>>> don't remove!
>>>>>
>>>>> Hi Tony,
>>>>>
>>>>> Could you please explain a little more?
>>>>>
>>>>> For issue 1:
>>>>> * Which "secret" are you referring to? OAuth2 by default allows for
>>>>> an optional client_secret. I'm not sure why this would cause
>>>>> management issues? Or are you referring to the "Registration Access
>>>>> Token"?
>>>>> * Why is a separate endpoint an issue? Any client is going to be
>>>>> talking to more than just the /authorize and /token endpoints anyway
>>>>> so I'm confused regarding the extra complexity?
>>>>>
>>>>> For issue 2:
>>>>> * What specifically do you mean by "multi-tenant"? Is this one
>>>>> server acting on behalf of multiple tenants and so appearing as
>>>>> multiple Authorization Servers?
>>>>>
>>>>> Thanks,
>>>>> George
>>>>>
>>>>> [snip...]
>>>
>>>
>>> _______________________________________________
>>> OAuth mailing list
>>> OAuth@ietf.org
>>> https://www.ietf.org/mailman/listinfo/oauth
>>
>> --
>>
>>
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth
>

From phil.hunt@oracle.com  Wed Aug 14 11:08:38 2013
Return-Path: <phil.hunt@oracle.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8CEDA21E80B6 for <oauth@ietfa.amsl.com>; Wed, 14 Aug 2013 11:08:38 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.06
X-Spam-Level: 
X-Spam-Status: No, score=-6.06 tagged_above=-999 required=5 tests=[AWL=0.539,  BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Km5GkzwLkux4 for <oauth@ietfa.amsl.com>; Wed, 14 Aug 2013 11:08:33 -0700 (PDT)
Received: from aserp1040.oracle.com (aserp1040.oracle.com [141.146.126.69]) by ietfa.amsl.com (Postfix) with ESMTP id 6025E21E80C6 for <oauth@ietf.org>; Wed, 14 Aug 2013 11:08:30 -0700 (PDT)
Received: from ucsinet22.oracle.com (ucsinet22.oracle.com [156.151.31.94]) by aserp1040.oracle.com (Sentrion-MTA-4.3.1/Sentrion-MTA-4.3.1) with ESMTP id r7EI8KsV003194 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK); Wed, 14 Aug 2013 18:08:23 GMT
Received: from aserz7021.oracle.com (aserz7021.oracle.com [141.146.126.230]) by ucsinet22.oracle.com (8.14.4+Sun/8.14.4) with ESMTP id r7EI8FN1010215 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Wed, 14 Aug 2013 18:08:20 GMT
Received: from abhmt109.oracle.com (abhmt109.oracle.com [141.146.116.61]) by aserz7021.oracle.com (8.14.4+Sun/8.14.4) with ESMTP id r7EI8EPC007656; Wed, 14 Aug 2013 18:08:14 GMT
Received: from [192.168.1.89] (/24.86.29.34) by default (Oracle Beehive Gateway v4.0) with ESMTP ; Wed, 14 Aug 2013 11:08:14 -0700
Content-Type: text/plain; charset=windows-1252
Mime-Version: 1.0 (Mac OS X Mail 6.5 \(1508\))
From: Phil Hunt <phil.hunt@oracle.com>
In-Reply-To: <D28D9D59-4A04-4C15-9357-BF30FD42900B@oracle.com>
Date: Wed, 14 Aug 2013 11:08:13 -0700
Content-Transfer-Encoding: quoted-printable
Message-Id: <82AB4E5E-344B-40AC-AC2C-B55D40D97D43@oracle.com>
References: <8e1ea7617c20b54b3cecbc99364b399a@gluu.org> <4AACCC15-5DE8-4906-9756-0E33D37FC240@oracle.com> <520A35CA.50006@aol.com> <520A3BAD.1050703@mitre.org> <7a9ce33274304311a64057bb305be011@BY2PR03MB189.namprd03.prod.outlook.com> <60b4af16cbbc9c5e5b00fc1e63072c45@gluu.org> <a31200b47c9d477ca226f5e1fdb2dfbf@BY2PR03MB189.namprd03.prod.outlook.com> <520A4549.5040206@aol.com> <a64cf984cc42495f9d5d362dd2f9b980@BY2PR03MB189.namprd03.prod.outlook.com> <520A472C.6040101@mitre.org> <D01CFAFF-0FB5-406C-86F3-E7D0952D01FB@oracle.com> <520A6B0D.7070103@aol.com> <520B2472.4040104@gmx.net> <D28D9D59-4A04-4C15-9357-BF30FD42900B@oracle.com>
To: Hannes Tschofenig <hannes.tschofenig@gmx.net>
X-Mailer: Apple Mail (2.1508)
X-Source-IP: ucsinet22.oracle.com [156.151.31.94]
Cc: "oauth@ietf.org WG" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Observations about registration types (was: OX needs Dynamic Registration: please don't remove!)
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 14 Aug 2013 18:08:38 -0000

I'm just thinking off the top of my head trying to break through on some
simplification possibilities.  The spec so far is driven by OIDC, but the
more I think about it, it is a special case of clients that want to be able
to connect to many different OIDC service providers based on an event
trigger of some kind (truly dynamic).

When I hear Justin and others describe the drive behind dyn reg, the
primary reason stated is because 6749 requires that clients have a
client_id. The requirement for client_id to be issued by the AS protecting
the endpoint seems to arise from the assumption that client_id must be an
identifier the AS accepts.

Yet, 6749 does not make this restriction.

An assertion (e.g. software statement) could serve the same purpose as long
as the AS trusts the signer.  So for example, javascript clients could pass
a software assertion and avoid the need to register.

Per my previous comment, I am of course assuming that there is little or no
value in being able to track execution instances of javascript.

If I were to separate the Software Statement into a separate spec, it could
define multiple uses:

1.  [No Reg] As a client_id for javascript / implicit clients

2. [Static Reg] For native clients (ones that use a fixed redirect), a
certificate swap per the JWT Bearer spec to exchange for a client
assertion.  (would client_id be assigned or would software statement be
used?).  These clients are "fixed" and more often than not, tend to
associate with one service provider at a time.

3.  [Offline Reg] For web clients -- is registration needed? Why not use an
OOB administrative process.  These are large apps with significant trust
and network issues that would preclude automatic registration. They tend to
connect to one endpoint at a time.

5. [Dyn Reg] Dynamic association clients - There a category of clients that
would need full CRUD because of registration time changes in values like
redirect_url? Further, the clients may connect randomly to different
service providers of the same API. OpenID Connect seems to be one of them.
Do these clients need permanent registration?

Does categorization of clients give a proper justification for having a dyn
reg draft plus some other methods for registration?  Or is OIDC so
specialized the draft should remain an OIDF draft?  If so, how can we best
align?

The one observation I have here about registration and the dynamic
registration case is that a hacker could simply keep re-registering an
endpoint to change the redirect_url at will. It seems like this is a bad
thing. So is the idea to ensure that every time a client returns to an
endpoint it somehow MUST use the same registration as before? Honest
players might do that (especially incentivized by saving the registration
step).  But Dyn Reg would seem not to do this, but rather make it easier to
keep registering and thereby dynamically change the redirect_url every
time.

Of course a *big* negative about this thinking is that different clients
are treated very differently.  I don't like this. Yet, for each treatment,
the options are more restrictive and simplified.  I'm not sure this is
progress, but thought I would throw the idea out there for discussion.
Maybe someone can take this to another step?

Phil

@independentid
www.independentid.com
phil.hunt@oracle.com







On 2013-08-14, at 2:29 AM, Phil Hunt <phil.hunt@oracle.com> wrote:

> +1 to Hannes' comments. I was referring to the server issues.
>
> George, I believe only in the openid case and a few others would a client
> hold tokens to multiple endpoints of the same api.
>
> For the vast majority of apps, clients would be permanently associated to
> a single endpoint for the resource endpoint.
>
> That said, having multiple tokens for multiple endpoints isn't that
> confusing. But, having multiple tokens for EACH of multiple endpoints is
> confusing.
>
> Compound that with the fact that each api endpoint and each reg endpoint
> may use different types of credentials (passwords, tokens, hoks) and the
> client has to be pretty darn smart dealing with all the options and
> permutations.
>
> 1. We need to eliminate reg access tokens as long term retained tokens. If
> we must have crud then use normal access tokens issued in the normal way.
>
> 2. We need to look to change the design to reduce options at the
> registration endpoint. The assertion swap method is one possibility.
>
> 3. We should also consider amending 6749. For example make client id
> optional for implicit flow or javascript based on service provider choice.
> Or depend on a developer issued client id, etc. Dyn reg isn't actually
> improving security in these cases anyway. Why go through this much work
> for an identifier if it doesn't help client or server other than the
> ability to make a conforming call?
>
> Phil
>
> On 2013-08-13, at 23:32, Hannes Tschofenig <hannes.tschofenig@gmx.net> wrote:
>
>> George is correct with his statements. There is, however, a difference
>> between a shared secret and an assertion as Phil pointed out. For the
>> assertion the server does not need to maintain state on a per-client
>> basis. On the other hand since the client secret isn't really used in the
>> classical sense of a password either but rather as a "cookie" (if used in
>> the style of Section 2.3.1 of RFC6749) one could easily apply the concept
>> of stateless tokens to them:
>> http://tools.ietf.org/html/draft-rescorla-stateless-tokens-01
>>
>>
>> On 08/13/2013 07:21 PM, George Fletcher wrote:
>>> Hi Phil,
>>>
>>> I'm sorry for not following completely. Some questions inline...
>>>
>>> On 8/13/13 11:00 AM, Phil Hunt wrote:
>>>> Dyn reg and the scim reg variant depend too much/biased towards
>>>> passwords expressed as client secrets.
>>> I'm not sure what you mean in regards to "client secrets". There are
>>> OAuth2 bearer tokens that need to be protected because they are bearer
>>> tokens. That said, there is nothing in the spec that requires these to
>>> be opaque blobs vs signed tokens. So both the "Initial Access Token" and
>>> the "Registration Access Token" can be signed tokens. However, the
>>> client still has to protect them as if they were a "secret" because they
>>> are a bearer token and can be replayed. So it's the same amount of work
>>> on the client either way.
>>>
>>>>
>>>> A signed token approach has many advantages for service providers like
>>>> not having to maintain a secure database of secrets/passwords.
>>> If the concern here is the amount of data the Authorization Server has
>>> to store to manage these clients, then the current spec doesn't preclude
>>> using a "signed token". Both OAuth2 bearer tokens identified in the
>>> current spec can be signed tokens.
>>>>
>>>> Finally issuing both a client secret and registration token is costly
>>>> and confusing to client developers.  I relented somewhat when I
>>>> realized kerberos does this--but i still feel it is a bad design at
>>>> cloud scale.
>>> Given that client_secrets are OPTIONAL in OAuth2 for some use cases, I'm
>>> not sure how you abstract the client developer from having to deal with
>>> them. The client developer is going to be dealing with multiple OAuth2
>>> tokens to multiple endpoints regardless so I don't see another token as
>>> costly or complex. At a minimum there is the refresh_token and
>>> access_token. Where is the added client developer complexity?
>>>
>>> Thanks,
>>> George
>>>
>>>>
>>>> Phil
>>>>
>>>> On 2013-08-13, at 7:48, Justin Richer <jricher@mitre.org
>>>> <mailto:jricher@mitre.org>> wrote:
>>>>
>>>>> The spec doesn't care where you deploy at -- if URL space is at a
>>>>> premium for you, then switch based on input parameters and other
>>>>> things. And you're still not clear on which "secrets" you're taking
>>>>> issue with.
>>>>>
>>>>> -- Justin
>>>>>
>>>>> On 08/13/2013 10:46 AM, Anthony Nadalin wrote:
>>>>>>
>>>>>> #1, it's yet another endpoint to have to manage secrets at, yes this
>>>>>> is an OAuth item but it’s growing out of control, we are trying to
>>>>>> move away from secrets and management of these endpoints as this
>>>>>> would be just another one we have to support, monitor and report on
>>>>>>
>>>>>> #2 yes, 1 physical endpoint acting as multiple authorization servers
>>>>>>
>>>>>> *From:*George Fletcher [mailto:gffletch@aol.com]
>>>>>> *Sent:* Tuesday, August 13, 2013 7:40 AM
>>>>>> *To:* Anthony Nadalin
>>>>>> *Cc:* mike@gluu.org; Justin Richer; oauth@ietf.org
>>>>>> *Subject:* Re: [OAUTH-WG] OX needs Dynamic Registration: please
>>>>>> don't remove!
>>>>>>
>>>>>> Hi Tony,
>>>>>>
>>>>>> Could you please explain a little more?
>>>>>>
>>>>>> For issue 1:
>>>>>> * Which "secret" are you referring to? OAuth2 by default allows for
>>>>>> an optional client_secret. I'm not sure why this would cause
>>>>>> management issues? Or are you referring to the "Registration Access
>>>>>> Token"?
>>>>>> * Why is a separate endpoint an issue? Any client is going to be
>>>>>> talking to more than just the /authorize and /token endpoints anyway
>>>>>> so I'm confused regarding the extra complexity?
>>>>>>
>>>>>> For issue 2:
>>>>>> * What specifically do you mean by "multi-tenant"? Is this one
>>>>>> server acting on behalf of multiple tenants and so appearing as
>>>>>> multiple Authorization Servers?
>>>>>>
>>>>>> Thanks,
>>>>>> George
>>>>>>
>>>>>> [snip...]
>>>>
>>>>
>>>> _______________________________________________
>>>> OAuth mailing list
>>>> OAuth@ietf.org
>>>> https://www.ietf.org/mailman/listinfo/oauth
>>>
>>> --
>>>
>>>
>>> _______________________________________________
>>> OAuth mailing list
>>> OAuth@ietf.org
>>> https://www.ietf.org/mailman/listinfo/oauth
>>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
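
[Added example, not part of the thread or of any draft it discusses.] The point quoted above, that a client secret used as a "cookie" can be made stateless and that an assertion needs no per-client server state, can be sketched as follows: the authorization server MACs the registration metadata into the client_id and derives the client_secret from it, so redirect_uris are checked without a client database. The token layout, the key handling and the names register and authenticate are assumptions of this sketch.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo key; a real server would load this from protected storage.
SERVER_KEY = b"constructed-demo-key"


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _mac(label: bytes, data: bytes) -> bytes:
    # Distinct labels keep the client_id tag and the client_secret from
    # being the same MAC computed over the same input.
    return hmac.new(SERVER_KEY, label + b"\x00" + data, hashlib.sha256).digest()


def register(metadata: dict, now: int = None, lifetime: int = 3600):
    """Issue (client_id, client_secret) without storing anything per client."""
    now = int(time.time()) if now is None else now
    body = json.dumps(
        {"meta": metadata, "exp": now + lifetime},
        sort_keys=True, separators=(",", ":"),
    ).encode("utf-8")
    # client_id = registration data + server MAC over that data.
    client_id = _b64(body) + "." + _b64(_mac(b"id", body))
    # client_secret is derived from client_id, so it can be recomputed later.
    client_secret = _b64(_mac(b"secret", client_id.encode("ascii")))
    return client_id, client_secret


def authenticate(client_id: str, client_secret: str, redirect_uri: str,
                 now: int = None):
    """Return the registered metadata, or None if any check fails."""
    now = int(time.time()) if now is None else now
    try:
        body_b64, tag_b64 = client_id.split(".")
        body, tag = _unb64(body_b64), _unb64(tag_b64)
    except ValueError:
        return None  # malformed client_id
    # 1. The metadata must carry this server's MAC (not client-chosen).
    if not hmac.compare_digest(tag, _mac(b"id", body)):
        return None
    # 2. The secret must match the one derived for this exact client_id.
    expected = _b64(_mac(b"secret", client_id.encode("utf-8")))
    if not hmac.compare_digest(expected.encode(), client_secret.encode("utf-8")):
        return None
    claims = json.loads(body)
    # 3. Without stored state, expiry is the only built-in way to retire
    #    a registration; revoking one client early needs a deny list.
    if claims["exp"] <= now:
        return None
    # 4. redirect_uri must be one that was bound in at registration time.
    if redirect_uri not in claims["meta"].get("redirect_uris", []):
        return None
    return claims["meta"]


if __name__ == "__main__":
    meta = {"client_name": "demo", "redirect_uris": ["https://client.example/cb"]}
    cid, secret = register(meta)
    print(authenticate(cid, secret, "https://client.example/cb"))
    print(authenticate(cid, secret, "https://other.example/cb"))
```

Changing a redirect_uri here means obtaining a new client_id, so the server sees a different client rather than a silent update of an existing one.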


From sakimura@gmail.com  Wed Aug 14 19:42:51 2013
In-Reply-To: <520B2472.4040104@gmx.net>
Message-Id: <F4E352F7-AF40-4D4B-B3F1-F8FEC4F5BA4C@gmail.com>
From: Nat Sakimura <sakimura@gmail.com>
Date: Thu, 15 Aug 2013 11:42:43 +0900
To: Hannes Tschofenig <hannes.tschofenig@gmx.net>
Cc: "mike@gluu.org" <mike@gluu.org>, "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] OX needs Dynamic Registration: please don't remove!

Right. A Bearer Token does not have to be a shared secret. It may have some structure that allows the server to validate it statelessly, e.g. JWS-JWT.


=nat via iPhone

On Aug 14, 2013, at 15:32, Hannes Tschofenig <hannes.tschofenig@gmx.net> wrote:

> George is correct with his statements. There is, however, a difference between a shared secret and an assertion as Phil pointed out. For the assertion the server does not need to maintain state on a per-client basis. On the other hand since the client secret isn't really used in the classical sense of a password either but rather as a "cookie" (if used in the style of Section 2.3.1 of RFC6749) one could easily apply the concept of stateless tokens to them:
> http://tools.ietf.org/html/draft-rescorla-stateless-tokens-01
>
>
> On 08/13/2013 07:21 PM, George Fletcher wrote:
>> Hi Phil,
>>
>> I'm sorry for not following completely. Some questions inline...
>>
>> On 8/13/13 11:00 AM, Phil Hunt wrote:
>>> Dyn reg and the scim reg variant depend too much/biased towards
>>> passwords expressed as client secrets.
>> I'm not sure what you mean in regards to "client secrets". There are
>> OAuth2 bearer tokens that need to be protected because they are bearer
>> tokens. That said, there is nothing in the spec that requires these to
>> be opaque blobs vs signed tokens. So both the "Initial Access Token" and
>> the "Registration Access Token" can be signed tokens. However, the
>> client still has to protect them as if they were a "secret" because they
>> are a bearer token and can be replayed. So it's the same amount of work
>> on the client either way.
>>
>>>
>>> A signed token approach has many advantages for service providers like
>>> not having to maintain a secure database of secrets/passwords.
>> If the concern here is the amount of data the Authorization Server has
>> to store to manage these clients, then the current spec doesn't preclude
>> using a "signed token". Both OAuth2 bearer tokens identified in the
>> current spec can be signed tokens.
>>>
>>> Finally issuing both a client secret and registration token is costly
>>> and confusing to client developers.  I relented somewhat when I
>>> realized Kerberos does this--but I still feel it is a bad design at
>>> cloud scale.
>> Given that client_secrets are OPTIONAL in OAuth2 for some use cases, I'm
>> not sure how you abstract the client developer from having to deal with
>> them. The client developer is going to be dealing with multiple OAuth2
>> tokens to multiple endpoints regardless so I don't see another token as
>> costly or complex. At a minimum there is the refresh_token and
>> access_token. Where is the added client developer complexity?
>>
>> Thanks,
>> George
>>
>>>
>>> Phil
>>>
>>> On 2013-08-13, at 7:48, Justin Richer <jricher@mitre.org
>>> <mailto:jricher@mitre.org>> wrote:
>>>
>>>> The spec doesn't care where you deploy at -- if URL space is at a
>>>> premium for you, then switch based on input parameters and other
>>>> things. And you're still not clear on which "secrets" you're taking
>>>> issue with.
>>>>
>>>> -- Justin
>>>>
>>>> On 08/13/2013 10:46 AM, Anthony Nadalin wrote:
>>>>>
>>>>> #1, it's yet another endpoint to have to manage secrets at, yes this
>>>>> is an OAuth item but it’s growing out of control, we are trying to
>>>>> move away from secrets and management of these endpoints as this
>>>>> would be just another one we have to support, monitor and report on
>>>>>
>>>>> #2 yes, 1 physical endpoint acting as multiple authorization servers
>>>>>
>>>>> *From:*George Fletcher [mailto:gffletch@aol.com]
>>>>> *Sent:* Tuesday, August 13, 2013 7:40 AM
>>>>> *To:* Anthony Nadalin
>>>>> *Cc:* mike@gluu.org; Justin Richer; oauth@ietf.org
>>>>> *Subject:* Re: [OAUTH-WG] OX needs Dynamic Registration: please
>>>>> don't remove!
>>>>>
>>>>> Hi Tony,
>>>>>
>>>>> Could you please explain a little more?
>>>>>
>>>>> For issue 1:
>>>>> * Which "secret" are you referring to? OAuth2 by default allows for
>>>>> an optional client_secret. I'm not sure why this would cause
>>>>> management issues? Or are you referring to the "Registration Access
>>>>> Token"?
>>>>> * Why is a separate endpoint an issue? Any client is going to be
>>>>> talking to more than just the /authorize and /token endpoints anyway
>>>>> so I'm confused regarding the extra complexity?
>>>>>
>>>>> For issue 2:
>>>>> * What specifically do you mean by "multi-tenant"? Is this one
>>>>> server acting on behalf of multiple tenants and so appearing as
>>>>> multiple Authorization Servers?
>>>>>
>>>>> Thanks,
>>>>> George
>>>>>
>>>>> [snip...]
>>>
>>>
>>
>> --
>>
>>
>

From phil.hunt@oracle.com  Wed Aug 14 20:47:32 2013
In-Reply-To: <F4E352F7-AF40-4D4B-B3F1-F8FEC4F5BA4C@gmail.com>
Message-Id: <C4319956-096D-4040-BAE1-2247E2C37D8A@oracle.com>
From: Phil Hunt <phil.hunt@oracle.com>
Date: Wed, 14 Aug 2013 20:47:16 -0700
To: Nat Sakimura <sakimura@gmail.com>
Cc: "mike@gluu.org" <mike@gluu.org>, "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] OX needs Dynamic Registration: please don't remove!

I am saying a bearer token is better than a password for the service provider as Hannes explains.

Phil

On 2013-08-14, at 19:42, Nat Sakimura <sakimura@gmail.com> wrote:

> Right. A Bearer Token does not have to be a shared secret. It may have some structure that allows the server to validate it statelessly, e.g. JWS-JWT.
>
> =nat via iPhone
>
> On Aug 14, 2013, at 15:32, Hannes Tschofenig <hannes.tschofenig@gmx.net> wrote:
>
>> George is correct with his statements. There is, however, a difference between a shared secret and an assertion as Phil pointed out. For the assertion the server does not need to maintain state on a per-client basis. On the other hand since the client secret isn't really used in the classical sense of a password either but rather as a "cookie" (if used in the style of Section 2.3.1 of RFC6749) one could easily apply the concept of stateless tokens to them:
>> http://tools.ietf.org/html/draft-rescorla-stateless-tokens-01
>>
>>
>> On 08/13/2013 07:21 PM, George Fletcher wrote:
>>> Hi Phil,
>>>
>>> I'm sorry for not following completely. Some questions inline...
>>>
>>> On 8/13/13 11:00 AM, Phil Hunt wrote:
>>>> Dyn reg and the scim reg variant depend too much/biased towards
>>>> passwords expressed as client secrets.
>>> I'm not sure what you mean in regards to "client secrets". There are
>>> OAuth2 bearer tokens that need to be protected because they are bearer
>>> tokens. That said, there is nothing in the spec that requires these to
>>> be opaque blobs vs signed tokens. So both the "Initial Access Token" and
>>> the "Registration Access Token" can be signed tokens. However, the
>>> client still has to protect them as if they were a "secret" because they
>>> are a bearer token and can be replayed. So it's the same amount of work
>>> on the client either way.
>>>
>>>>
>>>> A signed token approach has many advantages for service providers like
>>>> not having to maintain a secure database of secrets/passwords.
>>> If the concern here is the amount of data the Authorization Server has
>>> to store to manage these clients, then the current spec doesn't preclude
>>> using a "signed token". Both OAuth2 bearer tokens identified in the
>>> current spec can be signed tokens.
>>>>
>>>> Finally issuing both a client secret and registration token is costly
>>>> and confusing to client developers.  I relented somewhat when I
>>>> realized Kerberos does this--but I still feel it is a bad design at
>>>> cloud scale.
>>> Given that client_secrets are OPTIONAL in OAuth2 for some use cases, I'm
>>> not sure how you abstract the client developer from having to deal with
>>> them. The client developer is going to be dealing with multiple OAuth2
>>> tokens to multiple endpoints regardless so I don't see another token as
>>> costly or complex. At a minimum there is the refresh_token and
>>> access_token. Where is the added client developer complexity?
>>>
>>> Thanks,
>>> George
>>>
>>>>
>>>> Phil
>>>>
>>>> On 2013-08-13, at 7:48, Justin Richer <jricher@mitre.org
>>>> <mailto:jricher@mitre.org>> wrote:
>>>>
>>>>> The spec doesn't care where you deploy at -- if URL space is at a
>>>>> premium for you, then switch based on input parameters and other
>>>>> things. And you're still not clear on which "secrets" you're taking
>>>>> issue with.
>>>>>
>>>>> -- Justin
>>>>>
>>>>> On 08/13/2013 10:46 AM, Anthony Nadalin wrote:
>>>>>>
>>>>>> #1, it's yet another endpoint to have to manage secrets at, yes this
>>>>>> is an OAuth item but it’s growing out of control, we are trying to
>>>>>> move away from secrets and management of these endpoints as this
>>>>>> would be just another one we have to support, monitor and report on
>>>>>>
>>>>>> #2 yes, 1 physical endpoint acting as multiple authorization servers
>>>>>>
>>>>>> *From:*George Fletcher [mailto:gffletch@aol.com]
>>>>>> *Sent:* Tuesday, August 13, 2013 7:40 AM
>>>>>> *To:* Anthony Nadalin
>>>>>> *Cc:* mike@gluu.org; Justin Richer; oauth@ietf.org
>>>>>> *Subject:* Re: [OAUTH-WG] OX needs Dynamic Registration: please
>>>>>> don't remove!
>>>>>>
>>>>>> Hi Tony,
>>>>>>
>>>>>> Could you please explain a little more?
>>>>>>
>>>>>> For issue 1:
>>>>>> * Which "secret" are you referring to? OAuth2 by default allows for
>>>>>> an optional client_secret. I'm not sure why this would cause
>>>>>> management issues? Or are you referring to the "Registration Access
>>>>>> Token"?
>>>>>> * Why is a separate endpoint an issue? Any client is going to be
>>>>>> talking to more than just the /authorize and /token endpoints anyway
>>>>>> so I'm confused regarding the extra complexity?
>>>>>>
>>>>>> For issue 2:
>>>>>> * What specifically do you mean by "multi-tenant"? Is this one
>>>>>> server acting on behalf of multiple tenants and so appearing as
>>>>>> multiple Authorization Servers?
>>>>>>
>>>>>> Thanks,
>>>>>> George
>>>>>>
>>>>>> [snip...]
>>>>
>>>>
>>>
>>> --
>>>
>>>
>>

From amirabdulahi@hotmail.com  Thu Aug 15 10:09:08 2013
Message-ID: <DUB119-DS8E6F44A5AD6217AE309EBC6460@phx.gbl>
From: "amir abdulahi " <amirabdulahi@hotmail.com>
To: "oauth@ietf.org " <oauth@ietf.org>
Date: Thu, 15 Aug 2013 17:09:01 +0000
Subject: [OAUTH-WG] Amirabdulahi@hotmail .com

Amirabdulahi@gmail.com

From ve7jtb@ve7jtb.com  Thu Aug 15 12:59:46 2013
From: John Bradley <ve7jtb@ve7jtb.com>
In-Reply-To: <C4319956-096D-4040-BAE1-2247E2C37D8A@oracle.com>
Date: Thu, 15 Aug 2013 15:59:28 -0400
Message-Id: <3F77EA9B-0F5D-44E6-AFEB-C873D6342713@ve7jtb.com>
To: Phil Hunt <phil.hunt@oracle.com>
Cc: "mike@gluu.org" <mike@gluu.org>, "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] OX needs Dynamic Registration: please don't remove!

Yes, a bearer token that is signed and/or encrypted by the AS reduces the amount of state required for the AS to maintain.

In RFC 6749 there is information about the client that is tied to the client_id, and is required at the authorization endpoint (e.g. redirect_uri).

I understand the goal of reducing state in the IdP. Some of us have looked at storing information in a signed client_id that would work in the existing RFC 6749 flows.

It seems that some people are dissatisfied with RFC 6749 and would like to see changes like removing implicit flows.

The current Dynamic registration spec deals with the current state of OAuth. If the WG decides to do an OAuth 3 that fully supports assertions and ditches secrets I would be OK with that.
However, let's not cripple what we have as a standard now by creating dynamic registration that can only be fully implemented in a future version of OAuth.

Some people want/need a client registration API now. It is clearly a missing part of an entire OAuth system.
Supporting existing OAuth while minimizing state at the AS is something I support; waiting for an OAuth redesign is not in my opinion a reasonable medium term goal.

John B.


On 2013-08-14, at 11:47 PM, Phil Hunt <phil.hunt@oracle.com> wrote:

> I am saying a bearer token is better than a password for the service provider as Hannes explains.
>
> Phil
>
> On 2013-08-14, at 19:42, Nat Sakimura <sakimura@gmail.com> wrote:
>
>> Right. A Bearer Token does not have to be a shared secret. It may have some structure that allows the server to validate it statelessly, e.g. JWS-JWT.
>>
>> =nat via iPhone
>>
>> On Aug 14, 2013, at 15:32, Hannes Tschofenig <hannes.tschofenig@gmx.net> wrote:
>>
>>> George is correct with his statements. There is, however, a difference between a shared secret and an assertion as Phil pointed out. For the assertion the server does not need to maintain state on a per-client basis. On the other hand since the client secret isn't really used in the classical sense of a password either but rather as a "cookie" (if used in the style of Section 2.3.1 of RFC6749) one could easily apply the concept of stateless tokens to them:
>>> http://tools.ietf.org/html/draft-rescorla-stateless-tokens-01
>>>
>>>
>>> On 08/13/2013 07:21 PM, George Fletcher wrote:
>>>> Hi Phil,
>>>>
>>>> I'm sorry for not following completely. Some questions inline...
>>>>
>>>> On 8/13/13 11:00 AM, Phil Hunt wrote:
>>>>> Dyn reg and the scim reg variant depend too much/biased towards
>>>>> passwords expressed as client secrets.
>>>> I'm not sure what you mean in regards to "client secrets". There are
>>>> OAuth2 bearer tokens that need to be protected because they are bearer
>>>> tokens. That said, there is nothing in the spec that requires these to
>>>> be opaque blobs vs signed tokens. So both the "Initial Access Token" and
>>>> the "Registration Access Token" can be signed tokens. However, the
>>>> client still has to protect them as if they were a "secret" because they
>>>> are a bearer token and can be replayed. So it's the same amount of work
>>>> on the client either way.
>>>>
>>>>>
>>>>> A signed token approach has many advantages for service providers like
>>>>> not having to maintain a secure database of secrets/passwords.
>>>> If the concern here is the amount of data the Authorization Server has
>>>> to store to manage these clients, then the current spec doesn't preclude
>>>> using a "signed token". Both OAuth2 bearer tokens identified in the
>>>> current spec can be signed tokens.
>>>>>
>>>>> Finally issuing both a client secret and registration token is costly
>>>>> and confusing to client developers.  I relented somewhat when I
>>>>> realized Kerberos does this--but I still feel it is a bad design at
>>>>> cloud scale.
>>>> Given that client_secrets are OPTIONAL in OAuth2 for some use cases, I'm
>>>> not sure how you abstract the client developer from having to deal with
>>>> them. The client developer is going to be dealing with multiple OAuth2
>>>> tokens to multiple endpoints regardless so I don't see another token as
>>>> costly or complex. At a minimum there is the refresh_token and
>>>> access_token. Where is the added client developer complexity?
>>>>
>>>> Thanks,
>>>> George
>>>>
>>>>>
>>>>> Phil
>>>>>
>>>>> On 2013-08-13, at 7:48, Justin Richer <jricher@mitre.org
>>>>> <mailto:jricher@mitre.org>> wrote:
>>>>>
>>>>>> The spec doesn't care where you deploy at -- if URL space is at a
>>>>>> premium for you, then switch based on input parameters and other
>>>>>> things. And you're still not clear on which "secrets" you're taking
>>>>>> issue with.
>>>>>>
>>>>>> -- Justin
>>>>>>
>>>>>> On 08/13/2013 10:46 AM, Anthony Nadalin wrote:
>>>>>>>
>>>>>>> #1, it's yet another endpoint to have to manage secrets at, yes this
>>>>>>> is an OAuth item but it’s growing out of control, we are trying to
>>>>>>> move away from secrets and management of these endpoints as this
>>>>>>> would be just another one we have to support, monitor and report on
>>>>>>>
>>>>>>> #2 yes, 1 physical endpoint acting as multiple authorization servers
>>>>>>>
>>>>>>> *From:*George Fletcher [mailto:gffletch@aol.com]
>>>>>>> *Sent:* Tuesday, August 13, 2013 7:40 AM
>>>>>>> *To:* Anthony Nadalin
>>>>>>> *Cc:* mike@gluu.org; Justin Richer; oauth@ietf.org
>>>>>>> *Subject:* Re: [OAUTH-WG] OX needs Dynamic Registration: please
>>>>>>> don't remove!
>>>>>>>
>>>>>>> Hi Tony,
>>>>>>>
>>>>>>> Could you please explain a little more?
>>>>>>>
>>>>>>> For issue 1:
>>>>>>> * Which "secret" are you referring to? OAuth2 by default allows for
>>>>>>> an optional client_secret. I'm not sure why this would cause
>>>>>>> management issues? Or are you referring to the "Registration Access
>>>>>>> Token"?
>>>>>>> * Why is a separate endpoint an issue? Any client is going to be
>>>>>>> talking to more than just the /authorize and /token endpoints anyway
>>>>>>> so I'm confused regarding the extra complexity?
>>>>>>>
>>>>>>> For issue 2:
>>>>>>> * What specifically do you mean by "multi-tenant"? Is this one
>>>>>>> server acting on behalf of multiple tenants and so appearing as
>>>>>>> multiple Authorization Servers?
>>>>>>>
>>>>>>> Thanks,
>>>>>>> George
>>>>>>>
>>>>>>> [snip...]
>>>>>
>>>>>
>>>>
>>>> --
>>>>
>>>>
>>>


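The stateless check that Nat Sakimura and John Bradley describe in the messages above (a signed structure, e.g. a JWS, that lets the AS validate a client_id and its redirect_uri without a per-client record), as an added example that is not from the thread or from any participant's implementation. It assumes an HS256 JWS compact serialization; the claim names, function names and key are hypothetical.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo key (assumption). A real AS would hold this in a KMS/HSM and rotate it.
AS_SIGNING_KEY = b"constructed-demo-key-for-illustration-only"


class InvalidClient(Exception):
    """Raised when a presented client_id or redirect_uri must be rejected."""


def _b64u(raw: bytes) -> bytes:
    # base64url without padding, as used by JWS compact serialization
    return base64.urlsafe_b64encode(raw).rstrip(b"=")


def _b64u_decode(data: bytes) -> bytes:
    return base64.urlsafe_b64decode(data + b"=" * (-len(data) % 4))


def _sign(signing_input: bytes, key: bytes) -> bytes:
    return _b64u(hmac.new(key, signing_input, hashlib.sha256).digest())


def issue_client_id(redirect_uris, client_name, now=None, ttl=30 * 86400,
                    key=AS_SIGNING_KEY) -> str:
    """Registration: pack the client's metadata into a signed client_id.

    Nothing is written to a database; the returned string is the record.
    """
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {
        "client_name": client_name,
        "redirect_uris": sorted(redirect_uris),
        "iat": now,
        "exp": now + ttl,
    }
    signing_input = b".".join(
        _b64u(json.dumps(part, separators=(",", ":")).encode("utf-8"))
        for part in (header, claims)
    )
    return (signing_input + b"." + _sign(signing_input, key)).decode("ascii")


def validate_authorization_request(client_id, redirect_uri, now=None,
                                   key=AS_SIGNING_KEY) -> dict:
    """Authorization endpoint: check client_id and redirect_uri with no lookup."""
    now = int(time.time()) if now is None else now
    try:
        header_b64, claims_b64, sig_b64 = client_id.encode("ascii").split(b".")
    except ValueError:  # non-ASCII input or wrong number of segments
        raise InvalidClient("malformed client_id")

    # Verify the MAC before parsing anything the caller controls.
    expected = _sign(header_b64 + b"." + claims_b64, key)
    if not hmac.compare_digest(expected, sig_b64):
        raise InvalidClient("signature mismatch")

    header = json.loads(_b64u_decode(header_b64))
    claims = json.loads(_b64u_decode(claims_b64))
    # The algorithm is pinned by the server, never chosen from the token header.
    if header.get("alg") != "HS256":
        raise InvalidClient("unexpected alg")
    if now >= claims["exp"]:
        raise InvalidClient("registration expired")
    # Exact string match against the redirect_uris signed at registration.
    if redirect_uri not in claims["redirect_uris"]:
        raise InvalidClient("redirect_uri not registered")
    return claims
```

Because nothing is stored, an individual client_id cannot be revoked before its `exp` unless the AS reintroduces state such as a denylist.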

From phil.hunt@oracle.com  Thu Aug 15 13:24:16 2013
From: Phil Hunt <phil.hunt@oracle.com>
In-Reply-To: <3F77EA9B-0F5D-44E6-AFEB-C873D6342713@ve7jtb.com>
Date: Thu, 15 Aug 2013 13:23:56 -0700
Message-Id: <4A57809A-8B88-4D1E-A014-A4727A5B3E0E@oracle.com>
To: John Bradley <ve7jtb@ve7jtb.com>
X-Mailer: Apple Mail (2.1508)
X-Source-IP: ucsinet21.oracle.com [156.151.31.93]
Cc: "mike@gluu.org" <mike@gluu.org>, "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] OX needs Dynamic Registration: please don't remove!
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 15 Aug 2013 20:24:16 -0000

John,

I agree a big part of the problem with Dyn Reg is it has to reflect the current state of 6749 (specifically that clients must have a client_id even though 6749 says nothing about its format or how to obtain one).

Regarding timing (the need to approve dyn reg now): a draft doesn't have to be final for people to implement it into operational production.  In fact, putting into production is a far better validation than mere implementation. The fact that 6749 changed substantially in draft stage did not prevent many from putting it into production.  Why is approval a barrier in this case?  My understanding is the IESG has the option to force the draft to wait for operational use before it moves forward (see below).

I'm not sure an OAuth 3 is required here since 6749 is not yet final, rather it is "PROPOSED STANDARD".  In particular, section 4.1.1 of RFC2026 states:

>    A Proposed Standard specification is generally stable, has resolved
>    known design choices, is believed to be well-understood, has received
>    significant community review, and appears to enjoy enough community
>    interest to be considered valuable.  However, further experience
>    might result in a change or even retraction of the specification
>    before it advances.

>    Usually, neither implementation nor operational experience is
>    required for the designation of a specification as a Proposed
>    Standard.  However, such experience is highly desirable, and will
>    usually represent a strong argument in favor of a Proposed Standard
>    designation.

>
>    The IESG may require implementation and/or operational experience
>    prior to granting Proposed Standard status to a specification that
>    materially affects the core Internet protocols or that specifies
>    behavior that may have significant operational impact on the
>    Internet.


This would suggest to me, that some of OAuth issues that drove the design of Dyn-Reg can be more cleanly resolved by amending 6749. Such a change would be permissive, backward compatible, and greatly simplify registration if not eliminate it in many cases.

The subject of improper use of OAuth as an authenticator is also an issue that should be discussed when it comes to moving the proposed standard (OAuth 2) forward.

Phil

@independentid
www.independentid.com
phil.hunt@oracle.com







On 2013-08-15, at 12:59 PM, John Bradley <ve7jtb@ve7jtb.com> wrote:

> Yes a bearer token that is signed and or encrypted by the AS reduces the amount of state required for the AS to maintain.
>
> In RFC 6749 there is information about the client that is tied to the client_id, and is required at the authorization endpoint. (eg redirect_uri)
>
> I understand the goal of reducing state in the IdP.   Some of us have looked at storing information in a signed client_id that would work in the existing RFC 6749 flows.
>
> It seems that some people are dissatisfied with RFC 6749 and would like to see changes like removing implicit flows.
>
> The current Dynamic registration spec deals with the current state of OAuth.   If the WG decides to do a OAuth 3 that fully supports assertions and ditches secrets I would be OK with that.
> However let's not cripple what we have as a standard now by creating dynamic registration that can only be fully implemented  in a future version of OAuth.
>
> Some people want/need a client registration API now.  It is clearly a missing part of an entire OAuth system.
> Supporting existing OAuth while minimizing state at the AS is something I support, waiting for a OAuth redesign is not in my opinion a reasonable medium term goal.
>
> John B.
>
>
> On 2013-08-14, at 11:47 PM, Phil Hunt <phil.hunt@oracle.com> wrote:
>
>> I am saying a bearer token is better than a password for the service provider as Hannes explains.
>>
>> Phil
>>
>> On 2013-08-14, at 19:42, Nat Sakimura <sakimura@gmail.com> wrote:
>>
>>> Right. A Bearer Token does not have to be a shared secret. It may have some structure that allows the server to validate it statelessly, e.g. JWS-JWT.
>>>
>>> =nat via iPhone
>>>
>>> On Aug 14, 2013, at 15:32, Hannes Tschofenig <hannes.tschofenig@gmx.net> wrote:
>>>
>>>> George is correct with his statements. There is, however, a difference between a shared secret and an assertion as Phil pointed out. For the assertion the server does not need to maintain state on a per-client basis. On the other hand since the client secret isn't really used in the classical sense of a password either but rather as a "cookie" (if used in the style of Section 2.3.1 of RFC6749) one could easily apply the concept of stateless tokens to them:
>>>> http://tools.ietf.org/html/draft-rescorla-stateless-tokens-01
>>>>
>>>>
>>>> On 08/13/2013 07:21 PM, George Fletcher wrote:
>>>>> Hi Phil,
>>>>>
>>>>> I'm sorry for not following completely. Some questions inline...
>>>>>
>>>>> On 8/13/13 11:00 AM, Phil Hunt wrote:
>>>>>> Dyn reg and the scim reg variant depend too much/biased towards
>>>>>> passwords expressed as client secrets.
>>>>> I'm not sure what you mean in regards to "client secrets". There are
>>>>> OAuth2 bearer tokens that need to be protected because they are bearer
>>>>> tokens. That said, there is nothing in the spec that requires these to
>>>>> be opaque blobs vs signed tokens. So both the "Initial Access Token" and
>>>>> the "Registration Access Token" can be signed tokens. However, the
>>>>> client still has to protect them as if they were a "secret" because they
>>>>> are a bearer token and can be replayed. So it's the same amount of work
>>>>> on the client either way.
>>>>>
>>>>>>
>>>>>> A signed token approach has many advantages for service providers like
>>>>>> not having to maintain a secure database of secrets/passwords.
>>>>> If the concern here is the amount of data the Authorization Server has
>>>>> to store to manage these clients, then the current spec doesn't preclude
>>>>> using a "signed token". Both OAuth2 bearer tokens identified in the
>>>>> current spec can be signed tokens.
>>>>>>
>>>>>> Finally issuing both a client secret and registration token is costly
>>>>>> and confusing to client developers.  I relented somewhat when I
>>>>>> realized kerberos does this--but I still feel it is a bad design at
>>>>>> cloud scale.
>>>>> Given that client_secrets are OPTIONAL in OAuth2 for some use cases, I'm
>>>>> not sure how you abstract the client developer from having to deal with
>>>>> them. The client developer is going to be dealing with multiple OAuth2
>>>>> tokens to multiple endpoints regardless so I don't see another token as
>>>>> costly or complex. At a minimum there is the refresh_token and
>>>>> access_token. Where is the added client developer complexity?
>>>>>
>>>>> Thanks,
>>>>> George
>>>>>
>>>>>>
>>>>>> Phil
>>>>>>
>>>>>> On 2013-08-13, at 7:48, Justin Richer <jricher@mitre.org
>>>>>> <mailto:jricher@mitre.org>> wrote:
>>>>>>
>>>>>>> The spec doesn't care where you deploy at -- if URL space is at a
>>>>>>> premium for you, then switch based on input parameters and other
>>>>>>> things. And you're still not clear on which "secrets" you're taking
>>>>>>> issue with.
>>>>>>>
>>>>>>> -- Justin
>>>>>>>
>>>>>>> On 08/13/2013 10:46 AM, Anthony Nadalin wrote:
>>>>>>>>
>>>>>>>> #1, it's yet another endpoint to have to manage secrets at, yes this
>>>>>>>> is an OAuth item but it’s growing out of control, we are trying to
>>>>>>>> move away from secrets and management of these endpoints as this
>>>>>>>> would be just another one we have to support, monitor and report on
>>>>>>>>
>>>>>>>> #2 yes, 1 physical endpoint acting as multiple authorization servers
>>>>>>>>
>>>>>>>> *From:*George Fletcher [mailto:gffletch@aol.com]
>>>>>>>> *Sent:* Tuesday, August 13, 2013 7:40 AM
>>>>>>>> *To:* Anthony Nadalin
>>>>>>>> *Cc:* mike@gluu.org; Justin Richer; oauth@ietf.org
>>>>>>>> *Subject:* Re: [OAUTH-WG] OX needs Dynamic Registration: please
>>>>>>>> don't remove!
>>>>>>>>
>>>>>>>> Hi Tony,
>>>>>>>>
>>>>>>>> Could you please explain a little more?
>>>>>>>>
>>>>>>>> For issue 1:
>>>>>>>> * Which "secret" are you referring to? OAuth2 by default allows for
>>>>>>>> an optional client_secret. I'm not sure why this would cause
>>>>>>>> management issues? Or are you referring to the "Registration Access
>>>>>>>> Token"?
>>>>>>>> * Why is a separate endpoint an issue? Any client is going to be
>>>>>>>> talking to more than just the /authorize and /token endpoints anyway
>>>>>>>> so I'm confused regarding the extra complexity?
>>>>>>>>
>>>>>>>> For issue 2:
>>>>>>>> * What specifically do you mean by "multi-tenant"? Is this one
>>>>>>>> server acting on behalf of multiple tenants and so appearing as
>>>>>>>> multiple Authorization Servers?
>>>>>>>>
>>>>>>>> Thanks,
>>>>>>>> George
>>>>>>>>
>>>>>>>> [snip...]
>>>>>>
>>>>>>
>
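
The stateless approach raised in the quoted messages above (a signed bearer token, or client metadata carried in a signed client_id, that the AS validates without per-client state), as an added example that is not part of the original thread or of any draft. The HS256 JWS layout, the key, the issuer URL, the claim names and all function names are assumptions made for illustration.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo values (assumptions): a real AS keeps the key in a KMS/HSM.
AS_KEY = b"constructed-demo-key-0123456789abcdef0123456789abcdef"
ISSUER = "https://as.example.com"


class InvalidClient(Exception):
    """Raised when the client_id or redirect_uri must be rejected."""


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_client_id(client_name, redirect_uris, now=None, lifetime_s=86400, key=AS_KEY):
    """Registration step: the metadata travels inside the client_id itself."""
    now = int(time.time()) if now is None else int(now)
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": ISSUER, "iat": now, "exp": now + lifetime_s,
              "client_name": client_name, "redirect_uris": list(redirect_uris)}
    signing_input = ".".join(
        b64url_encode(json.dumps(part, separators=(",", ":")).encode("utf-8"))
        for part in (header, claims))
    tag = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(tag)


def validate_authorization_request(client_id, redirect_uri, now=None, key=AS_KEY):
    """Authorization endpoint check with no per-client database lookup."""
    now = int(time.time()) if now is None else int(now)
    try:
        header_b64, claims_b64, tag_b64 = client_id.split(".")
        header = json.loads(b64url_decode(header_b64))
        tag = b64url_decode(tag_b64)
        signing_input = (header_b64 + "." + claims_b64).encode("ascii")
    except ValueError as exc:  # bad segment count, base64, JSON or encoding
        raise InvalidClient("malformed client_id") from exc

    # Pin the algorithm: the token never gets to choose how it is verified.
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise InvalidClient("unexpected alg")
    expected = hmac.new(key, signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise InvalidClient("bad signature")

    # Only after the MAC verifies is the payload parsed and trusted.
    claims = json.loads(b64url_decode(claims_b64))
    if claims.get("iss") != ISSUER:
        raise InvalidClient("wrong issuer")
    if now >= claims.get("exp", 0):
        raise InvalidClient("client_id expired")
    # Exact string match; no prefix or pattern matching on redirect URIs.
    if redirect_uri not in claims.get("redirect_uris", []):
        raise InvalidClient("redirect_uri not registered")
    return claims


def is_accepted(client_id, redirect_uri, now=None):
    """Boolean wrapper around the validation above."""
    try:
        validate_authorization_request(client_id, redirect_uri, now=now)
        return True
    except InvalidClient:
        return False
```

Because nothing is stored, a single client_id cannot be revoked before its `exp` without reintroducing some state (a deny list) or rotating the signing key.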


From ve7jtb@ve7jtb.com  Thu Aug 15 13:35:48 2013
Return-Path: <ve7jtb@ve7jtb.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5D31011E8181 for <oauth@ietfa.amsl.com>; Thu, 15 Aug 2013 13:35:48 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.203
X-Spam-Level: 
X-Spam-Status: No, score=-2.203 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, MIME_QP_LONG_LINE=1.396, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id gbeKnWRdX4bP for <oauth@ietfa.amsl.com>; Thu, 15 Aug 2013 13:35:41 -0700 (PDT)
Received: from mail-ie0-f179.google.com (mail-ie0-f179.google.com [209.85.223.179]) by ietfa.amsl.com (Postfix) with ESMTP id F047D11E80FF for <oauth@ietf.org>; Thu, 15 Aug 2013 13:35:40 -0700 (PDT)
Received: by mail-ie0-f179.google.com with SMTP id c11so1962449ieb.24 for <oauth@ietf.org>; Thu, 15 Aug 2013 13:35:40 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=x-gm-message-state:content-type:mime-version:subject:from :in-reply-to:date:cc:message-id:references:to; bh=OC3+2pgND4QEqn2A5vmDjDUq7E45ZZa/7fpaLtSYQfg=; b=WcPVFuawdJkGMJ2qJe8l3LTxSNkaABSutw1mVlfSn1E3m5A/Q+DPtw3UkKQcAd9bbR WqJxrmuL9uN+FDmo6XZnlQBKecAiwrImLt9DZ5f+mbT7aiW9RaX1zqchmCk8B/TzEzBG LWDG+kKHOq8nmsjypQy/tJMTuHJJqFfQjvq/M9sD93E0QduV6jCHdMxVfvVrSevKUxIb e+hlZTAKJx//fPGQxhlfeJZGR5yLTbBbr68ZQRhQnD56dv2tFS/KqvYt+1+lmlpc+yev kN1ivo4IAzV7fWH6YoMuX8HJ/IFF89YBizJmg1JCjltESjXyMG2Sp1Mjih4DPx79evAS WRPw==
X-Gm-Message-State: ALoCoQlTTMHMZukoxH+On96GtZ/Snz8tajYBI5hhKdwRJc/IDsKtMIunqpTL14W2ljJOwnhXAtEM
X-Received: by 10.50.178.133 with SMTP id cy5mr3066438igc.26.1376598937943; Thu, 15 Aug 2013 13:35:37 -0700 (PDT)
Received: from [192.168.1.216] (190-20-43-104.baf.movistar.cl. [190.20.43.104]) by mx.google.com with ESMTPSA id e8sm5348044igy.1.1969.12.31.16.00.00 (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Thu, 15 Aug 2013 13:35:36 -0700 (PDT)
Content-Type: multipart/signed; boundary="Apple-Mail=_50DD5C8D-145E-4DA6-BF13-02ECAB240CE9"; protocol="application/pkcs7-signature"; micalg=sha1
Mime-Version: 1.0 (Mac OS X Mail 6.5 \(1508\))
From: John Bradley <ve7jtb@ve7jtb.com>
In-Reply-To: <4A57809A-8B88-4D1E-A014-A4727A5B3E0E@oracle.com>
Date: Thu, 15 Aug 2013 16:35:30 -0400
Message-Id: <B574595A-CD44-4621-BD31-61141998EF20@ve7jtb.com>
References: <8e1ea7617c20b54b3cecbc99364b399a@gluu.org> <4AACCC15-5DE8-4906-9756-0E33D37FC240@oracle.com> <520A35CA.50006@aol.com> <520A3BAD.1050703@mitre.org> <7a9ce33274304311a64057bb305be011@BY2PR03MB189.namprd03.prod.outlook.com> <60b4af16cbbc9c5e5b00fc1e63072c45@gluu.org> <a31200b47c9d477ca226f5e1fdb2dfbf@BY2PR03MB189.namprd03.prod.outlook.com> <520A4549.5040206@aol.com> <a64cf984cc42495f9d5d362dd2f9b980@BY2PR03MB189.namprd03.prod.outlook.com> <520A472C.6040101@mitre.org> <D01CFAFF-0FB5-406C-86F3-E7D0952D01FB@oracle.com> <520A6B0D.7070103@aol.com> <520B2472.4040104@gmx.net> <F4E352F7-AF40-4D4B-B3F1-F8FEC4F5BA4C@gmail.com> <C4319956-096D-4040-BAE1-2247E2C37D8A@oracle.com> <3F77EA9B-0F5D-44E6-AFEB-C873D6342713@ve7jtb.com> <4A57809A-8B88-4D1E-A014-A4727A5B3E0E@oracle.com>
To: Phil Hunt <phil.hunt@oracle.com>
X-Mailer: Apple Mail (2.1508)
Cc: "mike@gluu.org" <mike@gluu.org>, "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] OX needs Dynamic Registration: please don't remove!
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 15 Aug 2013 20:35:48 -0000

--Apple-Mail=_50DD5C8D-145E-4DA6-BF13-02ECAB240CE9
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain;
	charset=utf-8

I believe it is rare for RFC to move beyond the stage RFC 6749 is currently at so it is to most people's minds finished.

I am not against doing future things to improve the spec.  I just suspect that opening that can of worms again will take time.

John B.

On 2013-08-15, at 4:23 PM, Phil Hunt <phil.hunt@oracle.com> wrote:

> John,
>
> I agree a big part of the problem with Dyn Reg is it has to reflect the current state of 6749 (specifically that clients must have a client_id even though 6749 says nothing about its format or how to obtain one).
>
> Regarding timing (the need to approve dyn reg now): a draft doesn't have to be final for people to implement it into operational production.  In fact, putting into production is a far better validation than mere implementation. The fact that 6749 changed substantially in draft stage did not prevent many from putting it into production.  Why is approval a barrier in this case?  My understanding is the IESG has the option to force the draft to wait for operational use before it moves forward (see below).
>
> I'm not sure an OAuth 3 is required here since 6749 is not yet final, rather it is "PROPOSED STANDARD".  In particular, section 4.1.1 of RFC2026 states:
>
>>   A Proposed Standard specification is generally stable, has resolved
>>   known design choices, is believed to be well-understood, has received
>>   significant community review, and appears to enjoy enough community
>>   interest to be considered valuable.  However, further experience
>>   might result in a change or even retraction of the specification
>>   before it advances.
>
>>   Usually, neither implementation nor operational experience is
>>   required for the designation of a specification as a Proposed
>>   Standard.  However, such experience is highly desirable, and will
>>   usually represent a strong argument in favor of a Proposed Standard
>>   designation.
>
>>
>>   The IESG may require implementation and/or operational experience
>>   prior to granting Proposed Standard status to a specification that
>>   materially affects the core Internet protocols or that specifies
>>   behavior that may have significant operational impact on the
>>   Internet.
>
>
> This would suggest to me, that some of OAuth issues that drove the design of Dyn-Reg can be more cleanly resolved by amending 6749. Such a change would be permissive, backward compatible, and greatly simplify registration if not eliminate it in many cases.
>
> The subject of improper use of OAuth as an authenticator is also an issue that should be discussed when it comes to moving the proposed standard (OAuth 2) forward.
>
> Phil
>
> @independentid
> www.independentid.com
> phil.hunt@oracle.com
>
> On 2013-08-15, at 12:59 PM, John Bradley <ve7jtb@ve7jtb.com> wrote:
>
>> Yes a bearer token that is signed and or encrypted by the AS reduces the amount of state required for the AS to maintain.
>>
>> In RFC 6749 there is information about the client that is tied to the client_id, and is required at the authorization endpoint. (eg redirect_uri)
>>
>> I understand the goal of reducing state in the IdP.   Some of us have looked at storing information in a signed client_id that would work in the existing RFC 6749 flows.
>>
>> It seems that some people are dissatisfied with RFC 6749 and would like to see changes like removing implicit flows.
>>
>> The current Dynamic registration spec deals with the current state of OAuth.   If the WG decides to do a OAuth 3 that fully supports assertions and ditches secrets I would be OK with that.
>> However let's not cripple what we have as a standard now by creating dynamic registration that can only be fully implemented  in a future version of OAuth.
>>
>> Some people want/need a client registration API now.  It is clearly a missing part of an entire OAuth system.
>> Supporting existing OAuth while minimizing state at the AS is something I support, waiting for a OAuth redesign is not in my opinion a reasonable medium term goal.
>>
>> John B.
>>
>>
>> On 2013-08-14, at 11:47 PM, Phil Hunt <phil.hunt@oracle.com> wrote:
>>
>>> I am saying a bearer token is better than a password for the service provider as Hannes explains.
>>>
>>> Phil
>>>
>>> On 2013-08-14, at 19:42, Nat Sakimura <sakimura@gmail.com> wrote:
>>>
>>>> Right. A Bearer Token does not have to be a shared secret. It may have some structure that allows the server to validate it statelessly, e.g. JWS-JWT.
>>>>
>>>> =nat via iPhone
>>>>
>>>> On Aug 14, 2013, at 15:32, Hannes Tschofenig <hannes.tschofenig@gmx.net> wrote:
>>>>
>>>>> George is correct with his statements. There is, however, a difference between a shared secret and an assertion as Phil pointed out. For the assertion the server does not need to maintain state on a per-client basis. On the other hand since the client secret isn't really used in the classical sense of a password either but rather as a "cookie" (if used in the style of Section 2.3.1 of RFC6749) one could easily apply the concept of stateless tokens to them:
>>>>> http://tools.ietf.org/html/draft-rescorla-stateless-tokens-01
>>>>>
>>>>>
>>>>> On 08/13/2013 07:21 PM, George Fletcher wrote:
>>>>>> Hi Phil,
>>>>>>
>>>>>> I'm sorry for not following completely. Some questions inline...
>>>>>>
>>>>>> On 8/13/13 11:00 AM, Phil Hunt wrote:
>>>>>>> Dyn reg and the scim reg variant depend too much/biased towards
>>>>>>> passwords expressed as client secrets.
>>>>>> I'm not sure what you mean in regards to "client secrets". There are
>>>>>> OAuth2 bearer tokens that need to be protected because they are bearer
>>>>>> tokens. That said, there is nothing in the spec that requires these to
>>>>>> be opaque blobs vs signed tokens. So both the "Initial Access Token" and
>>>>>> the "Registration Access Token" can be signed tokens. However, the
>>>>>> client still has to protect them as if they were a "secret" because they
>>>>>> are a bearer token and can be replayed. So it's the same amount of work
>>>>>> on the client either way.
>>>>>>
>>>>>>>
>>>>>>> A signed token approach has many advantages for service providers like
>>>>>>> not having to maintain a secure database of secrets/passwords.
>>>>>> If the concern here is the amount of data the Authorization Server has
>>>>>> to store to manage these clients, then the current spec doesn't preclude
>>>>>> using a "signed token". Both OAuth2 bearer tokens identified in the
>>>>>> current spec can be signed tokens.
>>>>>>>
>>>>>>> Finally issuing both a client secret and registration token is costly
>>>>>>> and confusing to client developers.  I relented somewhat when I
>>>>>>> realized kerberos does this--but I still feel it is a bad design at
>>>>>>> cloud scale.
>>>>>> Given that client_secrets are OPTIONAL in OAuth2 for some use cases, I'm
>>>>>> not sure how you abstract the client developer from having to deal with
>>>>>> them. The client developer is going to be dealing with multiple OAuth2
>>>>>> tokens to multiple endpoints regardless so I don't see another token as
>>>>>> costly or complex. At a minimum there is the refresh_token and
>>>>>> access_token. Where is the added client developer complexity?
>>>>>>
>>>>>> Thanks,
>>>>>> George
>>>>>>
>>>>>>>
>>>>>>> Phil
>>>>>>>
>>>>>>> On 2013-08-13, at 7:48, Justin Richer <jricher@mitre.org
>>>>>>> <mailto:jricher@mitre.org>> wrote:
>>>>>>>
>>>>>>>> The spec doesn't care where you deploy at -- if URL space is at a
>>>>>>>> premium for you, then switch based on input parameters and other
>>>>>>>> things. And you're still not clear on which "secrets" you're taking
>>>>>>>> issue with.
>>>>>>>>
>>>>>>>> -- Justin
>>>>>>>>
>>>>>>>> On 08/13/2013 10:46 AM, Anthony Nadalin wrote:
>>>>>>>>>
>>>>>>>>> #1, it's yet another endpoint to have to manage secrets at, yes this
>>>>>>>>> is an OAuth item but it’s growing out of control, we are trying to
>>>>>>>>> move away from secrets and management of these endpoints as this
>>>>>>>>> would be just another one we have to support, monitor and report on
>>>>>>>>>
>>>>>>>>> #2 yes, 1 physical endpoint acting as multiple authorization servers
>>>>>>>>>
>>>>>>>>> *From:*George Fletcher [mailto:gffletch@aol.com]
>>>>>>>>> *Sent:* Tuesday, August 13, 2013 7:40 AM
>>>>>>>>> *To:* Anthony Nadalin
>>>>>>>>> *Cc:* mike@gluu.org; Justin Richer; oauth@ietf.org
>>>>>>>>> *Subject:* Re: [OAUTH-WG] OX needs Dynamic Registration: please
>>>>>>>>> don't remove!
>>>>>>>>>
>>>>>>>>> Hi Tony,
>>>>>>>>>
>>>>>>>>> Could you please explain a little more?
>>>>>>>>>
>>>>>>>>> For issue 1:
>>>>>>>>> * Which "secret" are you referring to? OAuth2 by default allows for
>>>>>>>>> an optional client_secret. I'm not sure why this would cause
>>>>>>>>> management issues? Or are you referring to the "Registration Access
>>>>>>>>> Token"?
>>>>>>>>> * Why is a separate endpoint an issue? Any client is going to be
>>>>>>>>> talking to more than just the /authorize and /token endpoints anyway
>>>>>>>>> so I'm confused regarding the extra complexity?
>>>>>>>>>
>>>>>>>>> For issue 2:
>>>>>>>>> * What specifically do you mean by "multi-tenant"? Is this one
>>>>>>>>> server acting on behalf of multiple tenants and so appearing as
>>>>>>>>> multiple Authorization Servers?
>>>>>>>>>
>>>>>>>>> Thanks,
>>>>>>>>> George
>>>>>>>>>
>>>>>>>>> [snip...]
>>>>>>>
>>>>>>>
>>
>


--Apple-Mail=_50DD5C8D-145E-4DA6-BF13-02ECAB240CE9
Content-Disposition: attachment;
	filename=smime.p7s
Content-Type: application/pkcs7-signature;
	name=smime.p7s
Content-Transfer-Encoding: base64

AAAAAA==

--Apple-Mail=_50DD5C8D-145E-4DA6-BF13-02ECAB240CE9--

From eve@xmlgrrl.com  Thu Aug 15 15:17:44 2013
Return-Path: <eve@xmlgrrl.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3EF6411E817C for <oauth@ietfa.amsl.com>; Thu, 15 Aug 2013 15:17:44 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.103
X-Spam-Level: 
X-Spam-Status: No, score=0.103 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, FROM_DOMAIN_NOVOWEL=0.5, MIME_QP_LONG_LINE=1.396, SARE_URI_CONS7=0.306, URI_NOVOWEL=0.5]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id IrGL2KYJX6dw for <oauth@ietfa.amsl.com>; Thu, 15 Aug 2013 15:17:40 -0700 (PDT)
Received: from mail.promanage-inc.com (eliasisrael.com [50.47.36.5]) by ietfa.amsl.com (Postfix) with ESMTP id 6DD9511E81B3 for <oauth@ietf.org>; Thu, 15 Aug 2013 15:17:40 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by mail.promanage-inc.com (Postfix) with ESMTP id 947DD20D445A; Thu, 15 Aug 2013 15:17:39 -0700 (PDT)
X-Virus-Scanned: amavisd-new at promanage-inc.com
Received: from mail.promanage-inc.com ([127.0.0.1]) by localhost (greendome.promanage-inc.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id YPexsQ01_jNj; Thu, 15 Aug 2013 15:17:32 -0700 (PDT)
Received: from [192.168.168.107] (unknown [192.168.168.107]) by mail.promanage-inc.com (Postfix) with ESMTPSA id 7666020D4445; Thu, 15 Aug 2013 15:17:32 -0700 (PDT)
Mime-Version: 1.0 (Mac OS X Mail 6.5 \(1508\))
Content-Type: text/plain; charset=utf-8
From: Eve Maler <eve@xmlgrrl.com>
In-Reply-To: <B574595A-CD44-4621-BD31-61141998EF20@ve7jtb.com>
Date: Thu, 15 Aug 2013 15:17:31 -0700
Content-Transfer-Encoding: quoted-printable
Message-Id: <4A85E3D4-BA2E-4DEE-97AA-FC18AAFA42F6@xmlgrrl.com>
References: <8e1ea7617c20b54b3cecbc99364b399a@gluu.org> <4AACCC15-5DE8-4906-9756-0E33D37FC240@oracle.com> <520A35CA.50006@aol.com> <520A3BAD.1050703@mitre.org> <7a9ce33274304311a64057bb305be011@BY2PR03MB189.namprd03.prod.outlook.com> <60b4af16cbbc9c5e5b00fc1e63072c45@gluu.org> <a31200b47c9d477ca226f5e1fdb2dfbf@BY2PR03MB189.namprd03.prod.outlook.com> <520A4549.5040206@aol.com> <a64cf984cc42495f9d5d362dd2f9b980@BY2PR03MB189.namprd03.prod.outlook.com> <520A472C.6040101@mitre.org> <D01CFAFF-0FB5-406C-86F3-E7D0952D01FB@oracle.com> <520A6B0D.7070103@aol.com> <520B2472.4040104@gmx.net> <F4E352F7-AF40-4D4B-B3F1-F8FEC4F5BA4C@gmail.com> <C4319956-096D-4040-BAE1-2247E2C37D8A@oracle.com> <3F77EA9B-0F5D-44E6-AFEB-C873D6342713@ve7jtb.com> <4A57809A-8B88-4D1E-A014-A4727A5B3E0E@oracle.com> <B574595A-CD44-4621-BD31-61141998EF20@ve7jtb.com>
To: John Bradley <ve7jtb@ve7jtb.com>
X-Mailer: Apple Mail (2.1508)
Cc: "mike@gluu.org" <mike@gluu.org>, "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] OX needs Dynamic Registration: please don't remove!
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 15 Aug 2013 22:17:44 -0000

Agree with John that RFC 6749 is to all intents and purposes final. Also, when we have a dyn reg spec whose earliest drafts are several years old, whose current draft is implemented by a variety of OAuth, OpenID Connect, and UMA developers, whose current design reflects a good deal of healthy consolidation of disparate starting points, and for which there's been concrete demand expressed on this list, I'm a little surprised that there's this much contention about it at this juncture.

	Eve

On 15 Aug 2013, at 1:35 PM, John Bradley <ve7jtb@ve7jtb.com> wrote:

> I believe it is rare for RFC to move beyond the stage RFC 6749 is currently at so it is to most people's minds finished.
>
> I am not against doing future things to improve the spec.  I just suspect that opening that can of worms again will take time.
>
> John B.
>
> On 2013-08-15, at 4:23 PM, Phil Hunt <phil.hunt@oracle.com> wrote:
>
>> John,
>>
>> I agree a big part of the problem with Dyn Reg is it has to reflect the current state of 6749 (specifically that clients must have a client_id even though 6749 says nothing about its format or how to obtain one).
>>
>> Regarding timing (the need to approve dyn reg now): a draft doesn't have to be final for people to implement it into operational production.  In fact, putting into production is a far better validation than mere implementation. The fact that 6749 changed substantially in draft stage did not prevent many from putting it into production.  Why is approval a barrier in this case?  My understanding is the IESG has the option to force the draft to wait for operational use before it moves forward (see below).
>>
>> I'm not sure an OAuth 3 is required here since 6749 is not yet final, rather it is "PROPOSED STANDARD".  In particular, section 4.1.1 of RFC2026 states:
>>
>>>  A Proposed Standard specification is generally stable, has resolved
>>>  known design choices, is believed to be well-understood, has received
>>>  significant community review, and appears to enjoy enough community
>>>  interest to be considered valuable.  However, further experience
>>>  might result in a change or even retraction of the specification
>>>  before it advances.
>>
>>>  Usually, neither implementation nor operational experience is
>>>  required for the designation of a specification as a Proposed
>>>  Standard.  However, such experience is highly desirable, and will
>>>  usually represent a strong argument in favor of a Proposed Standard
>>>  designation.
>>
>>>  The IESG may require implementation and/or operational experience
>>>  prior to granting Proposed Standard status to a specification that
>>>  materially affects the core Internet protocols or that specifies
>>>  behavior that may have significant operational impact on the
>>>  Internet.
>>
>> This would suggest to me, that some of OAuth issues that drove the design of Dyn-Reg can be more cleanly resolved by amending 6749. Such a change would be permissive, backward compatible, and greatly simplify registration if not eliminate it in many cases.
>>
>> The subject of improper use of OAuth as an authenticator is also an issue that should be discussed when it comes to moving the proposed standard (OAuth 2) forward.
>>
>> Phil
>>
>> @independentid
>> www.independentid.com
>> phil.hunt@oracle.com
>>
>> On 2013-08-15, at 12:59 PM, John Bradley <ve7jtb@ve7jtb.com> wrote:
>>
>>> Yes a bearer token that is signed and or encrypted by the AS reduces the amount of state required for the AS to maintain.
>>>
>>> In RFC 6749 there is information about the client that is tied to the client_id, and is required at the authorization endpoint. (eg redirect_uri)
>>>
>>> I understand the goal of reducing state in the IdP.   Some of us have looked at storing information in a signed client_id that would work in the existing RFC 6749 flows.
>>>
>>> It seems that some people are dissatisfied with RFC 6749 and would like to see changes like removing implicit flows.
>>>
>>> The current Dynamic registration spec deals with the current state of OAuth.   If the WG decides to do a OAuth 3 that fully supports assertions and ditches secrets I would be OK with that.
>>> However let's not cripple what we have as a standard now by creating dynamic registration that can only be fully implemented in a future version of OAuth.
>>>
>>> Some people want/need a client registration API now.  It is clearly a missing part of an entire OAuth system.
>>> Supporting existing OAuth while minimizing state at the AS is something I support, waiting for a OAuth redesign is not in my opinion a reasonable medium term goal.
>>>
>>> John B.
>>>
>>> On 2013-08-14, at 11:47 PM, Phil Hunt <phil.hunt@oracle.com> wrote:
>>>
>>>> I am saying a bearer token is better than a password for the service provider as Hannes explains.
>>>>
>>>> Phil
>>>>
>>>> On 2013-08-14, at 19:42, Nat Sakimura <sakimura@gmail.com> wrote:
>>>>
>>>>> Right. A Bearer Token does not have to be a shared secret. It may have some structure that allows the server to validate it statelessly, e.g. JWS-JWT.
>>>>>
>>>>> =nat via iPhone
>>>>>
>>>>> On Aug 14, 2013, at 15:32, Hannes Tschofenig <hannes.tschofenig@gmx.net> wrote:
>>>>>
>>>>>> George is correct with his statements. There is, however, a difference between a shared secret and an assertion as Phil pointed out. For the assertion the server does not need to maintain state on a per-client basis. On the other hand since the client secret isn't really used in the classical sense of a password either but rather as a "cookie" (if used in the style of Section 2.3.1 of RFC6749) one could easily apply the concept of stateless tokens to them:
>>>>>> http://tools.ietf.org/html/draft-rescorla-stateless-tokens-01
>>>>>>
>>>>>> On 08/13/2013 07:21 PM, George Fletcher wrote:
>>>>>>> Hi Phil,
>>>>>>>
>>>>>>> I'm sorry for not following completely. Some questions inline...
>>>>>>>
>>>>>>> On 8/13/13 11:00 AM, Phil Hunt wrote:
>>>>>>>> Dyn reg and the scim reg variant depend too much/biased towards
>>>>>>>> passwords expressed as client secrets.
>>>>>>> I'm not sure what you mean in regards to "client secrets". There are
>>>>>>> OAuth2 bearer tokens that need to be protected because they are bearer
>>>>>>> tokens. That said, there is nothing in the spec that requires these to
>>>>>>> be opaque blobs vs signed tokens. So both the "Initial Access Token" and
>>>>>>> the "Registration Access Token" can be signed tokens. However, the
>>>>>>> client still has to protect them as if they were a "secret" because they
>>>>>>> are a bearer token and can be replayed. So it's the same amount of work
>>>>>>> on the client either way.
>>>>>>>
>>>>>>>>
>>>>>>>> A signed token approach has many advantages for service providers like
>>>>>>>> not having to maintain a secure database of secrets/passwords.
>>>>>>> If the concern here is the amount of data the Authorization Server has
>>>>>>> to store to manage these clients, then the current spec doesn't preclude
>>>>>>> using a "signed token". Both OAuth2 bearer tokens identified in the
>>>>>>> current spec can be signed tokens.
>>>>>>>>
>>>>>>>> Finally issuing both a client secret and registration token is costly
>>>>>>>> and confusing to client developers.  I relented somewhat when I
>>>>>>>> realized Kerberos does this--but I still feel it is a bad design at
>>>>>>>> cloud scale.
>>>>>>> Given that client_secrets are OPTIONAL in OAuth2 for some use cases, I'm
>>>>>>> not sure how you abstract the client developer from having to deal with
>>>>>>> them. The client developer is going to be dealing with multiple OAuth2
>>>>>>> tokens to multiple endpoints regardless so I don't see another token as
>>>>>>> costly or complex. At a minimum there is the refresh_token and
>>>>>>> access_token. Where is the added client developer complexity?
>>>>>>>
>>>>>>> Thanks,
>>>>>>> George
>>>>>>>
>>>>>>>>
>>>>>>>> Phil
>>>>>>>>
>>>>>>>> On 2013-08-13, at 7:48, Justin Richer <jricher@mitre.org> wrote:
>>>>>>>>
>>>>>>>>> The spec doesn't care where you deploy at -- if URL space is at a
>>>>>>>>> premium for you, then switch based on input parameters and other
>>>>>>>>> things. And you're still not clear on which "secrets" you're taking
>>>>>>>>> issue with.
>>>>>>>>>
>>>>>>>>> -- Justin
>>>>>>>>>
>>>>>>>>> On 08/13/2013 10:46 AM, Anthony Nadalin wrote:
>>>>>>>>>>
>>>>>>>>>> #1, it's yet another endpoint to have to manage secrets at, yes this
>>>>>>>>>> is an OAuth item but it's growing out of control, we are trying to
>>>>>>>>>> move away from secrets and management of these endpoints as this
>>>>>>>>>> would be just another one we have to support, monitor and report on
>>>>>>>>>>
>>>>>>>>>> #2 yes, 1 physical endpoint acting as multiple authorization servers
>>>>>>>>>>
>>>>>>>>>> *From:* George Fletcher [mailto:gffletch@aol.com]
>>>>>>>>>> *Sent:* Tuesday, August 13, 2013 7:40 AM
>>>>>>>>>> *To:* Anthony Nadalin
>>>>>>>>>> *Cc:* mike@gluu.org; Justin Richer; oauth@ietf.org
>>>>>>>>>> *Subject:* Re: [OAUTH-WG] OX needs Dynamic Registration: please
>>>>>>>>>> don't remove!
>>>>>>>>>>
>>>>>>>>>> Hi Tony,
>>>>>>>>>>
>>>>>>>>>> Could you please explain a little more?
>>>>>>>>>>
>>>>>>>>>> For issue 1:
>>>>>>>>>> * Which "secret" are you referring to? OAuth2 by default allows for
>>>>>>>>>> an optional client_secret. I'm not sure why this would cause
>>>>>>>>>> management issues? Or are you referring to the "Registration Access
>>>>>>>>>> Token"?
>>>>>>>>>> * Why is a separate endpoint an issue? Any client is going to be
>>>>>>>>>> talking to more than just the /authorize and /token endpoints anyway
>>>>>>>>>> so I'm confused regarding the extra complexity?
>>>>>>>>>>
>>>>>>>>>> For issue 2:
>>>>>>>>>> * What specifically do you mean by "multi-tenant"? Is this one
>>>>>>>>>> server acting on behalf of multiple tenants and so appearing as
>>>>>>>>>> multiple Authorization Servers?
>>>>>>>>>>
>>>>>>>>>> Thanks,
>>>>>>>>>> George
>>>>>>>>>>
>>>>>>>>>> [snip...]
>>>>>>>>
>>>>>>>> _______________________________________________
>>>>>>>> OAuth mailing list
>>>>>>>> OAuth@ietf.org
>>>>>>>> https://www.ietf.org/mailman/listinfo/oauth


Eve Maler                                  http://www.xmlgrrl.com/blog
+1 425 345 6756                         http://www.twitter.com/xmlgrrl
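
The stateless validation discussed in the quoted thread above (a signed client_id or bearer token that the AS can check without a per-client record, with the redirect_uri still enforced at the authorization endpoint), as an added sketch that is not code from any poster or from the dynamic registration draft. The claim names, the HS256 choice, the demo key and every function name are assumptions made for illustration.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo key (assumption); a real AS would load its key from a key store.
AS_KEY = b"constructed-demo-key-not-for-production"


class InvalidClient(Exception):
    """Raised when a client_id or redirect_uri fails validation."""


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign(signing_input: bytes, key: bytes) -> bytes:
    return hmac.new(key, signing_input, hashlib.sha256).digest()


def encode_json(obj) -> str:
    return b64url_encode(json.dumps(obj, separators=(",", ":"), sort_keys=True).encode("utf-8"))


def issue_client_id(redirect_uris, client_name, now=None, ttl=30 * 86400, key=AS_KEY):
    """Registration step: pack the client metadata into a JWS compact value (HS256)."""
    now = int(time.time()) if now is None else now
    claims = {"client_name": client_name, "redirect_uris": list(redirect_uris),
              "iat": now, "exp": now + ttl}
    parts = [encode_json({"alg": "HS256", "typ": "JWT"}), encode_json(claims)]
    signature = sign(".".join(parts).encode("ascii"), key)
    return ".".join(parts + [b64url_encode(signature)])


def verify_client_id(client_id, now=None, key=AS_KEY):
    """Validate using only the AS key: no per-client database lookup."""
    now = int(time.time()) if now is None else now
    try:
        header_b64, claims_b64, sig_b64 = client_id.split(".")
        header = json.loads(b64url_decode(header_b64))
        signature = b64url_decode(sig_b64)
        signing_input = f"{header_b64}.{claims_b64}".encode("ascii")
    except (ValueError, AttributeError) as exc:
        raise InvalidClient("malformed client_id") from exc
    # Pin the algorithm; never let the presented header choose how to verify.
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise InvalidClient("unexpected algorithm")
    if not hmac.compare_digest(sign(signing_input, key), signature):
        raise InvalidClient("signature mismatch")
    claims = json.loads(b64url_decode(claims_b64))  # trusted only after the MAC check
    if now >= claims["exp"]:
        raise InvalidClient("registration expired")
    return claims


def check_authorization_request(client_id, redirect_uri, now=None, key=AS_KEY):
    """Authorization endpoint check: exact-match the redirect_uri against signed metadata."""
    claims = verify_client_id(client_id, now=now, key=key)
    if redirect_uri not in claims["redirect_uris"]:
        raise InvalidClient("redirect_uri not registered")
    return claims


def with_swapped_redirect(client_id, new_uri):
    """Constructed negative test input: metadata changed, original signature kept."""
    header_b64, claims_b64, sig_b64 = client_id.split(".")
    claims = json.loads(b64url_decode(claims_b64))
    claims["redirect_uris"] = [new_uri]
    return ".".join([header_b64, encode_json(claims), sig_b64])


if __name__ == "__main__":
    cid = issue_client_id(["https://client.example/cb"], "demo client", now=1_376_600_000)
    print(check_authorization_request(cid, "https://client.example/cb", now=1_376_600_100))
    altered = with_swapped_redirect(cid, "https://other.example/cb")
    for candidate in (cid, altered):
        try:
            check_authorization_request(candidate, "https://other.example/cb", now=1_376_600_100)
        except InvalidClient as exc:
            print("rejected:", exc)
```

Verification only shows that the AS issued the value, not who is presenting it, so a signed bearer value can still be replayed and has to be protected like a secret, as George Fletcher points out in the thread. Revoking one registration before its `exp` would need some server-side state again.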


From tonynad@microsoft.com  Thu Aug 15 15:27:03 2013
Return-Path: <tonynad@microsoft.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2331311E81B9 for <oauth@ietfa.amsl.com>; Thu, 15 Aug 2013 15:27:03 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.796
X-Spam-Level: 
X-Spam-Status: No, score=-2.796 tagged_above=-999 required=5 tests=[AWL=-0.003, BAYES_00=-2.599, RCVD_IN_DNSWL_LOW=-1, SARE_URI_CONS7=0.306, URI_NOVOWEL=0.5]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id AJZdKHRApprr for <oauth@ietfa.amsl.com>; Thu, 15 Aug 2013 15:26:59 -0700 (PDT)
Received: from na01-by2-obe.outbound.protection.outlook.com (mail-by2lp0243.outbound.protection.outlook.com [207.46.163.243]) by ietfa.amsl.com (Postfix) with ESMTP id 42A2A11E81B6 for <oauth@ietf.org>; Thu, 15 Aug 2013 15:26:59 -0700 (PDT)
Received: from BY2PR03MB189.namprd03.prod.outlook.com (10.242.36.140) by BY2PR03MB192.namprd03.prod.outlook.com (10.242.36.144) with Microsoft SMTP Server (TLS) id 15.0.745.25; Thu, 15 Aug 2013 22:26:56 +0000
Received: from BY2PR03MB189.namprd03.prod.outlook.com ([169.254.6.82]) by BY2PR03MB189.namprd03.prod.outlook.com ([169.254.6.157]) with mapi id 15.00.0745.000; Thu, 15 Aug 2013 22:26:56 +0000
From: Anthony Nadalin <tonynad@microsoft.com>
To: Eve Maler <eve@xmlgrrl.com>, John Bradley <ve7jtb@ve7jtb.com>
Thread-Topic: [OAUTH-WG] OX needs Dynamic Registration: please don't remove!
Thread-Index: AQHOlScLf934cBBLpkeg6cyc2g+rW5mSRG2AgADk0ACAAAcFgIAAArgwgAADowCAAAGnEIAAA3KAgAAAraCAAAGTAIAAA1KAgAAnc4CAAN0CAIABUjCAgAASCQCAAQ+hAIAABtYAgAADOwCAAByBgIAAAddQ
Date: Thu, 15 Aug 2013 22:26:56 +0000
Message-ID: <e1c9ffef3b8748439e9feeaffef01c0c@BY2PR03MB189.namprd03.prod.outlook.com>
References: <8e1ea7617c20b54b3cecbc99364b399a@gluu.org> <4AACCC15-5DE8-4906-9756-0E33D37FC240@oracle.com>	<520A35CA.50006@aol.com> <520A3BAD.1050703@mitre.org> <7a9ce33274304311a64057bb305be011@BY2PR03MB189.namprd03.prod.outlook.com> <60b4af16cbbc9c5e5b00fc1e63072c45@gluu.org> <a31200b47c9d477ca226f5e1fdb2dfbf@BY2PR03MB189.namprd03.prod.outlook.com> <520A4549.5040206@aol.com> <a64cf984cc42495f9d5d362dd2f9b980@BY2PR03MB189.namprd03.prod.outlook.com> <520A472C.6040101@mitre.org> <D01CFAFF-0FB5-406C-86F3-E7D0952D01FB@oracle.com>	<520A6B0D.7070103@aol.com> <520B2472.4040104@gmx.net>	<F4E352F7-AF40-4D4B-B3F1-F8FEC4F5BA4C@gmail.com> <C4319956-096D-4040-BAE1-2247E2C37D8A@oracle.com> <3F77EA9B-0F5D-44E6-AFEB-C873D6342713@ve7jtb.com> <4A57809A-8B88-4D1E-A014-A4727A5B3E0E@oracle.com> <B574595A-CD44-4621-BD31-61141998EF20@ve7jtb.com> <4A85E3D4-BA2E-4DEE-97AA-FC18AAFA42F6@xmlgrrl.com>
In-Reply-To: <4A85E3D4-BA2E-4DEE-97AA-FC18AAFA42F6@xmlgrrl.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
x-originating-ip: [2001:4898:80e0:ed43::46]
x-forefront-prvs: 0939529DE2
x-forefront-antispam-report: SFV:NSPM; SFS:(377424004)(479174003)(377454003)(164054003)(51704005)(55885003)(199002)(13464003)(24454002)(189002)(77982001)(83322001)(59766001)(16406001)(19580395003)(54316002)(47976001)(47736001)(50986001)(76482001)(65816001)(15974865002)(54356001)(4396001)(19580385001)(49866001)(53806001)(33646001)(15202345003)(76796001)(76576001)(83072001)(81816001)(76786001)(56816003)(81686001)(77096001)(19580405001)(56776001)(80022001)(63696002)(74876001)(74366001)(74502001)(80976001)(74316001)(46102001)(551544002)(31966008)(47446002)(69226001)(51856001)(81342001)(74706001)(81542001)(79102001)(74662001)(42262001)(24736002)(3826001); DIR:OUT; SFP:; SCL:1; SRVR:BY2PR03MB192; H:BY2PR03MB189.namprd03.prod.outlook.com; CLIP:2001:4898:80e0:ed43::46; RD:InfoNoRecords; A:1; MX:1; LANG:en; 
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-OriginatorOrg: DuplicateDomain-a84fc36a-4ed7-4e57-ab1c-3e967bcbad48.microsoft.com
X-MS-Exchange-CrossPremises-AuthAs: Internal
X-MS-Exchange-CrossPremises-AuthMechanism: 03
X-MS-Exchange-CrossPremises-AuthSource: BY2PR03MB189.namprd03.prod.outlook.com
X-MS-Exchange-CrossPremises-SCL: 1
X-MS-Exchange-CrossPremises-messagesource: StoreDriver
X-MS-Exchange-CrossPremises-BCC: 
X-MS-Exchange-CrossPremises-originalclientipaddress: 2001:4898:80e0:ed43::46
X-MS-Exchange-CrossPremises-avstamp-service: 1.0
X-MS-Exchange-CrossPremises-antispam-scancontext: DIR:Originating; SFV:NSPM; SKIP:0; 
X-MS-Exchange-CrossPremises-processed-by-journaling: Journal Agent
X-MS-Exchange-CrossPremises-ContentConversionOptions: False; 00160000; True; ; iso-8859-1
X-OrganizationHeadersPreserved: BY2PR03MB192.namprd03.prod.outlook.com
Cc: "mike@gluu.org" <mike@gluu.org>, "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] OX needs Dynamic Registration: please don't remove!
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 15 Aug 2013 22:27:03 -0000

This is not new contention, look back in the mailing list, been going on for quite a while. So far I have only seen 2 replies for implementations. The idea is to get things right.

-----Original Message-----
From: oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] On Behalf Of Eve Maler
Sent: Thursday, August 15, 2013 3:18 PM
To: John Bradley
Cc: mike@gluu.org; oauth@ietf.org
Subject: Re: [OAUTH-WG] OX needs Dynamic Registration: please don't remove!

Agree with John that RFC 6749 is to all intents and purposes final. Also, when we have a dyn reg spec whose earliest drafts are several years old, whose current draft is implemented by a variety of OAuth, OpenID Connect, and UMA developers, whose current design reflects a good deal of healthy consolidation of disparate starting points, and for which there's been concrete demand expressed on this list, I'm a little surprised that there's this much contention about it at this juncture.

	Eve
ZXNzX3Rva2VuLiBXaGVyZSBpcyB0aGUgYWRkZWQgY2xpZW50IGRldmVsb3BlciBjb21wbGV4aXR5
Pw0KPj4+Pj4+PiANCj4+Pj4+Pj4gVGhhbmtzLA0KPj4+Pj4+PiBHZW9yZ2UNCj4+Pj4+Pj4gDQo+
Pj4+Pj4+PiANCj4+Pj4+Pj4+IFBoaWwNCj4+Pj4+Pj4+IA0KPj4+Pj4+Pj4gT24gMjAxMy0wOC0x
MywgYXQgNzo0OCwgSnVzdGluIFJpY2hlciA8anJpY2hlckBtaXRyZS5vcmcgDQo+Pj4+Pj4+PiA8
bWFpbHRvOmpyaWNoZXJAbWl0cmUub3JnPj4gd3JvdGU6DQo+Pj4+Pj4+PiANCj4+Pj4+Pj4+PiBU
aGUgc3BlYyBkb2Vzbid0IGNhcmUgd2hlcmUgeW91IGRlcGxveSBhdCAtLSBpZiBVUkwgc3BhY2Ug
aXMgDQo+Pj4+Pj4+Pj4gYXQgYSBwcmVtaXVtIGZvciB5b3UsIHRoZW4gc3dpdGNoIGJhc2VkIG9u
IGlucHV0IHBhcmFtZXRlcnMgDQo+Pj4+Pj4+Pj4gYW5kIG90aGVyIHRoaW5ncy4gQW5kIHlvdSdy
ZSBzdGlsbCBub3QgY2xlYXIgb24gd2hpY2ggDQo+Pj4+Pj4+Pj4gInNlY3JldHMiIHlvdSdyZSB0
YWtpbmcgaXNzdWUgd2l0aC4NCj4+Pj4+Pj4+PiANCj4+Pj4+Pj4+PiAtLSBKdXN0aW4NCj4+Pj4+
Pj4+PiANCj4+Pj4+Pj4+PiBPbiAwOC8xMy8yMDEzIDEwOjQ2IEFNLCBBbnRob255IE5hZGFsaW4g
d3JvdGU6DQo+Pj4+Pj4+Pj4+IA0KPj4+Pj4+Pj4+PiAjMSwgaXRzIHlldCBhbm90aGVyIGVuZHBv
aW50IHRvIGhhdmUgdG8gbWFuYWdlIHNlY3JldHMgYXQsIA0KPj4+Pj4+Pj4+PiB5ZXMgdGhpcyBp
cyBhbiBPQXV0aCBpdGVtIGJ1dCBpdOKAmXMgZ3Jvd2luZyBvdXQgb2YgY29udHJvbCwgd2UgDQo+
Pj4+Pj4+Pj4+IGFyZSB0cnlpbmcgdG8gbW92ZSBhd2F5IGZyb20gc2VjcmV0cyBhbmQgbWFuYWdl
bWVudCBvZiB0aGVzZSANCj4+Pj4+Pj4+Pj4gZW5kcG9pbnRzIGFzIHRoaXMgd291bGQgYmUganVz
dCBhbm90aGVyIG9uZSB3ZSBoYXZlIHRvIA0KPj4+Pj4+Pj4+PiBzdXBwb3J0LCBtb25pdG9yIGFu
ZCByZXBvcnQgb24NCj4+Pj4+Pj4+Pj4gDQo+Pj4+Pj4+Pj4+ICMyIHllcywgMSBwaHlzaWNhbCBl
bmRwb2ludCBhY3RpbmcgYXMgbXVsdGlwbGUgYXV0aG9yaXphdGlvbiANCj4+Pj4+Pj4+Pj4gc2Vy
dmVycw0KPj4+Pj4+Pj4+PiANCj4+Pj4+Pj4+Pj4gKkZyb206Kkdlb3JnZSBGbGV0Y2hlciBbbWFp
bHRvOmdmZmxldGNoQGFvbC5jb21dDQo+Pj4+Pj4+Pj4+ICpTZW50OiogVHVlc2RheSwgQXVndXN0
IDEzLCAyMDEzIDc6NDAgQU0NCj4+Pj4+Pj4+Pj4gKlRvOiogQW50aG9ueSBOYWRhbGluDQo+Pj4+
Pj4+Pj4+ICpDYzoqIG1pa2VAZ2x1dS5vcmc7IEp1c3RpbiBSaWNoZXI7IG9hdXRoQGlldGYub3Jn
DQo+Pj4+Pj4+Pj4+ICpTdWJqZWN0OiogUmU6IFtPQVVUSC1XR10gT1ggbmVlZHMgRHluYW1pYyBS
ZWdpc3RyYXRpb246IA0KPj4+Pj4+Pj4+PiBwbGVhc2UgZG9uJ3QgcmVtb3ZlIQ0KPj4+Pj4+Pj4+
PiANCj4+Pj4+Pj4+Pj4gSGkgVG9ueSwNCj4+Pj4+Pj4+Pj4gDQo+Pj4+Pj4+Pj4+IENvdWxkIHlv
dSBwbGVhc2UgZXhwbGFpbiBhIGxpdHRsZSBtb3JlPw0KPj4+Pj4+Pj4+PiANCj4+Pj4+Pj4+Pj4g
Rm9yIGlzc3VlIDE6DQo+Pj4+Pj4+Pj4+ICogV2hpY2ggInNlY3JldCIgYXJlIHlvdSByZWZlcnJp
bmcgdG8/IE9BdXRoMiBieSBkZWZhdWx0IA0KPj4+Pj4+Pj4+PiBhbGxvd3MgZm9yIGFuIG9wdGlv
bmFsIGNsaWVudF9zZWNyZXQuIEknbSBub3Qgc3VyZSB3aHkgdGhpcyANCj4+Pj4+Pj4+Pj4gd291
bGQgY2F1c2UgbWFuYWdlbWVudCBpc3N1ZXM/IE9yIGFyZSB5b3UgcmVmZXJyaW5nIHRvIHRoZSAN
Cj4+Pj4+Pj4+Pj4gIlJlZ2lzdHJhdGlvbiBBY2Nlc3MgVG9rZW4iPw0KPj4+Pj4+Pj4+PiAqIFdo
eSBpcyBhIHNlcGFyYXRlIGVuZHBvaW50IGFuIGlzc3VlPyBBbnkgY2xpZW50IGlzIGdvaW5nIHRv
IA0KPj4+Pj4+Pj4+PiBiZSB0YWxraW5nIHRvIG1vcmUgdGhhbiBqdXN0IHRoZSAvYXV0aG9yaXpl
IGFuZCAvdG9rZW4gDQo+Pj4+Pj4+Pj4+IGVuZHBvaW50cyBhbnl3YXkgc28gSSdtIGNvbmZ1c2Vk
IHJlZ2FyZGluZyB0aGUgZXh0cmEgY29tcGxleGl0eT8NCj4+Pj4+Pj4+Pj4gDQo+Pj4+Pj4+Pj4+
IEZvciBpc3N1ZSAyOg0KPj4+Pj4+Pj4+PiAqIFdoYXQgc3BlY2lmaWNhbGx5IGRvIHlvdSBtZWFu
IGJ5ICJtdWx0aS10ZW5hbnQiPyBJcyB0aGlzIA0KPj4+Pj4+Pj4+PiBvbmUgc2VydmVyIGFjdGlu
ZyBvbiBiZWhhbGYgb2YgbXVsdGlwbGUgdGVuYW50cyBhbmQgc28gDQo+Pj4+Pj4+Pj4+IGFwcGVh
cmluZyBhcyBtdWx0aXBsZSBBdXRob3JpemF0aW9uIFNlcnZlcnM/DQo+Pj4+Pj4+Pj4+IA0KPj4+
Pj4+Pj4+PiBUaGFua3MsDQo+Pj4+Pj4+Pj4+IEdlb3JnZQ0KPj4+Pj4+Pj4+PiANCj4+Pj4+Pj4+
Pj4gW3NuaXAuLi5dDQo+Pj4+Pj4+PiANCj4+Pj4+Pj4+IA0KPj4+Pj4+Pj4gX19fX19fX19fX19f
X19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX18NCj4+Pj4+Pj4+IE9BdXRoIG1haWxp
bmcgbGlzdA0KPj4+Pj4+Pj4gT0F1dGhAaWV0Zi5vcmcNCj4+Pj4+Pj4+IGh0dHBzOi8vd3d3Lmll
dGYub3JnL21haWxtYW4vbGlzdGluZm8vb2F1dGgNCj4+Pj4+Pj4gDQo+Pj4+Pj4+IC0tDQo+Pj4+
Pj4+IA0KPj4+Pj4+PiANCj4+Pj4+Pj4gX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19f
X19fX19fX19fX19fX18NCj4+Pj4+Pj4gT0F1dGggbWFpbGluZyBsaXN0DQo+Pj4+Pj4+IE9BdXRo
QGlldGYub3JnDQo+Pj4+Pj4+IGh0dHBzOi8vd3d3LmlldGYub3JnL21haWxtYW4vbGlzdGluZm8v
b2F1dGgNCj4+Pj4+PiANCj4+Pj4+PiBfX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19f
X19fX19fX19fX19fXw0KPj4+Pj4+IE9BdXRoIG1haWxpbmcgbGlzdA0KPj4+Pj4+IE9BdXRoQGll
dGYub3JnDQo+Pj4+Pj4gaHR0cHM6Ly93d3cuaWV0Zi5vcmcvbWFpbG1hbi9saXN0aW5mby9vYXV0
aA0KPj4+Pj4gX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX18N
Cj4+Pj4+IE9BdXRoIG1haWxpbmcgbGlzdA0KPj4+Pj4gT0F1dGhAaWV0Zi5vcmcNCj4+Pj4+IGh0
dHBzOi8vd3d3LmlldGYub3JnL21haWxtYW4vbGlzdGluZm8vb2F1dGgNCj4+Pj4gX19fX19fX19f
X19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX18NCj4+Pj4gT0F1dGggbWFpbGlu
ZyBsaXN0DQo+Pj4+IE9BdXRoQGlldGYub3JnDQo+Pj4+IGh0dHBzOi8vd3d3LmlldGYub3JnL21h
aWxtYW4vbGlzdGluZm8vb2F1dGgNCj4+PiANCj4+IA0KPiANCj4gX19fX19fX19fX19fX19fX19f
X19fX19fX19fX19fX19fX19fX19fX19fX19fX18NCj4gT0F1dGggbWFpbGluZyBsaXN0DQo+IE9B
dXRoQGlldGYub3JnDQo+IGh0dHBzOi8vd3d3LmlldGYub3JnL21haWxtYW4vbGlzdGluZm8vb2F1
dGgNCg0KDQpFdmUgTWFsZXIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgaHR0cDov
L3d3dy54bWxncnJsLmNvbS9ibG9nDQorMSA0MjUgMzQ1IDY3NTYgICAgICAgICAgICAgICAgICAg
ICAgICAgaHR0cDovL3d3dy50d2l0dGVyLmNvbS94bWxncnJsDQoNCl9fX19fX19fX19fX19fX19f
X19fX19fX19fX19fX19fX19fX19fX19fX19fX19fDQpPQXV0aCBtYWlsaW5nIGxpc3QNCk9BdXRo
QGlldGYub3JnDQpodHRwczovL3d3dy5pZXRmLm9yZy9tYWlsbWFuL2xpc3RpbmZvL29hdXRoDQo=

From prateek.mishra@oracle.com  Thu Aug 15 15:40:57 2013
Return-Path: <prateek.mishra@oracle.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6B0DD21F9A2D for <oauth@ietfa.amsl.com>; Thu, 15 Aug 2013 15:40:57 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.599
X-Spam-Level: 
X-Spam-Status: No, score=-6.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id nMPYkYRjeC6j for <oauth@ietfa.amsl.com>; Thu, 15 Aug 2013 15:40:52 -0700 (PDT)
Received: from userp1040.oracle.com (userp1040.oracle.com [156.151.31.81]) by ietfa.amsl.com (Postfix) with ESMTP id 311A321F9A14 for <oauth@ietf.org>; Thu, 15 Aug 2013 15:40:52 -0700 (PDT)
Received: from ucsinet22.oracle.com (ucsinet22.oracle.com [156.151.31.94]) by userp1040.oracle.com (Sentrion-MTA-4.3.1/Sentrion-MTA-4.3.1) with ESMTP id r7FMehAN023981 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK); Thu, 15 Aug 2013 22:40:43 GMT
Received: from userz7022.oracle.com (userz7022.oracle.com [156.151.31.86]) by ucsinet22.oracle.com (8.14.4+Sun/8.14.4) with ESMTP id r7FMegUe011276 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Thu, 15 Aug 2013 22:40:42 GMT
Received: from abhmt101.oracle.com (abhmt101.oracle.com [141.146.116.53]) by userz7022.oracle.com (8.14.4+Sun/8.14.4) with ESMTP id r7FMefLG011250; Thu, 15 Aug 2013 22:40:41 GMT
Received: from [10.152.55.230] (/10.152.55.230) by default (Oracle Beehive Gateway v4.0) with ESMTP ; Thu, 15 Aug 2013 15:40:40 -0700
Message-ID: <520D58E7.4090008@oracle.com>
Date: Thu, 15 Aug 2013 18:40:39 -0400
From: Prateek Mishra <prateek.mishra@oracle.com>
Organization: Oracle Corporation
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:17.0) Gecko/20130801 Thunderbird/17.0.8
MIME-Version: 1.0
To: Phil Hunt <phil.hunt@oracle.com>
References: <8e1ea7617c20b54b3cecbc99364b399a@gluu.org> <4AACCC15-5DE8-4906-9756-0E33D37FC240@oracle.com> <520A35CA.50006@aol.com> <520A3BAD.1050703@mitre.org> <7a9ce33274304311a64057bb305be011@BY2PR03MB189.namprd03.prod.outlook.com> <60b4af16cbbc9c5e5b00fc1e63072c45@gluu.org> <a31200b47c9d477ca226f5e1fdb2dfbf@BY2PR03MB189.namprd03.prod.outlook.com> <520A4549.5040206@aol.com> <a64cf984cc42495f9d5d362dd2f9b980@BY2PR03MB189.namprd03.prod.outlook.com> <520A472C.6040101@mitre.org> <D01CFAFF-0FB5-406C-86F3-E7D0952D01FB@oracle.com> <520A6B0D.7070103@aol.com> <520B2472.4040104@gmx.net> <D28D9D59-4A04-4C15-9357-BF30FD42900B@oracle.com> <82AB4E5E-344B-40AC-AC2C-B55D40D97D43@oracle.com>
In-Reply-To: <82AB4E5E-344B-40AC-AC2C-B55D40D97D43@oracle.com>
Content-Type: text/plain; charset=windows-1252; format=flowed
Content-Transfer-Encoding: 8bit
X-Source-IP: ucsinet22.oracle.com [156.151.31.94]
Cc: "oauth@ietf.org WG" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Observations about registration types
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 15 Aug 2013 22:40:57 -0000

Phil -

I like the taxonomy of clients you described here, my view is that this 
isn't a negative at all, it's actually necessary to make progress and 
give good guidance in this area.

OAuth provides a flexible definition of "client" - so naturally, there 
are going to be all kinds of variations and use-cases for client 
registration and self-assertion.

Pretending that there is one flavor of client is actually quite 
confusing to the community (or at least to me).

- prateek
> I'm just thinking off the top of my head trying to break through on some simplification possibilities.  The spec so far is driven by OIDC, but the more I think about it, it is a special case of clients that want to be able to connect to many different OIDC service providers based on an event trigger of some kind (truly dynamic).
>
> When I hear Justin and others describe the drive behind dyn reg, the primary reason stated is because 6749 requires that clients have a client_id. The requirement for client_id to be issued by the AS protecting the endpoint seems to arise from the assumption that client_id must be an identifier the AS accepts.
>
> Yet, 6749 does not make this restriction.
>
> An assertion (e.g. software statement) could serve the same purpose as long as the AS trusts the signer.  So for example, javascript clients could pass a software assertion and avoid the need to register.
>
> Per my previous comment, I am of course assuming that there is little or no value in being able to track execution instances of javascript.
>
> If I were to separate the Software Statement into a separate spec, it could define multiple uses:
>
> 1.  [No Reg] As a client_id for javascript / implicit clients
>
> 2. [Static Reg] For native clients (ones that use a fixed redirect), a certificate swap per the JWT Bearer spec to exchange for a client assertion.  (would client_id be assigned or would software statement be used?).  These clients are "fixed" and more often than not, tend to associate with one service provider at a time.
>
> 3.  [Offline Reg] For web clients -- is registration needed? Why not use an OOB administrative process.  These are large apps with significant trust and network issues that would preclude automatic registration. They tend to connect to one endpoint at a time.
>
> 5. [Dyn Reg] Dynamic association clients - There is a category of clients that would need full CRUD because of registration time changes in values like redirect_url? Further, the clients may connect randomly to different service providers of the same API. OpenID Connect seems to be one of them. Do these clients need permanent registration?
>
> Does categorization of clients give a proper justification for having a dyn reg draft plus some other methods for registration?  Or is OIDC so specialized the draft should remain an OIDF draft?  If so, how can we best align?
>
> The one observation I have here about registration and the dynamic registration case is that a hacker could simply keep re-registering an endpoint to change the redirect_url at will. It seems like this is a bad thing. So is the idea to ensure that every time a client returns to an endpoint it somehow MUST use the same registration as before? Honest players might do that (especially incentivized by saving the registration step).  But Dyn Reg would seem not to do this, but rather make it easier to keep registering and thereby dynamically change the redirect_url every time.
>
> Of course a *big* negative about this thinking is that different clients are treated very differently.  I don't like this. Yet, for each treatment, the options are more restrictive and simplified.  I'm not sure this is progress, but thought I would throw the idea out there for discussion.  Maybe someone can take this to another step?
>
> Phil
>
> @independentid
> www.independentid.com
> phil.hunt@oracle.com
>
>
> On 2013-08-14, at 2:29 AM, Phil Hunt <phil.hunt@oracle.com> wrote:
>
>> +1 to Hannes comments. I was referring to the server issues.
>>
>> George, I believe only in the openid case and a few others would a client hold tokens to multiple endpoints of the same api.
>>
>> For the vast majority of apps, clients would be permanently associated to a single endpoint for the resource endpoint.
>>
>> That said, having multiple tokens for multiple endpoints isn't that confusing. But, having multiple tokens for EACH of multiple endpoints is confusing.
>>
>> Compound that with the fact that each api endpoint and each reg endpoint may use different types of credentials (passwords, tokens, hoks) and the client has to be pretty darn smart dealing with all the options and permutations.
>>
>> 1. We need to eliminate reg access tokens as long term retained tokens. If we must have crud then use normal access tokens issued in the normal way.
>>
>> 2. We need to look to change the design to reduce options at the registration endpoint. The assertion swap method is one possibility.
>>
>> 3. We should also consider amending 6749. For example make client id optional for implicit flow or javascript based on service provider choice. Or depend on a developer issued client id, etc. Dyn reg isn't actually improving security in these cases anyway. Why go through this much work for an identifier if it doesn't help client or server other than the ability to make a conforming call?
>>
>> Phil
>>
>> On 2013-08-13, at 23:32, Hannes Tschofenig <hannes.tschofenig@gmx.net> wrote:
>>
>>> George is correct with his statements. There is, however, a difference between a shared secret and an assertion as Phil pointed out. For the assertion the server does not need to maintain state on a per-client basis. On the other hand since the client secret isn't really used in the classical sense of a password either but rather as a "cookie" (if used in the style of Section 2.3.1 of RFC6749) one could easily apply the concept of stateless tokens to them:
>>> http://tools.ietf.org/html/draft-rescorla-stateless-tokens-01
>>>
>>>
>>> On 08/13/2013 07:21 PM, George Fletcher wrote:
>>>> Hi Phil,
>>>>
>>>> I'm sorry for not following completely. Some questions inline...
>>>>
>>>> On 8/13/13 11:00 AM, Phil Hunt wrote:
>>>>> Dyn reg and the scim reg variant depend too much/biased towards
>>>>> passwords expressed as client secrets.
>>>> I'm not sure what you mean in regards to "client secrets". There are
>>>> OAuth2 bearer tokens that need to be protected because they are bearer
>>>> tokens. That said, there is nothing in the spec that requires these to
>>>> be opaque blobs vs signed tokens. So both the "Initial Access Token" and
>>>> the "Registration Access Token" can be signed tokens. However, the
>>>> client still has to protect them as if they were a "secret" because they
>>>> are a bearer token and can be replayed. So it's the same amount of work
>>>> on the client either way.
>>>>
>>>>> A signed token approach has many advantages for service providers like
>>>>> not having to maintain a secure database of secrets/passwords.
>>>> If the concern here is the amount of data the Authorization Server has
>>>> to store to manage these clients, then the current spec doesn't preclude
>>>> using a "signed token". Both OAuth2 bearer tokens identified in the
>>>> current spec can be signed tokens.
>>>>> Finally issuing both a client secret and registration token is costly
>>>>> and confusing to client developers.  I relented somewhat when I
>>>>> realized kerberos does this--but I still feel it is a bad design at
>>>>> cloud scale.
>>>> Given that client_secrets are OPTIONAL in OAuth2 for some use cases, I'm
>>>> not sure how you abstract the client developer from having to deal with
>>>> them. The client developer is going to be dealing with multiple OAuth2
>>>> tokens to multiple endpoints regardless so I don't see another token as
>>>> costly or complex. At a minimum there is the refresh_token and
>>>> access_token. Where is the added client developer complexity?
>>>>
>>>> Thanks,
>>>> George
>>>>
>>>>> Phil
>>>>>
>>>>> On 2013-08-13, at 7:48, Justin Richer <jricher@mitre.org
>>>>> <mailto:jricher@mitre.org>> wrote:
>>>>>
>>>>>> The spec doesn't care where you deploy at -- if URL space is at a
>>>>>> premium for you, then switch based on input parameters and other
>>>>>> things. And you're still not clear on which "secrets" you're taking
>>>>>> issue with.
>>>>>>
>>>>>> -- Justin
>>>>>>
>>>>>> On 08/13/2013 10:46 AM, Anthony Nadalin wrote:
>>>>>>> #1, it's yet another endpoint to have to manage secrets at, yes this
>>>>>>> is an OAuth item but it’s growing out of control, we are trying to
>>>>>>> move away from secrets and management of these endpoints as this
>>>>>>> would be just another one we have to support, monitor and report on
>>>>>>>
>>>>>>> #2 yes, 1 physical endpoint acting as multiple authorization servers
>>>>>>>
>>>>>>> *From:*George Fletcher [mailto:gffletch@aol.com]
>>>>>>> *Sent:* Tuesday, August 13, 2013 7:40 AM
>>>>>>> *To:* Anthony Nadalin
>>>>>>> *Cc:* mike@gluu.org; Justin Richer; oauth@ietf.org
>>>>>>> *Subject:* Re: [OAUTH-WG] OX needs Dynamic Registration: please
>>>>>>> don't remove!
>>>>>>>
>>>>>>> Hi Tony,
>>>>>>>
>>>>>>> Could you please explain a little more?
>>>>>>>
>>>>>>> For issue 1:
>>>>>>> * Which "secret" are you referring to? OAuth2 by default allows for
>>>>>>> an optional client_secret. I'm not sure why this would cause
>>>>>>> management issues? Or are you referring to the "Registration Access
>>>>>>> Token"?
>>>>>>> * Why is a separate endpoint an issue? Any client is going to be
>>>>>>> talking to more than just the /authorize and /token endpoints anyway
>>>>>>> so I'm confused regarding the extra complexity?
>>>>>>>
>>>>>>> For issue 2:
>>>>>>> * What specifically do you mean by "multi-tenant"? Is this one
>>>>>>> server acting on behalf of multiple tenants and so appearing as
>>>>>>> multiple Authorization Servers?
>>>>>>>
>>>>>>> Thanks,
>>>>>>> George
>>>>>>>
>>>>>>> [snip...]
>>>>>
>>>>> _______________________________________________
>>>>> OAuth mailing list
>>>>> OAuth@ietf.org
>>>>> https://www.ietf.org/mailman/listinfo/oauth
>>>> --
>>>>
>>>>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
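
The two points made in the quoted thread above (a signed token lets the server validate without per-client state, yet the client must still guard it because a bearer token can be replayed) can be seen together in the following added example, which is not code from any poster or from the drafts under discussion. It assumes an HMAC-SHA256 signed compact token in the JWS style; the key, claim names and client identifier are constructed for illustration.

```python
import base64
import hashlib
import hmac
import json


def b64u(data: bytes) -> str:
    """base64url without padding, as used by compact JWS."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64u_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(key: bytes, claims: dict) -> str:
    """Server side: sign the claims. Nothing is written to a database."""
    header = b64u(json.dumps({"alg": "HS256", "typ": "JWT"},
                             separators=(",", ":")).encode())
    payload = b64u(json.dumps(claims, separators=(",", ":")).encode())
    signing_input = f"{header}.{payload}".encode("ascii")
    signature = hmac.new(key, signing_input, hashlib.sha256).digest()
    return f"{header}.{payload}.{b64u(signature)}"


def verify_token(key: bytes, token: str, now: int):
    """Server side: validate using only the server key and the token itself.

    Returns the claims, or None if the token is malformed, forged or expired.
    There is no lookup of per-client state, and no input describing who is
    presenting the token: possession is the only proof (bearer semantics).
    """
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(b64u_decode(header_b64))
        signature = b64u_decode(sig_b64)
    except ValueError:
        return None
    # Pin the algorithm instead of trusting whatever the header claims.
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return None
    signing_input = f"{header_b64}.{payload_b64}".encode("ascii")
    expected = hmac.new(key, signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(signature, expected):
        return None
    try:
        claims = json.loads(b64u_decode(payload_b64))
    except ValueError:
        return None
    if not isinstance(claims, dict) or now >= claims.get("exp", 0):
        return None
    return claims


def swap_payload(token: str, claims: dict) -> str:
    """Constructed tampering case: new claims, old signature."""
    header_b64, _, sig_b64 = token.split(".")
    payload = b64u(json.dumps(claims, separators=(",", ":")).encode())
    return f"{header_b64}.{payload}.{sig_b64}"


# Constructed sample values, not taken from the thread.
DEMO_KEY = b"constructed-demo-key-do-not-reuse"
DEMO_CLAIMS = {"client_id": "demo-client", "scope": "registration", "exp": 2000}

if __name__ == "__main__":
    token = issue_token(DEMO_KEY, DEMO_CLAIMS)
    print("first use :", verify_token(DEMO_KEY, token, now=1000))
    print("replayed  :", verify_token(DEMO_KEY, token, now=1500))
    print("expired   :", verify_token(DEMO_KEY, token, now=2000))
    forged = swap_payload(token, dict(DEMO_CLAIMS, client_id="other-client"))
    print("tampered  :", verify_token(DEMO_KEY, forged, now=1000))
```

The replayed presentation verifies exactly like the first one, so the signature removes the server's secrets database but not the client's duty to protect the token; only the `exp` claim bounds how long a leaked copy stays useful.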


From Michael.Jones@microsoft.com  Thu Aug 15 18:21:24 2013
Return-Path: <Michael.Jones@microsoft.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 259BD11E8213 for <oauth@ietfa.amsl.com>; Thu, 15 Aug 2013 18:21:24 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.486
X-Spam-Level: 
X-Spam-Status: No, score=-3.486 tagged_above=-999 required=5 tests=[AWL=0.112,  BAYES_00=-2.599, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 89t+vilKpO3k for <oauth@ietfa.amsl.com>; Thu, 15 Aug 2013 18:21:19 -0700 (PDT)
Received: from na01-by2-obe.outbound.protection.outlook.com (mail-by2lp0236.outbound.protection.outlook.com [207.46.163.236]) by ietfa.amsl.com (Postfix) with ESMTP id CD79A21F9A57 for <oauth@ietf.org>; Thu, 15 Aug 2013 18:21:18 -0700 (PDT)
Received: from BLUPR03CA037.namprd03.prod.outlook.com (10.141.30.30) by BLUPR03MB035.namprd03.prod.outlook.com (10.255.209.147) with Microsoft SMTP Server (TLS) id 15.0.745.25; Fri, 16 Aug 2013 01:21:16 +0000
Received: from BL2FFO11FD043.protection.gbl (2a01:111:f400:7c09::24) by BLUPR03CA037.outlook.office365.com (2a01:111:e400:879::30) with Microsoft SMTP Server (TLS) id 15.0.745.25 via Frontend Transport; Fri, 16 Aug 2013 01:21:16 +0000
Received: from mail.microsoft.com (131.107.125.37) by BL2FFO11FD043.mail.protection.outlook.com (10.173.161.139) with Microsoft SMTP Server (TLS) id 15.0.745.15 via Frontend Transport; Fri, 16 Aug 2013 01:21:15 +0000
Received: from TK5EX14MBXC283.redmond.corp.microsoft.com ([169.254.2.178]) by TK5EX14HUBC103.redmond.corp.microsoft.com ([157.54.86.9]) with mapi id 14.03.0136.001; Fri, 16 Aug 2013 01:20:32 +0000
From: Mike Jones <Michael.Jones@microsoft.com>
To: "oauth@ietf.org" <oauth@ietf.org>
Thread-Topic: POST to Authorization Endpoint
Thread-Index: Ac6aHtvpg4hiduGETuyxfmPVrmuTSQ==
Date: Fri, 16 Aug 2013 01:20:31 +0000
Message-ID: <4E1F6AAD24975D4BA5B16804296739436B7832DC@TK5EX14MBXC283.redmond.corp.microsoft.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
x-originating-ip: [157.54.51.71]
Content-Type: multipart/alternative; boundary="_000_4E1F6AAD24975D4BA5B16804296739436B7832DCTK5EX14MBXC283r_"
MIME-Version: 1.0
X-Forefront-Antispam-Report: CIP:131.107.125.37; CTRY:US; IPV:CAL; IPV:NLI; EFV:NLI; SFV:NSPM; SFS:(189002)(199002)(164054003)(512954002)(51856001)(74366001)(19300405004)(76176001)(6806004)(65816001)(80022001)(77982001)(59766001)(55846006)(19580385001)(83072001)(83322001)(76796001)(16236675002)(44976005)(81686001)(33656001)(81816001)(76786001)(46102001)(63696002)(19580395003)(47976001)(50986001)(49866001)(20776003)(47736001)(79102001)(4396001)(15202345003)(16297215004)(81542001)(53806001)(16406001)(74876001)(69226001)(54356001)(54316002)(56816003)(77096001)(66066001)(74706001)(71186001)(74662001)(47446002)(76482001)(81342001)(56776001)(80976001)(74502001)(31966008); DIR:OUT; SFP:; SCL:1; SRVR:BLUPR03MB035; H:mail.microsoft.com; CLIP:131.107.125.37; RD:InfoDomainNonexistent; MX:1; A:1; LANG:en; 
X-O365ENT-EOP-Header: Message processed by -  O365_ENT: Allow from ranges (Engineering ONLY)
X-Forefront-PRVS: 0940A19703
X-OriginatorOrg: DuplicateDomain-a84fc36a-4ed7-4e57-ab1c-3e967bcbad48.microsoft.com
X-MS-Exchange-CrossPremises-OriginalClientIPAddress: 131.107.125.37
X-MS-Exchange-CrossPremises-AuthSource: BL2FFO11FD043.protection.gbl
X-MS-Exchange-CrossPremises-AuthAs: Anonymous
X-MS-Exchange-CrossPremises-AVStamp-Service: 1.0
X-MS-Exchange-CrossPremises-SCL: 1
X-MS-Exchange-CrossPremises-Antispam-ScanContext: DIR:Originating; SFV:NSPM; SKIP:0; 
X-MS-Exchange-CrossPremises-Processed-By-Journaling: Journal Agent
X-OrganizationHeadersPreserved: BLUPR03MB035.namprd03.prod.outlook.com
Subject: [OAUTH-WG] POST to Authorization Endpoint
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 16 Aug 2013 01:21:24 -0000

--_000_4E1F6AAD24975D4BA5B16804296739436B7832DCTK5EX14MBXC283r_
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable

http://tools.ietf.org/html/rfc6749#section-3.1 says:

   The authorization server MUST support the use of the HTTP "GET"
   method [RFC2616<http://tools.ietf.org/html/rfc2616>] for the
   authorization endpoint and MAY support the use of the "POST" method
   as well.

Unfortunately, it's missing any details (that I can find, anyway) on
how to pass the parameters in if POST is used.  If you follow the
examples of how "POST" is used at the token endpoint, they would be
passed in the message body, per the example at
http://tools.ietf.org/html/rfc6749#section-4.1.3.  However, it seems
like it's also possible for them to be passed as query parameters in
the same manner as when using "GET".

Can anyone determine the intent of the spec on how to pass input
parameters when using POST to the Authorization Endpoint?

                                                                Thanks,
                                                                -- Mike


--_000_4E1F6AAD24975D4BA5B16804296739436B7832DCTK5EX14MBXC283r_--
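
One way an authorization server can handle the ambiguity raised in the message above, shown as an added example that is not from the poster or from RFC 6749: accept the parameters from the query component or from a form-encoded POST body, but refuse a request in which the same parameter arrives more than once across the two. The "either place, never both" policy and the function and error names are assumptions of this sketch; the rules that a parameter must not be included more than once and that a parameter sent without a value is treated as omitted are from RFC 6749 Section 3.1.

```python
from urllib.parse import parse_qsl

FORM_MEDIA_TYPE = "application/x-www-form-urlencoded"


class AuthzRequestError(ValueError):
    """Raised when an authorization request must be refused."""


def extract_authz_params(method, query_string, content_type="", body=""):
    """Collect authorization request parameters from one HTTP request.

    GET:  parameters come from the query component only.
    POST: parameters may come from the query component, from a
          form-encoded body, or be split between them, but a name seen in
          one place may not be repeated in the other (or within the same
          place). Without this check two components of the same
          deployment could each pick a different redirect_uri or
          client_id from one request.
    """
    method = method.upper()
    if method not in ("GET", "POST"):
        raise AuthzRequestError("method_not_allowed")

    sources = [("query", parse_qsl(query_string, keep_blank_values=True))]

    if method == "POST" and body:
        media_type = content_type.split(";", 1)[0].strip().lower()
        if media_type != FORM_MEDIA_TYPE:
            raise AuthzRequestError("unsupported_content_type")
        sources.append(("body", parse_qsl(body, keep_blank_values=True)))

    params = {}
    origin = {}
    for source, pairs in sources:
        for name, value in pairs:
            if value == "":
                # RFC 6749 Section 3.1: a parameter sent without a value
                # is treated as if it were omitted.
                continue
            if name in params:
                # RFC 6749 Section 3.1: parameters MUST NOT be included
                # more than once. Record both locations for the log.
                raise AuthzRequestError(
                    f"duplicate_parameter:{name}:{origin[name]}+{source}"
                )
            params[name] = value
            origin[name] = source
    return params


# Constructed sample requests (values are illustrative only).
SAMPLE_PARAMS = "response_type=code&client_id=s6BhdRkqt3&state=xyz"
SAMPLE_REDIRECT = "redirect_uri=https%3A%2F%2Fclient.example.com%2Fcb"
OTHER_REDIRECT = "redirect_uri=https%3A%2F%2Fother.example.net%2Fcb"

if __name__ == "__main__":
    print(extract_authz_params("GET", SAMPLE_PARAMS))
    print(extract_authz_params("POST", "", FORM_MEDIA_TYPE, SAMPLE_PARAMS))
    try:
        extract_authz_params(
            "POST", SAMPLE_PARAMS + "&" + SAMPLE_REDIRECT,
            FORM_MEDIA_TYPE, OTHER_REDIRECT,
        )
    except AuthzRequestError as exc:
        print("refused:", exc)
```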

From torsten@lodderstedt.net  Thu Aug 15 22:32:18 2013
In-Reply-To: <3F77EA9B-0F5D-44E6-AFEB-C873D6342713@ve7jtb.com>
References: <8e1ea7617c20b54b3cecbc99364b399a@gluu.org> <4AACCC15-5DE8-4906-9756-0E33D37FC240@oracle.com> <520A35CA.50006@aol.com> <520A3BAD.1050703@mitre.org> <7a9ce33274304311a64057bb305be011@BY2PR03MB189.namprd03.prod.outlook.com> <60b4af16cbbc9c5e5b00fc1e63072c45@gluu.org> <a31200b47c9d477ca226f5e1fdb2dfbf@BY2PR03MB189.namprd03.prod.outlook.com> <520A4549.5040206@aol.com> <a64cf984cc42495f9d5d362dd2f9b980@BY2PR03MB189.namprd03.prod.outlook.com> <520A472C.6040101@mitre.org> <D01CFAFF-0FB5-406C-86F3-E7D0952D01FB@oracle.com> <520A6B0D.7070103@aol.com> <520B2472.4040104@gmx.net> <F4E352F7-AF40-4D4B-B3F1-F8FEC4F5BA4C@gmail.com> <C4319956-096D-4040-BAE1-2247E2C37D8A@oracle.com> <3F77EA9B-0F5D-44E6-AFEB-C873D6342713@ve7jtb.com>
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="----HXLSZJ1FDTQ34SD33PUK4LZK71CH4V"
From: Torsten Lodderstedt <torsten@lodderstedt.net>
Date: Fri, 16 Aug 2013 07:32:05 +0200
To: John Bradley <ve7jtb@ve7jtb.com>,Phil Hunt <phil.hunt@oracle.com>
Message-ID: <6cedab5c-f3aa-4b85-9ae8-aea67278568a@email.android.com>
Cc: "mike@gluu.org" <mike@gluu.org>, "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] OX needs Dynamic Registration: please don't remove!

------HXLSZJ1FDTQ34SD33PUK4LZK71CH4V
Content-Type: text/plain;
 charset=UTF-8
Content-Transfer-Encoding: 8bit

+1 

Dyn reg should fit into the OAuth system as it is now, which uses client ids and secrets. A (probably) improved OAuth is a completely different topic. Let's handle it separately. 



John Bradley <ve7jtb@ve7jtb.com> wrote:
>Yes, a bearer token that is signed and/or encrypted by the AS reduces
>the amount of state required for the AS to maintain.
>
>In RFC 6749 there is information about the client that is tied to the
>client_id, and is required at the authorization endpoint. (e.g.
>redirect_uri)
>
>I understand the goal of reducing state in the IdP.   Some of us have
>looked at storing information in a signed client_id that would work in
>the existing RFC 6749 flows.
>
>It seems that some people are dissatisfied with RFC 6749 and would like
>to see changes like removing implicit flows.
>
>The current Dynamic registration spec deals with the current state of
>OAuth.   If the WG decides to do an OAuth 3 that fully supports
>assertions and ditches secrets I would be OK with that.
>However, let's not cripple what we have as a standard now by creating
>dynamic registration that can only be fully implemented  in a future
>version of OAuth.
>
>Some people want/need a client registration API now.  It is clearly a
>missing part of an entire OAuth system.
>Supporting existing OAuth while minimizing state at the AS is something
>I support, waiting for an OAuth redesign is not in my opinion a
>reasonable medium term goal.
>
>John B.
>
>
>On 2013-08-14, at 11:47 PM, Phil Hunt <phil.hunt@oracle.com> wrote:
>
>> I am saying a bearer token is better than a password for the service
>> provider as Hannes explains.
>> 
>> Phil
>> 
>> On 2013-08-14, at 19:42, Nat Sakimura <sakimura@gmail.com> wrote:
>> 
>>> Right. A Bearer Token does not have to be a shared secret. It may
>>> have some structure that allows the server to validate it statelessly,
>>> e.g. JWS-JWT.
>>> 
>>> =nat via iPhone
>>> 
>>> On Aug 14, 2013, at 15:32, Hannes Tschofenig <hannes.tschofenig@gmx.net> wrote:
>>> 
>>>> George is correct with his statements. There is, however, a
>>>> difference between a shared secret and an assertion as Phil pointed
>>>> out. For the assertion the server does not need to maintain state on a
>>>> per-client basis. On the other hand since the client secret isn't
>>>> really used in the classical sense of a password either but rather as a
>>>> "cookie" (if used in the style of Section 2.3.1 of RFC6749) one could
>>>> easily apply the concept of stateless tokens to them:
>>>> http://tools.ietf.org/html/draft-rescorla-stateless-tokens-01
>>>> 
>>>> 
>>>> On 08/13/2013 07:21 PM, George Fletcher wrote:
>>>>> Hi Phil,
>>>>> 
>>>>> I'm sorry for not following completely. Some questions inline...
>>>>> 
>>>>> On 8/13/13 11:00 AM, Phil Hunt wrote:
>>>>>> Dyn reg and the scim reg variant depend too much/biased towards
>>>>>> passwords expressed as client secrets.
>>>>> I'm not sure what you mean in regards to "client secrets". There are
>>>>> OAuth2 bearer tokens that need to be protected because they are bearer
>>>>> tokens. That said, there is nothing in the spec that requires these to
>>>>> be opaque blobs vs signed tokens. So both the "Initial Access Token" and
>>>>> the "Registration Access Token" can be signed tokens. However, the
>>>>> client still has to protect them as if they were a "secret" because they
>>>>> are a bearer token and can be replayed. So it's the same amount of work
>>>>> on the client either way.
>>>>> 
>>>>>> 
>>>>>> A signed token approach has many advantages for service providers like
>>>>>> not having to maintain a secure database of secrets/passwords.
>>>>> If the concern here is the amount of data the Authorization Server has
>>>>> to store to manage these clients, then the current spec doesn't preclude
>>>>> using a "signed token". Both OAuth2 bearer tokens identified in the
>>>>> current spec can be signed tokens.
>>>>>> 
>>>>>> Finally issuing both a client secret and registration token is costly
>>>>>> and confusing to client developers.  I relented somewhat when I
>>>>>> realized Kerberos does this--but I still feel it is a bad design at
>>>>>> cloud scale.
>>>>> Given that client_secrets are OPTIONAL in OAuth2 for some use cases, I'm
>>>>> not sure how you abstract the client developer from having to deal with
>>>>> them. The client developer is going to be dealing with multiple OAuth2
>>>>> tokens to multiple endpoints regardless so I don't see another token as
>>>>> costly or complex. At a minimum there is the refresh_token and
>>>>> access_token. Where is the added client developer complexity?
>>>>> 
>>>>> Thanks,
>>>>> George
>>>>> 
>>>>>> 
>>>>>> Phil
>>>>>> 
>>>>>> On 2013-08-13, at 7:48, Justin Richer <jricher@mitre.org> wrote:
>>>>>> 
>>>>>>> The spec doesn't care where you deploy at -- if URL space is at a
>>>>>>> premium for you, then switch based on input parameters and other
>>>>>>> things. And you're still not clear on which "secrets" you're taking
>>>>>>> issue with.
>>>>>>> 
>>>>>>> -- Justin
>>>>>>> 
>>>>>>> On 08/13/2013 10:46 AM, Anthony Nadalin wrote:
>>>>>>>> 
>>>>>>>> #1, it's yet another endpoint to have to manage secrets at, yes this
>>>>>>>> is an OAuth item but it's growing out of control, we are trying to
>>>>>>>> move away from secrets and management of these endpoints as this
>>>>>>>> would be just another one we have to support, monitor and report on
>>>>>>>> 
>>>>>>>> #2 yes, 1 physical endpoint acting as multiple authorization servers
>>>>>>>> 
>>>>>>>> *From:* George Fletcher [mailto:gffletch@aol.com]
>>>>>>>> *Sent:* Tuesday, August 13, 2013 7:40 AM
>>>>>>>> *To:* Anthony Nadalin
>>>>>>>> *Cc:* mike@gluu.org; Justin Richer; oauth@ietf.org
>>>>>>>> *Subject:* Re: [OAUTH-WG] OX needs Dynamic Registration: please
>>>>>>>> don't remove!
>>>>>>>> 
>>>>>>>> Hi Tony,
>>>>>>>> 
>>>>>>>> Could you please explain a little more?
>>>>>>>> 
>>>>>>>> For issue 1:
>>>>>>>> * Which "secret" are you referring to? OAuth2 by default allows for
>>>>>>>> an optional client_secret. I'm not sure why this would cause
>>>>>>>> management issues? Or are you referring to the "Registration Access
>>>>>>>> Token"?
>>>>>>>> * Why is a separate endpoint an issue? Any client is going to be
>>>>>>>> talking to more than just the /authorize and /token endpoints anyway
>>>>>>>> so I'm confused regarding the extra complexity?
>>>>>>>> 
>>>>>>>> For issue 2:
>>>>>>>> * What specifically do you mean by "multi-tenant"? Is this one
>>>>>>>> server acting on behalf of multiple tenants and so appearing as
>>>>>>>> multiple Authorization Servers?
>>>>>>>> 
>>>>>>>> Thanks,
>>>>>>>> George
>>>>>>>> 
>>>>>>>> [snip...]
>>>>>> 
>>>>>> 
>>>>>> _______________________________________________
>>>>>> OAuth mailing list
>>>>>> OAuth@ietf.org
>>>>>> https://www.ietf.org/mailman/listinfo/oauth

------HXLSZJ1FDTQ34SD33PUK4LZK71CH4V--
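
The signed client_id that John Bradley mentions, and the stateless validation Nat and Hannes describe, worked through as an added example (not code from this thread, not the draft-rescorla-stateless-tokens format and not JWS): the AS packs the registered redirect_uris into the client_id under an HMAC, so the authorization endpoint can check redirect_uri without a per-client record. The encoding, claim names and function names are assumptions.

```python
import base64
import hashlib
import hmac
import json
import time


class InvalidClient(Exception):
    """The client_id failed verification or does not cover the request."""


def b64e(data):
    """URL-safe base64 without padding, so the client_id survives a query string."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64d(text):
    """Inverse of b64e; restores the padding that b64e stripped."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_client_id(key, client_name, redirect_uris, now=None, lifetime=30 * 86400):
    """Registration: return a self-contained client_id of the form payload.tag."""
    issued = int(time.time() if now is None else now)
    claims = {"name": client_name, "redirect_uris": sorted(redirect_uris),
              "iat": issued, "exp": issued + lifetime}
    payload = b64e(json.dumps(claims, separators=(",", ":"), sort_keys=True).encode("utf-8"))
    tag = b64e(hmac.new(key, payload.encode("ascii"), hashlib.sha256).digest())
    return payload + "." + tag


def verify_client_id(key, client_id, now=None):
    """Check the MAC before parsing anything, then check expiry. Returns the claims."""
    try:
        payload, tag = client_id.split(".")
        given = b64d(tag)
        expected = hmac.new(key, payload.encode("ascii"), hashlib.sha256).digest()
    except ValueError as exc:  # wrong number of parts, bad base64, non-ASCII input
        raise InvalidClient("malformed client_id") from exc
    if not hmac.compare_digest(expected, given):  # constant-time comparison
        raise InvalidClient("signature mismatch")
    claims = json.loads(b64d(payload))  # authenticated above, so safe to parse
    current = time.time() if now is None else now
    if current >= claims["exp"]:
        raise InvalidClient("registration expired")
    return claims


def check_authorization_request(key, client_id, redirect_uri, now=None):
    """Authorization endpoint: exact-match redirect_uri against the signed list."""
    claims = verify_client_id(key, client_id, now)
    if redirect_uri not in claims["redirect_uris"]:
        raise InvalidClient("redirect_uri is not registered for this client")
    return claims


if __name__ == "__main__":
    # Constructed sample values; the key would come from the AS's key store.
    demo_key = b"\x01" * 32
    cid = issue_client_id(demo_key, "demo client", ["https://client.example/cb"])
    print(cid)
    print(check_authorization_request(demo_key, cid, "https://client.example/cb"))
    try:
        check_authorization_request(demo_key, cid, "https://other.example/cb")
    except InvalidClient as err:
        print("rejected:", err)
```

Without per-client state the AS cannot revoke a single registration before `exp`; that takes a deny list or a key rotation.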


From jricher@mitre.org  Fri Aug 16 07:05:48 2013
Message-ID: <520E315B.4060707@mitre.org>
Date: Fri, 16 Aug 2013 10:04:11 -0400
From: Justin Richer <jricher@mitre.org>
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:17.0) Gecko/20130623 Thunderbird/17.0.7
MIME-Version: 1.0
To: Mike Jones <Michael.Jones@microsoft.com>
References: <4E1F6AAD24975D4BA5B16804296739436B7832DC@TK5EX14MBXC283.redmond.corp.microsoft.com>
In-Reply-To: <4E1F6AAD24975D4BA5B16804296739436B7832DC@TK5EX14MBXC283.redmond.corp.microsoft.com>
Content-Type: multipart/alternative; boundary="------------030400060108040703070403"
Cc: "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] POST to Authorization Endpoint

--------------030400060108040703070403
Content-Type: text/plain; charset="ISO-8859-1"; format=flowed
Content-Transfer-Encoding: 7bit

 From what I recall, the intent was to use form parameters in the http 
entity body, in order to prevent query param leaking into logs (or 
something like that). But I don't think there was intended to be a 
prohibition on query parameters on POST. Since the auth endpoint is 
almost exclusively accessed via a 302-style redirect, GET is obviously 
far more useful in most cases.

As a data point, our implementation (based on Spring Security OAuth) 
will take things in either the query parameters or the body to either a 
GET or POST to the auth endpoint, but this is more of a side effect of 
the Spring framework than anything. However, most webapp frameworks 
(that I've used) go to great pains to abstract the method by which 
parameters get passed in, unless you take the effort to lock things down 
specifically yourself as the developer.

  -- Justin


On 08/15/2013 09:20 PM, Mike Jones wrote:
>
> http://tools.ietf.org/html/rfc6749#section-3.1 says:
>
>     The authorization server MUST support the use of the HTTP "GET"
>     method [RFC2616] for the authorization endpoint and MAY support the
>     use of the "POST" method as well.
>
> Unfortunately, it's missing any details (that I can find, anyway) on 
> how to pass the parameters in if POST is used.  If you follow the 
> examples of how "POST" is used at the token endpoint, they would be 
> passed in the message body, per the example at 
> http://tools.ietf.org/html/rfc6749#section-4.1.3. However, it seems 
> like it's also possible for them to be passed as query parameters in 
> the same manner as when using "GET".
>
> Can anyone determine the intent of the spec on how to pass input 
> parameters when using POST to the Authorization Endpoint?
>
> Thanks,
>
> -- Mike
>
>
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth


--------------030400060108040703070403--
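
The lock-down Justin describes, written out as an added example (not code from this thread, from Spring Security OAuth or from any implementation mentioned on the list): each method gets exactly one parameter source, so the value the server validates is the value the client sent. The policy itself, the function names and the `tenant` query component are assumptions; the duplicate check follows RFC 6749 section 3.1.

```python
from urllib.parse import parse_qsl, urlsplit

FORM_TYPE = "application/x-www-form-urlencoded"
# Authorization request parameters from RFC 6749 sections 4.1.1 and 4.2.1.
OAUTH_PARAMS = frozenset({"response_type", "client_id", "redirect_uri", "scope", "state"})


class ParameterSourceError(Exception):
    """The request delivered parameters in a way this endpoint's policy rejects."""


def unique_params(encoded, where):
    """Parse form-encoded text, refusing any parameter that appears twice."""
    params = {}
    for name, value in parse_qsl(encoded, keep_blank_values=True):
        if name in params:
            # RFC 6749 section 3.1: parameters MUST NOT be included more than once.
            raise ParameterSourceError(f"duplicate parameter {name!r} in {where}")
        params[name] = value
    return params


def authorization_params(method, target, content_type="", body=b""):
    """Return the authorization request parameters from the one allowed source.

    Assumed policy: GET reads the query string only. POST reads an
    application/x-www-form-urlencoded body only and must not carry any OAuth
    parameter in the query string; other query components that belong to the
    endpoint URI itself are tolerated on POST but never returned.
    """
    query = unique_params(urlsplit(target).query, "query string")
    method = method.upper()
    if method == "GET":
        if body:
            raise ParameterSourceError("GET request must not carry a body")
        return query
    if method != "POST":
        raise ParameterSourceError(f"method {method} is not allowed")
    media_type = content_type.split(";", 1)[0].strip().lower()
    if media_type != FORM_TYPE:
        raise ParameterSourceError(f"unsupported content type {media_type!r}")
    in_query = sorted(OAUTH_PARAMS.intersection(query))
    if in_query:
        # Merging both sources would make it ambiguous which value gets validated.
        raise ParameterSourceError(f"OAuth parameters in POST query string: {in_query}")
    try:
        text = body.decode("utf-8")
    except UnicodeDecodeError as exc:
        raise ParameterSourceError("request body is not valid UTF-8") from exc
    return unique_params(text, "request body")


def is_rejected(*args, **kwargs):
    """True when authorization_params refuses the request."""
    try:
        authorization_params(*args, **kwargs)
    except ParameterSourceError:
        return True
    return False


if __name__ == "__main__":
    # Constructed sample requests: (method, request target, Content-Type, body).
    samples = [
        ("GET", "/authorize?response_type=code&client_id=client-123&state=xyz", "", b""),
        ("POST", "/authorize?tenant=a", FORM_TYPE, b"response_type=code&client_id=client-123"),
        ("POST", "/authorize?client_id=other", FORM_TYPE, b"client_id=client-123"),
        ("GET", "/authorize?redirect_uri=a&redirect_uri=b", "", b""),
    ]
    for sample in samples:
        try:
            print("accepted", authorization_params(*sample))
        except ParameterSourceError as err:
            print("rejected", err)
```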

From jricher@mitre.org  Fri Aug 16 07:08:25 2013
Message-ID: <520E31EC.1090600@mitre.org>
Date: Fri, 16 Aug 2013 10:06:36 -0400
From: Justin Richer <jricher@mitre.org>
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:17.0) Gecko/20130623 Thunderbird/17.0.7
MIME-Version: 1.0
To: Torsten Lodderstedt <torsten@lodderstedt.net>
References: <8e1ea7617c20b54b3cecbc99364b399a@gluu.org> <4AACCC15-5DE8-4906-9756-0E33D37FC240@oracle.com> <520A35CA.50006@aol.com> <520A3BAD.1050703@mitre.org> <7a9ce33274304311a64057bb305be011@BY2PR03MB189.namprd03.prod.outlook.com> <60b4af16cbbc9c5e5b00fc1e63072c45@gluu.org> <a31200b47c9d477ca226f5e1fdb2dfbf@BY2PR03MB189.namprd03.prod.outlook.com> <520A4549.5040206@aol.com> <a64cf984cc42495f9d5d362dd2f9b980@BY2PR03MB189.namprd03.prod.outlook.com> <520A472C.6040101@mitre.org> <D01CFAFF-0FB5-406C-86F3-E7D0952D01FB@oracle.com> <520A6B0D.7070103@aol.com> <520B2472.4040104@gmx.net> <F4E352F7-AF40-4D4B-B3F1-F8FEC4F5BA4C@gmail.com> <C4319956-096D-4040-BAE1-2247E2C37D8A@oracle.com> <3F77EA9B-0F5D-44E6-AFEB-C873D6342713@ve7jtb.com> <6cedab5c-f3aa-4b85-9ae8-aea67278568a@email.android.com>
In-Reply-To: <6cedab5c-f3aa-4b85-9ae8-aea67278568a@email.android.com>
Content-Type: multipart/alternative; boundary="------------080506090206040405000408"
X-Originating-IP: [129.83.31.56]
Cc: "mike@gluu.org" <mike@gluu.org>, "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] OX needs Dynamic Registration: please don't remove!

--------------080506090206040405000408
Content-Type: text/plain; charset="ISO-8859-1"; format=flowed
Content-Transfer-Encoding: 7bit

+1

Let's not shave a yak quite yet.

On 08/16/2013 01:32 AM, Torsten Lodderstedt wrote:
> +1
>
> Dyn reg should fit into the OAuth system as it is now, which uses 
> client ids and secrets. A (probably) improved OAuth is a completely 
> different topic. Let's handle it separately.
>
>
>
> John Bradley <ve7jtb@ve7jtb.com> wrote:
>
>     Yes a bearer token that is signed and/or encrypted by the AS reduces the amount of state required for the AS to maintain.
>
>     In RFC 6749 there is information about the client that is tied to the client_id, and is required at the authorization endpoint. (e.g. redirect_uri)
>
>     I understand the goal of reducing state in the IdP.   Some of us have looked at storing information in a signed client_id that would work in the existing RFC 6749 flows.
>
>     It seems that some people are dissatisfied with RFC 6749 and would like to see changes like removing implicit flows.
>
>     The current Dynamic registration spec deals with the current state of OAuth.   If the WG decides to do an OAuth 3 that fully supports assertions and ditches secrets I would be OK with that.
>     However let's not cripple what we have as a standard now by creating dynamic registration that can only be fully implemented in a future version of OAuth.
>
>     Some people want/need a client registration API now.  It is clearly a missing part of an entire OAuth system.
>     Supporting existing OAuth while minimizing state at the AS is something I support, waiting for an OAuth redesign is not in my opinion a reasonable medium term goal.
>
>     John B.
>
>
>     On 2013-08-14, at 11:47 PM, Phil Hunt <phil.hunt@oracle.com> wrote:
>
>         I am saying a bearer token is better than a password for the
>         service provider as Hannes explains.
>
>         Phil
>
>         On 2013-08-14, at 19:42, Nat Sakimura <sakimura@gmail.com> wrote:
>
>             Right. A Bearer Token does not have to be a shared secret.
>             It may have some structure that allows the server to
>             validate it statelessly, e.g. JWS-JWT.
>
>             =nat via iPhone
>
>             Aug 14, 2013 15:32, Hannes Tschofenig
>             <hannes.tschofenig@gmx.net> wrote:
>
>                 George is correct with his statements. There is,
>                 however, a difference between a shared secret and an
>                 assertion as Phil pointed out. For the assertion the
>                 server does not need to maintain state on a per-client
>                 basis. On the other hand since the client secret isn't
>                 really used in the classical sense of a password
>                 either but rather as a "cookie" (if used in the style
>                 of Section 2.3.1 of RFC6749) one could easily apply the
>                 concept of stateless tokens to them:
>                 http://tools.ietf.org/html/draft-rescorla-stateless-tokens-01
>
>                 On 08/13/2013 07:21 PM, George Fletcher wrote:
>
>                     Hi Phil,
>
>                     I'm sorry for not following completely. Some
>                     questions inline...
>
>                     On 8/13/13 11:00 AM, Phil Hunt wrote:
>
>                         Dyn reg and the scim reg variant depend too
>                         much/biased towards passwords expressed as
>                         client secrets. 
>
>                     I'm not sure what you mean in regards to "client
>                     secrets". There are OAuth2 bearer tokens that need
>                     to be protected because they are bearer tokens.
>                     That said, there is nothing in the spec that
>                     requires these to be opaque blobs vs signed
>                     tokens. So both the "Initial Access Token" and the
>                     "Registration Access Token" can be signed tokens.
>                     However, the client still has to protect them as
>                     if they were a "secret" because they are a bearer
>                     token and can be replayed. So it's the same amount
>                     of work on the client either way.
>
>                         A signed token approach has many advantages
>                         for service providers like not having to
>                         maintain a secure database of secrets/passwords. 
>
>                     If the concern here is the amount of data the
>                     Authorization Server has to store to manage these
>                     clients, then the current spec doesn't preclude
>                     using a "signed token". Both OAuth2 bearer tokens
>                     identified in the current spec can be signed tokens.
>
>                         Finally issuing both a client secret and
>                         registration token is costly and confusing to
>                         client developers. I relented somewhat when I
>                         realized kerberos does this--but i still feel
>                         it is a bad design at cloud scale. 
>
>                     Given that client_secrets are OPTIONAL in OAuth2
>                     for some use cases, I'm not sure how you abstract
>                     the client developer from having to deal with
>                     them. The client developer is going to be dealing
>                     with multiple OAuth2 tokens to multiple endpoints
>                     regardless so I don't see another token as costly
>                     or complex. At a minimum there is the
>                     refresh_token and access_token. Where is the added
>                     client developer complexity?
>
>                     Thanks,
>                     George
>
>                         Phil
>
>                         On 2013-08-13, at 7:48, Justin Richer
>                         <jricher@mitre.org <mailto:jricher@mitre.org>>
>                         wrote:
>
>                             The spec doesn't care where you deploy at
>                             -- if URL space is at a premium for you,
>                             then switch based on input parameters and
>                             other things. And you're still not clear
>                             on which "secrets" you're taking issue
>                             with.
>
>                             -- Justin
>
>                             On 08/13/2013 10:46 AM, Anthony Nadalin wrote:
>
>                                 #1, it's yet another endpoint to have
>                                 to manage secrets at, yes this is an
>                                 OAuth item but it's growing out of
>                                 control, we are trying to move away
>                                 from secrets and management of these
>                                 endpoints as this would be just
>                                 another one we have to support,
>                                 monitor and report on
>
>                                 #2 yes, 1 physical endpoint acting as
>                                 multiple authorization servers
>
>                                 *From:* George Fletcher [mailto:gffletch@aol.com]
>                                 *Sent:* Tuesday, August 13, 2013 7:40 AM
>                                 *To:* Anthony Nadalin
>                                 *Cc:* mike@gluu.org; Justin Richer; oauth@ietf.org
>                                 *Subject:* Re: [OAUTH-WG] OX needs Dynamic
>                                 Registration: please don't remove!
>
>                                 Hi Tony,
>
>                                 Could you please explain a little more?
>
>                                 For issue 1:
>                                 * Which "secret" are you referring to? OAuth2
>                                 by default allows for an optional
>                                 client_secret. I'm not sure why this
>                                 would cause management issues? Or are
>                                 you referring to the "Registration
>                                 Access Token"?
>                                 * Why is a separate endpoint an issue?
>                                 Any client is going to be talking to
>                                 more than just the /authorize and
>                                 /token endpoints anyway so I'm confused
>                                 regarding the extra complexity?
>
>                                 For issue 2:
>                                 * What specifically do you mean by
>                                 "multi-tenant"? Is this one server
>                                 acting on behalf of multiple tenants
>                                 and so appearing as multiple
>                                 Authorization Servers?
>
>                                 Thanks,
>                                 George
>
>                                 [snip...]
>
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth


--------------080506090206040405000408--
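
The signed client_id idea raised in the quoted discussion above (client metadata such as redirect_uri carried inside the identifier, so the AS keeps no per-client state), as an added example that is not part of any message in this thread. It assumes an HS256 JWS-style compact encoding and a single AS-held key; the names `issue_client_id`, `validate_authorization_request` and `InvalidClient` are hypothetical.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo key; a real AS would load this from protected storage.
AS_KEY = b"constructed-demo-key-not-for-production"


class InvalidClient(Exception):
    """Raised when a client_id or redirect_uri fails validation."""


def b64u(data: bytes) -> str:
    """Base64url without padding, as used by JWS compact serialization."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64u_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _sign(signing_input: str, key: bytes) -> bytes:
    return hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()


def issue_client_id(redirect_uris, lifetime_s=3600, now=None, key=AS_KEY) -> str:
    """Registration step: return a self-contained, signed client_id."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {
        "redirect_uris": sorted(redirect_uris),
        "iat": now,
        "exp": now + lifetime_s,
    }
    signing_input = ".".join(
        b64u(json.dumps(part, separators=(",", ":")).encode("utf-8"))
        for part in (header, claims)
    )
    return signing_input + "." + b64u(_sign(signing_input, key))


def validate_authorization_request(client_id, redirect_uri, now=None, key=AS_KEY) -> dict:
    """Authorization endpoint check with no database lookup.

    The signature is verified with the one algorithm the AS uses before
    anything inside the token is trusted; the header is then required to
    name that same algorithm.
    """
    now = int(time.time()) if now is None else now
    parts = client_id.split(".")
    if len(parts) != 3:
        raise InvalidClient("malformed client_id")
    try:
        expected = _sign(parts[0] + "." + parts[1], key)
        presented = b64u_decode(parts[2])
    except ValueError:
        raise InvalidClient("malformed client_id")
    if not hmac.compare_digest(expected, presented):
        raise InvalidClient("bad signature")
    try:
        header = json.loads(b64u_decode(parts[0]))
        claims = json.loads(b64u_decode(parts[1]))
    except ValueError:
        raise InvalidClient("malformed client_id")
    if header.get("alg") != "HS256":
        raise InvalidClient("unexpected alg")
    exp = claims.get("exp")
    if not isinstance(exp, int) or now >= exp:
        raise InvalidClient("client_id expired")
    # Exact string match against the URIs fixed at registration time.
    if redirect_uri not in claims.get("redirect_uris", []):
        raise InvalidClient("redirect_uri not registered")
    return claims


if __name__ == "__main__":
    # Constructed sample registration and authorization request.
    cid = issue_client_id(["https://client.example/cb"], now=1000)
    print(validate_authorization_request(cid, "https://client.example/cb", now=1500))
    try:
        validate_authorization_request(cid, "https://other.example/cb", now=1500)
    except InvalidClient as err:
        print("rejected:", err)
```

Because nothing is stored, a client_id issued this way cannot be revoked before its `exp` without reintroducing some state at the AS.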

From phil.hunt@oracle.com  Fri Aug 16 07:08:33 2013
References: <8e1ea7617c20b54b3cecbc99364b399a@gluu.org> <4AACCC15-5DE8-4906-9756-0E33D37FC240@oracle.com> <520A35CA.50006@aol.com> <520A3BAD.1050703@mitre.org> <7a9ce33274304311a64057bb305be011@BY2PR03MB189.namprd03.prod.outlook.com> <60b4af16cbbc9c5e5b00fc1e63072c45@gluu.org> <a31200b47c9d477ca226f5e1fdb2dfbf@BY2PR03MB189.namprd03.prod.outlook.com> <520A4549.5040206@aol.com> <a64cf984cc42495f9d5d362dd2f9b980@BY2PR03MB189.namprd03.prod.outlook.com> <520A472C.6040101@mitre.org> <D01CFAFF-0FB5-406C-86F3-E7D0952D01FB@oracle.com> <520A6B0D.7070103@aol.com> <520B2472.4040104@gmx.net> <F4E352F7-AF40-4D4B-B3F1-F8FEC4F5BA4C@gmail.com> <C4319956-096D-4040-BAE1-2247E2C37D8A@oracle.com> <3F77EA9B-0F5D-44E6-AFEB-C873D6342713@ve7jtb.com> <6cedab5c-f3aa-4b85-9ae8-aea67278568a@email.android.com>
Mime-Version: 1.0 (1.0)
In-Reply-To: <6cedab5c-f3aa-4b85-9ae8-aea67278568a@email.android.com>
Content-Type: multipart/alternative; boundary=Apple-Mail-0DB66E07-4B61-4039-9F8F-96EE63E87231
Content-Transfer-Encoding: 7bit
Message-Id: <359C5FC1-19AA-4063-AA4E-6BF239BCEEA1@oracle.com>
X-Mailer: iPhone Mail (10B329)
From: Phil Hunt <phil.hunt@oracle.com>
Date: Fri, 16 Aug 2013 07:08:05 -0700
To: Torsten Lodderstedt <torsten@lodderstedt.net>
X-Source-IP: acsinet22.oracle.com [141.146.126.238]
Cc: "mike@gluu.org" <mike@gluu.org>, "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] OX needs Dynamic Registration: please don't remove!

--Apple-Mail-0DB66E07-4B61-4039-9F8F-96EE63E87231
Content-Type: text/plain;
	charset=utf-8
Content-Transfer-Encoding: quoted-printable

Before everyone gets excited, all John and was referring to was providing further definition on client_id that allows scenarios where the id isn't issued by the AS but rather a federated entity.

This in no way changes how 6749 works.

In particular for javascript clients it would avoid the incredible cost of registration for EVERY execution of a script.

Dyn Reg currently has to assume a client_id must be issued by the as the controls access to the resource endpoint.

The change here is on the level of errata. Nevertheless we are permitted to change as the standard is technically not final. (Yet as pointed out in practice it is)

Phil

On 2013-08-15, at 22:32, Torsten Lodderstedt <torsten@lodderstedt.net> wrote:

> +1
>
> Dyn reg should fit into the OAuth system as it is now, which uses client ids and secrets. A (probably) improved OAuth is a completely different topic. Let's handle it separately.
>
>
>
> John Bradley <ve7jtb@ve7jtb.com> wrote:
>>
>> Yes a bearer token that is signed and/or encrypted by the AS reduces the amount of state required for the AS to maintain.
>>
>> In RFC 6749 there is information about the client that is tied to the client_id, and is required at the authorization endpoint. (e.g. redirect_uri)
>>
>> I understand the goal of reducing state in the IdP.   Some of us have looked at storing information in a signed client_id that would work in the existing RFC 6749 flows.
>>
>> It seems that some people are dissatisfied with RFC 6749 and would like to see changes like removing implicit flows.
>>
>> The current Dynamic registration spec deals with the current state of OAuth.   If the WG decides to do an OAuth 3 that fully supports assertions and ditches secrets I would be OK with that.
>> However let's not cripple what we have as a standard now by creating dynamic registration that can only be fully implemented in a future version of OAuth.
>>
>> Some people want/need a client registration API now.  It is clearly a missing part of an entire OAuth system.
>> Supporting existing OAuth while minimizing state at the AS is something I support, waiting for an OAuth redesign is not in my opinion a reasonable medium term goal.
>>
>> John B.
>>
>>
>> On 2013-08-14, at 11:47 PM, Phil Hunt <phil.hunt@oracle.com> wrote:
>>
>>> I am saying a bearer token is better than a password for the service provider as Hannes explains.
>>>
>>> Phil
>>>
>>> On 2013-08-14, at 19:42, Nat Sakimura <sakimura@gmail.com> wrote:
>>>
>>>> Right. A Bearer Token does not have to be a shared secret. It may have some structure that allows the server to validate it statelessly, e.g. JWS-JWT.
>>>> =nat via iPhone
>>>>
>>>> Aug 14, 2013 15:32, Hannes Tschofenig <hannes.tschofenig@gmx.net> wrote:
>>>>
>>>>> George is correct with his statements. There is, however, a difference between a shared secret and an assertion as Phil pointed out. For the assertion the server does not need to maintain state on a per-client basis. On the other hand since the client secret isn't really used in the classical sense of a password either but rather as a "cookie" (if used in the style of Section 2.3.1 of RFC6749) one could easily apply the concept of stateless tokens to them:
>>>>> http://tools.ietf.org/html/draft-rescorla-stateless-tokens-01
>>>>>
>>>>>
>>>>> On 08/13/2013 07:21 PM, George Fletcher wrote:
>>>>>> Hi Phil,
>>>>>>
>>>>>> I'm sorry for not following completely. Some questions inline...
>>>>>>
>>>>>> On 8/13/13 11:00 AM, Phil Hunt wrote:
>>>>>>> Dyn reg and the scim reg variant depend too much/biased towards
>>>>>>> passwords expressed as client secrets.
>>>>>> I'm not sure what you mean in regards to "client secrets". There are
>>>>>> OAuth2 bearer tokens that need to be protected because they are bearer
>>>>>> tokens. That said, there is nothing in the spec that requires these to
>>>>>> be opaque blobs vs signed tokens. So both the "Initial Access Token" and
>>>>>> the "Registration Access Token" can be signed tokens. However, the
>>>>>> client still has to protect them as if they were a "secret" because they
>>>>>> are a bearer token and can be replayed. So it's the same amount of work
>>>>>> on the client either way.
>>>>>>
>>>>>>
>>>>>>> A signed token approach has many advantages for service providers like
>>>>>>> not having to maintain a secure database of secrets/passwords.
>>>>>> If the concern here is the amount of data the Authorization Server has
>>>>>> to store to manage these clients, then the current spec doesn't preclude
>>>>>> using a "signed token". Both OAuth2 bearer tokens identified in the
>>>>>> current spec can be signed tokens.
>>>>>>
>>>>>>> Finally issuing both a client secret and registration token is costly
>>>>>>> and confusing to client developers.  I relented somewhat when I
>>>>>>> realized kerberos does this--but i still feel it is a bad design at
>>>>>>> cloud scale.
>>>>>> Given that client_secrets are OPTIONAL in OAuth2 for some use cases,
>>>>>> I'm
>>>>>> not sure how you abstract the client developer from having to deal with
>>>>>> them. The client developer is going to be dealing with multiple OAuth2
>>>>>> tokens to multiple endpoints regardless so I don't see another token as
>>>>>> costly or complex. At a minimum there is the refresh_token and
>>>>>> access_token. Where is the added client developer complexity?
>>>>>>
>>>>>> Thanks,
>>>>>> George
>>>>>>
>>>>>>
>>>>>>> Phil
>>>>>>>=20
>>>>>>> On 2013-08-13, at 7:48, Justin Richer <jricher@mitre.org> wrote:
>>>>>>>
>>>>>>>> The spec doesn't care where you deploy at -- if URL space is at a
>>>>>>>> premium for you, then switch based on input parameters and other
>>>>>>>> things. And you're still not clear on which "secrets" you're taking
>>>>>>>> issue with.
>>>>>>>>
>>>>>>>> -- Justin
>>>>>>>>
>>>>>>>> On 08/13/2013 10:46 AM, Anthony Nadalin wrote:
>>>>>>>>
>>>>>>>>> #1, it's yet another endpoint to have to manage secrets at, yes this
>>>>>>>>> is an OAuth item but it’s growing out of control, we are trying to
>>>>>>>>> move away from secrets and management of these endpoints as this
>>>>>>>>> would be just another one we have to support, monitor and report on
>>>>>>>>>
>>>>>>>>> #2 yes, 1 physical endpoint acting as multiple authorization servers
>>>>>>>>>
>>>>>>>>> From: George Fletcher [mailto:gffletch@aol.com]
>>>>>>>>> Sent: Tuesday, August 13, 2013 7:40 AM
>>>>>>>>> To: Anthony Nadalin
>>>>>>>>> Cc: mike@gluu.org; Justin Richer; oauth@ietf.org
>>>>>>>>> Subject: Re: [OAUTH-WG] OX needs Dynamic Registration: please don't remove!
>>>>>>>>>
>>>>>>>>> Hi Tony,
>>>>>>>>>
>>>>>>>>> Could you please explain a little more?
>>>>>>>>>
>>>>>>>>> For issue 1:
>>>>>>>>> * Which "secret" are you referring to? OAuth2 by default allows for
>>>>>>>>> an optional client_secret. I'm not sure why this would cause
>>>>>>>>> management issues? Or are you referring to the "Registration Access
>>>>>>>>> Token"?
>>>>>>>>> * Why is a separate endpoint an issue? Any client is going to be
>>>>>>>>> talking to more than just the /authorize and /token endpoints anyway
>>>>>>>>> so I'm confused regarding the extra complexity?
>>>>>>>>>
>>>>>>>>> For issue 2:
>>>>>>>>> * What specifically do you mean by "multi-tenant"? Is this one
>>>>>>>>> server acting on behalf of multiple tenants and so appearing as
>>>>>>>>> multiple Authorization Servers?
>>>>>>>>>
>>>>>>>>> Thanks,
>>>>>>>>> George
>>>>>>>>>
>>>>>>>>> [snip...]
>>>>>>>
>>>>>>> OAuth mailing list
>>>>>>> OAuth@ietf.org
>>>>>>> https://www.ietf.org/mailman/listinfo/oauth


--Apple-Mail-0DB66E07-4B61-4039-9F8F-96EE63E87231--
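
Added example (not part of any message in this thread, and not code from the OAuth WG or the drafts it cites): a Python sketch of the stateless approach Nat, Hannes and John describe above, where the AS signs the client's registration data (here its redirect URIs) into the client_id and validates it at the authorization endpoint without a per-client record. The HS256 JWS compact layout, the function names, the key and the URLs are assumptions made for the illustration.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo key (assumption); a real AS keeps its signing key in a
# KMS/HSM and rotates it.
AS_SIGNING_KEY = b"constructed-demo-key-do-not-reuse"


class InvalidClient(Exception):
    """Raised when a client_id or redirect_uri fails validation."""


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _mac(signing_input: str, key: bytes) -> bytes:
    return hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()


def issue_client_id(redirect_uris, lifetime_s=3600, now=None, key=AS_SIGNING_KEY):
    """Registration: pack the client's metadata into a signed client_id.

    Nothing is written to a database; the returned string is the only record.
    """
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"redirect_uris": list(redirect_uris), "iat": now, "exp": now + lifetime_s}
    signing_input = ".".join(
        b64url_encode(json.dumps(part, separators=(",", ":")).encode("utf-8"))
        for part in (header, claims)
    )
    return signing_input + "." + b64url_encode(_mac(signing_input, key))


def validate_authorization_request(client_id, redirect_uri, now=None, key=AS_SIGNING_KEY):
    """Authorization endpoint: recover client metadata from client_id alone."""
    now = int(time.time()) if now is None else now
    try:
        header_b64, claims_b64, sig_b64 = client_id.split(".")
        expected = _mac(header_b64 + "." + claims_b64, key)
        presented = b64url_decode(sig_b64)
    except ValueError as exc:  # wrong part count, bad base64, non-ASCII input
        raise InvalidClient("malformed client_id") from exc

    # Check the MAC before parsing anything the caller controls.
    if not hmac.compare_digest(presented, expected):
        raise InvalidClient("signature mismatch")

    try:
        header = json.loads(b64url_decode(header_b64))
        claims = json.loads(b64url_decode(claims_b64))
    except ValueError as exc:
        raise InvalidClient("undecodable client_id") from exc

    # Pin the algorithm instead of letting the token header choose one.
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise InvalidClient("unexpected alg")
    if not isinstance(claims, dict) or not isinstance(claims.get("exp"), int):
        raise InvalidClient("missing exp")
    if now >= claims["exp"]:
        raise InvalidClient("registration expired")
    # Exact string match only: no prefix or pattern matching on redirect URIs.
    if redirect_uri not in claims.get("redirect_uris", []):
        raise InvalidClient("redirect_uri not registered")
    return claims
```

Because no per-client record exists, an individual client_id cannot be revoked before its exp without reintroducing state (a deny list) or rotating the key. A Registration Access Token built the same way is still a bearer credential that the client has to protect, as George notes above.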

From phil.hunt@oracle.com  Fri Aug 16 07:14:06 2013
References: <8e1ea7617c20b54b3cecbc99364b399a@gluu.org> <4AACCC15-5DE8-4906-9756-0E33D37FC240@oracle.com> <520A35CA.50006@aol.com> <520A3BAD.1050703@mitre.org> <7a9ce33274304311a64057bb305be011@BY2PR03MB189.namprd03.prod.outlook.com> <60b4af16cbbc9c5e5b00fc1e63072c45@gluu.org> <a31200b47c9d477ca226f5e1fdb2dfbf@BY2PR03MB189.namprd03.prod.outlook.com> <520A4549.5040206@aol.com> <a64cf984cc42495f9d5d362dd2f9b980@BY2PR03MB189.namprd03.prod.outlook.com> <520A472C.6040101@mitre.org> <D01CFAFF-0FB5-406C-86F3-E7D0952D01FB@oracle.com> <520A6B0D.7070103@aol.com> <520B2472.4040104@gmx.net> <F4E352F7-AF40-4D4B-B3F1-F8FEC4F5BA4C@gmail.com> <C4319956-096D-4040-BAE1-2247E2C37D8A@oracle.com> <3F77EA9B-0F5D-44E6-AFEB-C873D6342713@ve7jtb.com> <6cedab5c-f3aa-4b85-9ae8-aea67278568a@email.android.com> <520E31EC.1090600@mitre.org>
Mime-Version: 1.0 (1.0)
In-Reply-To: <520E31EC.1090600@mitre.org>
Content-Type: multipart/alternative; boundary=Apple-Mail-F583E0F7-9F3F-4D40-831D-2D8250BBE7C5
Content-Transfer-Encoding: 7bit
Message-Id: <F7F4D386-E9AF-4E29-9ACE-40723127EBE2@oracle.com>
X-Mailer: iPhone Mail (10B329)
From: Phil Hunt <phil.hunt@oracle.com>
Date: Fri, 16 Aug 2013 07:13:46 -0700
To: Justin Richer <jricher@mitre.org>
X-Source-IP: acsinet22.oracle.com [141.146.126.238]
Cc: "mike@gluu.org" <mike@gluu.org>, "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] OX needs Dynamic Registration: please don't remove!

--Apple-Mail-F583E0F7-9F3F-4D40-831D-2D8250BBE7C5
Content-Type: text/plain;
	charset=utf-8
Content-Transfer-Encoding: quoted-printable

-1

I would say the analogy is this:

Clarify client_id = shave the yak to get the fur
Dyn reg = skin the yak to make access to the fur easier.

The yak in this case is the SP.

Dyn reg works but the sp dies under the load in the process.

Phil

On 2013-08-16, at 7:06, Justin Richer <jricher@mitre.org> wrote:

> +1
>
> Let's not shave a yak quite yet.
>
> On 08/16/2013 01:32 AM, Torsten Lodderstedt wrote:
>> +1
>>
>> Dyn reg should fit into the OAuth system as it is now, which uses client ids and secrets. A (probably) improved OAuth is a completely different topic. Let's handle it separately.
>>
>>
>>
>> John Bradley <ve7jtb@ve7jtb.com> wrote:
>>>
>>> Yes a bearer token that is signed and/or encrypted by the AS reduces the amount of state required for the AS to maintain.
>>>
>>> In RFC 6749 there is information about the client that is tied to the client_id, and is required at the authorization endpoint. (e.g. redirect_uri)
>>>
>>> I understand the goal of reducing state in the IdP. Some of us have looked at storing information in a signed client_id that would work in the existing RFC 6749 flows.
>>>
>>> It seems that some people are dissatisfied with RFC 6749 and would like to see changes like removing implicit flows.
>>>
>>> The current Dynamic registration spec deals with the current state of OAuth. If the WG decides to do an OAuth 3 that fully supports assertions and ditches secrets I would be OK with that.
>>> However let's not cripple what we have as a standard now by creating dynamic registration that can only be fully implemented in a future version of OAuth.
>>>
>>> Some people want/need a client registration API now. It is clearly a missing part of an entire OAuth system.
>>> Supporting existing OAuth while minimizing state at the AS is something I support, waiting for an OAuth redesign is not in my opinion a reasonable medium term goal.
>>>
>>> John B.
>>>
>>>
>>> On 2013-08-14, at 11:47 PM, Phil Hunt <phil.hunt@oracle.com> wrote:
>>>
>>>> I am saying a bearer token is better than a password for the service provider as Hannes explains.
>>>>
>>>> Phil
>>>>
>>>> On 2013-08-14, at 19:42, Nat Sakimura <sakimura@gmail.com> wrote:
>>>>
>>>>> Right. A Bearer Token does not have to be a shared secret. It may have some structure that allows the server to validate it statelessly, e.g. JWS-JWT.
>>>>>
>>>>> =nat via iPhone
>>>>>
>>>>> Aug 14, 2013 15:32, Hannes Tschofenig <hannes.tschofenig@gmx.net> wrote:
>>>>>
>>>>>> George is correct with his statements. There is, however, a difference between a shared secret and an assertion as Phil pointed out. For the assertion the server does not need to maintain state on a per-client basis. On the other hand since the client secret isn't really used in the classical sense of a password either but rather as a "cookie" (if used in the style of Section 2.3.1 of RFC6749) one could easily apply the concept of stateless tokens to them:
>>>>>> http://tools.ietf.org/html/draft-rescorla-stateless-tokens-01
>>>>>>
>>>>>>
>>>>>> On 08/13/2013 07:21 PM, George Fletcher wrote:
>>>>>>> Hi Phil,
>>>>>>>
>>>>>>> I'm sorry for not following completely. Some questions inline...
>>>>>>>
>>>>>>> On 8/13/13 11:00 AM, Phil Hunt wrote:
>>>>>>>> Dyn reg and the scim reg variant depend too much/biased towards
>>>>>>>> passwords expressed as client secrets.
>>>>>>> I'm not sure what you mean in regards to "client secrets". There are
>>>>>>> OAuth2 bearer tokens that need to be protected because they are bearer
>>>>>>> tokens. That said, there is nothing in the spec that requires these to
>>>>>>> be opaque blobs vs signed tokens. So both the "Initial Access Token" and
>>>>>>> the "Registration Access Token" can be signed tokens. However, the
>>>>>>> client still has to protect them as if they were a "secret" because they
>>>>>>> are a bearer token and can be replayed. So it's the same amount of work
>>>>>>> on the client either way.
>>>>>>>
>>>>>>>
>>>>>>>> A signed token approach has many advantages for service providers like
>>>>>>>> not having to maintain a secure database of secrets/passwords.
>>>>>>> If the concern here is the amount of data the Authorization Server has
>>>>>>> to store to manage these clients, then the current spec doesn't preclude
>>>>>>> using a "signed token". Both OAuth2 bearer tokens identified in the
>>>>>>> current spec can be signed tokens.
>>>>>>>
>>>>>>>> Finally issuing both a client secret and registration token is costly
>>>>>>>> and confusing to client developers.  I relented somewhat when I
>>>>>>>> realized Kerberos does this--but I still feel it is a bad design at
>>>>>>>> cloud scale.
>>>>>>> Given that client_secrets are OPTIONAL in OAuth2 for some use cases, I'm
>>>>>>> not sure how you abstract the client developer from having to deal with
>>>>>>> them. The client developer is going to be dealing with multiple OAuth2
>>>>>>> tokens to multiple endpoints regardless so I don't see another token as
>>>>>>> costly or complex. At a minimum there is the refresh_token and
>>>>>>> access_token. Where is the added client developer complexity?
>>>>>>>
>>>>>>> Thanks,
>>>>>>> George
>>>>>>>
>>>>>>>
>>>>>>>> Phil
>>>>>>>>
>>>>>>>> On 2013-08-13, at 7:48, Justin Richer <jricher@mitre.org> wrote:
>>>>>>>>
>>>>>>>>> The spec doesn't care where you deploy at -- if URL space is at a
>>>>>>>>> premium for you, then switch based on input parameters and other
>>>>>>>>> things. And you're still not clear on which "secrets" you're taking
>>>>>>>>> issue with.
>>>>>>>>>
>>>>>>>>> -- Justin
>>>>>>>>>
>>>>>>>>> On 08/13/2013 10:46 AM, Anthony Nadalin wrote:
>>>>>>>>>
>>>>>>>>>> #1, it's yet another endpoint to have to manage secrets at, yes this
>>>>>>>>>> is an OAuth item but it’s growing out of control, we are trying to
>>>>>>>>>> move away from secrets and management of these endpoints as this
>>>>>>>>>> would be just another one we have to support, monitor and report on
>>>>>>>>>>
>>>>>>>>>> #2 yes, 1 physical endpoint acting as multiple authorization servers
>>>>>>>>>>
>>>>>>>>>> From: George Fletcher [mailto:gffletch@aol.com]
>>>>>>>>>> Sent: Tuesday, August 13, 2013 7:40 AM
>>>>>>>>>> To: Anthony Nadalin
>>>>>>>>>> Cc: mike@gluu.org; Justin Richer; oauth@ietf.org
>>>>>>>>>> Subject: Re: [OAUTH-WG] OX needs Dynamic Registration: please don't remove!
>>>>>>>>>>
>>>>>>>>>> Hi Tony,
>>>>>>>>>>
>>>>>>>>>> Could you please explain a little more?
>>>>>>>>>>
>>>>>>>>>> For issue 1:
>>>>>>>>>> * Which "secret" are you referring to? OAuth2 by default allows for
>>>>>>>>>> an optional client_secret. I'm not sure why this would cause
>>>>>>>>>> management issues? Or are you referring to the "Registration Access
>>>>>>>>>> Token"?
>>>>>>>>>> * Why is a separate endpoint an issue? Any client is going to be
>>>>>>>>>> talking to more than just the /authorize and /token endpoints anyway
>>>>>>>>>> so I'm confused regarding the extra complexity?
>>>>>>>>>>
>>>>>>>>>> For issue 2:
>>>>>>>>>> * What specifically do you mean by "multi-tenant"? Is this one
>>>>>>>>>> server acting on behalf of multiple tenants and so appearing as
>>>>>>>>>> multiple Authorization Servers?
>>>>>>>>>>
>>>>>>>>>> Thanks,
>>>>>>>>>> George
>>>>>>>>>>
>>>>>>>>>> [snip...]
>>>>>>>>
>>>>>>>> OAuth mailing list
>>>>>>>> OAuth@ietf.org
>>>>>>>> https://www.ietf.org/mailman/listinfo/oauth

--Apple-Mail-F583E0F7-9F3F-4D40-831D-2D8250BBE7C5
Content-Type: text/html;
	charset=utf-8
Content-Transfer-Encoding: quoted-printable

<html><head><meta http-equiv=3D"content-type" content=3D"text/html; charset=3D=
utf-8"></head><body dir=3D"auto"><div>-1</div><div><br></div><div>I would sa=
y the analogy is this:</div><div><br></div><div>Clarify client_id =3D shave t=
he yak to get the fur</div><div>Dyn reg =3D skin the yak to make access to t=
he fur easier.&nbsp;<br><br>The yak in this case is the SP.&nbsp;</div><div>=
<br></div><div>Dyn reg works but the sp dies under the load in the process.&=
nbsp;</div><div><br>Phil</div><div><br>On 2013-08-16, at 7:06, Justin Richer=
 &lt;<a href=3D"mailto:jricher@mitre.org">jricher@mitre.org</a>&gt; wrote:<b=
r><br></div><blockquote type=3D"cite"><div>
 =20
    <meta content=3D"text/html; charset=3DISO-8859-1" http-equiv=3D"Content-=
Type">
 =20
 =20
    +1<br>
    <br>
    Let's not shave a yak quite yet. <br>
    <br>
    <div class=3D"moz-cite-prefix">On 08/16/2013 01:32 AM, Torsten
      Lodderstedt wrote:<br>
    </div>
    <blockquote cite=3D"mid:6cedab5c-f3aa-4b85-9ae8-aea67278568a@email.andro=
id.com" type=3D"cite">
      <meta http-equiv=3D"Content-Type" content=3D"text/html;
        charset=3DISO-8859-1">
      +1 <br>
      <br>
      Dyn reg should fit into the OAuth system as it is now, which uses
      client ids and secrets. A (probably) improved OAuth is a
      completely different topic. Let's handle it separately. <br>
      <br>
      <div class=3D"gmail_quote"><br>
        <br>
        John Bradley <a class=3D"moz-txt-link-rfc2396E" href=3D"mailto:ve7jt=
b@ve7jtb.com">&lt;ve7jtb@ve7jtb.com&gt;</a> schrieb:
        <blockquote class=3D"gmail_quote" style=3D"margin: 0pt 0pt 0pt
          0.8ex; border-left: 1px solid rgb(204, 204, 204);
          padding-left: 1ex;">
          <pre class=3D"k9mail">Yes a bearer token that is signed and or enc=
rypted by the AS reduces the amount of state required for the AS to maintain=
.=20

In RFC 6749 there is information about the client that is tied to the client=
_id, and is required at the authorization endpoint. (eg redirect_uri)

I understand the goal of reducing state in the IdP.   Some of us have looked=
 at storing information in a signed client_id that would work in the existin=
g RFC 6749 flows.

It seems that some people are dissatisfied with RFC 6749 and would like to s=
ee changes like removing implicit flows.

The current Dynamic registration spec deals with the current state of OAuth.=
   If the WG decides to do a OAuth 3 that fully supports assertions and ditc=
hes secrets I would be OK with that.=20
However lets not cripple what we have as a standard now by crating dynamic r=
egistration that can only be fully implemented  in a future version of OAuth=
.

Some peopl
 e
want/need a client registration API now.  It is clearly a missing part of an=
 entire OAuth system.  =20
Supporting existing OAuth while minimizing state at the AS is something I su=
pport, waiting for a OAuth redesign is not in my opinion a reasonable medium=
 term goal.

John B.


On 2013-08-14, at 11:47 PM, Phil Hunt <a class="moz-txt-link-rfc2396E" href="mailto:phil.hunt@oracle.com">&lt;phil.hunt@oracle.com&gt;</a> wrote:

<blockquote class="gmail_quote" style="margin: 0pt 0pt 1ex 0.8ex; border-left: 1px solid #729fcf; padding-left: 1ex;">I am saying a bearer token is better than a password for the service provider as Hannes explains.

Phil

On 2013-08-14, at 19:42, Nat Sakimura <a class="moz-txt-link-rfc2396E" href="mailto:sakimura@gmail.com">&lt;sakimura@gmail.com&gt;</a> wrote:

<blockquote class="gmail_quote" style="margin: 0pt 0pt 1ex 0.8ex; border-left: 1px solid #ad7fa8; padding-left: 1ex;">Right. A Bearer Token does not have to be a shared secret. It may have some structure that allows the server to validate it statelessly, e.g. JWS-JWT.

=nat via iPhone

Aug 14, 2013 15:32, Hannes Tschofenig <a class="moz-txt-link-rfc2396E" href="mailto:hannes.tschofenig@gmx.net">&lt;hannes.tschofenig@gmx.net&gt;</a> wrote:

<blockquote class="gmail_quote" style="margin: 0pt 0pt 1ex 0.8ex; border-left: 1px solid #8ae234; padding-left: 1ex;">George is correct with his statements. There is, however, a difference between a shared secret and an assertion as Phil pointed out. For the assertion the server does not need to maintain state on a per-client basis. On the other hand since the client secret isn't really used in the classical sense of a password either but rather as a "cookie" (if used in the style of Section 2.3.1 of RFC6749) one could easily apply the concept of stateless tokens to them:
<a moz-do-not-send="true" href="http://tools.ietf.org/html/draft-rescorla-stateless-tokens-01">http://tools.ietf.org/html/draft-rescorla-stateless-tokens-01</a>


On 08/13/2013 07:21 PM, George Fletcher wrote:
<blockquote class="gmail_quote" style="margin: 0pt 0pt 1ex 0.8ex; border-left: 1px solid #fcaf3e; padding-left: 1ex;">Hi Phil,

I'm sorry for not following completely. Some questions inline...

On 8/13/13 11:00 AM, Phil Hunt wrote:
<blockquote class="gmail_quote" style="margin: 0pt 0pt 1ex 0.8ex; border-left: 1px solid #e9b96e; padding-left: 1ex;">Dyn reg and the scim reg variant depend too much/biased towards
passwords expressed as client secrets.
</blockquote>I'm not sure what you mean in regards to "client secrets". There are
OAuth2 bearer tokens that need to be protected because they are bearer
tokens. That said, there is nothing in the spec that requires these to
be opaque blobs vs signed tokens. So both the "Initial Access Token" and
the "Registration Access Token" can be signed tokens. However, the
client still has to protect them as if they were a "secret" because they
are a bearer token and can be replayed. So it's the same amount of work
on the client either way.


<blockquote class="gmail_quote" style="margin: 0pt 0pt 1ex 0.8ex; border-left: 1px solid #e9b96e; padding-left: 1ex;">A signed token approach has many advantages for service providers like
not having to maintain a secure database of secrets/passwords.
</blockquote>If the concern here is the amount of data the Authorization Server has
to store to manage these clients, then the current spec doesn't preclude
using a "signed token". Both OAuth2 bearer tokens identified in the
current spec can be signed tokens.

<blockquote class="gmail_quote" style="margin: 0pt 0pt 1ex 0.8ex; border-left: 1px solid #e9b96e; padding-left: 1ex;">Finally issuing both a client secret and registration token is costly
and confusing to client developers.  I relented somewhat when I
realized Kerberos does this--but I still feel it is a bad design at
cloud scale.
</blockquote>Given that client_secrets are OPTIONAL in OAuth2 for some use cases, I'm
not sure how you abstract the client developer from having to deal with
them. The client developer is going to be dealing with multiple OAuth2
tokens to multiple endpoints regardless so I don't see another token as
costly or complex. At a minimum there is the refresh_token and
access_token. Where is the added client developer complexity?

Thanks,
George


<blockquote class="gmail_quote" style="margin: 0pt 0pt 1ex 0.8ex; border-left: 1px solid #e9b96e; padding-left: 1ex;">Phil

On 2013-08-13, at 7:48, Justin Richer &lt;<a class="moz-txt-link-abbreviated" href="mailto:jricher@mitre.org">jricher@mitre.org</a>
<a class="moz-txt-link-rfc2396E" href="mailto:jricher@mitre.org">&lt;mailto:jricher@mitre.org&gt;</a>&gt; wrote:

<blockquote class="gmail_quote" style="margin: 0pt 0pt 1ex 0.8ex; border-left: 1px solid #ccc; padding-left: 1ex;">The spec doesn't care where you deploy at -- if URL space is at a
premium for you, then switch based on input parameters and other
things. And you're still not clear on which "secrets" you're taking
issue with.

-- Justin

On 08/13/2013 10:46 AM, Anthony Nadalin wrote:

<blockquote class="gmail_quote" style="margin: 0pt 0pt 1ex 0.8ex; border-left: 1px solid #ccc; padding-left: 1ex;">#1, it's yet another endpoint to have to manage secrets at, yes this
is an OAuth item but it's growing out of control, we are trying to
move away from secrets and management of these endpoints as this
would be just another one we have to support, monitor and report on

#2 yes, 1 physical endpoint acting as multiple authorization servers

*From:*George Fletcher [<a class="moz-txt-link-freetext" href="mailto:gffletch@aol.com">mailto:gffletch@aol.com</a>]
*Sent:* Tuesday, August 13, 2013 7:40 AM
*To:* Anthony Nadalin
*Cc:* <a class="moz-txt-link-abbreviated" href="mailto:mike@gluu.org">mike@gluu.org</a>; Justin Richer; <a class="moz-txt-link-abbreviated" href="mailto:oauth@ietf.org">oauth@ietf.org</a>
*Subject:* Re: [OAUTH-WG] OX needs Dynamic Registration: please
don't remove!

Hi Tony,

Could you please explain a little more?

For issue 1:
* Which "secret" are you referring to? OAuth2 by default allows for
an optional client_secret. I'm not sure why this would cause
management issues? Or are you referring to the "Registration Access
Token"?
* Why is a separate endpoint an issue? Any client is going to be
talking to more than just the /authorize and /token endpoints anyway
so I'm confused regarding the extra complexity?

For issue 2:
* What specifically do you mean by "multi-tenant"? Is this one
server acting on behalf of multiple tenants and so appearing as
multiple Authorization Servers?

Thanks,
George

[snip...]</blockquote>

</blockquote><hr>
OAuth mailing list
<a class="moz-txt-link-abbreviated" href="mailto:OAuth@ietf.org">OAuth@ietf.org</a>
<a moz-do-not-send="true" href="https://www.ietf.org/mailman/listinfo/oauth">https://www.ietf.org/mailman/listinfo/oauth</a></blockquote>
--


</blockquote>
</blockquote>
</blockquote>
</blockquote>
</pre>
        </blockquote>
      </div>
      <br>
      <fieldset class="mimeAttachmentHeader"></fieldset>
      <br>
    </blockquote>
    <br>

</div></blockquote></body></html>

--Apple-Mail-F583E0F7-9F3F-4D40-831D-2D8250BBE7C5--
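
The stateless client_id idea raised in this thread (John Bradley's signed client_id carrying data such as redirect_uri, and Nat Sakimura's JWS-JWT remark), sketched as an added example that is not code from any poster or from the dynamic registration draft. The function names, claim names, HS256 choice and key are assumptions made for the example.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo key (assumption). A real AS would keep this in a KMS/HSM and rotate it.
AS_SIGNING_KEY = b"constructed-demo-key-not-for-production-use"
HEADER = {"alg": "HS256", "typ": "JWT"}


class InvalidClient(Exception):
    """Raised when a client_id fails stateless validation."""


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign(signing_input: bytes, key: bytes) -> bytes:
    return hmac.new(key, signing_input, hashlib.sha256).digest()


def issue_client_id(redirect_uris, key=AS_SIGNING_KEY, now=None, lifetime=86400):
    """Registration endpoint: pack the client's metadata into a signed client_id.

    Nothing is written to a client table; the returned string is the record.
    """
    now = int(time.time()) if now is None else now
    claims = {"redirect_uris": sorted(redirect_uris), "iat": now, "exp": now + lifetime}
    head = b64url(json.dumps(HEADER, separators=(",", ":")).encode())
    body = b64url(json.dumps(claims, separators=(",", ":")).encode())
    mac = b64url(sign(f"{head}.{body}".encode("ascii"), key))
    return f"{head}.{body}.{mac}"


def validate_authorization_request(client_id, redirect_uri, key=AS_SIGNING_KEY, now=None):
    """Authorization endpoint: check client_id and redirect_uri without a lookup."""
    now = int(time.time()) if now is None else now
    try:
        header_b64, claims_b64, sig_b64 = client_id.split(".")
        header = json.loads(b64url_decode(header_b64))
        signature = b64url_decode(sig_b64)
        signing_input = f"{header_b64}.{claims_b64}".encode("ascii")
    except ValueError as exc:  # wrong part count, bad base64, bad JSON, non-ASCII
        raise InvalidClient("malformed client_id") from exc
    # Pin the algorithm: the token never chooses how it is verified.
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise InvalidClient("unexpected alg")
    # Constant-time comparison of the MAC over the exact bytes received.
    if not hmac.compare_digest(signature, sign(signing_input, key)):
        raise InvalidClient("bad signature")
    # Claims are parsed only after the MAC check, so they are the AS's own data.
    claims = json.loads(b64url_decode(claims_b64))
    if now >= claims["exp"]:
        raise InvalidClient("registration expired")
    # Exact string match against the registered values, no prefix matching.
    if redirect_uri not in claims["redirect_uris"]:
        raise InvalidClient("redirect_uri not registered")
    return claims


if __name__ == "__main__":
    cid = issue_client_id(["https://client.example/cb"])
    print(validate_authorization_request(cid, "https://client.example/cb"))
```

A signed client_id gives integrity, not confidentiality, so anything placed in it is readable by the client. It also cannot be revoked before `exp` without reintroducing some state at the AS, such as a denylist or a key rotation.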

From tonynad@microsoft.com  Fri Aug 16 07:26:14 2013
Return-Path: <tonynad@microsoft.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B1C5C11E80FA for <oauth@ietfa.amsl.com>; Fri, 16 Aug 2013 07:26:14 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.198
X-Spam-Level: 
X-Spam-Status: No, score=-3.198 tagged_above=-999 required=5 tests=[AWL=0.400,  BAYES_00=-2.599, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id U+UWUMcmu7yQ for <oauth@ietfa.amsl.com>; Fri, 16 Aug 2013 07:26:10 -0700 (PDT)
Received: from na01-bl2-obe.outbound.protection.outlook.com (mail-bl2lp0205.outbound.protection.outlook.com [207.46.163.205]) by ietfa.amsl.com (Postfix) with ESMTP id 86B0121F9A13 for <oauth@ietf.org>; Fri, 16 Aug 2013 07:26:09 -0700 (PDT)
Received: from BY2PR03MB189.namprd03.prod.outlook.com (10.242.36.140) by BY2PR03MB192.namprd03.prod.outlook.com (10.242.36.144) with Microsoft SMTP Server (TLS) id 15.0.745.25; Fri, 16 Aug 2013 14:26:00 +0000
Received: from BY2PR03MB189.namprd03.prod.outlook.com ([169.254.6.82]) by BY2PR03MB189.namprd03.prod.outlook.com ([169.254.6.157]) with mapi id 15.00.0745.000; Fri, 16 Aug 2013 14:26:00 +0000
From: Anthony Nadalin <tonynad@microsoft.com>
To: Justin Richer <jricher@mitre.org>, Torsten Lodderstedt <torsten@lodderstedt.net>
Thread-Topic: [OAUTH-WG] OX needs Dynamic Registration: please don't remove!
Thread-Index: AQHOlScLf934cBBLpkeg6cyc2g+rW5mSRG2AgADk0ACAAAcFgIAAArgwgAADowCAAAGnEIAAA3KAgAAAraCAAAGTAIAAA1KAgAAnc4CAAN0CAIABUjCAgAASCQCAAQ+hAIAAn/2AgACPwQCAAASiwA==
Date: Fri, 16 Aug 2013 14:26:00 +0000
Message-ID: <651d036888c545d1aefeb4134ffe47e9@BY2PR03MB189.namprd03.prod.outlook.com>
References: <8e1ea7617c20b54b3cecbc99364b399a@gluu.org> <4AACCC15-5DE8-4906-9756-0E33D37FC240@oracle.com>	<520A35CA.50006@aol.com> <520A3BAD.1050703@mitre.org> <7a9ce33274304311a64057bb305be011@BY2PR03MB189.namprd03.prod.outlook.com> <60b4af16cbbc9c5e5b00fc1e63072c45@gluu.org> <a31200b47c9d477ca226f5e1fdb2dfbf@BY2PR03MB189.namprd03.prod.outlook.com> <520A4549.5040206@aol.com> <a64cf984cc42495f9d5d362dd2f9b980@BY2PR03MB189.namprd03.prod.outlook.com> <520A472C.6040101@mitre.org> <D01CFAFF-0FB5-406C-86F3-E7D0952D01FB@oracle.com>	<520A6B0D.7070103@aol.com> <520B2472.4040104@gmx.net>	<F4E352F7-AF40-4D4B-B3F1-F8FEC4F5BA4C@gmail.com> <C4319956-096D-4040-BAE1-2247E2C37D8A@oracle.com> <3F77EA9B-0F5D-44E6-AFEB-C873D6342713@ve7jtb.com> <6cedab5c-f3aa-4b85-9ae8-aea67278568a@email.android.com> <520E31EC.1090600@mitre.org>
In-Reply-To: <520E31EC.1090600@mitre.org>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
x-originating-ip: [2001:4898:80e8:ed31::ff]
x-forefront-prvs: 0940A19703
x-forefront-antispam-report: SFV:NSPM; SFS:(377424004)(479174003)(377454003)(164054003)(55885003)(199002)(24454002)(189002)(77982001)(59766001)(47736001)(54316002)(47976001)(83322001)(50986001)(76482001)(65816001)(54356001)(4396001)(49866001)(19300405004)(19580385001)(53806001)(16236675002)(19580395003)(16406001)(33646001)(76796001)(15202345003)(76576001)(83072001)(76786001)(81816001)(56816003)(81686001)(77096001)(19580405001)(56776001)(80022001)(63696002)(74876001)(74366001)(74502001)(80976001)(74316001)(46102001)(551544002)(31966008)(69226001)(47446002)(81342001)(51856001)(81542001)(74706001)(79102001)(74662001)(42262001)(24736002)(3826001); DIR:OUT; SFP:; SCL:1; SRVR:BY2PR03MB192; H:BY2PR03MB189.namprd03.prod.outlook.com; CLIP:2001:4898:80e8:ed31::ff; RD:InfoNoRecords; A:1; MX:1; LANG:en; 
Content-Type: multipart/alternative; boundary="_000_651d036888c545d1aefeb4134ffe47e9BY2PR03MB189namprd03pro_"
MIME-Version: 1.0
X-OriginatorOrg: DuplicateDomain-a84fc36a-4ed7-4e57-ab1c-3e967bcbad48.microsoft.com
X-MS-Exchange-CrossPremises-AuthAs: Internal
X-MS-Exchange-CrossPremises-AuthMechanism: 03
X-MS-Exchange-CrossPremises-AuthSource: BY2PR03MB189.namprd03.prod.outlook.com
X-MS-Exchange-CrossPremises-SCL: 1
X-MS-Exchange-CrossPremises-messagesource: StoreDriver
X-MS-Exchange-CrossPremises-BCC: 
X-MS-Exchange-CrossPremises-originalclientipaddress: 2001:4898:80e8:ed31::ff
X-MS-Exchange-CrossPremises-avstamp-service: 1.0
X-MS-Exchange-CrossPremises-antispam-scancontext: DIR:Originating; SFV:NSPM; SKIP:0; 
X-MS-Exchange-CrossPremises-processed-by-journaling: Journal Agent
X-MS-Exchange-CrossPremises-ContentConversionOptions: False; 00160000; True; ; iso-8859-1
X-OrganizationHeadersPreserved: BY2PR03MB192.namprd03.prod.outlook.com
Cc: "mike@gluu.org" <mike@gluu.org>, "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] OX needs Dynamic Registration: please don't remove!
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 16 Aug 2013 14:26:14 -0000

--_000_651d036888c545d1aefeb4134ffe47e9BY2PR03MB189namprd03pro_
Content-Type: text/plain; charset="iso-2022-jp"
Content-Transfer-Encoding: quoted-printable

The yak needs to be sheared to make way for better hair.

From: oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] On Behalf Of Justin Richer
Sent: Friday, August 16, 2013 7:07 AM
To: Torsten Lodderstedt
Cc: mike@gluu.org; oauth@ietf.org
Subject: Re: [OAUTH-WG] OX needs Dynamic Registration: please don't remove!

+1

Let's not shave a yak quite yet.

On 08/16/2013 01:32 AM, Torsten Lodderstedt wrote:
+1

Dyn reg should fit into the OAuth system as it is now, which uses client ids and secrets. A (probably) improved OAuth is a completely different topic. Let's handle it separately.


John Bradley <ve7jtb@ve7jtb.com> wrote:

Yes a bearer token that is signed and or encrypted by the AS reduces the amount of state required for the AS to maintain.

In RFC 6749 there is information about the client that is tied to the client_id, and is required at the authorization endpoint. (eg redirect_uri)

I understand the goal of reducing state in the IdP. Some of us have looked at storing information in a signed client_id that would work in the existing RFC 6749 flows.

It seems that some people are dissatisfied with RFC 6749 and would like to see changes like removing implicit flows.

The current Dynamic registration spec deals with the current state of OAuth. If the WG decides to do an OAuth 3 that fully supports assertions and ditches secrets I would be OK with that.

However, let's not cripple what we have as a standard now by creating dynamic registration that can only be fully implemented in a future version of OAuth.

Some people want/need a client registration API now. It is clearly a missing part of an entire OAuth system.

Supporting existing OAuth while minimizing state at the AS is something I support; waiting for an OAuth redesign is not, in my opinion, a reasonable medium-term goal.

John B.





On 2013-08-14, at 11:47 PM, Phil Hunt <phil.hunt@oracle.com> wrote:

I am saying a bearer token is better than a password for the service provider as Hannes explains.

Phil

On 2013-08-14, at 19:42, Nat Sakimura <sakimura@gmail.com> wrote:

Right. A Bearer Token does not have to be a shared secret. It may have some structure that allows the server to validate it statelessly, e.g. JWS-JWT.

=nat via iPhone

Aug 14, 2013 15:32, Hannes Tschofenig <hannes.tschofenig@gmx.net> wrote:

George is correct with his statements. There is, however, a difference between a shared secret and an assertion as Phil pointed out. For the assertion the server does not need to maintain state on a per-client basis. On the other hand since the client secret isn't really used in the classical sense of a password either but rather as a "cookie" (if used in the style of Section 2.3.1 of RFC6749) one could easily apply the concept of stateless tokens to them:

http://tools.ietf.org/html/draft-rescorla-stateless-tokens-01





On 08/13/2013 07:21 PM, George Fletcher wrote:

Hi Phil,

I'm sorry for not following completely. Some questions inline...

On 8/13/13 11:00 AM, Phil Hunt wrote:

Dyn reg and the scim reg variant depend too much/biased towards
passwords expressed as client secrets.

I'm not sure what you mean in regards to "client secrets". There are
OAuth2 bearer tokens that need to be protected because they are bearer
tokens. That said, there is nothing in the spec that requires these to
be opaque blobs vs signed tokens. So both the "Initial Access Token" and
the "Registration Access Token" can be signed tokens. However, the
client still has to protect them as if they were a "secret" because they
are a bearer token and can be replayed. So it's the same amount of work
on the client either way.

A signed token approach has many advantages for service providers like
not having to maintain a secure database of secrets/passwords.

If the concern here is the amount of data the Authorization Server has
to store to manage these clients, then the current spec doesn't preclude
using a "signed token". Both OAuth2 bearer tokens identified in the
current spec can be signed tokens.

Finally issuing both a client secret and registration token is costly
and confusing to client developers.  I relented somewhat when I
realized Kerberos does this--but I still feel it is a bad design at
cloud scale.

Given that client_secrets are OPTIONAL in OAuth2 for some use cases, I'm
not sure how you abstract the client developer from having to deal with
them. The client developer is going to be dealing with multiple OAuth2
tokens to multiple endpoints regardless so I don't see another token as
costly or complex. At a minimum there is the refresh_token and
access_token. Where is the added client developer complexity?

Thanks,
George





Phil

On 2013-08-13, at 7:48, Justin Richer <jricher@mitre.org> wrote:

The spec doesn't care where you deploy at -- if URL space is at a
premium for you, then switch based on input parameters and other
things. And you're still not clear on which "secrets" you're taking
issue with.

-- Justin



On 08/13/2013 10:46 AM, Anthony Nadalin wrote:

#1, it's yet another endpoint to have to manage secrets at, yes this
is an OAuth item but it's growing out of control, we are trying to
move away from secrets and management of these endpoints as this
would be just another one we have to support, monitor and report on

#2 yes, 1 physical endpoint acting as multiple authorization servers

*From:*George Fletcher [mailto:gffletch@aol.com]
*Sent:* Tuesday, August 13, 2013 7:40 AM
*To:* Anthony Nadalin
*Cc:* mike@gluu.org; Justin Richer; oauth@ietf.org
*Subject:* Re: [OAUTH-WG] OX needs Dynamic Registration: please
don't remove!



Hi Tony,

Could you please explain a little more?

For issue 1:
* Which "secret" are you referring to? OAuth2 by default allows for
an optional client_secret. I'm not sure why this would cause
management issues? Or are you referring to the "Registration Access
Token"?
* Why is a separate endpoint an issue? Any client is going to be
talking to more than just the /authorize and /token endpoints anyway
so I'm confused regarding the extra complexity?

For issue 2:
* What specifically do you mean by "multi-tenant"? Is this one
server acting on behalf of multiple tenants and so appearing as
multiple Authorization Servers?

Thanks,
George

[snip...]





________________________________



OAuth mailing list

OAuth@ietf.org<mailto:OAuth@ietf.org>

https://www.ietf.org/mailman/listinfo/oauth




--_000_651d036888c545d1aefeb4134ffe47e9BY2PR03MB189namprd03pro_
Content-Type: text/html; charset="iso-2022-jp"
Content-Transfer-Encoding: quoted-printable

<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:x="urn:schemas-microsoft-com:office:excel" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-2022-jp">
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">
</head>
<body bgcolor="white" lang="EN-US" link="blue" vlink="purple">
<div class="WordSection1">
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:&quot;Calibri&quot;,&quot;sans-serif&quot;;color:#1F497D;mso-fareast-language:EN-US">The yak needs to be sheared to make way for better hair.<o:p></o:p></span></p>
<p class="MsoNormal"><a name="_MailEndCompose"><span style="font-size:11.0pt;font-family:&quot;Calibri&quot;,&quot;sans-serif&quot;;color:#1F497D;mso-fareast-language:EN-US"><o:p>&nbsp;</o:p></span></a></p>
<div>
<div style="border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b><span style="font-size:11.0pt;font-family:&quot;Calibri&quot;,&quot;sans-serif&quot;;color:windowtext">From:</span></b><span style="font-size:11.0pt;font-family:&quot;Calibri&quot;,&quot;sans-serif&quot;;color:windowtext"> oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org]
<b>On Behalf Of </b>Justin Richer<br>
<b>Sent:</b> Friday, August 16, 2013 7:07 AM<br>
<b>To:</b> Torsten Lodderstedt<br>
<b>Cc:</b> mike@gluu.org; oauth@ietf.org<br>
<b>Subject:</b> Re: [OAUTH-WG] OX needs Dynamic Registration: please don't remove!<o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal"><o:p>&nbsp;</o:p></p>
<p class="MsoNormal" style="margin-bottom:12.0pt">&#43;1<br>
<br>
Let's not shave a yak quite yet. <o:p></o:p></p>
<div>
<p class="MsoNormal">On 08/16/2013 01:32 AM, Torsten Lodderstedt wrote:<o:p></o:p></p>
</div>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<p class="MsoNormal" style="margin-bottom:12.0pt">&#43;1 <br>
<br>
Dyn reg should fit into the OAuth system as it is now, which uses client ids and secrets. A (probably) improved OAuth is a completely different topic. Let's handle it separately.
<o:p></o:p></p>
<div>
<p class="MsoNormal"><br>
<br>
John Bradley <a href="mailto:ve7jtb@ve7jtb.com">&lt;ve7jtb@ve7jtb.com&gt;</a> wrote: <o:p>
</o:p></p>
<blockquote style="border:none;border-left:solid #CCCCCC 1.0pt;padding:0in 0in 0in 6.0pt;margin-left:4.8pt;margin-right:0in">
<pre>Yes a bearer token that is signed and or encrypted by the AS reduces the amount of state required for the AS to maintain. <o:p></o:p></pre>
<pre><o:p>&nbsp;</o:p></pre>
<pre>In RFC 6749 there is information about the client that is tied to the client_id, and is required at the authorization endpoint. (eg redirect_uri)<o:p></o:p></pre>
<pre><o:p>&nbsp;</o:p></pre>
<pre>I understand the goal of reducing state in the IdP.&nbsp;&nbsp; Some of us have looked at storing information in a signed client_id that would work in the existing RFC 6749 flows.<o:p></o:p></pre>
<pre><o:p>&nbsp;</o:p></pre>
<pre>It seems that some people are dissatisfied with RFC 6749 and would like to see changes like removing implicit flows.<o:p></o:p></pre>
<pre><o:p>&nbsp;</o:p></pre>
<pre>The current Dynamic registration spec deals with the current state of OAuth.&nbsp;&nbsp; If the WG decides to do an OAuth 3 that fully supports assertions and ditches secrets I would be OK with that. <o:p></o:p></pre>
<pre>However, let's not cripple what we have as a standard now by creating dynamic registration that can only be fully implemented&nbsp; in a future version of OAuth.<o:p></o:p></pre>
<pre><o:p>&nbsp;</o:p></pre>
<pre>Some people want/need a client registration API now.&nbsp; It is clearly a missing part of an entire OAuth system.&nbsp;&nbsp; <o:p></o:p></pre>
<pre>Supporting existing OAuth while minimizing state at the AS is something I support; waiting for an OAuth redesign is not, in my opinion, a reasonable medium-term goal.<o:p></o:p></pre>
<pre><o:p>&nbsp;</o:p></pre>
<pre>John B.<o:p></o:p></pre>
<pre><o:p>&nbsp;</o:p></pre>
<pre><o:p>&nbsp;</o:p></pre>
<pre>On 2013-08-14, at 11:47 PM, Phil Hunt <a href="mailto:phil.hunt@oracle.com">&lt;phil.hunt@oracle.com&gt;</a> wrote:<o:p></o:p></pre>
<pre><o:p>&nbsp;</o:p></pre>
<blockquote style="border:none;border-left:solid #729FCF 1.0pt;padding:0in 0in 0in 6.0pt;margin-left:4.8pt;margin-right:0in;margin-bottom:6.0pt">
<pre>I am saying a bearer token is better than a password for the service provider as Hannes explains. <o:p></o:p></pre>
<pre><o:p>&nbsp;</o:p></pre>
<pre>Phil<o:p></o:p></pre>
<pre><o:p>&nbsp;</o:p></pre>
<pre>On 2013-08-14, at 19:42, Nat Sakimura <a href="mailto:sakimura@gmail.com">&lt;sakimura@gmail.com&gt;</a> wrote:<o:p></o:p></pre>
<pre><o:p>&nbsp;</o:p></pre>
<blockquote style="border:none;border-left:solid #AD7FA8 1.0pt;padding:0in 0in 0in 6.0pt;margin-left:4.8pt;margin-right:0in;margin-bottom:6.0pt">
<pre>Right. A Bearer Token does not have to be a shared secret. It may have some structure that allows the server to validate it statelessly, e.g. JWS-JWT. <o:p></o:p></pre>
<pre><o:p>&nbsp;</o:p></pre>
<pre>=nat via iPhone<o:p></o:p></pre>
<pre><o:p>&nbsp;</o:p></pre>
<pre>Aug 14, 2013 15:32, Hannes Tschofenig <a href="mailto:hannes.tschofenig@gmx.net">&lt;hannes.tschofenig@gmx.net&gt;</a> wrote:<o:p></o:p></pre>
<pre><o:p>&nbsp;</o:p></pre>
<blockquote style="border:none;border-left:solid #8AE234 1.0pt;padding:0in 0in 0in 6.0pt;margin-left:4.8pt;margin-right:0in;margin-bottom:6.0pt">
<pre>George is correct with his statements. There is, however, a difference between a shared secret and an assertion as Phil pointed out. For the assertion the server does not need to maintain state on a per-client basis. On the other hand since the client secret isn't really used in the classical sense of a password either but rather as a &quot;cookie&quot; (if used in the style of Section 2.3.1 of RFC6749) one could easily apply the concept of stateless tokens to them:<o:p></o:p></pre>
<pre><a href="http://tools.ietf.org/html/draft-rescorla-stateless-tokens-01">http://tools.ietf.org/html/draft-rescorla-stateless-tokens-01</a><o:p></o:p></pre>
<pre><o:p>&nbsp;</o:p></pre>
<pre><o:p>&nbsp;</o:p></pre>
<pre>On 08/13/2013 07:21 PM, George Fletcher wrote:<o:p></o:p></pre>
<blockquote style="border:none;border-left:solid #FCAF3E 1.0pt;padding:0in 0in 0in 6.0pt;margin-left:4.8pt;margin-right:0in;margin-bottom:6.0pt">
<pre>Hi Phil,<o:p></o:p></pre>
<pre><o:p>&nbsp;</o:p></pre>
<pre>I'm sorry for not following completely. Some questions inline...<o:p></o:p></pre>
<pre><o:p>&nbsp;</o:p></pre>
<pre>On 8/13/13 11:00 AM, Phil Hunt wrote:<o:p></o:p></pre>
<blockquote style="border:none;border-left:solid #E9B96E 1.0pt;padding:0in 0in 0in 6.0pt;margin-left:4.8pt;margin-right:0in;margin-bottom:6.0pt">
<pre>Dyn reg and the scim reg variant depend too much/biased towards<o:p></o:p></pre>
<pre>passwords expressed as client secrets.<o:p></o:p></pre>
</blockquote>
<pre>I'm not sure what you mean in regards to &quot;client secrets&quot;. There are<o:p></o:p></pre>
<pre>OAuth2 bearer tokens that need to be protected because they are bearer<o:p></o:p></pre>
<pre>tokens. That said, there is nothing in the spec that requires these to<o:p></o:p></pre>
<pre>be opaque blobs vs signed tokens. So both the &quot;Initial Access Token&quot; and<o:p></o:p></pre>
<pre>the &quot;Registration Access Token&quot; can be signed tokens. However, the<o:p></o:p></pre>
<pre>client still has to protect them as if they were a &quot;secret&quot; because they<o:p></o:p></pre>
<pre>are a bearer token and can be replayed. So it's the same amount of work<o:p></o:p></pre>
<pre>on the client either way.<o:p></o:p></pre>
<pre><o:p>&nbsp;</o:p></pre>
<pre><o:p>&nbsp;</o:p></pre>
<blockquote style=3D"border:none;border-left:solid #E9B96E 1.0pt;padding:0i=
n 0in 0in 6.0pt;margin-left:4.8pt;margin-right:0in;margin-bottom:6.0pt">
<pre>A signed token approach has many advantages for service providers like=
<o:p></o:p></pre>
<pre>not having to maintain a secure database of secrets/passwords.<o:p></o=
:p></pre>
</blockquote>
<pre>If the concern here is the amount of data the Authorization Server has=
<o:p></o:p></pre>
<pre>to store to manage these clients, then the current spec doesn't preclu=
de<o:p></o:p></pre>
<pre>using a &quot;signed token&quot;. Both OAuth2 bearer tokens identified=
 in the<o:p></o:p></pre>
<pre>current spec can be signed tokens.<o:p></o:p></pre>
<pre><o:p>&nbsp;</o:p></pre>
<blockquote style=3D"border:none;border-left:solid #E9B96E 1.0pt;padding:0i=
n 0in 0in 6.0pt;margin-left:4.8pt;margin-right:0in;margin-bottom:6.0pt">
<pre>Finally issuing both a client secret and registration token is costly<=
o:p></o:p></pre>
<pre>and confusing to client developers.&nbsp; I relented somewhat when I<o=
:p></o:p></pre>
<pre>realized kerberos does this--but i still feel it is a bad design at<o:=
p></o:p></pre>
<pre>cloud scale.<o:p></o:p></pre>
</blockquote>
<pre>Given that client_secrets are OPTIONAL in OAuth2 for some use cases, =
I'm<o:p></o:p></pre>
<pre>not sure how you abstract the client developer from having to deal wit=
h<o:p></o:p></pre>
<pre>them. The client developer is going to be dealing with multiple OAuth2=
<o:p></o:p></pre>
<pre>tokens to multiple endpoints regardless so I don't see another token a=
s<o:p></o:p></pre>
<pre>costly or complex. At a minimum there is the refresh_token and<o:p></o=
:p></pre>
<pre>access_token. Where is the added client developer complexity?<o:p></o:=
p></pre>
<pre><o:p>&nbsp;</o:p></pre>
<pre>Thanks,<o:p></o:p></pre>
<pre>George<o:p></o:p></pre>
<pre><o:p>&nbsp;</o:p></pre>
<pre><o:p>&nbsp;</o:p></pre>
<blockquote style=3D"border:none;border-left:solid #E9B96E 1.0pt;padding:0i=
n 0in 0in 6.0pt;margin-left:4.8pt;margin-right:0in;margin-bottom:6.0pt">
<pre>Phil<o:p></o:p></pre>
<pre><o:p>&nbsp;</o:p></pre>
<pre>On 2013-08-13, at 7:48, Justin Richer &lt;<a href=3D"mailto:jricher@mi=
tre.org">jricher@mitre.org</a><o:p></o:p></pre>
<pre><a href=3D"mailto:jricher@mitre.org">&lt;mailto:jricher@mitre.org&gt;<=
/a>&gt; wrote:<o:p></o:p></pre>
<pre><o:p>&nbsp;</o:p></pre>
<blockquote style=3D"border:none;border-left:solid #CCCCCC 1.0pt;padding:0i=
n 0in 0in 6.0pt;margin-left:4.8pt;margin-right:0in;margin-bottom:6.0pt">
<pre>The spec doesn't care where you deploy at -- if URL space is at a<o:p>=
</o:p></pre>
<pre>premium for you, then switch based on input parameters and other<o:p><=
/o:p></pre>
<pre>things. And you're still not clear on which &quot;secrets&quot; you're=
 taking<o:p></o:p></pre>
<pre>issue with.<o:p></o:p></pre>
<pre><o:p>&nbsp;</o:p></pre>
<pre>-- Justin<o:p></o:p></pre>
<pre><o:p>&nbsp;</o:p></pre>
<pre>On 08/13/2013 10:46 AM, Anthony Nadalin wrote:<o:p></o:p></pre>
<pre><o:p>&nbsp;</o:p></pre>
<blockquote style=3D"border:none;border-left:solid #CCCCCC 1.0pt;padding:0i=
n 0in 0in 6.0pt;margin-left:4.8pt;margin-right:0in;margin-bottom:6.0pt">
<pre>#1, it's yet another endpoint to have to manage secrets at, yes this<o=
:p></o:p></pre>
<pre>is an OAuth item but it's growing out of control, we are trying to<o:p=
></o:p></pre>
<pre>move away from secrets and management of these endpoints as this<o:p><=
/o:p></pre>
<pre>would be just another one we have to support, monitor and report on<o:=
p></o:p></pre>
<pre><o:p>&nbsp;</o:p></pre>
<pre>#2 yes, 1 physical endpoint acting as multiple authorization servers<o=
:p></o:p></pre>
<pre><o:p>&nbsp;</o:p></pre>
<pre>*From:*George Fletcher [<a href=3D"mailto:gffletch@aol.com">mailto:gff=
letch@aol.com</a>]<o:p></o:p></pre>
<pre>*Sent:* Tuesday, August 13, 2013 7:40 AM<o:p></o:p></pre>
<pre>*To:* Anthony Nadalin<o:p></o:p></pre>
<pre>*Cc:* <a href=3D"mailto:mike@gluu.org">mike@gluu.org</a>; Justin Riche=
r; <a href=3D"mailto:oauth@ietf.org">oauth@ietf.org</a><o:p></o:p></pre>
<pre>*Subject:* Re: [OAUTH-WG] OX needs Dynamic Registration: please<o:p></=
o:p></pre>
<pre>don't remove!<o:p></o:p></pre>
<pre><o:p>&nbsp;</o:p></pre>
<pre>Hi Tony,<o:p></o:p></pre>
<pre><o:p>&nbsp;</o:p></pre>
<pre>Could you please explain a little more?<o:p></o:p></pre>
<pre><o:p>&nbsp;</o:p></pre>
<pre>For issue 1:<o:p></o:p></pre>
<pre>* Which &quot;secret&quot; are you referring to? OAuth2 by default all=
ows for<o:p></o:p></pre>
<pre>an optional client_secret. I'm not sure why this would cause<o:p></o:p=
></pre>
<pre>management issues? Or are you referring to the &quot;Registration Acce=
ss<o:p></o:p></pre>
<pre>Token&quot;?<o:p></o:p></pre>
<pre>* Why is a separate endpoint an issue? Any client is going to be<o:p><=
/o:p></pre>
<pre>talking to more than just the /authorize and /token endpoints anyway<o=
:p></o:p></pre>
<pre>so I'm confused regarding the extra complexity?<o:p></o:p></pre>
<pre><o:p>&nbsp;</o:p></pre>
<pre>For issue 2:<o:p></o:p></pre>
<pre>* What specifically do you mean by &quot;multi-tenant&quot;? Is this o=
ne<o:p></o:p></pre>
<pre>server acting on behalf of multiple tenants and so appearing as<o:p></=
o:p></pre>
<pre>multiple Authorization Servers?<o:p></o:p></pre>
<pre><o:p>&nbsp;</o:p></pre>
<pre>Thanks,<o:p></o:p></pre>
<pre>George<o:p></o:p></pre>
<pre><o:p>&nbsp;</o:p></pre>
<pre>[snip...]<o:p></o:p></pre>
</blockquote>
<pre><o:p>&nbsp;</o:p></pre>
<pre><o:p>&nbsp;</o:p></pre>
</blockquote>
<pre style=3D"text-align:center"><hr size=3D"2" width=3D"100%" align=3D"cen=
ter"></pre>
<pre><o:p>&nbsp;</o:p></pre>
<pre>OAuth mailing list<o:p></o:p></pre>
<pre><a href=3D"mailto:OAuth@ietf.org">OAuth@ietf.org</a><o:p></o:p></pre>
<pre><a href=3D"https://www.ietf.org/mailman/listinfo/oauth">https://www.ie=
tf.org/mailman/listinfo/oauth</a><o:p></o:p></pre>
</blockquote>
<pre><o:p>&nbsp;</o:p></pre>
<pre>--<o:p></o:p></pre>
<pre><o:p>&nbsp;</o:p></pre>
<pre><o:p>&nbsp;</o:p></pre>
</blockquote>
<pre><o:p>&nbsp;</o:p></pre>
</blockquote>
</blockquote>
</blockquote>
<pre><o:p>&nbsp;</o:p></pre>
</blockquote>
</div>
<p class=3D"MsoNormal"><br>
<br>
<br>
<o:p></o:p></p>
</blockquote>
<p class=3D"MsoNormal"><o:p>&nbsp;</o:p></p>
</div>
</body>
</html>

--_000_651d036888c545d1aefeb4134ffe47e9BY2PR03MB189namprd03pro_--

From tonynad@microsoft.com  Fri Aug 16 08:09:04 2013
Return-Path: <tonynad@microsoft.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0DBC221F9EA9 for <oauth@ietfa.amsl.com>; Fri, 16 Aug 2013 08:08:29 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.264
X-Spam-Level: 
X-Spam-Status: No, score=-3.264 tagged_above=-999 required=5 tests=[AWL=0.334,  BAYES_00=-2.599, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id RodeMTPr+7dg for <oauth@ietfa.amsl.com>; Fri, 16 Aug 2013 08:08:24 -0700 (PDT)
Received: from na01-by2-obe.outbound.protection.outlook.com (mail-by2lp0243.outbound.protection.outlook.com [207.46.163.243]) by ietfa.amsl.com (Postfix) with ESMTP id 21DD321F9CC3 for <oauth@ietf.org>; Fri, 16 Aug 2013 08:08:18 -0700 (PDT)
Received: from BY2PR03MB191.namprd03.prod.outlook.com (10.242.36.143) by BY2PR03MB026.namprd03.prod.outlook.com (10.255.240.40) with Microsoft SMTP Server (TLS) id 15.0.745.25; Fri, 16 Aug 2013 14:22:46 +0000
Received: from BY2PR03MB189.namprd03.prod.outlook.com (10.242.36.140) by BY2PR03MB191.namprd03.prod.outlook.com (10.242.36.143) with Microsoft SMTP Server (TLS) id 15.0.745.25; Fri, 16 Aug 2013 14:22:44 +0000
Received: from BY2PR03MB189.namprd03.prod.outlook.com ([169.254.6.82]) by BY2PR03MB189.namprd03.prod.outlook.com ([169.254.6.157]) with mapi id 15.00.0745.000; Fri, 16 Aug 2013 14:22:44 +0000
From: Anthony Nadalin <tonynad@microsoft.com>
To: Torsten Lodderstedt <torsten@lodderstedt.net>, John Bradley <ve7jtb@ve7jtb.com>, Phil Hunt <phil.hunt@oracle.com>
Thread-Topic: [OAUTH-WG] OX needs Dynamic Registration: please don't remove!
Thread-Index: AQHOlScLf934cBBLpkeg6cyc2g+rW5mSRG2AgADk0ACAAAcFgIAAArgwgAADowCAAAGnEIAAA3KAgAAAraCAAAGTAIAAA1KAgAAnc4CAAN0CAIABUjCAgAASCQCAAQ+hAIAAn/2AgACUBhA=
Date: Fri, 16 Aug 2013 14:22:43 +0000
Message-ID: <0684fab7340d4a49a1ebdcf45c060117@BY2PR03MB189.namprd03.prod.outlook.com>
References: <8e1ea7617c20b54b3cecbc99364b399a@gluu.org> <4AACCC15-5DE8-4906-9756-0E33D37FC240@oracle.com>	<520A35CA.50006@aol.com> <520A3BAD.1050703@mitre.org> <7a9ce33274304311a64057bb305be011@BY2PR03MB189.namprd03.prod.outlook.com> <60b4af16cbbc9c5e5b00fc1e63072c45@gluu.org> <a31200b47c9d477ca226f5e1fdb2dfbf@BY2PR03MB189.namprd03.prod.outlook.com> <520A4549.5040206@aol.com> <a64cf984cc42495f9d5d362dd2f9b980@BY2PR03MB189.namprd03.prod.outlook.com> <520A472C.6040101@mitre.org> <D01CFAFF-0FB5-406C-86F3-E7D0952D01FB@oracle.com>	<520A6B0D.7070103@aol.com> <520B2472.4040104@gmx.net>	<F4E352F7-AF40-4D4B-B3F1-F8FEC4F5BA4C@gmail.com> <C4319956-096D-4040-BAE1-2247E2C37D8A@oracle.com> <3F77EA9B-0F5D-44E6-AFEB-C873D6342713@ve7jtb.com> <6cedab5c-f3aa-4b85-9ae8-aea67278568a@email.android.com>
In-Reply-To: <6cedab5c-f3aa-4b85-9ae8-aea67278568a@email.android.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
x-originating-ip: [2001:4898:80e8:ed31::ff]
x-forefront-prvs: 0940A19703
x-forefront-antispam-report: SFV:NSPM; SFS:(55885003)(377454003)(479174003)(24454002)(377424004)(199002)(189002)(164054003)(19300405004)(19580395003)(79102001)(74366001)(80976001)(83322001)(54356001)(19580405001)(19580385001)(53806001)(76482001)(56776001)(54316002)(74316001)(15202345003)(551544002)(63696002)(16406001)(16236675002)(46102001)(69226001)(74876001)(80022001)(77096001)(56816003)(65816001)(81542001)(74662001)(83072001)(81686001)(4396001)(59766001)(50986001)(47976001)(74502001)(76796001)(47446002)(47736001)(31966008)(81342001)(77982001)(76576001)(76786001)(33646001)(51856001)(49866001)(81816001)(74706001)(42262001)(24736002)(3826001); DIR:OUT; SFP:; SCL:1; SRVR:BY2PR03MB191; H:BY2PR03MB189.namprd03.prod.outlook.com; CLIP:2001:4898:80e8:ed31::ff; RD:InfoNoRecords; A:1; MX:1; LANG:en; 
Content-Type: multipart/alternative; boundary="_000_0684fab7340d4a49a1ebdcf45c060117BY2PR03MB189namprd03pro_"
MIME-Version: 1.0
X-MS-Exchange-CrossPremises-AuthAs: Internal
X-MS-Exchange-CrossPremises-AuthMechanism: 03
X-MS-Exchange-CrossPremises-AuthSource: BY2PR03MB189.namprd03.prod.outlook.com
X-MS-Exchange-CrossPremises-SCL: 1
X-MS-Exchange-CrossPremises-messagesource: StoreDriver
X-MS-Exchange-CrossPremises-BCC: 
X-MS-Exchange-CrossPremises-originalclientipaddress: 2001:4898:80e8:ed31::ff
X-MS-Exchange-CrossPremises-avstamp-service: 1.0
X-MS-Exchange-CrossPremises-antispam-scancontext: DIR:Originating; SFV:NSPM; SKIP:0; 
X-MS-Exchange-CrossPremises-processed-by-journaling: Journal Agent
X-MS-Exchange-CrossPremises-ContentConversionOptions: False; 00160000; True; ; iso-8859-1
X-OrganizationHeadersPreserved: BY2PR03MB191.namprd03.prod.outlook.com
X-OriginatorOrg: DuplicateDomain-a84fc36a-4ed7-4e57-ab1c-3e967bcbad48.microsoft.com
Cc: "mike@gluu.org" <mike@gluu.org>, "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] OX needs Dynamic Registration: please don't remove!
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 16 Aug 2013 15:09:05 -0000


From sberyozkin@gmail.com  Fri Aug 16 12:12:59 2013
Return-Path: <sberyozkin@gmail.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 10ABA21F9E4F for <oauth@ietfa.amsl.com>; Fri, 16 Aug 2013 12:12:59 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.949
X-Spam-Level: 
X-Spam-Status: No, score=-1.949 tagged_above=-999 required=5 tests=[AWL=0.650,  BAYES_00=-2.599]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 8x4yVaKNWRek for <oauth@ietfa.amsl.com>; Fri, 16 Aug 2013 12:12:58 -0700 (PDT)
Received: from mail-ea0-x234.google.com (mail-ea0-x234.google.com [IPv6:2a00:1450:4013:c01::234]) by ietfa.amsl.com (Postfix) with ESMTP id 9009A11E810B for <oauth@ietf.org>; Fri, 16 Aug 2013 12:12:55 -0700 (PDT)
Received: by mail-ea0-f180.google.com with SMTP id h10so1171488eaj.39 for <oauth@ietf.org>; Fri, 16 Aug 2013 12:12:54 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=message-id:date:from:user-agent:mime-version:to:subject:references :in-reply-to:content-type:content-transfer-encoding; bh=3mz4dZSxnNT9VPeuoGJR8DdiY8qU19He8B6Sid389hg=; b=G8sT1ge9TglFBheJAghbdKSkVoBRWu3C1QWeILn0h746qS8KYFS2CfOiJUi8ZV0qEu d0CHLyaJ5zCnRzKkZkVGioVLspIV+rGd3G1JEsVYSx02Hntl2etNUKfkkNyaCwC6SQfx YrFRUuXYnUhx/hSERNMGnY4wzuyN5+ehnXs0+Y/QQBeCSi2FXEh1LlPqQceYtsOP6XDq 6kmSPfE3Q2ainDGYS+eMIAOU6ia1fKScDsElG/Iz9XRFOaZyE82eeyXEe8pr/jtlOz+2 I4IyjQHuB0m5LNt+WpLHzSm4J+ciqEspsY2sIckJdwMdJ8HAUhjMHE6NGl9rq9UEUWTf UoBw==
X-Received: by 10.15.98.129 with SMTP id bj1mr175264eeb.75.1376680374604; Fri, 16 Aug 2013 12:12:54 -0700 (PDT)
Received: from [10.39.0.31] ([87.252.227.100]) by mx.google.com with ESMTPSA id h52sm4725425eez.3.1969.12.31.16.00.00 (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Fri, 16 Aug 2013 12:12:53 -0700 (PDT)
Message-ID: <520E79B1.8040203@gmail.com>
Date: Fri, 16 Aug 2013 22:12:49 +0300
From: Sergey Beryozkin <sberyozkin@gmail.com>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:17.0) Gecko/20130623 Thunderbird/17.0.7
MIME-Version: 1.0
To: oauth@ietf.org
References: <8e1ea7617c20b54b3cecbc99364b399a@gluu.org> <4AACCC15-5DE8-4906-9756-0E33D37FC240@oracle.com> <520A35CA.50006@aol.com> <520A3BAD.1050703@mitre.org> <7a9ce33274304311a64057bb305be011@BY2PR03MB189.namprd03.prod.outlook.com> <60b4af16cbbc9c5e5b00fc1e63072c45@gluu.org> <a31200b47c9d477ca226f5e1fdb2dfbf@BY2PR03MB189.namprd03.prod.outlook.com> <520A4549.5040206@aol.com> <a64cf984cc42495f9d5d362dd2f9b980@BY2PR03MB189.namprd03.prod.outlook.com> <520A472C.6040101@mitre.org> <D01CFAFF-0FB5-406C-86F3-E7D0952D01FB@oracle.com> <520A6B0D.7070103@aol.com> <520B2472.4040104@gmx.net> <F4E352F7-AF40-4D4B-B3F1-F8FEC4F5BA4C@gmail.com> <C4319956-096D-4040-BAE1-2247E2C37D8A@oracle.com> <3F77EA9B-0F5D-44E6-AFEB-C873D6342713@ve7jtb.com>
In-Reply-To: <3F77EA9B-0F5D-44E6-AFEB-C873D6342713@ve7jtb.com>
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 8bit
Subject: Re: [OAUTH-WG] OX needs Dynamic Registration: please don't remove!
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 16 Aug 2013 19:12:59 -0000

On 15/08/13 22:59, John Bradley wrote:
> Yes a bearer token that is signed and or encrypted by the AS reduces the amount of state required for the AS to maintain.
>
> In RFC 6749 there is information about the client that is tied to the client_id, and is required at the authorization endpoint. (eg redirect_uri)
>
> I understand the goal of reducing state in the IdP.   Some of us have looked at storing information in a signed client_id that would work in the existing RFC 6749 flows.
>
> It seems that some people are dissatisfied with RFC 6749 and would like to see changes like removing implicit flows.
>
> The current Dynamic registration spec deals with the current state of OAuth.   If the WG decides to do an OAuth 3 that fully supports assertions and ditches secrets I would be OK with that.

Except that developers looking for simplicity will run away from it.
Let assertions be supported and such, but please also protect the
interests of developers who would like to do OAuth2 without IDP + Cloud
+ encrypted JWT.

Thanks, Sergey


> However let's not cripple what we have as a standard now by creating dynamic registration that can only be fully implemented  in a future version of OAuth.
>
> Some people want/need a client registration API now.  It is clearly a missing part of an entire OAuth system.
> Supporting existing OAuth while minimizing state at the AS is something I support, waiting for an OAuth redesign is not in my opinion a reasonable medium term goal.
>
> John B.
>
>
> On 2013-08-14, at 11:47 PM, Phil Hunt <phil.hunt@oracle.com> wrote:
>
>> I am saying a bearer token is better than a password for the service provider as Hannes explains.
>>
>> Phil
>>
>> On 2013-08-14, at 19:42, Nat Sakimura <sakimura@gmail.com> wrote:
>>
>>> Right. A Bearer Token does not have to be a shared secret. It may have some structure that allows the server to validate it statelessly, e.g. JWS-JWT.
>>>
>>> =nat via iPhone
>>>
>>> On Aug 14, 2013, at 15:32, Hannes Tschofenig <hannes.tschofenig@gmx.net> wrote:
>>>
>>>> George is correct with his statements. There is, however, a difference between a shared secret and an assertion as Phil pointed out. For the assertion the server does not need to maintain state on a per-client basis. On the other hand since the client secret isn't really used in the classical sense of a password either but rather as a "cookie" (if used in the style of Section 2.3.1 of RFC6749) one could easily apply the concept of stateless tokens to them:
>>>> http://tools.ietf.org/html/draft-rescorla-stateless-tokens-01
>>>>
>>>>
>>>> On 08/13/2013 07:21 PM, George Fletcher wrote:
>>>>> Hi Phil,
>>>>>
>>>>> I'm sorry for not following completely. Some questions inline...
>>>>>
>>>>> On 8/13/13 11:00 AM, Phil Hunt wrote:
>>>>>> Dyn reg and the scim reg variant depend too much/biased towards
>>>>>> passwords expressed as client secrets.
>>>>> I'm not sure what you mean in regards to "client secrets". There are
>>>>> OAuth2 bearer tokens that need to be protected because they are bearer
>>>>> tokens. That said, there is nothing in the spec that requires these to
>>>>> be opaque blobs vs signed tokens. So both the "Initial Access Token" and
>>>>> the "Registration Access Token" can be signed tokens. However, the
>>>>> client still has to protect them as if they were a "secret" because they
>>>>> are a bearer token and can be replayed. So it's the same amount of work
>>>>> on the client either way.
>>>>>
>>>>>>
>>>>>> A signed token approach has many advantages for service providers like
>>>>>> not having to maintain a secure database of secrets/passwords.
>>>>> If the concern here is the amount of data the Authorization Server has
>>>>> to store to manage these clients, then the current spec doesn't preclude
>>>>> using a "signed token". Both OAuth2 bearer tokens identified in the
>>>>> current spec can be signed tokens.
>>>>>>
>>>>>> Finally issuing both a client secret and registration token is costly
>>>>>> and confusing to client developers.  I relented somewhat when I
>>>>>> realized kerberos does this--but i still feel it is a bad design at
>>>>>> cloud scale.
>>>>> Given that client_secrets are OPTIONAL in OAuth2 for some use cases, I'm
>>>>> not sure how you abstract the client developer from having to deal with
>>>>> them. The client developer is going to be dealing with multiple OAuth2
>>>>> tokens to multiple endpoints regardless so I don't see another token as
>>>>> costly or complex. At a minimum there is the refresh_token and
>>>>> access_token. Where is the added client developer complexity?
>>>>>
>>>>> Thanks,
>>>>> George
>>>>>
>>>>>>
>>>>>> Phil
>>>>>>
>>>>>> On 2013-08-13, at 7:48, Justin Richer <jricher@mitre.org
>>>>>> <mailto:jricher@mitre.org>> wrote:
>>>>>>
>>>>>>> The spec doesn't care where you deploy at -- if URL space is at a
>>>>>>> premium for you, then switch based on input parameters and other
>>>>>>> things. And you're still not clear on which "secrets" you're taking
>>>>>>> issue with.
>>>>>>>
>>>>>>> -- Justin
>>>>>>>
>>>>>>> On 08/13/2013 10:46 AM, Anthony Nadalin wrote:
>>>>>>>>
>>>>>>>> #1, it's yet another endpoint to have to manage secrets at, yes this
>>>>>>>> is an OAuth item but it's growing out of control, we are trying to
>>>>>>>> move away from secrets and management of these endpoints as this
>>>>>>>> would be just another one we have to support, monitor and report on
>>>>>>>>
>>>>>>>> #2 yes, 1 physical endpoint acting as multiple authorization servers
>>>>>>>>
>>>>>>>> *From:*George Fletcher [mailto:gffletch@aol.com]
>>>>>>>> *Sent:* Tuesday, August 13, 2013 7:40 AM
>>>>>>>> *To:* Anthony Nadalin
>>>>>>>> *Cc:* mike@gluu.org; Justin Richer; oauth@ietf.org
>>>>>>>> *Subject:* Re: [OAUTH-WG] OX needs Dynamic Registration: please
>>>>>>>> don't remove!
>>>>>>>>
>>>>>>>> Hi Tony,
>>>>>>>>
>>>>>>>> Could you please explain a little more?
>>>>>>>>
>>>>>>>> For issue 1:
>>>>>>>> * Which "secret" are you referring to? OAuth2 by default allows for
>>>>>>>> an optional client_secret. I'm not sure why this would cause
>>>>>>>> management issues? Or are you referring to the "Registration Access
>>>>>>>> Token"?
>>>>>>>> * Why is a separate endpoint an issue? Any client is going to be
>>>>>>>> talking to more than just the /authorize and /token endpoints anyway
>>>>>>>> so I'm confused regarding the extra complexity?
>>>>>>>>
>>>>>>>> For issue 2:
>>>>>>>> * What specifically do you mean by "multi-tenant"? Is this one
>>>>>>>> server acting on behalf of multiple tenants and so appearing as
>>>>>>>> multiple Authorization Servers?
>>>>>>>>
>>>>>>>> Thanks,
>>>>>>>> George
>>>>>>>>
>>>>>>>> [snip...]
>>>>>>
>>>>>>
>>>>>> _______________________________________________
>>>>>> OAuth mailing list
>>>>>> OAuth@ietf.org
>>>>>> https://www.ietf.org/mailman/listinfo/oauth
>
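
An added example, not part of any message in this thread or of the registration draft: it shows the two points argued above, that a signed bearer token lets the AS validate a client's registration data without per-client state, and that a captured copy still validates, so the client must protect it like a secret. The key, client_id, redirect URI, timestamps and function names are assumptions constructed for illustration.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo key (assumption). A real AS would keep its key in a key store.
AS_KEY = b"constructed-demo-signing-key"


def b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _sign(signing_input):
    return hmac.new(AS_KEY, signing_input.encode("ascii"), hashlib.sha256).digest()


def issue_token(client_id, redirect_uri, now, ttl=3600):
    """Issue a JWS-compact-style HS256 token that carries the client's data itself."""
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"client_id": client_id, "redirect_uri": redirect_uri,
              "iat": now, "exp": now + ttl}
    signing_input = ".".join(
        b64url(json.dumps(part, separators=(",", ":")).encode("utf-8"))
        for part in (header, claims))
    return signing_input + "." + b64url(_sign(signing_input))


def validate_token(token, now):
    """Return the claims if signature and expiry hold, else None. No database lookup."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header_b64, claims_b64, sig_b64 = parts
    try:
        # Verify the signature over the raw input before parsing any of it.
        expected = _sign(header_b64 + "." + claims_b64)
        if not hmac.compare_digest(b64url_decode(sig_b64), expected):
            return None
        header = json.loads(b64url_decode(header_b64))
        claims = json.loads(b64url_decode(claims_b64))
    except ValueError:
        return None
    # Pin the algorithm instead of trusting whatever the token announces.
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return None
    if not isinstance(claims, dict) or not isinstance(claims.get("exp"), int):
        return None
    if now >= claims["exp"]:
        return None
    return claims


def tamper_redirect(token, new_uri):
    """Rewrite redirect_uri in the claims while keeping the old signature."""
    header_b64, claims_b64, sig_b64 = token.split(".")
    claims = json.loads(b64url_decode(claims_b64))
    claims["redirect_uri"] = new_uri
    forged = b64url(json.dumps(claims, separators=(",", ":")).encode("utf-8"))
    return ".".join((header_b64, forged, sig_b64))


def demo():
    now = 1376400000  # constructed timestamp
    token = issue_token("demo-client", "https://client.example.org/cb", now)
    return {
        # The AS recovers client_id and redirect_uri from the token alone.
        "legit": validate_token(token, now + 10),
        # A copy presented by anyone else is indistinguishable: bearer semantics.
        "replayed": validate_token(str(token), now + 20),
        # Changing the embedded registration data breaks the signature.
        "tampered": validate_token(
            tamper_redirect(token, "https://other.example.net/cb"), now + 10),
        # Expiry bounds how long a leaked copy stays useful.
        "expired": validate_token(token, now + 3600),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

The signature protects the integrity of the embedded registration data; it does nothing about who presents the token, which is why a short lifetime and transport protection still matter.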


From sberyozkin@gmail.com  Fri Aug 16 12:17:36 2013
Return-Path: <sberyozkin@gmail.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 469ED11E8182 for <oauth@ietfa.amsl.com>; Fri, 16 Aug 2013 12:17:36 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.166
X-Spam-Level: 
X-Spam-Status: No, score=-2.166 tagged_above=-999 required=5 tests=[AWL=0.433,  BAYES_00=-2.599]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id FMEVeZQl7FxY for <oauth@ietfa.amsl.com>; Fri, 16 Aug 2013 12:17:35 -0700 (PDT)
Received: from mail-ee0-x236.google.com (mail-ee0-x236.google.com [IPv6:2a00:1450:4013:c00::236]) by ietfa.amsl.com (Postfix) with ESMTP id A61CB11E8179 for <oauth@ietf.org>; Fri, 16 Aug 2013 12:17:34 -0700 (PDT)
Received: by mail-ee0-f54.google.com with SMTP id e53so1101352eek.27 for <oauth@ietf.org>; Fri, 16 Aug 2013 12:17:33 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=message-id:date:from:user-agent:mime-version:to:subject:references :in-reply-to:content-type:content-transfer-encoding; bh=D0FLQ/pDFNay4q62LZ50Svu0f+kHOnWOfK0LOha6ATw=; b=hVSgEiLprLJqY/aqEaDKOhGbsUxAbiIh+70h+5RN+YcOHjJgbcc0iP+jzYh0OezNBy G3AWOydatS7yxHjzNFH9juRasfgHV5iAGjiO20F21ydJLksmJVSyrQlEEC3H+LsdEy7k Mb2wsCNPEr9djZ1letNpAlrSacWtUc3lCvODeCbDJVoWMEHA6g5u6/MhdUXnIyu2QX/f QiPlPSVbnmGgiNfba18VZEVFLpuwc1OCXtLfLsPfxHylg1Z9yuL+BiUMeq9uJ6jhr9H9 XvhCxWrMsO7mkl6ctjqjzMFd//hhYaq8o+0xFQfrh9gV17YV46UfD0oPtux5hoTonI1y sRpw==
X-Received: by 10.15.34.65 with SMTP id d41mr4227655eev.45.1376680653780; Fri, 16 Aug 2013 12:17:33 -0700 (PDT)
Received: from [10.39.0.31] ([87.252.227.100]) by mx.google.com with ESMTPSA id a6sm4707848eei.10.1969.12.31.16.00.00 (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Fri, 16 Aug 2013 12:17:33 -0700 (PDT)
Message-ID: <520E7ACB.4070001@gmail.com>
Date: Fri, 16 Aug 2013 22:17:31 +0300
From: Sergey Beryozkin <sberyozkin@gmail.com>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:17.0) Gecko/20130623 Thunderbird/17.0.7
MIME-Version: 1.0
To: oauth@ietf.org
References: <8e1ea7617c20b54b3cecbc99364b399a@gluu.org> <4AACCC15-5DE8-4906-9756-0E33D37FC240@oracle.com> <520A35CA.50006@aol.com> <520A3BAD.1050703@mitre.org> <7a9ce33274304311a64057bb305be011@BY2PR03MB189.namprd03.prod.outlook.com> <60b4af16cbbc9c5e5b00fc1e63072c45@gluu.org> <a31200b47c9d477ca226f5e1fdb2dfbf@BY2PR03MB189.namprd03.prod.outlook.com> <520A4549.5040206@aol.com> <a64cf984cc42495f9d5d362dd2f9b980@BY2PR03MB189.namprd03.prod.outlook.com> <520A472C.6040101@mitre.org> <D01CFAFF-0FB5-406C-86F3-E7D0952D01FB@oracle.com> <520A6B0D.7070103@aol.com> <520B2472.4040104@gmx.net> <F4E352F7-AF40-4D4B-B3F1-F8FEC4F5BA4C@gmail.com> <C4319956-096D-4040-BAE1-2247E2C37D8A@oracle.com> <3F77EA9B-0F5D-44E6-AFEB-C873D6342713@ve7jtb.com> <6cedab5c-f3aa-4b85-9ae8-aea67278568a@email.android.com>
In-Reply-To: <6cedab5c-f3aa-4b85-9ae8-aea67278568a@email.android.com>
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 8bit
Subject: Re: [OAUTH-WG] OX needs Dynamic Registration: please don't remove!
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 16 Aug 2013 19:17:36 -0000

On 16/08/13 08:32, Torsten Lodderstedt wrote:
> +1
>
> Dyn reg should fit into the OAuth system as it is now, which uses client
> ids and secrets. A (probably) improved OAuth is a completely different
> topic. Let's handle it separately.
+1


Cheers, Sergey
>
>
>
> John Bradley <ve7jtb@ve7jtb.com> schrieb:
>
>     Yes a bearer token that is signed and or encrypted by the AS reduces the amount of state required for the AS to maintain.
>
>     In RFC 6749 there is information about the client that is tied to the client_id, and is required at the authorization endpoint. (eg redirect_uri)
>
>     I understand the goal of reducing state in the IdP.   Some of us have looked at storing information in a signed client_id that would work in the existing RFC 6749 flows.
>
>     It seems that some people are dissatisfied with RFC 6749 and would like to see changes like removing implicit flows.
>
>     The current Dynamic registration spec deals with the current state of OAuth.   If the WG decides to do an OAuth 3 that fully supports assertions and ditches secrets I would be OK with that.
>     However let's not cripple what we have as a standard now by creating dynamic registration that can only be fully implemented  in a future version of OAuth.
>
>     Some people want/need a client registration API now.  It is clearly a missing part of an entire OAuth system.
>     Supporting existing OAuth while minimizing state at the AS is something I support, waiting for an OAuth redesign is not in my opinion a reasonable medium term goal.
>
>     John B.
>
>
>     On 2013-08-14, at 11:47 PM, Phil Hunt <phil.hunt@oracle.com> wrote:
>
>         I am saying a bearer token is better than a password for the
>         service provider as Hannes explains.
>
>         Phil
>
>         On 2013-08-14, at 19:42, Nat Sakimura <sakimura@gmail.com> wrote:
>
>             Right. A Bearer Token does not have to be a shared secret.
>             It may have some structure that allows the server to
>             validate it statelessly, e.g. JWS-JWT.
>
>             =nat via iPhone
>
>             On Aug 14, 2013, at 15:32, Hannes Tschofenig
>             <hannes.tschofenig@gmx.net> wrote:
>
>                 George is correct with his statements. There is,
>                 however, a difference between a shared secret and an
>                 assertion as Phil pointed out. For the assertion the
>                 server does not need to maintain state on a per-client
>                 basis. On the other hand since the client secret isn't
>                 really used in the classical sense of a password either
>                 but rather as a "cookie" (if used in the style of
>                 Section 2.3.1 of RFC6749) one could easily apply the
>                 concept of stateless tokens to them:
>                 http://tools.ietf.org/html/draft-rescorla-stateless-tokens-01
>
>
>                 On 08/13/2013 07:21 PM, George Fletcher wrote:
>
>                     Hi Phil,
>
>                     I'm sorry for not following completely. Some
>                     questions inline...
>
>                     On 8/13/13 11:00 AM, Phil Hunt wrote:
>
>                         Dyn reg and the scim reg variant depend too
>                         much/biased towards
>                         passwords expressed as client secrets.
>
>                     I'm not sure what you mean in regards to "client
>                     secrets". There are
>                     OAuth2 bearer tokens that need to be protected
>                     because they are bearer
>                     tokens. That said, there is nothing in the spec that
>                     requires these to
>                     be opaque blobs vs signed tokens. So both the
>                     "Initial Access Token" and
>                     the "Registration Access Token" can be signed
>                     tokens. However, the
>                     client still has to protect them as if they were a
>                     "secret" because they
>                     are a bearer token and can be replayed. So it's the
>                     same amount of work
>                     on the client either way.
>
>
>                         A signed token approach has many advantages for
>                         service providers like
>                         not having to maintain a secure database of
>                         secrets/passwords.
>
>                     If the concern here is the amount of data the
>                     Authorization Server has
>                     to store to manage these clients, then the current
>                     spec doesn't preclude
>                     using a "signed token". Both OAuth2 bearer tokens
>                     identified in the
>                     current spec can be signed tokens.
>
>                         Finally issuing both a client secret and
>                         registration token is costly
>                         and confusing to client developers. I relented
>                         somewhat when I
>                         realized kerberos does this--but i still feel it
>                         is a bad design at
>                         cloud scale.
>
>                     Given that client_secrets are OPTIONAL in OAuth2 for
>                     some use cases, I'm
>                     not sure how you abstract the client developer from
>                     having to deal with
>                     them. The client developer is going to be dealing
>                     with multiple OAuth2
>                     tokens to multiple endpoints regardless so I don't
>                     see another token as
>                     costly or complex. At a minimum there is the
>                     refresh_token and
>                     access_token. Where is the added client developer
>                     complexity?
>
>                     Thanks,
>                     George
>
>
>                         Phil
>
>                         On 2013-08-13, at 7:48, Justin Richer
>                         <jricher@mitre.org
>                         <mailto:jricher@mitre.org>> wrote:
>
>                             The spec doesn't care where you deploy at --
>                             if URL space is at a
>                             premium for you, then switch based on input
>                             parameters and other
>                             things. And you're still not clear on which
>                             "secrets" you're taking
>                             issue with.
>
>                             -- Justin
>
>                             On 08/13/2013 10:46 AM, Anthony Nadalin wrote:
>
>                                 #1, it's yet another endpoint to have to
>                                 manage secrets at, yes this
>                                 is an OAuth item but it's growing out of
>                                 control, we are trying to
>                                 move away from secrets and management of
>                                 these endpoints as this
>                                 would be just another one we have to
>                                 support, monitor and report on
>
>                                 #2 yes, 1 physical endpoint acting as
>                                 multiple authorization servers
>
>                                 *From:*George Fletcher
>                                 [mailto:gffletch@aol.com]
>                                 *Sent:* Tuesday, August 13, 2013 7:40 AM
>                                 *To:* Anthony Nadalin
>                                 *Cc:* mike@gluu.org; Justin Richer;
>                                 oauth@ietf.org
>                                 *Subject:* Re: [OAUTH-WG] OX needs
>                                 Dynamic Registration: please
>                                 don't remove!
>
>                                 Hi Tony,
>
>                                 Could you please explain a little more?
>
>                                 For issue 1:
>                                 * Which "secret" are you referring to?
>                                 OAuth2 by default allows for
>                                 an optional client_secret. I'm not sure
>                                 why this would cause
>                                 management issues? Or are you referring
>                                 to the "Registration Access
>                                 Token"?
>                                 * Why is a separate endpoint an issue?
>                                 Any client is going to be
>                                 talking to more than just the /authorize
>                                 and /token endpoints anyway
>                                 so I'm confused regarding the extra
>                                 complexity?
>
>                                 For issue 2:
>                                 * What specifically do you mean by
>                                 "multi-tenant"? Is this one
>                                 server acting on behalf of multiple
>                                 tenants and so appearing as
>                                 multiple Authorization Servers?
>
>                                 Thanks,
>                                 George
>
>                                 [snip...]
>
>
>
>                         ------------------------------------------------------------------------
>
>                         OAuth mailing list
>                         OAuth@ietf.org
>                         https://www.ietf.org/mailman/listinfo/oauth
>
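
How a server can validate a bearer token without per-client state, as Nat and Hannes describe above, in an added example that is not code from the thread or from draft-rescorla-stateless-tokens: an HS256 JWS compact token whose MAC and expiry are checked with only the server key. The function names, claim choices and sample key are assumptions; the result is still a bearer credential that can be replayed until it expires, as George notes.

```python
import base64
import hashlib
import hmac
import json


class TokenRejected(Exception):
    """Raised when a presented token fails stateless validation."""


def _b64u(data):
    # base64url without padding, as used by JWS compact serialization
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64u_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _mac(key, signing_input):
    return hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()


def issue_token(key, client_id, now, ttl):
    """Issue header.claims.mac; the server keeps no record of the token."""
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"sub": client_id, "iat": now, "exp": now + ttl}
    signing_input = ".".join(
        _b64u(json.dumps(part, separators=(",", ":")).encode("utf-8"))
        for part in (header, claims)
    )
    return signing_input + "." + _b64u(_mac(key, signing_input))


def verify_token(key, token, now):
    """Return the claims if the MAC and expiry check out, else raise."""
    parts = token.split(".")
    if len(parts) != 3:
        raise TokenRejected("not a three-part compact token")
    signing_input = parts[0] + "." + parts[1]
    try:
        expected = _mac(key, signing_input)
        supplied = _b64u_decode(parts[2])
    except ValueError:
        raise TokenRejected("undecodable token")
    # Constant-time comparison; the algorithm is fixed by the server and
    # never taken from the attacker-controllable header.
    if not hmac.compare_digest(expected, supplied):
        raise TokenRejected("bad signature")
    # Only after the MAC verifies is the content parsed and trusted.
    header = json.loads(_b64u_decode(parts[0]))
    claims = json.loads(_b64u_decode(parts[1]))
    if header.get("alg") != "HS256":
        raise TokenRejected("unexpected alg")
    if now >= claims["exp"]:
        raise TokenRejected("expired")
    return claims


def check(key, token, now):
    """Return ("ok", client_id) or ("rejected", reason) for a presented token."""
    try:
        return "ok", verify_token(key, token, now)["sub"]
    except TokenRejected as exc:
        return "rejected", str(exc)


if __name__ == "__main__":
    server_key = b"k" * 32  # constructed sample key, not a real secret
    token = issue_token(server_key, "client-a", now=1000, ttl=60)
    print(check(server_key, token, now=1030))
    print(check(server_key, token, now=1060))
    print(check(b"x" * 32, token, now=1030))
```

Without server-side state there is also nothing to revoke, so the lifetime in `exp` is the only bound on a leaked token.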


From torsten@lodderstedt.net  Sat Aug 17 11:15:22 2013
Message-ID: <520FBDAC.9080404@lodderstedt.net>
Date: Sat, 17 Aug 2013 20:15:08 +0200
From: Torsten Lodderstedt <torsten@lodderstedt.net>
User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; rv:17.0) Gecko/20130801 Thunderbird/17.0.8
MIME-Version: 1.0
To: Brian Campbell <bcampbell@pingidentity.com>
References: <e1cdc1b2a4d1841d12938a900355121f@lodderstedt-online.de> <706472E2-DF7D-4963-8C07-552F3690D927@ve7jtb.com> <CA+k3eCR+0MCLC5F5ZtAt28vcn0mCfM9kHOHcc2nO4BQY3vt73A@mail.gmail.com>
In-Reply-To: <CA+k3eCR+0MCLC5F5ZtAt28vcn0mCfM9kHOHcc2nO4BQY3vt73A@mail.gmail.com>
Content-Type: multipart/alternative; boundary="------------090303000607020206090107"
X-Df-Sender: dG9yc3RlbkBsb2RkZXJzdGVkdC1vbmxpbmUuZGU=
Cc: "oauth@ietf.org WG" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Authz Header + client_id in message body

This is a multi-part message in MIME format.
--------------090303000607020206090107
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit

Hi all,

would it make sense to issue an errata and add a "public" to the 
sentence as follows?

"A _public_ client MAY use the "client_id" request parameter to identify 
itself
    when sending requests to the token endpoint."

regards,
Torsten.

On 01.08.2013 15:57, Brian Campbell wrote:
> I thought I remembered that text from RFC 6749, section 3.1 as saying 
> that a *public* client MAY use the "client_id" request parameter to 
> identify itself...
>
> Apparently that's not what it says. But I believe that was the intent
> - that a client with no means of authentication could identify itself
> by sending only the "client_id" request parameter to the token endpoint.
>
> Sec 2.3 (http://tools.ietf.org/html/rfc6749#section-2.3) says, "The
> client MUST NOT use more than one authentication method in each request."
>
> And 5.2 (http://tools.ietf.org/html/rfc6749#section-5.2) has
>
>          "invalid_request
>                The request is missing a required parameter, includes an
>                unsupported parameter value (other than grant type),
>                repeats a parameter, *includes multiple credentials,*
>                utilizes more than one mechanism for authenticating the
>                client, or is otherwise malformed."
>
> There is some room for ambiguity in all that but, based on the above, 
> I'd say that the way your server is behaving is correct Torsten.
>
>
>
> On Thu, Aug 1, 2013 at 2:13 PM, John Bradley <ve7jtb@ve7jtb.com 
> <mailto:ve7jtb@ve7jtb.com>> wrote:
>
>     Hmm allowing sending the client_id even if there is no
>     authentication was intended to mitigate cases where the client
>     presenting the code or refresh_token was not the one that
>     requested it, and for logging.
>
>     I don't think the intention was to allow the client_id to be sent
>     twice.
>
>     If it were my Token endpoint I would ignore the extra one and only
>     process the one sent as part of the authentication, if there is
>     no authentication then the value of the "client_id" parameter MUST
>     match the client_id that was used to request the token.
>
>     It is probably an open question if the request should be considered
>     malformed if it contains both.
>
>     Personally I would recommend that the client not do that.
>
>     Others may remember it differently.
>
>     John B.
>
>     On 2013-08-01, at 11:34 AM, Torsten Lodderstedt
>     <torsten@lodderstedt.net <mailto:torsten@lodderstedt.net>> wrote:
>
>     > Hi,
>     >
>     > while setting up our OIDC interop tests, we run into the
>     > following problem:
>     >
>     > The test client sends a request to the token endpoint, which
>     > contains the client credentials in an authorization header.
>     > Additionally, it adds the client_id to the message body. Our
>     > server treats this as an invalid request and responds with HTTP
>     > status code 400.
>     >
>     > Now my question: The last paragraph of RFC 6749, section 3.1
>     > (http://tools.ietf.org/html/rfc6749#section-3.2.1) states
>     >
>     > "A client MAY use the "client_id" request parameter to identify itself
>     >   when sending requests to the token endpoint."
>     >
>     > This seems to allow the client to send the client_id in addition
>     > to any other credential used to authenticate it.
>     >
>     > I'm not sure what the intention is/was. How is the server
>     > supposed to handle such cases? Shall it compare both ids (from the
>     > header and the body)? Must they match exactly?
>     >
>     > Any feedback is appreciated.
>     >
>     > regards,
>     > Torsten.
>     > _______________________________________________
>     > OAuth mailing list
>     > OAuth@ietf.org <mailto:OAuth@ietf.org>
>     > https://www.ietf.org/mailman/listinfo/oauth
>
>
>     _______________________________________________
>     OAuth mailing list
>     OAuth@ietf.org <mailto:OAuth@ietf.org>
>     https://www.ietf.org/mailman/listinfo/oauth
>
>



--------------090303000607020206090107--
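
The token endpoint behaviours discussed in this thread, side by side, as an added example that is not code from RFC 6749 or from any poster: `reject` is what Torsten's server does, `ignore` is John Bradley's suggestion, and `match` is the comparison Torsten asks about. The policy names, function names and sample credentials are assumptions constructed for illustration; checking the secret against a client store is out of scope.

```python
import base64
import binascii
from collections import Counter, namedtuple
from urllib.parse import parse_qsl, quote_plus, unquote_plus

# Hypothetical policy names for the three behaviours raised in the thread.
POLICIES = ("reject", "ignore", "match")
ClientIdentity = namedtuple("ClientIdentity", "client_id client_secret method")


class TokenRequestError(Exception):
    """Carries the RFC 6749 section 5.2 error code and the HTTP status."""

    def __init__(self, error, status, description):
        super().__init__(description)
        self.error, self.status = error, status


def basic_header(client_id, client_secret):
    """Build a Basic header; section 2.3.1 form-urlencodes both values first."""
    raw = quote_plus(client_id) + ":" + quote_plus(client_secret)
    return "Basic " + base64.b64encode(raw.encode("utf-8")).decode("ascii")


def _parse_basic(value):
    """Decode an Authorization header value into (client_id, client_secret)."""
    scheme, _, blob = value.strip().partition(" ")
    if scheme.lower() != "basic":
        raise TokenRequestError("invalid_client", 401, "unsupported scheme")
    try:
        decoded = base64.b64decode(blob.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        raise TokenRequestError("invalid_client", 401, "malformed credentials")
    user, sep, password = decoded.partition(":")
    if not sep or not user:
        raise TokenRequestError("invalid_client", 401, "malformed credentials")
    return unquote_plus(user), unquote_plus(password)


def identify_client(headers, body, policy="reject"):
    """Identify the client of a token request given as headers dict + form body."""
    if policy not in POLICIES:
        raise ValueError("unknown policy: " + policy)
    pairs = parse_qsl(body, keep_blank_values=True)
    repeated = [k for k, n in Counter(k for k, _ in pairs).items() if n > 1]
    if repeated:  # section 5.2: "repeats a parameter"
        raise TokenRequestError("invalid_request", 400, "repeated " + repeated[0])
    params = dict(pairs)
    body_id, body_secret = params.get("client_id"), params.get("client_secret")
    auth = next((v for k, v in headers.items() if k.lower() == "authorization"), None)

    if auth is not None:
        header_id, header_secret = _parse_basic(auth)
        if body_secret is not None:  # section 2.3: one authentication method only
            raise TokenRequestError("invalid_request", 400, "two auth methods")
        if body_id is not None:
            if policy == "reject":
                raise TokenRequestError("invalid_request", 400, "client_id sent twice")
            if policy == "match" and body_id != header_id:
                raise TokenRequestError("invalid_request", 400, "client_id mismatch")
            # policy "ignore": the body value is dropped, even if it differs
        return ClientIdentity(header_id, header_secret, "basic")
    if body_id is None:
        raise TokenRequestError("invalid_client", 401, "no client identification")
    if body_secret is not None:
        return ClientIdentity(body_id, body_secret, "post")
    # Public client: identified by client_id only, not authenticated.
    return ClientIdentity(body_id, None, "none")


def respond(headers, body, policy="reject"):
    """Return (http_status, error_or_method, client_id) for one request."""
    try:
        ident = identify_client(headers, body, policy)
    except TokenRequestError as exc:
        return exc.status, exc.error, None
    return 200, ident.method, ident.client_id


if __name__ == "__main__":
    # Constructed sample requests, not taken from the interop test in the thread.
    hdr = {"Authorization": basic_header("client-a", "s3cr3t")}
    both = "grant_type=authorization_code&code=abc&client_id=client-a"
    for name in POLICIES:
        print(name, respond(hdr, both, name))
    print("public", respond({}, "grant_type=refresh_token&refresh_token=x&client_id=client-a"))
```

Whatever policy is chosen, the caller still has to confirm that the returned `client_id` is the one the code or refresh token was issued to.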

From sberyozkin@gmail.com  Sun Aug 18 09:32:42 2013
Message-ID: <5210F714.80305@gmail.com>
Date: Sun, 18 Aug 2013 19:32:20 +0300
From: Sergey Beryozkin <sberyozkin@gmail.com>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:17.0) Gecko/20130623 Thunderbird/17.0.7
MIME-Version: 1.0
To: "<oauth@ietf.org>" <oauth@ietf.org>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Subject: [OAUTH-WG] Audience parameter in authorization flow

Hi Hannes, All,

Regarding [1], where would you expect an audience parameter to be provided
during the authorization flow?

It appears to me it should be provided during the initial redirect
(similarly to a parameter like redirect_uri).

Also, would it make sense to support pre-registered audience values,
for example, a client registers and specifies an audience during the
registration?

Thanks, Sergey

[1] http://tools.ietf.org/html/draft-tschofenig-oauth-audience-00

From hannes.tschofenig@gmx.net  Sun Aug 18 15:01:15 2013
From: Hannes Tschofenig <hannes.tschofenig@gmx.net>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: quoted-printable
Date: Mon, 19 Aug 2013 00:01:02 +0200
Message-Id: <DD8AFCA4-6F49-40F1-A65E-C1DDE45A9B32@gmx.net>
To: oauth mailing list <oauth@ietf.org>
Mime-Version: 1.0 (Apple Message framework v1085)
Subject: [OAUTH-WG] Dynamic Client Registration Conference Call: Thu 22 Aug, 2pm PDT

Based on your feedback via the poll let us start with August 22nd with
the first conference call. I will distribute the conference call details
on Tuesday.

Let us talk about the agenda. There were several items brought up in
discussions, namely

* Software assertions / software statements

We briefly discussed this topic at the IETF OAuth session but we may
need more time to understand the implications for the current dynamic
client registration document:
http://www.ietf.org/proceedings/87/slides/slides-87-oauth-2.pptx

* SCIM vs. current dynamic client registration approach for interacting
with the client configuration endpoint

In the past we said that it would be fine to have a profile defined in
SCIM to provide the dynamic client registration for those who implement
SCIM and want to manage clients also using SCIM. It might, however, be
useful to compare the two approaches in detail to see what the
differences are.

* Interactions with the client registration endpoint

Justin added some "life cycle" description to the document to motivate
some of the design decisions. Maybe we need to discuss those in more
detail and add further text.
Additional text could come from the NIST Blue Button / Green Button
usage.

* Aspects that allow servers to store less / no state

From the discussions on the list it was not clear whether this is
actually accomplishable with the current version of OAuth. We could
explore this new requirement and try to get a better understanding how
much this relates to dynamic client registration and to what extent it
requires changes to the core spec.


What would you like to start with? Other topics you would like to bring
up?

From phil.hunt@oracle.com  Sun Aug 18 17:16:11 2013
References: <DD8AFCA4-6F49-40F1-A65E-C1DDE45A9B32@gmx.net>
In-Reply-To: <DD8AFCA4-6F49-40F1-A65E-C1DDE45A9B32@gmx.net>
Mime-Version: 1.0 (1.0)
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset=us-ascii
Message-Id: <76E10B6F-F28D-456D-84EA-65FF25AEB744@oracle.com>
X-Mailer: iPhone Mail (10B329)
From: Phil Hunt <phil.hunt@oracle.com>
Date: Sun, 18 Aug 2013 17:15:58 -0700
To: Hannes Tschofenig <hannes.tschofenig@gmx.net>
X-Source-IP: acsinet21.oracle.com [141.146.126.237]
Cc: oauth mailing list <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Dynamic Client Registration Conference Call: Thu 22 Aug, 2pm PDT
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 19 Aug 2013 00:16:11 -0000

I think we should start by reviewing use cases taxonomy.

Then a discussion on any client_id assumptions and actual requirements for each client case. Why is registration needed for each case?

The statement can solve some complication but should be put in context of use cases.

Phil

On 2013-08-18, at 15:01, Hannes Tschofenig <hannes.tschofenig@gmx.net> wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA512
>
> - -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA512
>
> Based on your feedback via the poll let us start with August 22nd with the first conference call. I will distribute the conference call details on Tuesday.
>
> Let us talk about the agenda. There were several items brought up in discussions, namely
>
> * Software assertions / software statements
>
> We briefly discussed this topic at the IETF OAuth session but we may need more time to understand the implications for the current dynamic client registration document:
> http://www.ietf.org/proceedings/87/slides/slides-87-oauth-2.pptx
>
> * SCIM vs. current dynamic client registration approach for interacting with the client configuration endpoint
>
> In the past we said that it would be fine to have a profile defined in SCIM to provide the dynamic client registration for those who implement SCIM and want to manage clients also using SCIM. It might, however, be useful to compare the two approaches in detail to see what the differences are.
>
> * Interactions with the client registration endpoint
>
> Justin added some "life cycle" description to the document to motivate some of the design decisions. Maybe we need to discuss those in more detail and add further text.
> Additional text could come from the NIST Blue Button / Green Button usage.
>
> * Aspects that allow servers to store less / no state
>
> - - From the discussions on the list it was not clear whether this is actually accomplishable with the current version of OAuth. We could explore this new requirement and try to get a better understanding how much this relates to dynamic client registration and to what extent it requires changes to the core spec.
>
>
> What would you like to start with? Other topics you would like to bring up?
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth

From jricher@mitre.org  Mon Aug 19 07:13:01 2013
Return-Path: <jricher@mitre.org>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 74CA011E8271 for <oauth@ietfa.amsl.com>; Mon, 19 Aug 2013 07:13:01 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.486
X-Spam-Level: 
X-Spam-Status: No, score=-6.486 tagged_above=-999 required=5 tests=[AWL=0.113,  BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id tbVyfA6WCZvY for <oauth@ietfa.amsl.com>; Mon, 19 Aug 2013 07:12:56 -0700 (PDT)
Received: from smtpksrv1.mitre.org (smtpksrv1.mitre.org [198.49.146.77]) by ietfa.amsl.com (Postfix) with ESMTP id 5A2C911E8259 for <oauth@ietf.org>; Mon, 19 Aug 2013 07:12:56 -0700 (PDT)
Received: from smtpksrv1.mitre.org (localhost.localdomain [127.0.0.1]) by localhost (Postfix) with SMTP id 93BA61F0CA9; Mon, 19 Aug 2013 10:12:47 -0400 (EDT)
Received: from IMCCAS02.MITRE.ORG (imccas02.mitre.org [129.83.29.79]) by smtpksrv1.mitre.org (Postfix) with ESMTP id 5B4AC1F0CBF; Mon, 19 Aug 2013 10:12:47 -0400 (EDT)
Received: from [10.146.15.13] (129.83.31.56) by IMCCAS02.MITRE.ORG (129.83.29.79) with Microsoft SMTP Server (TLS) id 14.2.342.3; Mon, 19 Aug 2013 10:12:47 -0400
Message-ID: <52122704.4030308@mitre.org>
Date: Mon, 19 Aug 2013 10:09:08 -0400
From: Justin Richer <jricher@mitre.org>
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:17.0) Gecko/20130623 Thunderbird/17.0.7
MIME-Version: 1.0
To: Sergey Beryozkin <sberyozkin@gmail.com>
References: <5210F714.80305@gmail.com>
In-Reply-To: <5210F714.80305@gmail.com>
Content-Type: text/plain; charset="ISO-8859-1"; format=flowed
Content-Transfer-Encoding: 7bit
X-Originating-IP: [129.83.31.56]
Cc: "<oauth@ietf.org>" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Audience parameter in authorization flow
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 19 Aug 2013 14:13:01 -0000

Both of those make sense to me, and it mimics what "scope" does today. 
Namely, clients can usually register for a list of scopes that they want 
access to, then at authorization time they ask for a particular set to 
be approved by the user.

  -- Justin

On 08/18/2013 12:32 PM, Sergey Beryozkin wrote:
> Hi Hannes, All,
>
> Regarding [1], where would you expect an audience parameter be 
> provided during the authorization flow ?
>
> It appears to me it should be provided during the initial redirect 
> (similarly to a parameter like redirect_uri).
>
> Also, would it make sense to support pre-registered audience values, 
> example, a client registers and specifies an audience during the 
> registration ?
>
> Thanks, Sergey
>
> [1] http://tools.ietf.org/html/draft-tschofenig-oauth-audience-00


From jricher@mitre.org  Mon Aug 19 07:30:38 2013
Return-Path: <jricher@mitre.org>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0FEA611E8290 for <oauth@ietfa.amsl.com>; Mon, 19 Aug 2013 07:30:38 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.499
X-Spam-Level: 
X-Spam-Status: No, score=-6.499 tagged_above=-999 required=5 tests=[AWL=0.100,  BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id rH3mffDVGym9 for <oauth@ietfa.amsl.com>; Mon, 19 Aug 2013 07:30:32 -0700 (PDT)
Received: from smtpksrv1.mitre.org (smtpksrv1.mitre.org [198.49.146.77]) by ietfa.amsl.com (Postfix) with ESMTP id 616D011E828F for <oauth@ietf.org>; Mon, 19 Aug 2013 07:30:31 -0700 (PDT)
Received: from smtpksrv1.mitre.org (localhost.localdomain [127.0.0.1]) by localhost (Postfix) with SMTP id 09A1F1F02A9; Mon, 19 Aug 2013 10:30:31 -0400 (EDT)
Received: from IMCCAS01.MITRE.ORG (imccas01.mitre.org [129.83.29.78]) by smtpksrv1.mitre.org (Postfix) with ESMTP id EA07E1F05B4; Mon, 19 Aug 2013 10:30:30 -0400 (EDT)
Received: from [10.146.15.13] (129.83.31.56) by IMCCAS01.MITRE.ORG (129.83.29.78) with Microsoft SMTP Server (TLS) id 14.2.342.3; Mon, 19 Aug 2013 10:30:30 -0400
Message-ID: <52122B2B.2060108@mitre.org>
Date: Mon, 19 Aug 2013 10:26:51 -0400
From: Justin Richer <jricher@mitre.org>
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:17.0) Gecko/20130623 Thunderbird/17.0.7
MIME-Version: 1.0
To: Phil Hunt <phil.hunt@oracle.com>
References: <DD8AFCA4-6F49-40F1-A65E-C1DDE45A9B32@gmx.net> <76E10B6F-F28D-456D-84EA-65FF25AEB744@oracle.com>
In-Reply-To: <76E10B6F-F28D-456D-84EA-65FF25AEB744@oracle.com>
Content-Type: text/plain; charset="ISO-8859-1"; format=flowed
Content-Transfer-Encoding: 7bit
X-Originating-IP: [129.83.31.56]
Cc: oauth mailing list <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Dynamic Client Registration Conference Call: Thu 22 Aug, 2pm PDT
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 19 Aug 2013 14:30:38 -0000

I agree that dynamic registration isn't needed to solve *all* of the 
different use cases. It solves its set of specific problems (and does so 
well, if you ask me), but there are and will always be things that it 
won't work for, and that's fine. That's why I've suggested under a 
separate thread that the other drafts go forward separately and that 
DynReg not be hung up on them. We're fundamentally solving different use 
cases, and there is no magic solution that will solve all the problems 
at once.

  -- Justin

On 08/18/2013 08:15 PM, Phil Hunt wrote:
> I think we should start by reviewing use cases taxonomy.
>
> Then a discussion on any client_id assumptions and actual requirements for each client case. Why is registration needed for each case?
>
> The statement can solve some complication but should be put in context of use cases.
>
> Phil
>
> On 2013-08-18, at 15:01, Hannes Tschofenig <hannes.tschofenig@gmx.net> wrote:
>
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA512
>>
>> - -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA512
>>
>> Based on your feedback via the poll let us start with August 22nd with the first conference call. I will distribute the conference call details on Tuesday.
>>
>> Let us talk about the agenda. There were several items brought up in discussions, namely
>>
>> * Software assertions / software statements
>>
>> We briefly discussed this topic at the IETF OAuth session but we may need more time to understand the implications for the current dynamic client registration document:
>> http://www.ietf.org/proceedings/87/slides/slides-87-oauth-2.pptx
>>
>> * SCIM vs. current dynamic client registration approach for interacting with the client configuration endpoint
>>
>> In the past we said that it would be fine to have a profile defined in SCIM to provide the dynamic client registration for those who implement SCIM and want to manage clients also using SCIM. It might, however, be useful to compare the two approaches in detail to see what the differences are.
>>
>> * Interactions with the client registration endpoint
>>
>> Justin added some "life cycle" description to the document to motivate some of the design decisions. Maybe we need to discuss those in more detail and add further text.
>> Additional text could come from the NIST Blue Button / Green Button usage.
>>
>> * Aspects that allow servers to store less / no state
>>
>> - - From the discussions on the list it was not clear whether this is actually accomplishable with the current version of OAuth. We could explore this new requirement and try to get a better understanding how much this relates to dynamic client registration and to what extent it requires changes to the core spec.
>>
>>
>> What would you like to start with? Other topics you would like to bring up?


From tonynad@microsoft.com  Mon Aug 19 08:16:01 2013
Return-Path: <tonynad@microsoft.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 69A2121F9A64 for <oauth@ietfa.amsl.com>; Mon, 19 Aug 2013 08:16:01 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.313
X-Spam-Level: 
X-Spam-Status: No, score=-3.313 tagged_above=-999 required=5 tests=[AWL=0.286,  BAYES_00=-2.599, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id mm8efI4iF0wj for <oauth@ietfa.amsl.com>; Mon, 19 Aug 2013 08:15:57 -0700 (PDT)
Received: from na01-bl2-obe.outbound.protection.outlook.com (mail-bl2lp0203.outbound.protection.outlook.com [207.46.163.203]) by ietfa.amsl.com (Postfix) with ESMTP id 280CC21F9A26 for <oauth@ietf.org>; Mon, 19 Aug 2013 08:15:56 -0700 (PDT)
Received: from BY2PR03MB189.namprd03.prod.outlook.com (10.242.36.140) by BY2PR03MB189.namprd03.prod.outlook.com (10.242.36.140) with Microsoft SMTP Server (TLS) id 15.0.745.25; Mon, 19 Aug 2013 15:15:53 +0000
Received: from BY2PR03MB189.namprd03.prod.outlook.com ([169.254.6.82]) by BY2PR03MB189.namprd03.prod.outlook.com ([169.254.6.157]) with mapi id 15.00.0745.000; Mon, 19 Aug 2013 15:15:53 +0000
From: Anthony Nadalin <tonynad@microsoft.com>
To: Justin Richer <jricher@mitre.org>, Phil Hunt <phil.hunt@oracle.com>
Thread-Topic: [OAUTH-WG] Dynamic Client Registration Conference Call: Thu 22 Aug, 2pm PDT
Thread-Index: AQHOnOkD8fHDmWiV9U66pCWcsN+0CJmcowiA
Date: Mon, 19 Aug 2013 15:15:53 +0000
Message-ID: <3a1743927cfe423aa8abed58f6e4460a@BY2PR03MB189.namprd03.prod.outlook.com>
References: <DD8AFCA4-6F49-40F1-A65E-C1DDE45A9B32@gmx.net> <76E10B6F-F28D-456D-84EA-65FF25AEB744@oracle.com> <52122B2B.2060108@mitre.org>
In-Reply-To: <52122B2B.2060108@mitre.org>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
x-originating-ip: [2001:4898:80e0:ed43::3]
x-forefront-prvs: 09435FCA72
x-forefront-antispam-report: SFV:NSPM; SFS:(13464003)(189002)(199002)(51704005)(377454003)(479174003)(30513003)(24454002)(377424004)(54524002)(46102001)(47736001)(50986001)(63696002)(77982001)(51856001)(59766001)(74366001)(33646001)(76786001)(83322001)(76576001)(76796001)(19580395003)(47976001)(19580385001)(49866001)(15202345003)(79102001)(83072001)(19580405001)(80022001)(4396001)(81542001)(561944002)(56816003)(74316001)(69226001)(74876001)(53806001)(54356001)(54316002)(74706001)(65816001)(77096001)(31966008)(74662001)(81686001)(47446002)(81342001)(74502001)(56776001)(76482001)(81816001)(80976001)(16601075003)(42262001)(24736002)(3826001); DIR:OUT; SFP:; SCL:1; SRVR:BY2PR03MB189; H:BY2PR03MB189.namprd03.prod.outlook.com; CLIP:2001:4898:80e0:ed43::3; RD:InfoNoRecords; MX:1; A:1; LANG:en; 
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-OriginatorOrg: DuplicateDomain-a84fc36a-4ed7-4e57-ab1c-3e967bcbad48.microsoft.com
X-MS-Exchange-CrossPremises-AuthAs: Internal
X-MS-Exchange-CrossPremises-AuthMechanism: 03
X-MS-Exchange-CrossPremises-AuthSource: BY2PR03MB189.namprd03.prod.outlook.com
X-MS-Exchange-CrossPremises-SCL: 1
X-MS-Exchange-CrossPremises-messagesource: StoreDriver
X-MS-Exchange-CrossPremises-BCC: 
X-MS-Exchange-CrossPremises-originalclientipaddress: 2001:4898:80e0:ed43::3
X-MS-Exchange-CrossPremises-avstamp-service: 1.0
X-MS-Exchange-CrossPremises-antispam-scancontext: DIR:Originating; SFV:NSPM; SKIP:0; 
X-MS-Exchange-CrossPremises-processed-by-journaling: Journal Agent
X-MS-Exchange-CrossPremises-ContentConversionOptions: False; 00160000; True; ; iso-8859-1
X-OrganizationHeadersPreserved: BY2PR03MB189.namprd03.prod.outlook.com
Cc: oauth mailing list <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Dynamic Client Registration Conference Call: Thu 22 Aug, 2pm PDT
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 19 Aug 2013 15:16:01 -0000

There are proposals out there that are trying to solve the same problem, but in different ways, so I would not say that they are trying to solve different use cases. I do think that we need to make sure that whatever proposal we select it needs to have a wide range of use cases it solves, not just a single use case as the more solutions this group produces the more confused folks will be

-----Original Message-----
From: oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] On Behalf Of Justin Richer
Sent: Monday, August 19, 2013 7:27 AM
To: Phil Hunt
Cc: oauth mailing list
Subject: Re: [OAUTH-WG] Dynamic Client Registration Conference Call: Thu 22 Aug, 2pm PDT

I agree that dynamic registration isn't needed to solve *all* of the different use cases. It solves its set of specific problems (and does so well, if you ask me), but there are and will always be things that it won't work for, and that's fine. That's why I've suggested under a separate thread that the other drafts go forward separately and that DynReg not be hung up on them. We're fundamentally solving different use cases, and there is no magic solution that will solve all the problems at once.

  -- Justin

On 08/18/2013 08:15 PM, Phil Hunt wrote:
> I think we should start by reviewing use cases taxonomy.
>
> Then a discussion on any client_id assumptions and actual requirements for each client case. Why is registration needed for each case?
>
> The statement can solve some complication but should be put in context of use cases.
>
> Phil
>
> On 2013-08-18, at 15:01, Hannes Tschofenig <hannes.tschofenig@gmx.net> wrote:
>
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA512
>>
>> - -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA512
>>
>> Based on your feedback via the poll let us start with August 22nd with the first conference call. I will distribute the conference call details on Tuesday.
>>
>> Let us talk about the agenda. There were several items brought up in
>> discussions, namely
>>
>> * Software assertions / software statements
>>
>> We briefly discussed this topic at the IETF OAuth session but we may need more time to understand the implications for the current dynamic client registration document:
>> http://www.ietf.org/proceedings/87/slides/slides-87-oauth-2.pptx
>>
>> * SCIM vs. current dynamic client registration approach for
>> interacting with the client configuration endpoint
>>
>> In the past we said that it would be fine to have a profile defined in SCIM to provide the dynamic client registration for those who implement SCIM and want to manage clients also using SCIM. It might, however, be useful to compare the two approaches in detail to see what the differences are.
>>
>> * Interactions with the client registration endpoint
>>
>> Justin added some "life cycle" description to the document to motivate some of the design decisions. Maybe we need to discuss those in more detail and add further text.
>> Additional text could come from the NIST Blue Button / Green Button usage.
>>
>> * Aspects that allow servers to store less / no state
>>
>> - - From the discussions on the list it was not clear whether this is actually accomplishable with the current version of OAuth. We could explore this new requirement and try to get a better understanding how much this relates to dynamic client registration and to what extent it requires changes to the core spec.
>>
>>
>> What would you like to start with? Other topics you would like to bring up?


From jricher@mitre.org  Mon Aug 19 08:22:14 2013
Return-Path: <jricher@mitre.org>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6A3F511E8122 for <oauth@ietfa.amsl.com>; Mon, 19 Aug 2013 08:22:14 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.509
X-Spam-Level: 
X-Spam-Status: No, score=-6.509 tagged_above=-999 required=5 tests=[AWL=0.090,  BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id H2KBdYxNW6Vn for <oauth@ietfa.amsl.com>; Mon, 19 Aug 2013 08:22:09 -0700 (PDT)
Received: from smtpksrv1.mitre.org (smtpksrv1.mitre.org [198.49.146.77]) by ietfa.amsl.com (Postfix) with ESMTP id 76F4311E8271 for <oauth@ietf.org>; Mon, 19 Aug 2013 08:22:09 -0700 (PDT)
Received: from smtpksrv1.mitre.org (localhost.localdomain [127.0.0.1]) by localhost (Postfix) with SMTP id 110661F029C; Mon, 19 Aug 2013 11:22:09 -0400 (EDT)
Received: from IMCCAS01.MITRE.ORG (imccas01.mitre.org [129.83.29.78]) by smtpksrv1.mitre.org (Postfix) with ESMTP id D19A41F04E2; Mon, 19 Aug 2013 11:22:08 -0400 (EDT)
Received: from [10.146.15.13] (129.83.31.56) by IMCCAS01.MITRE.ORG (129.83.29.78) with Microsoft SMTP Server (TLS) id 14.2.342.3; Mon, 19 Aug 2013 11:22:08 -0400
Message-ID: <52123743.9020203@mitre.org>
Date: Mon, 19 Aug 2013 11:18:27 -0400
From: Justin Richer <jricher@mitre.org>
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:17.0) Gecko/20130623 Thunderbird/17.0.7
MIME-Version: 1.0
To: Anthony Nadalin <tonynad@microsoft.com>
References: <DD8AFCA4-6F49-40F1-A65E-C1DDE45A9B32@gmx.net> <76E10B6F-F28D-456D-84EA-65FF25AEB744@oracle.com> <52122B2B.2060108@mitre.org> <3a1743927cfe423aa8abed58f6e4460a@BY2PR03MB189.namprd03.prod.outlook.com>
In-Reply-To: <3a1743927cfe423aa8abed58f6e4460a@BY2PR03MB189.namprd03.prod.outlook.com>
Content-Type: text/plain; charset="ISO-8859-1"; format=flowed
Content-Transfer-Encoding: 7bit
X-Originating-IP: [129.83.31.56]
Cc: oauth mailing list <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Dynamic Client Registration Conference Call: Thu 22 Aug, 2pm PDT
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 19 Aug 2013 15:22:14 -0000

Tony, I completely disagree. The proposals that I've seen have different 
means and different end states, and they make different assumptions 
about the relationship between entities and the capabilities of all 
players.

  -- Justin

On 08/19/2013 11:15 AM, Anthony Nadalin wrote:
> There are proposals out there that are trying to solve the same problem, but in different ways, so I would not say that they are trying to solve different use cases. I do think that we need to make sure that whatever proposal we select it needs to have a wide range of use cases it solves, not just a single use case as the more solutions this group produces the more confused folks will be
>
> -----Original Message-----
> From: oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] On Behalf Of Justin Richer
> Sent: Monday, August 19, 2013 7:27 AM
> To: Phil Hunt
> Cc: oauth mailing list
> Subject: Re: [OAUTH-WG] Dynamic Client Registration Conference Call: Thu 22 Aug, 2pm PDT
>
> I agree that dynamic registration isn't needed to solve *all* of the different use cases. It solves its set of specific problems (and does so well, if you ask me), but there are and will always be things that it won't work for, and that's fine. That's why I've suggested under a separate thread that the other drafts go forward separately and that DynReg not be hung up on them. We're fundamentally solving different use cases, and there is no magic solution that will solve all the problems at once.
>
>    -- Justin
>
> On 08/18/2013 08:15 PM, Phil Hunt wrote:
>> I think we should start by reviewing use cases taxonomy.
>>
>> Then a discussion on any client_id assumptions and actual requirements for each client case. Why is registration needed for each case?
>>
>> The statement can solve some complication but should be put in context of use cases.
>>
>> Phil
>>
>> On 2013-08-18, at 15:01, Hannes Tschofenig <hannes.tschofenig@gmx.net> wrote:
>>
>>> -----BEGIN PGP SIGNED MESSAGE-----
>>> Hash: SHA512
>>>
>>> - -----BEGIN PGP SIGNED MESSAGE-----
>>> Hash: SHA512
>>>
>>> Based on your feedback via the poll let us start with August 22nd with the first conference call. I will distribute the conference call details on Tuesday.
>>>
>>> Let us talk about the agenda. There were several items brought up in
>>> discussions, namely
>>>
>>> * Software assertions / software statements
>>>
>>> We briefly discussed this topic at the IETF OAuth session but we may need more time to understand the implications for the current dynamic client registration document:
>>> http://www.ietf.org/proceedings/87/slides/slides-87-oauth-2.pptx
>>>
>>> * SCIM vs. current dynamic client registration approach for
>>> interacting with the client configuration endpoint
>>>
>>> In the past we said that it would be fine to have a profile defined in SCIM to provide the dynamic client registration for those who implement SCIM and want to manage clients also using SCIM. It might, however, be useful to compare the two approaches in detail to see what the differences are.
>>>
>>> * Interactions with the client registration endpoint
>>>
>>> Justin added some "life cycle" description to the document to motivate some of the design decisions. Maybe we need to discuss those in more detail and add further text.
>>> Additional text could come from the NIST Blue Button / Green Button usage.
>>>
>>> * Aspects that allow servers to store less / no state
>>>
>>> - - From the discussions on the list it was not clear whether this is actually accomplishable with the current version of OAuth. We could explore this new requirement and try to get a better understanding how much this relates to dynamic client registration and to what extent it requires changes to the core spec.
>>>
>>>
>>> What would you like to start with? Other topics you would like to bring up?
>>> _______________________________________________
>>> OAuth mailing list
>>> OAuth@ietf.org
>>> https://www.ietf.org/mailman/listinfo/oauth


From tonynad@microsoft.com  Mon Aug 19 08:28:15 2013
Return-Path: <tonynad@microsoft.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C9EA711E829A for <oauth@ietfa.amsl.com>; Mon, 19 Aug 2013 08:28:15 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.348
X-Spam-Level: 
X-Spam-Status: No, score=-3.348 tagged_above=-999 required=5 tests=[AWL=0.251,  BAYES_00=-2.599, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id DMamHd5LqPRN for <oauth@ietfa.amsl.com>; Mon, 19 Aug 2013 08:28:11 -0700 (PDT)
Received: from na01-bl2-obe.outbound.protection.outlook.com (mail-bl2lp0204.outbound.protection.outlook.com [207.46.163.204]) by ietfa.amsl.com (Postfix) with ESMTP id 1765A11E8297 for <oauth@ietf.org>; Mon, 19 Aug 2013 08:28:10 -0700 (PDT)
Received: from BY2PR03MB189.namprd03.prod.outlook.com (10.242.36.140) by BY2PR03MB189.namprd03.prod.outlook.com (10.242.36.140) with Microsoft SMTP Server (TLS) id 15.0.745.25; Mon, 19 Aug 2013 15:28:02 +0000
Received: from BY2PR03MB189.namprd03.prod.outlook.com ([169.254.6.82]) by BY2PR03MB189.namprd03.prod.outlook.com ([169.254.6.157]) with mapi id 15.00.0745.000; Mon, 19 Aug 2013 15:28:02 +0000
From: Anthony Nadalin <tonynad@microsoft.com>
To: Justin Richer <jricher@mitre.org>
Thread-Topic: [OAUTH-WG] Dynamic Client Registration Conference Call: Thu 22 Aug, 2pm PDT
Thread-Index: AQHOnOkD8fHDmWiV9U66pCWcsN+0CJmcowiAgAAB24CAAAHYoA==
Date: Mon, 19 Aug 2013 15:28:00 +0000
Message-ID: <1554b8ca5a3a4aed8ac2cf466fafa54e@BY2PR03MB189.namprd03.prod.outlook.com>
References: <DD8AFCA4-6F49-40F1-A65E-C1DDE45A9B32@gmx.net> <76E10B6F-F28D-456D-84EA-65FF25AEB744@oracle.com> <52122B2B.2060108@mitre.org> <3a1743927cfe423aa8abed58f6e4460a@BY2PR03MB189.namprd03.prod.outlook.com> <52123743.9020203@mitre.org>
In-Reply-To: <52123743.9020203@mitre.org>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
x-originating-ip: [2001:4898:80e0:ed43::3]
x-forefront-prvs: 09435FCA72
x-forefront-antispam-report: SFV:NSPM; SFS:(54524002)(13464003)(377454003)(30513003)(479174003)(377424004)(24454002)(199002)(189002)(51704005)(53806001)(54356001)(74876001)(54316002)(74706001)(561944002)(4396001)(81542001)(69226001)(74316001)(56816003)(47446002)(81686001)(31966008)(74662001)(81342001)(80976001)(76482001)(81816001)(16601075003)(74502001)(56776001)(65816001)(77096001)(77982001)(59766001)(74366001)(51856001)(50986001)(63696002)(46102001)(47736001)(15202345003)(19580385001)(47976001)(49866001)(80022001)(83072001)(19580405001)(79102001)(76786001)(33646001)(76796001)(19580395003)(83322001)(76576001)(42262001)(3826001)(24736002); DIR:OUT; SFP:; SCL:1; SRVR:BY2PR03MB189; H:BY2PR03MB189.namprd03.prod.outlook.com; CLIP:2001:4898:80e0:ed43::3; RD:InfoNoRecords; A:1; MX:1; LANG:en; 
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-OriginatorOrg: DuplicateDomain-a84fc36a-4ed7-4e57-ab1c-3e967bcbad48.microsoft.com
X-MS-Exchange-CrossPremises-AuthAs: Internal
X-MS-Exchange-CrossPremises-AuthMechanism: 03
X-MS-Exchange-CrossPremises-AuthSource: BY2PR03MB189.namprd03.prod.outlook.com
X-MS-Exchange-CrossPremises-SCL: 1
X-MS-Exchange-CrossPremises-messagesource: StoreDriver
X-MS-Exchange-CrossPremises-BCC: 
X-MS-Exchange-CrossPremises-originalclientipaddress: 2001:4898:80e0:ed43::3
X-MS-Exchange-CrossPremises-avstamp-service: 1.0
X-MS-Exchange-CrossPremises-antispam-scancontext: DIR:Originating; SFV:NSPM; SKIP:0; 
X-MS-Exchange-CrossPremises-processed-by-journaling: Journal Agent
X-MS-Exchange-CrossPremises-ContentConversionOptions: False; 00160000; True; ; iso-8859-1
X-OrganizationHeadersPreserved: BY2PR03MB189.namprd03.prod.outlook.com
Cc: oauth mailing list <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Dynamic Client Registration Conference Call: Thu 22 Aug, 2pm PDT
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 19 Aug 2013 15:28:15 -0000

What you say does not mean that they are trying to solve different use cases, they have gone about solving the different use cases in different ways and have different relationships with different actors, etc. within the use cases.

-----Original Message-----
From: Justin Richer [mailto:jricher@mitre.org]
Sent: Monday, August 19, 2013 8:18 AM
To: Anthony Nadalin
Cc: Phil Hunt; oauth mailing list
Subject: Re: [OAUTH-WG] Dynamic Client Registration Conference Call: Thu 22 Aug, 2pm PDT

Tony, I completely disagree. The proposals that I've seen have different means and different end states, and they make different assumptions about the relationship between entities and the capabilities of all players.

  -- Justin

On 08/19/2013 11:15 AM, Anthony Nadalin wrote:
> There are proposals out there that are trying to solve the same
> problem, but in different ways, so I would not say that they are
> trying to solve different use cases. I do think that we need to make
> sure that whatever proposal we select it needs to have a wide range of
> use cases it solves, not just a single use case as the more solutions
> this group produces the more confused folks will be
>
> -----Original Message-----
> From: oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] On Behalf
> Of Justin Richer
> Sent: Monday, August 19, 2013 7:27 AM
> To: Phil Hunt
> Cc: oauth mailing list
> Subject: Re: [OAUTH-WG] Dynamic Client Registration Conference Call:
> Thu 22 Aug, 2pm PDT
>
> I agree that dynamic registration isn't needed to solve *all* of the different use cases. It solves its set of specific problems (and does so well, if you ask me), but there are and will always be things that it won't work for, and that's fine. That's why I've suggested under a separate thread that the other drafts go forward separately and that DynReg not be hung up on them. We're fundamentally solving different use cases, and there is no magic solution that will solve all the problems at once.
>
>    -- Justin
>
> On 08/18/2013 08:15 PM, Phil Hunt wrote:
>> I think we should start by reviewing use cases taxonomy.
>>
>> Then a discussion on any client_id assumptions and actual requirements for each client case. Why is registration needed for each case?
>>
>> The statement can solve some complication but should be put in context of use cases.
>>
>> Phil
>>
>> On 2013-08-18, at 15:01, Hannes Tschofenig <hannes.tschofenig@gmx.net> wrote:
>>
>>> -----BEGIN PGP SIGNED MESSAGE-----
>>> Hash: SHA512
>>>
>>> - -----BEGIN PGP SIGNED MESSAGE-----
>>> Hash: SHA512
>>>
>>> Based on your feedback via the poll let us start with August 22nd with the first conference call. I will distribute the conference call details on Tuesday.
>>>
>>> Let us talk about the agenda. There were several items brought up in
>>> discussions, namely
>>>
>>> * Software assertions / software statements
>>>
>>> We briefly discussed this topic at the IETF OAuth session but we may need more time to understand the implications for the current dynamic client registration document:
>>> http://www.ietf.org/proceedings/87/slides/slides-87-oauth-2.pptx
>>>
>>> * SCIM vs. current dynamic client registration approach for
>>> interacting with the client configuration endpoint
>>>
>>> In the past we said that it would be fine to have a profile defined in SCIM to provide the dynamic client registration for those who implement SCIM and want to manage clients also using SCIM. It might, however, be useful to compare the two approaches in detail to see what the differences are.
>>>
>>> * Interactions with the client registration endpoint
>>>
>>> Justin added some "life cycle" description to the document to motivate some of the design decisions. Maybe we need to discuss those in more detail and add further text.
>>> Additional text could come from the NIST Blue Button / Green Button usage.
>>>
>>> * Aspects that allow servers to store less / no state
>>>
>>> From the discussions on the list it was not clear whether this is actually accomplishable with the current version of OAuth. We could explore this new requirement and try to get a better understanding how much this relates to dynamic client registration and to what extent it requires changes to the core spec.
>>>
>>>
>>> What would you like to start with? Other topics you would like to bring up?



From phil.hunt@oracle.com  Mon Aug 19 08:34:01 2013
Return-Path: <phil.hunt@oracle.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4A6A911E8121 for <oauth@ietfa.amsl.com>; Mon, 19 Aug 2013 08:34:01 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.203
X-Spam-Level: 
X-Spam-Status: No, score=-5.203 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, MIME_QP_LONG_LINE=1.396, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 8tR1VdhYif+M for <oauth@ietfa.amsl.com>; Mon, 19 Aug 2013 08:33:56 -0700 (PDT)
Received: from userp1040.oracle.com (userp1040.oracle.com [156.151.31.81]) by ietfa.amsl.com (Postfix) with ESMTP id C0BFF11E8102 for <oauth@ietf.org>; Mon, 19 Aug 2013 08:33:55 -0700 (PDT)
Received: from ucsinet21.oracle.com (ucsinet21.oracle.com [156.151.31.93]) by userp1040.oracle.com (Sentrion-MTA-4.3.1/Sentrion-MTA-4.3.1) with ESMTP id r7JFXkwR000759 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK); Mon, 19 Aug 2013 15:33:47 GMT
Received: from aserz7022.oracle.com (aserz7022.oracle.com [141.146.126.231]) by ucsinet21.oracle.com (8.14.4+Sun/8.14.4) with ESMTP id r7JFXdZt028773 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Mon, 19 Aug 2013 15:33:46 GMT
Received: from abhmt108.oracle.com (abhmt108.oracle.com [141.146.116.60]) by aserz7022.oracle.com (8.14.4+Sun/8.14.4) with ESMTP id r7JFXdhv011009; Mon, 19 Aug 2013 15:33:39 GMT
Received: from [25.66.68.152] (/24.114.27.107) by default (Oracle Beehive Gateway v4.0) with ESMTP ; Mon, 19 Aug 2013 08:33:39 -0700
References: <DD8AFCA4-6F49-40F1-A65E-C1DDE45A9B32@gmx.net> <76E10B6F-F28D-456D-84EA-65FF25AEB744@oracle.com> <52122B2B.2060108@mitre.org> <3a1743927cfe423aa8abed58f6e4460a@BY2PR03MB189.namprd03.prod.outlook.com> <52123743.9020203@mitre.org>
Mime-Version: 1.0 (1.0)
In-Reply-To: <52123743.9020203@mitre.org>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: quoted-printable
Message-Id: <69B1F7D8-5DE5-4D29-8027-4CC4178A00DF@oracle.com>
X-Mailer: iPhone Mail (10B329)
From: Phil Hunt <phil.hunt@oracle.com>
Date: Mon, 19 Aug 2013 08:33:30 -0700
To: Justin Richer <jricher@mitre.org>
X-Source-IP: ucsinet21.oracle.com [156.151.31.93]
Cc: oauth mailing list <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Dynamic Client Registration Conference Call: Thu 22 Aug, 2pm PDT
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 19 Aug 2013 15:34:01 -0000

I do not recall agreement in charter discussions to solving a specific case.

I recall more than one in the re-chartering discussion said dyn reg needed major changes to solve their use cases.

Phil

On 2013-08-19, at 8:18, Justin Richer <jricher@mitre.org> wrote:

> Tony, I completely disagree. The proposals that I've seen have different means and different end states, and they make different assumptions about the relationship between entities and the capabilities of all players.
>
> -- Justin
>
> On 08/19/2013 11:15 AM, Anthony Nadalin wrote:
>> There are proposals out there that are trying to solve the same problem, but in different ways, so I would not say that they are trying to solve different use cases. I do think that we need to make sure that whatever proposal we select it needs to have a wide range of use cases it solves, not just a single use case as the more solutions this group produces the more confused folks will be
>>
>> -----Original Message-----
>> From: oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] On Behalf Of Justin Richer
>> Sent: Monday, August 19, 2013 7:27 AM
>> To: Phil Hunt
>> Cc: oauth mailing list
>> Subject: Re: [OAUTH-WG] Dynamic Client Registration Conference Call: Thu 22 Aug, 2pm PDT
>>
>> I agree that dynamic registration isn't needed to solve *all* of the different use cases. It solves its set of specific problems (and does so well, if you ask me), but there are and will always be things that it won't work for, and that's fine. That's why I've suggested under a separate thread that the other drafts go forward separately and that DynReg not be hung up on them. We're fundamentally solving different use cases, and there is no magic solution that will solve all the problems at once.
>>
>>   -- Justin
>>
>> On 08/18/2013 08:15 PM, Phil Hunt wrote:
>>> I think we should start by reviewing use cases taxonomy.
>>>
>>> Then a discussion on any client_id assumptions and actual requirements for each client case. Why is registration needed for each case?
>>>
>>> The statement can solve some complication but should be put in context of use cases.
>>>
>>> Phil
>>>
>>> On 2013-08-18, at 15:01, Hannes Tschofenig <hannes.tschofenig@gmx.net> wrote:
>>>
>>>> -----BEGIN PGP SIGNED MESSAGE-----
>>>> Hash: SHA512
>>>>
>>>> - -----BEGIN PGP SIGNED MESSAGE-----
>>>> Hash: SHA512
>>>>
>>>> Based on your feedback via the poll let us start with August 22nd with the first conference call. I will distribute the conference call details on Tuesday.
>>>>
>>>> Let us talk about the agenda. There were several items brought up in
>>>> discussions, namely
>>>>
>>>> * Software assertions / software statements
>>>>
>>>> We briefly discussed this topic at the IETF OAuth session but we may need more time to understand the implications for the current dynamic client registration document:
>>>> http://www.ietf.org/proceedings/87/slides/slides-87-oauth-2.pptx
>>>>
>>>> * SCIM vs. current dynamic client registration approach for
>>>> interacting with the client configuration endpoint
>>>>
>>>> In the past we said that it would be fine to have a profile defined in SCIM to provide the dynamic client registration for those who implement SCIM and want to manage clients also using SCIM. It might, however, be useful to compare the two approaches in detail to see what the differences are.
>>>>
>>>> * Interactions with the client registration endpoint
>>>>
>>>> Justin added some "life cycle" description to the document to motivate some of the design decisions. Maybe we need to discuss those in more detail and add further text.
>>>> Additional text could come from the NIST Blue Button / Green Button usage.
>>>>
>>>> * Aspects that allow servers to store less / no state
>>>>
>>>> From the discussions on the list it was not clear whether this is actually accomplishable with the current version of OAuth. We could explore this new requirement and try to get a better understanding how much this relates to dynamic client registration and to what extent it requires changes to the core spec.
>>>>
>>>>
>>>> What would you like to start with? Other topics you would like to bring up?

From jricher@mitre.org  Mon Aug 19 08:35:46 2013
Return-Path: <jricher@mitre.org>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B58DF11E810E for <oauth@ietfa.amsl.com>; Mon, 19 Aug 2013 08:35:46 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.517
X-Spam-Level: 
X-Spam-Status: No, score=-6.517 tagged_above=-999 required=5 tests=[AWL=0.082,  BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id AwNw55h2H2wE for <oauth@ietfa.amsl.com>; Mon, 19 Aug 2013 08:35:42 -0700 (PDT)
Received: from smtpksrv1.mitre.org (smtpksrv1.mitre.org [198.49.146.77]) by ietfa.amsl.com (Postfix) with ESMTP id BCBD811E8102 for <oauth@ietf.org>; Mon, 19 Aug 2013 08:35:41 -0700 (PDT)
Received: from smtpksrv1.mitre.org (localhost.localdomain [127.0.0.1]) by localhost (Postfix) with SMTP id 5AFF31F04A3; Mon, 19 Aug 2013 11:35:41 -0400 (EDT)
Received: from IMCCAS02.MITRE.ORG (imccas02.mitre.org [129.83.29.79]) by smtpksrv1.mitre.org (Postfix) with ESMTP id 26F891F05BF; Mon, 19 Aug 2013 11:35:41 -0400 (EDT)
Received: from [10.146.15.13] (129.83.31.56) by IMCCAS02.MITRE.ORG (129.83.29.79) with Microsoft SMTP Server (TLS) id 14.2.342.3; Mon, 19 Aug 2013 11:35:40 -0400
Message-ID: <52123A6F.8060206@mitre.org>
Date: Mon, 19 Aug 2013 11:31:59 -0400
From: Justin Richer <jricher@mitre.org>
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:17.0) Gecko/20130623 Thunderbird/17.0.7
MIME-Version: 1.0
To: Phil Hunt <phil.hunt@oracle.com>
References: <DD8AFCA4-6F49-40F1-A65E-C1DDE45A9B32@gmx.net> <76E10B6F-F28D-456D-84EA-65FF25AEB744@oracle.com> <52122B2B.2060108@mitre.org> <3a1743927cfe423aa8abed58f6e4460a@BY2PR03MB189.namprd03.prod.outlook.com> <52123743.9020203@mitre.org> <69B1F7D8-5DE5-4D29-8027-4CC4178A00DF@oracle.com>
In-Reply-To: <69B1F7D8-5DE5-4D29-8027-4CC4178A00DF@oracle.com>
Content-Type: text/plain; charset="ISO-8859-1"; format=flowed
Content-Transfer-Encoding: 7bit
X-Originating-IP: [129.83.31.56]
Cc: oauth mailing list <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Dynamic Client Registration Conference Call: Thu 22 Aug, 2pm PDT
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 19 Aug 2013 15:35:46 -0000

All of this is a good argument to do both, which is what I've been 
saying all along.

  -- Justin

On 08/19/2013 11:33 AM, Phil Hunt wrote:
> I do not recall agreement in charter discussions to solving a specific case.
>
> I recall more than one in the re-chartering discussion said dyn reg needed major changes to solve their use cases.
>
> Phil
>
> On 2013-08-19, at 8:18, Justin Richer <jricher@mitre.org> wrote:
>
>> Tony, I completely disagree. The proposals that I've seen have different means and different end states, and they make different assumptions about the relationship between entities and the capabilities of all players.
>>
>> -- Justin
>>
>> On 08/19/2013 11:15 AM, Anthony Nadalin wrote:
>>> There are proposals out there that are trying to solve the same problem, but in different ways, so I would not say that they are trying to solve different use cases. I do think that we need to make sure that whatever proposal we select it needs to have a wide range of use cases it solves, not just a single use case as the more solutions this group produces the more confused folks will be
>>>
>>> -----Original Message-----
>>> From: oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] On Behalf Of Justin Richer
>>> Sent: Monday, August 19, 2013 7:27 AM
>>> To: Phil Hunt
>>> Cc: oauth mailing list
>>> Subject: Re: [OAUTH-WG] Dynamic Client Registration Conference Call: Thu 22 Aug, 2pm PDT
>>>
>>> I agree that dynamic registration isn't needed to solve *all* of the different use cases. It solves its set of specific problems (and does so well, if you ask me), but there are and will always be things that it won't work for, and that's fine. That's why I've suggested under a separate thread that the other drafts go forward separately and that DynReg not be hung up on them. We're fundamentally solving different use cases, and there is no magic solution that will solve all the problems at once.
>>>
>>>    -- Justin
>>>
>>> On 08/18/2013 08:15 PM, Phil Hunt wrote:
>>>> I think we should start by reviewing use cases taxonomy.
>>>>
>>>> Then a discussion on any client_id assumptions and actual requirements for each client case. Why is registration needed for each case?
>>>>
>>>> The statement can solve some complication but should be put in context of use cases.
>>>>
>>>> Phil
>>>>
>>>> On 2013-08-18, at 15:01, Hannes Tschofenig <hannes.tschofenig@gmx.net> wrote:
>>>>
>>>>> -----BEGIN PGP SIGNED MESSAGE-----
>>>>> Hash: SHA512
>>>>>
>>>>> - -----BEGIN PGP SIGNED MESSAGE-----
>>>>> Hash: SHA512
>>>>>
>>>>> Based on your feedback via the poll let us start with August 22nd with the first conference call. I will distribute the conference call details on Tuesday.
>>>>>
>>>>> Let us talk about the agenda. There were several items brought up in
>>>>> discussions, namely
>>>>>
>>>>> * Software assertions / software statements
>>>>>
>>>>> We briefly discussed this topic at the IETF OAuth session but we may need more time to understand the implications for the current dynamic client registration document:
>>>>> http://www.ietf.org/proceedings/87/slides/slides-87-oauth-2.pptx
>>>>>
>>>>> * SCIM vs. current dynamic client registration approach for
>>>>> interacting with the client configuration endpoint
>>>>>
>>>>> In the past we said that it would be fine to have a profile defined in SCIM to provide the dynamic client registration for those who implement SCIM and want to manage clients also using SCIM. It might, however, be useful to compare the two approaches in detail to see what the differences are.
>>>>>
>>>>> * Interactions with the client registration endpoint
>>>>>
>>>>> Justin added some "life cycle" description to the document to motivate some of the design decisions. Maybe we need to discuss those in more detail and add further text.
>>>>> Additional text could come from the NIST Blue Button / Green Button usage.
>>>>>
>>>>> * Aspects that allow servers to store less / no state
>>>>>
>>>>> From the discussions on the list it was not clear whether this is actually accomplishable with the current version of OAuth. We could explore this new requirement and try to get a better understanding how much this relates to dynamic client registration and to what extent it requires changes to the core spec.
>>>>>
>>>>>
>>>>> What would you like to start with? Other topics you would like to bring up?


From sberyozkin@gmail.com  Mon Aug 19 11:59:31 2013
Return-Path: <sberyozkin@gmail.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C85CB11E82D6 for <oauth@ietfa.amsl.com>; Mon, 19 Aug 2013 11:59:30 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.339
X-Spam-Level: 
X-Spam-Status: No, score=-2.339 tagged_above=-999 required=5 tests=[AWL=0.260,  BAYES_00=-2.599]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 2tEUq1rny4j9 for <oauth@ietfa.amsl.com>; Mon, 19 Aug 2013 11:59:30 -0700 (PDT)
Received: from mail-ee0-x22e.google.com (mail-ee0-x22e.google.com [IPv6:2a00:1450:4013:c00::22e]) by ietfa.amsl.com (Postfix) with ESMTP id DD7BE11E82BA for <oauth@ietf.org>; Mon, 19 Aug 2013 11:59:22 -0700 (PDT)
Received: by mail-ee0-f46.google.com with SMTP id c13so2309732eek.5 for <oauth@ietf.org>; Mon, 19 Aug 2013 11:59:22 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=message-id:date:from:user-agent:mime-version:to:cc:subject :references:in-reply-to:content-type:content-transfer-encoding; bh=etvK6A42yP5frKe2pAed9AsS2S1ZgG3ANtx2y83uE2A=; b=CKZy6YJ8ftvukvcYRuIHgDmxRbzYfUjxBU0z+jV+reqhZTz7J3k22Dk8/lm5IDZjiO uEDXqtZcCgfB0hAuUtRBbWZWV3DC51GGJo4E76ihxw7aA0CSRby5HzojjpVmm+R7GeaY 13ZVZ8oVyOMxvVcavm53au+mn02W2Ooa/ClJ/1BLUuviFJoTKk6efHGFquwoy/Mm7b4e G0MoEAs83IjiJw5VufBD9FbpzpnGDP2DDQDtiAxLUP0f12/sy/YQvApge5VvV2XhjrJn MeNncy+/gJX7lJtyId+5mmmmNKMPN7N6gU1q8jyDpZfjEJG4LbOO/hi3jAgWizcUxAam U7uQ==
X-Received: by 10.14.45.70 with SMTP id o46mr25052174eeb.19.1376938762097; Mon, 19 Aug 2013 11:59:22 -0700 (PDT)
Received: from [10.39.0.31] ([87.252.227.100]) by mx.google.com with ESMTPSA id k7sm19263249eeg.13.1969.12.31.16.00.00 (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Mon, 19 Aug 2013 11:59:21 -0700 (PDT)
Message-ID: <52126B03.4080809@gmail.com>
Date: Mon, 19 Aug 2013 21:59:15 +0300
From: Sergey Beryozkin <sberyozkin@gmail.com>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:17.0) Gecko/20130623 Thunderbird/17.0.7
MIME-Version: 1.0
To: Justin Richer <jricher@mitre.org>
References: <5210F714.80305@gmail.com> <52122704.4030308@mitre.org>
In-Reply-To: <52122704.4030308@mitre.org>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Cc: "<oauth@ietf.org>" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Audience parameter in authorization flow

Hi,

Thanks for the feedback,
On 19/08/13 17:09, Justin Richer wrote:
> Both of those make sense to me, and it mimics what "scope" does today.
> Namely, clients can usually register for a list of scopes that they want
> access to, then at authorization time they ask for a particular set to
> be approved by the user.
>

As a side note, having a dedicated audience parameter is preferred in our
case as it lets us generalize the processing of the audience parameter and
helps the actual OAuth2 data services not to worry about it; I've heard
that a scope can be used to emulate the 'audience' but it becomes very
application specific.

Thanks, Sergey

>   -- Justin
>
> On 08/18/2013 12:32 PM, Sergey Beryozkin wrote:
>> Hi Hannes, All,
>>
>> Regarding [1], where would you expect an audience parameter to be
>> provided during the authorization flow?
>>
>> It appears to me it should be provided during the initial redirect
>> (similarly to a parameter like redirect_uri).
>>
>> Also, would it make sense to support pre-registered audience values,
>> for example, a client registers and specifies an audience during the
>> registration?
>>
>> Thanks, Sergey
>>
>> [1] http://tools.ietf.org/html/draft-tschofenig-oauth-audience-00
>
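
The handling discussed in this exchange (an `audience` value sent with the initial redirect and checked against values the client pre-registered, the same way scope is checked), as an added Python example that is not from the draft or from any poster. The registry layout, all names, the rule for an omitted audience and the use of `invalid_request` for an unregistered audience are assumptions of this example.

```python
from dataclasses import dataclass
from urllib.parse import parse_qs, urlencode, urlsplit


@dataclass(frozen=True)
class Client:
    """What a client declared at registration (constructed model)."""
    redirect_uris: frozenset
    scopes: frozenset
    audiences: frozenset  # assumption: pre-registered, like scopes


@dataclass(frozen=True)
class Grant:
    client_id: str
    redirect_uri: str
    scopes: frozenset
    audience: str


class AuthzError(Exception):
    def __init__(self, error, description, redirectable):
        super().__init__(f"{error}: {description}")
        self.error = error
        # False: client_id/redirect_uri are not verified yet, so the error is
        # shown to the user and never sent to the supplied redirect_uri.
        self.redirectable = redirectable


def check_authorization_request(url, registry):
    """Validate the query of an authorization request and return a Grant."""
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    verified = False  # flips once client_id and redirect_uri check out

    def one(name):
        # RFC 6749 section 3.1: a parameter must not appear more than once.
        values = query.get(name, [])
        if len(values) > 1:
            raise AuthzError("invalid_request", f"{name} repeated", verified)
        return values[0] if values else None

    client_id = one("client_id")
    client = registry.get(client_id)
    if client is None:
        raise AuthzError("invalid_request", "unknown client_id", verified)

    redirect_uri = one("redirect_uri")
    if redirect_uri is None and len(client.redirect_uris) == 1:
        redirect_uri = next(iter(client.redirect_uris))
    if redirect_uri not in client.redirect_uris:  # exact string match only
        raise AuthzError("invalid_request", "redirect_uri mismatch", verified)
    verified = True

    # Scope: the request may narrow what was registered, never widen it.
    requested = frozenset((one("scope") or "").split())
    if not requested <= client.scopes:
        raise AuthzError("invalid_scope", "scope not registered", verified)

    # Audience: the same generic rule, applied without knowing what the
    # scopes mean to any particular resource server.
    audience = one("audience")
    if audience is None:
        if len(client.audiences) != 1:
            raise AuthzError("invalid_request", "audience required", verified)
        audience = next(iter(client.audiences))
    elif audience not in client.audiences:
        raise AuthzError("invalid_request", "audience not registered", verified)

    # Assumption: an empty scope request falls back to the registered set.
    return Grant(client_id, redirect_uri, requested or client.scopes, audience)


# Constructed sample data: one client with two pre-registered audiences.
REGISTRY = {
    "client-123": Client(
        redirect_uris=frozenset({"https://client.example/cb"}),
        scopes=frozenset({"read", "write"}),
        audiences=frozenset({"https://calendar.example/", "https://mail.example/"}),
    )
}


def authorize_url(**params):
    """Build a constructed authorization request URL for the sample client."""
    base = {"response_type": "code", "client_id": "client-123",
            "redirect_uri": "https://client.example/cb"}
    return "https://as.example/authorize?" + urlencode({**base, **params})


if __name__ == "__main__":
    print(check_authorization_request(
        authorize_url(scope="read", audience="https://calendar.example/"), REGISTRY))
    try:
        check_authorization_request(
            authorize_url(audience="https://payroll.example/"), REGISTRY)
    except AuthzError as exc:
        print(exc, "| redirectable:", exc.redirectable)
```
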



From eve@xmlgrrl.com  Mon Aug 19 16:33:27 2013
Mime-Version: 1.0 (Mac OS X Mail 6.5 \(1508\))
Content-Type: text/plain; charset=us-ascii
From: Eve Maler <eve@xmlgrrl.com>
In-Reply-To: <52123A6F.8060206@mitre.org>
Date: Mon, 19 Aug 2013 16:33:13 -0700
Content-Transfer-Encoding: quoted-printable
Message-Id: <21B5C872-5909-4D51-8700-B53E18C6C343@xmlgrrl.com>
References: <DD8AFCA4-6F49-40F1-A65E-C1DDE45A9B32@gmx.net> <76E10B6F-F28D-456D-84EA-65FF25AEB744@oracle.com> <52122B2B.2060108@mitre.org> <3a1743927cfe423aa8abed58f6e4460a@BY2PR03MB189.namprd03.prod.outlook.com> <52123743.9020203@mitre.org> <69B1F7D8-5DE5-4D29-8027-4CC4178A00DF@oracle.com> <52123A6F.8060206@mitre.org>
To: Justin Richer <jricher@mitre.org>
X-Mailer: Apple Mail (2.1508)
Cc: oauth mailing list <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Dynamic Client Registration Conference Call: Thu 22 Aug, 2pm PDT

Hi folks-- Just a reminder that the first draft the UMA group submitted on May 1, 2011 contained extensive requirements and use cases related to UMA's various needs for dynamic client registration:

http://tools.ietf.org/html/draft-hardjono-oauth-dynreg-00

When there was interest to pick up this draft as a WG work item, it was recommended that we excise this content so that the doc wouldn't be so specific to our particular usage of OAuth.

I point this out just to show that the need for dynamic client registration isn't limited to OpenID Connect, and that some specific use cases have already been floated here.

FWIW,

	Eve

On 19 Aug 2013, at 8:31 AM, Justin Richer <jricher@mitre.org> wrote:

> All of this is a good argument to do both, which is what I've been saying all along.
>
> -- Justin
>
> On 08/19/2013 11:33 AM, Phil Hunt wrote:
>> I do not recall agreement in charter discussions to solving a specific case.
>>
>> I recall more than one in the re-chartering discussion said dyn reg needed major changes to solve their use cases.
>>
>> Phil
>>
>> On 2013-08-19, at 8:18, Justin Richer <jricher@mitre.org> wrote:
>>
>>> Tony, I completely disagree. The proposals that I've seen have different means and different end states, and they make different assumptions about the relationship between entities and the capabilities of all players.
>>>
>>> -- Justin
>>>
>>> On 08/19/2013 11:15 AM, Anthony Nadalin wrote:
>>>> There are proposals out there that are trying to solve the same problem, but in different ways, so I would not say that they are trying to solve different use cases. I do think that we need to make sure that whatever proposal we select it needs to have a wide range of use cases it solves, not just a single use case as the more solutions this group produces the more confused folks will be
>>>>
>>>> -----Original Message-----
>>>> From: oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] On Behalf Of Justin Richer
>>>> Sent: Monday, August 19, 2013 7:27 AM
>>>> To: Phil Hunt
>>>> Cc: oauth mailing list
>>>> Subject: Re: [OAUTH-WG] Dynamic Client Registration Conference Call: Thu 22 Aug, 2pm PDT
>>>>
>>>> I agree that dynamic registration isn't needed to solve *all* of the different use cases. It solves its set of specific problems (and does so well, if you ask me), but there are and will always be things that it won't work for, and that's fine. That's why I've suggested under a separate thread that the other drafts go forward separately and that DynReg not be hung up on them. We're fundamentally solving different use cases, and there is no magic solution that will solve all the problems at once.
>>>>
>>>>   -- Justin
>>>>
>>>> On 08/18/2013 08:15 PM, Phil Hunt wrote:
>>>>> I think we should start by reviewing use cases taxonomy.
>>>>>
>>>>> Then a discussion on any client_id assumptions and actual requirements for each client case. Why is registration needed for each case?
>>>>>
>>>>> The statement can solve some complication but should be put in context of use cases.
>>>>>
>>>>> Phil
>>>>>
>>>>> On 2013-08-18, at 15:01, Hannes Tschofenig <hannes.tschofenig@gmx.net> wrote:
>>>>>
>>>>>> Based on your feedback via the poll let us start with August 22nd with the first conference call. I will distribute the conference call details on Tuesday.
>>>>>>
>>>>>> Let us talk about the agenda. There were several items brought up in discussions, namely
>>>>>>
>>>>>> * Software assertions / software statements
>>>>>>
>>>>>> We briefly discussed this topic at the IETF OAuth session but we may need more time to understand the implications for the current dynamic client registration document:
>>>>>> http://www.ietf.org/proceedings/87/slides/slides-87-oauth-2.pptx
>>>>>>
>>>>>> * SCIM vs. current dynamic client registration approach for interacting with the client configuration endpoint
>>>>>>
>>>>>> In the past we said that it would be fine to have a profile defined in SCIM to provide the dynamic client registration for those who implement SCIM and want to manage clients also using SCIM. It might, however, be useful to compare the two approaches in detail to see what the differences are.
>>>>>>
>>>>>> * Interactions with the client registration endpoint
>>>>>>
>>>>>> Justin added some "life cycle" description to the document to motivate some of the design decisions. Maybe we need to discuss those in more detail and add further text.
>>>>>> Additional text could come from the NIST Blue Button / Green Button usage.
>>>>>>
>>>>>> * Aspects that allow servers to store less / no state
>>>>>>
>>>>>> From the discussions on the list it was not clear whether this is actually accomplishable with the current version of OAuth. We could explore this new requirement and try to get a better understanding how much this relates to dynamic client registration and to what extent it requires changes to the core spec.
>>>>>>
>>>>>>
>>>>>> What would you like to start with? Other topics you would like to bring up?


Eve Maler                                  http://www.xmlgrrl.com/blog
+1 425 345 6756                         http://www.twitter.com/xmlgrrl


From phil.hunt@oracle.com  Mon Aug 19 16:51:29 2013
References: <DD8AFCA4-6F49-40F1-A65E-C1DDE45A9B32@gmx.net> <76E10B6F-F28D-456D-84EA-65FF25AEB744@oracle.com> <52122B2B.2060108@mitre.org> <3a1743927cfe423aa8abed58f6e4460a@BY2PR03MB189.namprd03.prod.outlook.com> <52123743.9020203@mitre.org> <69B1F7D8-5DE5-4D29-8027-4CC4178A00DF@oracle.com> <52123A6F.8060206@mitre.org> <21B5C872-5909-4D51-8700-B53E18C6C343@xmlgrrl.com>
Mime-Version: 1.0 (1.0)
In-Reply-To: <21B5C872-5909-4D51-8700-B53E18C6C343@xmlgrrl.com>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: quoted-printable
Message-Id: <B7F0A03F-4B49-4AFF-8D3E-C499A55E3BFC@oracle.com>
X-Mailer: iPhone Mail (10B329)
From: Phil Hunt <phil.hunt@oracle.com>
Date: Mon, 19 Aug 2013 16:51:19 -0700
To: Eve Maler <eve@xmlgrrl.com>
X-Source-IP: acsinet22.oracle.com [141.146.126.238]
Cc: oauth mailing list <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Dynamic Client Registration Conference Call: Thu 22 Aug, 2pm PDT

The reason I want to go over the cases is some seem to think UMA and OIDC are all the use cases. As Justin points out they are very specific.

It doesn't seem like the dyn reg proposal is general enough to meet the WG charter's intent. At least from what I recall of the discussion.

While I think some concepts in SCIM reg move things forward, I don't think it should move forward either. There should be one approach. Or failing that a strong taxonomy that makes it clear why multiple approaches are needed. Lack of consensus is not such a reason IMHO.

I want to ask fundamental questions like what problem is being solved and what needs to be done for each client type.

The assumption that client id must be issued by the SP seems wrong to me in many cases-- including OIDC. 6749 does not make this restriction at all.

Given this, a statement approach may be sufficient for many clients. No need for long term credential mgmt or records.
Phil

On 2013-08-19, at 16:33, Eve Maler <eve@xmlgrrl.com> wrote:

> Hi folks-- Just a reminder that the first draft the UMA group submitted on May 1, 2011 contained extensive requirements and use cases related to UMA's various needs for dynamic client registration:
>
> http://tools.ietf.org/html/draft-hardjono-oauth-dynreg-00
>
> When there was interest to pick up this draft as a WG work item, it was recommended that we excise this content so that the doc wouldn't be so specific to our particular usage of OAuth.
>
> I point this out just to show that the need for dynamic client registration isn't limited to OpenID Connect, and that some specific use cases have already been floated here.
>
> FWIW,
>
>    Eve
>
> On 19 Aug 2013, at 8:31 AM, Justin Richer <jricher@mitre.org> wrote:
>
>> All of this is a good argument to do both, which is what I've been saying all along.
>>
>> -- Justin
>>
>> On 08/19/2013 11:33 AM, Phil Hunt wrote:
>>> I do not recall agreement in charter discussions to solving a specific case.
>>>
>>> I recall more than one in the re-chartering discussion said dyn reg needed major changes to solve their use cases.
>>>
>>> Phil
>>>
>>> On 2013-08-19, at 8:18, Justin Richer <jricher@mitre.org> wrote:
>>>
>>>> Tony, I completely disagree. The proposals that I've seen have different means and different end states, and they make different assumptions about the relationship between entities and the capabilities of all players.
>>>>
>>>> -- Justin
>>>>
>>>> On 08/19/2013 11:15 AM, Anthony Nadalin wrote:
>>>>> There are proposals out there that are trying to solve the same problem, but in different ways, so I would not say that they are trying to solve different use cases. I do think that we need to make sure that whatever proposal we select it needs to have a wide range of use cases it solves, not just a single use case as the more solutions this group produces the more confused folks will be
>>>>>
>>>>> -----Original Message-----
>>>>> From: oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] On Behalf Of Justin Richer
>>>>> Sent: Monday, August 19, 2013 7:27 AM
>>>>> To: Phil Hunt
>>>>> Cc: oauth mailing list
>>>>> Subject: Re: [OAUTH-WG] Dynamic Client Registration Conference Call: Thu 22 Aug, 2pm PDT
>>>>>
>>>>> I agree that dynamic registration isn't needed to solve *all* of the different use cases. It solves its set of specific problems (and does so well, if you ask me), but there are and will always be things that it won't work for, and that's fine. That's why I've suggested under a separate thread that the other drafts go forward separately and that DynReg not be hung up on them. We're fundamentally solving different use cases, and there is no magic solution that will solve all the problems at once.
>>>>>
>>>>>  -- Justin
>>>>>
>>>>> On 08/18/2013 08:15 PM, Phil Hunt wrote:
>>>>>> I think we should start by reviewing use cases taxonomy.
>>>>>>
>>>>>> Then a discussion on any client_id assumptions and actual requirements for each client case. Why is registration needed for each case?
>>>>>>
>>>>>> The statement can solve some complication but should be put in context of use cases.
>>>>>>
>>>>>> Phil
>>>>>>
>>>>>> On 2013-08-18, at 15:01, Hannes Tschofenig <hannes.tschofenig@gmx.net> wrote:
>>>>>>
>>>>>>> Based on your feedback via the poll let us start with August 22nd with the first conference call. I will distribute the conference call details on Tuesday.
>>>>>>>
>>>>>>> Let us talk about the agenda. There were several items brought up in discussions, namely
>>>>>>>
>>>>>>> * Software assertions / software statements
>>>>>>>
>>>>>>> We briefly discussed this topic at the IETF OAuth session but we may need more time to understand the implications for the current dynamic client registration document:
>>>>>>> http://www.ietf.org/proceedings/87/slides/slides-87-oauth-2.pptx
>>>>>>>
>>>>>>> * SCIM vs. current dynamic client registration approach for interacting with the client configuration endpoint
>>>>>>>
>>>>>>> In the past we said that it would be fine to have a profile defined in SCIM to provide the dynamic client registration for those who implement SCIM and want to manage clients also using SCIM. It might, however, be useful to compare the two approaches in detail to see what the differences are.
>>>>>>>
>>>>>>> * Interactions with the client registration endpoint
>>>>>>>
>>>>>>> Justin added some "life cycle" description to the document to motivate some of the design decisions. Maybe we need to discuss those in more detail and add further text.
>>>>>>> Additional text could come from the NIST Blue Button / Green Button usage.
>>>>>>>
>>>>>>> * Aspects that allow servers to store less / no state
>>>>>>>
>>>>>>> From the discussions on the list it was not clear whether this is actually accomplishable with the current version of OAuth. We could explore this new requirement and try to get a better understanding how much this relates to dynamic client registration and to what extent it requires changes to the core spec.
>>>>>>>
>>>>>>>
>>>>>>> What would you like to start with? Other topics you would like to bring up?
>
>
> Eve Maler                                  http://www.xmlgrrl.com/blog
> +1 425 345 6756                         http://www.twitter.com/xmlgrrl
>

From torsten@lodderstedt.net  Mon Aug 19 22:34:42 2013
User-Agent: K-9 Mail for Android
In-Reply-To: <B7F0A03F-4B49-4AFF-8D3E-C499A55E3BFC@oracle.com>
References: <DD8AFCA4-6F49-40F1-A65E-C1DDE45A9B32@gmx.net> <76E10B6F-F28D-456D-84EA-65FF25AEB744@oracle.com> <52122B2B.2060108@mitre.org> <3a1743927cfe423aa8abed58f6e4460a@BY2PR03MB189.namprd03.prod.outlook.com> <52123743.9020203@mitre.org> <69B1F7D8-5DE5-4D29-8027-4CC4178A00DF@oracle.com> <52123A6F.8060206@mitre.org> <21B5C872-5909-4D51-8700-B53E18C6C343@xmlgrrl.com> <B7F0A03F-4B49-4AFF-8D3E-C499A55E3BFC@oracle.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
From: Torsten Lodderstedt <torsten@lodderstedt.net>
Date: Tue, 20 Aug 2013 07:34:21 +0200
To: Phil Hunt <phil.hunt@oracle.com>,Eve Maler <eve@xmlgrrl.com>
Message-ID: <94443a60-6e82-41e4-bce9-1c4411259370@email.android.com>
X-Df-Sender: dG9yc3RlbkBsb2RkZXJzdGVkdC1vbmxpbmUuZGU=
Cc: oauth mailing list <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Dynamic Client Registration Conference Call: Thu 22	Aug, 2pm PDT

Hi Phil,




>The assumption that client id must be issued by the sp seems wrong to
>me in many cases-- including oidc. 6749 does not make this restriction
>at all. 

What do you mean? Grant type code requires a client_id in order to identify the client at the AS's authz endpoint. Based on this data, the AS chooses the authz policy and validates the redirect_uri.

>
>Given this, a statement approach may be sufficient for many clients. No
>need for long term credential mgmt or records. 

Perhaps for clients using the token endpoint only.

regards,
Torsten.

>
>Phil
>
>On 2013-08-19, at 16:33, Eve Maler <eve@xmlgrrl.com> wrote:
>
>> Hi folks-- Just a reminder that the first draft the UMA group submitted on May 1, 2011 contained extensive requirements and use cases related to UMA's various needs for dynamic client registration:
>>
>> http://tools.ietf.org/html/draft-hardjono-oauth-dynreg-00
>>
>> When there was interest to pick up this draft as a WG work item, it was recommended that we excise this content so that the doc wouldn't be so specific to our particular usage of OAuth.
>>
>> I point this out just to show that the need for dynamic client registration isn't limited to OpenID Connect, and that some specific use cases have already been floated here.
>>
>> FWIW,
>>
>>    Eve
>>
>> On 19 Aug 2013, at 8:31 AM, Justin Richer <jricher@mitre.org> wrote:
>>
>>> All of this is a good argument to do both, which is what I've been saying all along.
>>>
>>> -- Justin
>>>
>>> On 08/19/2013 11:33 AM, Phil Hunt wrote:
>>>> I do not recall agreement in charter discussions to solving a specific case.
>>>>
>>>> I recall more than one in the re-chartering discussion said dyn reg needed major changes to solve their use cases.
>>>>
>>>> Phil
>>>>
>>>> On 2013-08-19, at 8:18, Justin Richer <jricher@mitre.org> wrote:
>>>>
>>>>> Tony, I completely disagree. The proposals that I've seen have different means and different end states, and they make different assumptions about the relationship between entities and the capabilities of all players.
>>>>>
>>>>> -- Justin
>>>>>
>>>>> On 08/19/2013 11:15 AM, Anthony Nadalin wrote:
>>>>>> There are proposals out there that are trying to solve the same problem, but in different ways, so I would not say that they are trying to solve different use cases. I do think that we need to make sure that whatever proposal we select it needs to have a wide range of use cases it solves, not just a single use case as the more solutions this group produces the more confused folks will be
>>>>>>
>>>>>> -----Original Message-----
>>>>>> From: oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] On Behalf Of Justin Richer
>>>>>> Sent: Monday, August 19, 2013 7:27 AM
>>>>>> To: Phil Hunt
>>>>>> Cc: oauth mailing list
>>>>>> Subject: Re: [OAUTH-WG] Dynamic Client Registration Conference Call: Thu 22 Aug, 2pm PDT
>>>>>>
>>>>>> I agree that dynamic registration isn't needed to solve *all* of the different use cases. It solves its set of specific problems (and does so well, if you ask me), but there are and will always be things that it won't work for, and that's fine. That's why I've suggested under a separate thread that the other drafts go forward separately and that DynReg not be hung up on them. We're fundamentally solving different use cases, and there is no magic solution that will solve all the problems at once.
>>>>>>
>>>>>>  -- Justin
>>>>>>
>>>>>> On 08/18/2013 08:15 PM, Phil Hunt wrote:
>>>>>>> I think we should start by reviewing use cases taxonomy.
>>>>>>>
>>>>>>> Then a discussion on any client_id assumptions and actual requirements for each client case. Why is registration needed for each case?
>>>>>>>
>>>>>>> The statement can solve some complication but should be put in context of use cases.
>>>>>>>
>>>>>>> Phil
>>>>>>>
>>>>>>> On 2013-08-18, at 15:01, Hannes Tschofenig <hannes.tschofenig@gmx.net> wrote:
>>>>>>> 
>>>>>>>> 
>>>>>>>> Based on your feedback via the poll let us start with August
>22nd with the first conference call. I will distribute the conference
>call details on Tuesday.
>>>>>>>> 
>>>>>>>> Let us talk about the agenda. There were several items brought
>up in
>>>>>>>> discussions, namely
>>>>>>>> 
>>>>>>>> * Software assertions / software statements
>>>>>>>> 
>>>>>>>> We briefly discussed this topic at the IETF OAuth session but
>we may need more time to understand the implications for the current
>dynamic client registration document:
>>>>>>>>
>http://www.ietf.org/proceedings/87/slides/slides-87-oauth-2.pptx
>>>>>>>> 
>>>>>>>> * SCIM vs. current dynamic client registration approach for
>>>>>>>> interacting with the client configuration endpoint
>>>>>>>> 
>>>>>>>> In the past we said that it would be fine to have a profile
>defined in SCIM to provide the dynamic client registration for those
>who implement SCIM and want to manage clients also using SCIM. It
>might, however, be useful to compare the two approaches in detail to
>see what the differences are.
>>>>>>>> 
>>>>>>>> * Interactions with the client registration endpoint
>>>>>>>> 
>>>>>>>> Justin added some "life cycle" description to the document to
>motivate some of the design decisions. Maybe we need to discuss those
>in more detail and add further text.
>>>>>>>> Additional text could come from the NIST Blue Button / Green
>Button usage.
>>>>>>>> 
>>>>>>>> * Aspects that allow servers to store less / no state
>>>>>>>> 
>>>>>>>> - - From the discussions on the list it was not clear whether
>this is actually accomplishable with the current version of OAuth. We
>could explore this new requirement and try to get a better
>understanding how much this relates to dynamic client registration and
>to what extent it requires changes to the core spec.
>>>>>>>> 
>>>>>>>> 
>>>>>>>> What would you like to start with? Other topics you would like
>to bring up?
>>>>>>>> _______________________________________________
>>>>>>>> OAuth mailing list
>>>>>>>> OAuth@ietf.org
>>>>>>>> https://www.ietf.org/mailman/listinfo/oauth
>> 
>> 
>> Eve Maler                                 
>http://www.xmlgrrl.com/blog
>> +1 425 345 6756                        
>http://www.twitter.com/xmlgrrl
>> 


From phil.hunt@oracle.com  Mon Aug 19 22:53:59 2013
Return-Path: <phil.hunt@oracle.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8E80111E8190 for <oauth@ietfa.amsl.com>; Mon, 19 Aug 2013 22:53:59 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.295
X-Spam-Level: 
X-Spam-Status: No, score=-3.295 tagged_above=-999 required=5 tests=[AWL=-2.231, BAYES_00=-2.599, FB_IOW=3.333, MIME_QP_LONG_LINE=1.396, RCVD_IN_DNSWL_MED=-4, SARE_URI_CONS7=0.306, URI_NOVOWEL=0.5]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id MOlETBFfj92M for <oauth@ietfa.amsl.com>; Mon, 19 Aug 2013 22:53:55 -0700 (PDT)
Received: from userp1040.oracle.com (userp1040.oracle.com [156.151.31.81]) by ietfa.amsl.com (Postfix) with ESMTP id 02A4D11E810D for <oauth@ietf.org>; Mon, 19 Aug 2013 22:53:54 -0700 (PDT)
Received: from ucsinet21.oracle.com (ucsinet21.oracle.com [156.151.31.93]) by userp1040.oracle.com (Sentrion-MTA-4.3.1/Sentrion-MTA-4.3.1) with ESMTP id r7K5rrCl027420 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK); Tue, 20 Aug 2013 05:53:54 GMT
Received: from aserz7021.oracle.com (aserz7021.oracle.com [141.146.126.230]) by ucsinet21.oracle.com (8.14.4+Sun/8.14.4) with ESMTP id r7K5rqqA016938 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Tue, 20 Aug 2013 05:53:53 GMT
Received: from abhmt115.oracle.com (abhmt115.oracle.com [141.146.116.67]) by aserz7021.oracle.com (8.14.4+Sun/8.14.4) with ESMTP id r7K5rqkI007189; Tue, 20 Aug 2013 05:53:52 GMT
Received: from [192.168.1.125] (/24.86.29.34) by default (Oracle Beehive Gateway v4.0) with ESMTP ; Mon, 19 Aug 2013 22:53:52 -0700
References: <DD8AFCA4-6F49-40F1-A65E-C1DDE45A9B32@gmx.net> <76E10B6F-F28D-456D-84EA-65FF25AEB744@oracle.com> <52122B2B.2060108@mitre.org> <3a1743927cfe423aa8abed58f6e4460a@BY2PR03MB189.namprd03.prod.outlook.com> <52123743.9020203@mitre.org> <69B1F7D8-5DE5-4D29-8027-4CC4178A00DF@oracle.com> <52123A6F.8060206@mitre.org> <21B5C872-5909-4D51-8700-B53E18C6C343@xmlgrrl.com> <B7F0A03F-4B49-4AFF-8D3E-C499A55E3BFC@oracle.com> <94443a60-6e82-41e4-bce9-1c4411259370@email.android.com>
Mime-Version: 1.0 (1.0)
In-Reply-To: <94443a60-6e82-41e4-bce9-1c4411259370@email.android.com>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: quoted-printable
Message-Id: <2F54AF6F-BA62-4E09-81E5-15429515F053@oracle.com>
X-Mailer: iPhone Mail (10B329)
From: Phil Hunt <phil.hunt@oracle.com>
Date: Mon, 19 Aug 2013 22:53:46 -0700
To: Torsten Lodderstedt <torsten@lodderstedt.net>
X-Source-IP: ucsinet21.oracle.com [156.151.31.93]
Cc: oauth mailing list <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Dynamic Client Registration Conference Call: Thu 22 Aug, 2pm PDT
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 20 Aug 2013 05:53:59 -0000

See below

Phil

On 2013-08-19, at 22:34, Torsten Lodderstedt <torsten@lodderstedt.net> wrote:

> Hi Phil,
>
>> The assumption that client id must be issued by the sp seems wrong to
>> me in many cases-- including oidc. 6749 does not make this restriction
>> at all.
>
> What do you mean? Grant type code requires a client_id in order to identify the client at the AS's authz endpoint. Based on this data, the AS chooses the authz policy and validates the redirect_uri.

[ph] yes. But I am referring to the fact that the client does not have to obtain it from the as. It merely has to present one that is accepted.

Iow a federated assertion might solve the issue.
>
>>
>> Given this, a statement approach may be sufficient for many clients. No
>> need for long term credential mgmt or records.
>
> Perhaps for clients using the token endpoint only.

[Ph] Actually I was also thinking of javascript clients.
>
> regards,
> Torsten.
>
>>
>> Phil
>>
>> On 2013-08-19, at 16:33, Eve Maler <eve@xmlgrrl.com> wrote:
>>=20
>>> Hi folks-- Just a reminder that the first draft the UMA group
>> submitted on May 1, 2011 contained extensive requirements and use cases
>> related to UMA's various needs for dynamic client registration:
>>>=20
>>> http://tools.ietf.org/html/draft-hardjono-oauth-dynreg-00
>>>=20
>>> When there was interest to pick up this draft as a WG work item, it
>> was recommended that we excise this content so that the doc wouldn't be
>> so specific to our particular usage of OAuth.
>>>=20
>>> I point this out just to show that the need for dynamic client
>> registration isn't limited to OpenID Connect, and that some specific
>> use cases have already been floated here.
>>>=20
>>> FWIW,
>>>=20
>>>   Eve
>>>=20
>>> On 19 Aug 2013, at 8:31 AM, Justin Richer <jricher@mitre.org> wrote:
>>>=20
>>>> All of this is a good argument to do both, which is what I've been
>> saying all along.
>>>>=20
>>>> -- Justin
>>>>=20
>>>> On 08/19/2013 11:33 AM, Phil Hunt wrote:
>>>>> I do not recall agreement in charter discussions to solving a
>> specific case.
>>>>>=20
>>>>> I recall more than one in the re-chartering discussion said dyn reg
>> needed major changes to solve their use cases.
>>>>>=20
>>>>> Phil
>>>>>=20
>>>>> On 2013-08-19, at 8:18, Justin Richer <jricher@mitre.org> wrote:
>>>>>=20
>>>>>> Tony, I completely disagree. The proposals that I've seen have
>> different means and different end states, and they make different
>> assumptions about the relationship between entities and the
>> capabilities of all players.
>>>>>>=20
>>>>>> -- Justin
>>>>>>=20
>>>>>> On 08/19/2013 11:15 AM, Anthony Nadalin wrote:
>>>>>>> There are proposals out there that are trying to solve the same
>> problem, but in different ways, so I would not say that they are trying
>> to solve different use cases. I do think that we need to make sure that
>> whatever proposal we select it needs to have a wide range of use cases
>> it solves, not just a single use case as the more solutions this group
>> produces the more confused folks will be
>>>>>>>=20
>>>>>>> -----Original Message-----
>>>>>>> From: oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] On
>> Behalf Of Justin Richer
>>>>>>> Sent: Monday, August 19, 2013 7:27 AM
>>>>>>> To: Phil Hunt
>>>>>>> Cc: oauth mailing list
>>>>>>> Subject: Re: [OAUTH-WG] Dynamic Client Registration Conference
>> Call: Thu 22 Aug, 2pm PDT
>>>>>>>=20
>>>>>>> I agree that dynamic registration isn't needed to solve *all* of
>> the different use cases. It solves its set of specific problems (and
>> does so well, if you ask me), but there are and will always be things
>> that it won't work for, and that's fine. That's why I've suggested
>> under a separate thread that the other drafts go forward separately and
>> that DynReg not be hung up on them. We're fundamentally solving
>> different use cases, and there is no magic solution that will solve all
>> the problems at once.
>>>>>>>=20
>>>>>>> -- Justin
>>>>>>>=20
>>>>>>> On 08/18/2013 08:15 PM, Phil Hunt wrote:
>>>>>>>> I think we should start by reviewing use cases taxonomy.
>>>>>>>>=20
>>>>>>>> Then a discussion on any client_id assumptions and actual
>> requirements for each client case. Why is registration needed for each
>> case?
>>>>>>>>=20
>>>>>>>> The statement can solve some complication but should be put in
>> context of use cases.
>>>>>>>>=20
>>>>>>>> Phil
>>>>>>>>=20
>>>>>>>> On 2013-08-18, at 15:01, Hannes Tschofenig
>> <hannes.tschofenig@gmx.net> wrote:
>>>>>>>>=20
>>>>>>>>> Based on your feedback via the poll let us start with August
>> 22nd with the first conference call. I will distribute the conference
>> call details on Tuesday.
>>>>>>>>>=20
>>>>>>>>> Let us talk about the agenda. There were several items brought
>> up in
>>>>>>>>> discussions, namely
>>>>>>>>>=20
>>>>>>>>> * Software assertions / software statements
>>>>>>>>>=20
>>>>>>>>> We briefly discussed this topic at the IETF OAuth session but
>> we may need more time to understand the implications for the current
>> dynamic client registration document:
>> http://www.ietf.org/proceedings/87/slides/slides-87-oauth-2.pptx
>>>>>>>>>=20
>>>>>>>>> * SCIM vs. current dynamic client registration approach for
>>>>>>>>> interacting with the client configuration endpoint
>>>>>>>>>=20
>>>>>>>>> In the past we said that it would be fine to have a profile
>> defined in SCIM to provide the dynamic client registration for those
>> who implement SCIM and want to manage clients also using SCIM. It
>> might, however, be useful to compare the two approaches in detail to
>> see what the differences are.
>>>>>>>>>=20
>>>>>>>>> * Interactions with the client registration endpoint
>>>>>>>>>=20
>>>>>>>>> Justin added some "life cycle" description to the document to
>> motivate some of the design decisions. Maybe we need to discuss those
>> in more detail and add further text.
>>>>>>>>> Additional text could come from the NIST Blue Button / Green
>> Button usage.
>>>>>>>>>=20
>>>>>>>>> * Aspects that allow servers to store less / no state
>>>>>>>>>=20
>>>>>>>>> - - From the discussions on the list it was not clear whether
>> this is actually accomplishable with the current version of OAuth. We
>> could explore this new requirement and try to get a better
>> understanding how much this relates to dynamic client registration and
>> to what extent it requires changes to the core spec.
>>>>>>>>>=20
>>>>>>>>>=20
>>>>>>>>> What would you like to start with? Other topics you would like
>> to bring up?
>>>=20
>>>=20
>>> Eve Maler                                =20
>> http://www.xmlgrrl.com/blog
>>> +1 425 345 6756                       =20
>> http://www.twitter.com/xmlgrrl
>=20

From phil.hunt@oracle.com  Mon Aug 19 23:12:42 2013
Return-Path: <phil.hunt@oracle.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5E32011E81C1 for <oauth@ietfa.amsl.com>; Mon, 19 Aug 2013 23:12:42 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.164
X-Spam-Level: 
X-Spam-Status: No, score=-3.164 tagged_above=-999 required=5 tests=[AWL=-2.100, BAYES_00=-2.599, FB_IOW=3.333, MIME_QP_LONG_LINE=1.396, RCVD_IN_DNSWL_MED=-4, SARE_URI_CONS7=0.306, URI_NOVOWEL=0.5]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ew4rHyUTW5eP for <oauth@ietfa.amsl.com>; Mon, 19 Aug 2013 23:12:37 -0700 (PDT)
Received: from aserp1040.oracle.com (aserp1040.oracle.com [141.146.126.69]) by ietfa.amsl.com (Postfix) with ESMTP id BE12911E80D2 for <oauth@ietf.org>; Mon, 19 Aug 2013 23:12:37 -0700 (PDT)
Received: from ucsinet22.oracle.com (ucsinet22.oracle.com [156.151.31.94]) by aserp1040.oracle.com (Sentrion-MTA-4.3.1/Sentrion-MTA-4.3.1) with ESMTP id r7K6CVlD008650 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK); Tue, 20 Aug 2013 06:12:34 GMT
Received: from userz7021.oracle.com (userz7021.oracle.com [156.151.31.85]) by ucsinet22.oracle.com (8.14.4+Sun/8.14.4) with ESMTP id r7K6CUOa007753 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Tue, 20 Aug 2013 06:12:31 GMT
Received: from abhmt113.oracle.com (abhmt113.oracle.com [141.146.116.65]) by userz7021.oracle.com (8.14.4+Sun/8.14.4) with ESMTP id r7K6CU8E022742; Tue, 20 Aug 2013 06:12:30 GMT
Received: from [192.168.1.125] (/24.86.29.34) by default (Oracle Beehive Gateway v4.0) with ESMTP ; Mon, 19 Aug 2013 23:12:30 -0700
References: <DD8AFCA4-6F49-40F1-A65E-C1DDE45A9B32@gmx.net> <76E10B6F-F28D-456D-84EA-65FF25AEB744@oracle.com> <52122B2B.2060108@mitre.org> <3a1743927cfe423aa8abed58f6e4460a@BY2PR03MB189.namprd03.prod.outlook.com> <52123743.9020203@mitre.org> <69B1F7D8-5DE5-4D29-8027-4CC4178A00DF@oracle.com> <52123A6F.8060206@mitre.org> <21B5C872-5909-4D51-8700-B53E18C6C343@xmlgrrl.com> <B7F0A03F-4B49-4AFF-8D3E-C499A55E3BFC@oracle.com> <94443a60-6e82-41e4-bce9-1c4411259370@email.android.com> <2F54AF6F-BA62-4E09-81E5-15429515F053@oracle.com>
Mime-Version: 1.0 (1.0)
In-Reply-To: <2F54AF6F-BA62-4E09-81E5-15429515F053@oracle.com>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: quoted-printable
Message-Id: <016FEABF-7C29-4404-9FF0-FD5438EB0F46@oracle.com>
X-Mailer: iPhone Mail (10B329)
From: Phil Hunt <phil.hunt@oracle.com>
Date: Mon, 19 Aug 2013 23:12:26 -0700
To: Torsten Lodderstedt <torsten@lodderstedt.net>
X-Source-IP: ucsinet22.oracle.com [156.151.31.94]
Cc: oauth mailing list <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Dynamic Client Registration Conference Call: Thu 22 Aug, 2pm PDT
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 20 Aug 2013 06:12:42 -0000

Sorry I see my message still isn't that clear.  I am saying there is no requirement that a client directly obtain a client_id from the as service provider. It is merely an assumption that has been made by dyn reg based on typical use patterns to date.

It could be reasonable for a client to generate its own guid or more likely, use an assertion signed by a party the service provider trusts.

Phil

On 2013-08-19, at 22:53, Phil Hunt <phil.hunt@oracle.com> wrote:

> See below
>
> Phil
>
> On 2013-08-19, at 22:34, Torsten Lodderstedt <torsten@lodderstedt.net> wrote:
>
>> Hi Phil,
>>
>>> The assumption that client id must be issued by the sp seems wrong to
>>> me in many cases-- including oidc. 6749 does not make this restriction
>>> at all.
>>
>> What do you mean? Grant type code requires a client_id in order to identify the client at the AS's authz endpoint. Based on this data, the AS chooses the authz policy and validates the redirect_uri.
>
> [ph] yes. But I am referring to the fact that the client does not have to obtain it from the as. It merely has to present one that is accepted.
>
> Iow a federated assertion might solve the issue.
>>
>>>
>>> Given this, a statement approach may be sufficient for many clients. No
>>> need for long term credential mgmt or records.
>>
>> Perhaps for clients using the token endpoint only.
>
> [Ph] Actually I was also thinking of javascript clients.
>>
>> regards,
>> Torsten.
>>
>>>
>>> Phil
>>>
>>> On 2013-08-19, at 16:33, Eve Maler <eve@xmlgrrl.com> wrote:
>>>=20
>>>> Hi folks-- Just a reminder that the first draft the UMA group
>>> submitted on May 1, 2011 contained extensive requirements and use cases
>>> related to UMA's various needs for dynamic client registration:
>>>>=20
>>>> http://tools.ietf.org/html/draft-hardjono-oauth-dynreg-00
>>>>=20
>>>> When there was interest to pick up this draft as a WG work item, it
>>> was recommended that we excise this content so that the doc wouldn't be
>>> so specific to our particular usage of OAuth.
>>>>=20
>>>> I point this out just to show that the need for dynamic client
>>> registration isn't limited to OpenID Connect, and that some specific
>>> use cases have already been floated here.
>>>>=20
>>>> FWIW,
>>>>=20
>>>>  Eve
>>>>=20
>>>> On 19 Aug 2013, at 8:31 AM, Justin Richer <jricher@mitre.org> wrote:
>>>>=20
>>>>> All of this is a good argument to do both, which is what I've been
>>> saying all along.
>>>>>=20
>>>>> -- Justin
>>>>>=20
>>>>> On 08/19/2013 11:33 AM, Phil Hunt wrote:
>>>>>> I do not recall agreement in charter discussions to solving a
>>> specific case.
>>>>>>=20
>>>>>> I recall more than one in the re-chartering discussion said dyn reg
>>> needed major changes to solve their use cases.
>>>>>>=20
>>>>>> Phil
>>>>>>=20
>>>>>> On 2013-08-19, at 8:18, Justin Richer <jricher@mitre.org> wrote:
>>>>>>=20
>>>>>>> Tony, I completely disagree. The proposals that I've seen have
>>> different means and different end states, and they make different
>>> assumptions about the relationship between entities and the
>>> capabilities of all players.
>>>>>>>=20
>>>>>>> -- Justin
>>>>>>>=20
>>>>>>> On 08/19/2013 11:15 AM, Anthony Nadalin wrote:
>>>>>>>> There are proposals out there that are trying to solve the same
>>> problem, but in different ways, so I would not say that they are trying
>>> to solve different use cases. I do think that we need to make sure that
>>> whatever proposal we select it needs to have a wide range of use cases
>>> it solves, not just a single use case as the more solutions this group
>>> produces the more confused folks will be
>>>>>>>>=20
>>>>>>>> -----Original Message-----
>>>>>>>> From: oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] On
>>> Behalf Of Justin Richer
>>>>>>>> Sent: Monday, August 19, 2013 7:27 AM
>>>>>>>> To: Phil Hunt
>>>>>>>> Cc: oauth mailing list
>>>>>>>> Subject: Re: [OAUTH-WG] Dynamic Client Registration Conference
>>> Call: Thu 22 Aug, 2pm PDT
>>>>>>>>=20
>>>>>>>> I agree that dynamic registration isn't needed to solve *all* of
>>> the different use cases. It solves its set of specific problems (and
>>> does so well, if you ask me), but there are and will always be things
>>> that it won't work for, and that's fine. That's why I've suggested
>>> under a separate thread that the other drafts go forward separately and
>>> that DynReg not be hung up on them. We're fundamentally solving
>>> different use cases, and there is no magic solution that will solve all
>>> the problems at once.
>>>>>>>>=20
>>>>>>>> -- Justin
>>>>>>>>=20
>>>>>>>> On 08/18/2013 08:15 PM, Phil Hunt wrote:
>>>>>>>>> I think we should start by reviewing use cases taxonomy.
>>>>>>>>>=20
>>>>>>>>> Then a discussion on any client_id assumptions and actual
>>> requirements for each client case. Why is registration needed for each
>>> case?
>>>>>>>>>=20
>>>>>>>>> The statement can solve some complication but should be put in
>>> context of use cases.
>>>>>>>>>=20
>>>>>>>>> Phil
>>>>>>>>>=20
>>>>>>>>> On 2013-08-18, at 15:01, Hannes Tschofenig
>>> <hannes.tschofenig@gmx.net> wrote:
>>>>>>>>>=20
>>>>>>>>>> Based on your feedback via the poll let us start with August
>>> 22nd with the first conference call. I will distribute the conference
>>> call details on Tuesday.
>>>>>>>>>>=20
>>>>>>>>>> Let us talk about the agenda. There were several items brought
>>> up in
>>>>>>>>>> discussions, namely
>>>>>>>>>>=20
>>>>>>>>>> * Software assertions / software statements
>>>>>>>>>>=20
>>>>>>>>>> We briefly discussed this topic at the IETF OAuth session but
>>> we may need more time to understand the implications for the current
>>> dynamic client registration document:
>>> http://www.ietf.org/proceedings/87/slides/slides-87-oauth-2.pptx
>>>>>>>>>>=20
>>>>>>>>>> * SCIM vs. current dynamic client registration approach for
>>>>>>>>>> interacting with the client configuration endpoint
>>>>>>>>>>=20
>>>>>>>>>> In the past we said that it would be fine to have a profile
>>> defined in SCIM to provide the dynamic client registration for those
>>> who implement SCIM and want to manage clients also using SCIM. It
>>> might, however, be useful to compare the two approaches in detail to
>>> see what the differences are.
>>>>>>>>>>=20
>>>>>>>>>> * Interactions with the client registration endpoint
>>>>>>>>>>=20
>>>>>>>>>> Justin added some "life cycle" description to the document to
>>> motivate some of the design decisions. Maybe we need to discuss those
>>> in more detail and add further text.
>>>>>>>>>> Additional text could come from the NIST Blue Button / Green
>>> Button usage.
>>>>>>>>>>=20
>>>>>>>>>> * Aspects that allow servers to store less / no state
>>>>>>>>>>=20
>>>>>>>>>> - - From the discussions on the list it was not clear whether
>>> this is actually accomplishable with the current version of OAuth. We
>>> could explore this new requirement and try to get a better
>>> understanding how much this relates to dynamic client registration and
>>> to what extent it requires changes to the core spec.
>>>>>>>>>>=20
>>>>>>>>>>=20
>>>>>>>>>> What would you like to start with? Other topics you would like
>>> to bring up?
>>>>=20
>>>>=20
>>>> Eve Maler                                =20
>>> http://www.xmlgrrl.com/blog
>>>> +1 425 345 6756                       =20
>>> http://www.twitter.com/xmlgrrl
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
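
Added example (not part of any message in this thread, and not code from the drafts under discussion): a sketch of the two options debated above, in which an authorization endpoint resolves a client_id either from a pre-provisioned table or from a signed statement presented as the client_id, then validates redirect_uri against the resulting metadata. The issuer URL, keys, claim names, function names and the use of HS256 with a key shared between issuer and AS are assumptions made to keep the sketch stdlib-only.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo data. HS256 with a key shared between issuer and AS is an
# assumption made to stay stdlib-only; a real deployment would use an
# asymmetric signature so the AS holds only the issuer's public key.
TRUSTED_ISSUERS = {"https://issuer.example": b"constructed-demo-key"}
# Clients provisioned at the AS before any OAuth interaction takes place.
PROVISIONED = {
    "app-123": {"redirect_uris": ["https://app.example/cb"], "policy": "registered"},
}


def b64e(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def b64d(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_statement(claims, key):
    """Issuer side: compact JWS (HS256) over the client metadata."""
    head = b64e(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64e(json.dumps(claims).encode())
    mac = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{b64e(mac)}"


def verify_statement(token, now):
    """AS side: return the claims only if a trusted issuer signed them."""
    head, body, sig = token.split(".")  # ValueError unless exactly 3 parts
    header, claims = json.loads(b64d(head)), json.loads(b64d(body))
    if not isinstance(header, dict) or not isinstance(claims, dict):
        raise ValueError("malformed statement")
    if header.get("alg") != "HS256":  # pin the algorithm, never negotiate it
        raise ValueError("unexpected alg")
    iss = claims.get("iss")
    key = TRUSTED_ISSUERS.get(iss) if isinstance(iss, str) else None
    if key is None:
        raise ValueError("untrusted issuer")
    want = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(b64d(sig), want):
        raise ValueError("bad signature")
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        raise ValueError("expired")
    return claims


def resolve_client(client_id, redirect_uri, now):
    """Authz endpoint: find metadata for client_id, then exact-match redirect_uri."""
    if client_id in PROVISIONED:
        meta = PROVISIONED[client_id]
    elif client_id.count(".") == 2:  # shaped like a compact JWS: self-describing id
        claims = verify_statement(client_id, now)
        uris = claims.get("redirect_uris")
        # Require a list: "x in some_string" would be a substring match.
        if not isinstance(uris, list):
            raise ValueError("statement lacks redirect_uris")
        meta = {"redirect_uris": uris, "policy": "statement:" + claims["iss"]}
    else:
        # A bare self-generated GUID carries nothing to attach a policy to.
        raise ValueError("unknown client_id")
    if redirect_uri not in meta["redirect_uris"]:
        raise ValueError("redirect_uri not allowed")
    return meta


def decision(client_id, redirect_uri, now):
    """Policy name on success, 'rejected: <reason>' otherwise."""
    try:
        return resolve_client(client_id, redirect_uri, now)["policy"]
    except ValueError as exc:
        return f"rejected: {exc}"


NOW = 1376980000  # constructed clock value (August 2013)
STATEMENT = sign_statement(
    {"iss": "https://issuer.example", "exp": NOW + 3600,
     "redirect_uris": ["https://js.example/cb"]},
    TRUSTED_ISSUERS["https://issuer.example"],
)

if __name__ == "__main__":
    for cid, uri in [
        ("app-123", "https://app.example/cb"),
        (STATEMENT, "https://js.example/cb"),
        (STATEMENT, "https://evil.example/cb"),
        ("6f1c2d9e-0000-4000-8000-000000000000", "https://js.example/cb"),
    ]:
        print(cid[:24], "->", decision(cid, uri, NOW))
```

In this sketch the statement-based path needs no per-client record at the AS, only the issuer table; a bare GUID is refused because nothing ties it to a redirect_uri or a policy.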

From torsten@lodderstedt.net  Tue Aug 20 02:34:37 2013
Return-Path: <torsten@lodderstedt.net>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7888611E8128 for <oauth@ietfa.amsl.com>; Tue, 20 Aug 2013 02:34:37 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 3.286
X-Spam-Level: ***
X-Spam-Status: No, score=3.286 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, FB_IOW=3.333, HELO_EQ_DE=0.35, MIME_QP_LONG_LINE=1.396, SARE_URI_CONS7=0.306, URI_NOVOWEL=0.5]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id lKoRxpnhAIJv for <oauth@ietfa.amsl.com>; Tue, 20 Aug 2013 02:34:33 -0700 (PDT)
Received: from smtprelay04.ispgateway.de (smtprelay04.ispgateway.de [80.67.31.31]) by ietfa.amsl.com (Postfix) with ESMTP id 01A6511E81D5 for <oauth@ietf.org>; Tue, 20 Aug 2013 02:34:32 -0700 (PDT)
Received: from [88.128.80.3] (helo=[10.227.185.187]) by smtprelay04.ispgateway.de with esmtpsa (TLSv1:AES128-SHA:128) (Exim 4.68) (envelope-from <torsten@lodderstedt.net>) id 1VBiKb-0006YV-U4; Tue, 20 Aug 2013 11:34:30 +0200
References: <DD8AFCA4-6F49-40F1-A65E-C1DDE45A9B32@gmx.net> <76E10B6F-F28D-456D-84EA-65FF25AEB744@oracle.com> <52122B2B.2060108@mitre.org> <3a1743927cfe423aa8abed58f6e4460a@BY2PR03MB189.namprd03.prod.outlook.com> <52123743.9020203@mitre.org> <69B1F7D8-5DE5-4D29-8027-4CC4178A00DF@oracle.com> <52123A6F.8060206@mitre.org> <21B5C872-5909-4D51-8700-B53E18C6C343@xmlgrrl.com> <B7F0A03F-4B49-4AFF-8D3E-C499A55E3BFC@oracle.com> <94443a60-6e82-41e4-bce9-1c4411259370@email.android.com> <2F54AF6F-BA62-4E09-81E5-15429515F053@oracle.com> <016FEABF-7C29-4404-9FF0-FD5438EB0F46@oracle.com>
Mime-Version: 1.0 (1.0)
In-Reply-To: <016FEABF-7C29-4404-9FF0-FD5438EB0F46@oracle.com>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: quoted-printable
Message-Id: <66EB6B65-C19D-42B2-A554-53E99948B376@lodderstedt.net>
X-Mailer: iPad Mail (10B329)
From: Torsten Lodderstedt <torsten@lodderstedt.net>
Date: Tue, 20 Aug 2013 11:34:15 +0200
To: Phil Hunt <phil.hunt@oracle.com>
X-Df-Sender: dG9yc3RlbkBsb2RkZXJzdGVkdC1vbmxpbmUuZGU=
Cc: oauth mailing list <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Dynamic Client Registration Conference Call: Thu 22 Aug, 2pm PDT
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 20 Aug 2013 09:34:37 -0000

Hi Phil,

I agree, the client may also present a client_id obtained from another
"source". But: the AS must be able to associate a policy with this
particular id. This typically requires a provisioning of the client id
before the actual OAuth interaction takes place. Otherwise the AS does not
have any information regarding the client id in the code flow at authz
endpoint.

This needs to be taken into account.

regards,
Torsten.

On 20.08.2013 at 08:12, Phil Hunt <phil.hunt@oracle.com> wrote:

> Sorry I see my message still isn't that clear.  I am saying there is no
> requirement that a client directly obtain a client_id from the AS service
> provider. It is merely an assumption that has been made by dyn reg based
> on typical use patterns to date.
>
> It could be reasonable for a client to generate its own guid or more
> likely, use an assertion signed by a party the service provider trusts.
>
> Phil
>
> On 2013-08-19, at 22:53, Phil Hunt <phil.hunt@oracle.com> wrote:
>
>> See below
>>
>> Phil
>>
>> On 2013-08-19, at 22:34, Torsten Lodderstedt <torsten@lodderstedt.net> wrote:
>>
>>> Hi Phil,
>>>
>>>> The assumption that client id must be issued by the sp seems wrong to
>>>> me in many cases-- including oidc. 6749 does not make this restriction
>>>> at all.
>>>
>>> What do you mean? Grant type code requires a client_id in order to
>>> identify the client at the AS's authz endpoint. Based on this data, the
>>> AS chooses the authz policy and validates the redirect_uri.
>>
>> [ph] yes. But I am referring to the fact that the client does not have to
>> obtain it from the AS. It merely has to present one that is accepted.
>>
>> Iow a federated assertion might solve the issue.
>>>
>>>> Given this, a statement approach may be sufficient for many clients. No
>>>> need for long term credential mgmt or records.
>>>
>>> Perhaps for clients using the token endpoint only.
>>
>> [Ph] Actually I was also thinking of javascript clients.
>>>
>>> regards,
>>> Torsten.
>>>
>>>>
>>>> Phil
>>>>
>>>> On 2013-08-19, at 16:33, Eve Maler <eve@xmlgrrl.com> wrote:
>>>>
>>>>> Hi folks-- Just a reminder that the first draft the UMA group
>>>>> submitted on May 1, 2011 contained extensive requirements and use
>>>>> cases related to UMA's various needs for dynamic client registration:
>>>>>
>>>>> http://tools.ietf.org/html/draft-hardjono-oauth-dynreg-00
>>>>>
>>>>> When there was interest to pick up this draft as a WG work item, it
>>>>> was recommended that we excise this content so that the doc wouldn't
>>>>> be so specific to our particular usage of OAuth.
>>>>>
>>>>> I point this out just to show that the need for dynamic client
>>>>> registration isn't limited to OpenID Connect, and that some specific
>>>>> use cases have already been floated here.
>>>>>
>>>>> FWIW,
>>>>>
>>>>> Eve
>>>>>
>>>>> On 19 Aug 2013, at 8:31 AM, Justin Richer <jricher@mitre.org> wrote:
>>>>>
>>>>>> All of this is a good argument to do both, which is what I've been
>>>>>> saying all along.
>>>>>>
>>>>>> -- Justin
>>>>>>
>>>>>> On 08/19/2013 11:33 AM, Phil Hunt wrote:
>>>>>>> I do not recall agreement in charter discussions to solving a
>>>>>>> specific case.
>>>>>>>
>>>>>>> I recall more than one in the re-chartering discussion said dyn reg
>>>>>>> needed major changes to solve their use cases.
>>>>>>>
>>>>>>> Phil
>>>>>>>
>>>>>>> On 2013-08-19, at 8:18, Justin Richer <jricher@mitre.org> wrote:
>>>>>>>
>>>>>>>> Tony, I completely disagree. The proposals that I've seen have
>>>>>>>> different means and different end states, and they make different
>>>>>>>> assumptions about the relationship between entities and the
>>>>>>>> capabilities of all players.
>>>>>>>>
>>>>>>>> -- Justin
>>>>>>>>
>>>>>>>> On 08/19/2013 11:15 AM, Anthony Nadalin wrote:
>>>>>>>>> There are proposals out there that are trying to solve the same
>>>>>>>>> problem, but in different ways, so I would not say that they are
>>>>>>>>> trying to solve different use cases. I do think that we need to
>>>>>>>>> make sure that whatever proposal we select it needs to have a wide
>>>>>>>>> range of use cases it solves, not just a single use case as the
>>>>>>>>> more solutions this group produces the more confused folks will be
>>>>>>>>>
>>>>>>>>> -----Original Message-----
>>>>>>>>> From: oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] On
>>>>>>>>> Behalf Of Justin Richer
>>>>>>>>> Sent: Monday, August 19, 2013 7:27 AM
>>>>>>>>> To: Phil Hunt
>>>>>>>>> Cc: oauth mailing list
>>>>>>>>> Subject: Re: [OAUTH-WG] Dynamic Client Registration Conference
>>>>>>>>> Call: Thu 22 Aug, 2pm PDT
>>>>>>>>>
>>>>>>>>> I agree that dynamic registration isn't needed to solve *all* of
>>>>>>>>> the different use cases. It solves its set of specific problems
>>>>>>>>> (and does so well, if you ask me), but there are and will always
>>>>>>>>> be things that it won't work for, and that's fine. That's why I've
>>>>>>>>> suggested under a separate thread that the other drafts go forward
>>>>>>>>> separately and that DynReg not be hung up on them. We're
>>>>>>>>> fundamentally solving different use cases, and there is no magic
>>>>>>>>> solution that will solve all the problems at once.
>>>>>>>>>
>>>>>>>>> -- Justin
>>>>>>>>>
>>>>>>>>> On 08/18/2013 08:15 PM, Phil Hunt wrote:
>>>>>>>>>> I think we should start by reviewing use cases taxonomy.
>>>>>>>>>>
>>>>>>>>>> Then a discussion on any client_id assumptions and actual
>>>>>>>>>> requirements for each client case. Why is registration needed for
>>>>>>>>>> each case?
>>>>>>>>>>
>>>>>>>>>> The statement can solve some complication but should be put in
>>>>>>>>>> context of use cases.
>>>>>>>>>>
>>>>>>>>>> Phil
>>>>>>>>>>
>>>>>>>>>> On 2013-08-18, at 15:01, Hannes Tschofenig
>>>>>>>>>> <hannes.tschofenig@gmx.net> wrote:
>>>>>>>>>>
>>>>>>>>>>> Based on your feedback via the poll let us start with August
>>>>>>>>>>> 22nd with the first conference call. I will distribute the
>>>>>>>>>>> conference call details on Tuesday.
>>>>>>>>>>>
>>>>>>>>>>> Let us talk about the agenda. There were several items brought
>>>>>>>>>>> up in discussions, namely
>>>>>>>>>>>
>>>>>>>>>>> * Software assertions / software statements
>>>>>>>>>>>
>>>>>>>>>>> We briefly discussed this topic at the IETF OAuth session but
>>>>>>>>>>> we may need more time to understand the implications for the
>>>>>>>>>>> current dynamic client registration document:
>>>>>>>>>>> http://www.ietf.org/proceedings/87/slides/slides-87-oauth-2.pptx
>>>>>>>>>>>
>>>>>>>>>>> * SCIM vs. current dynamic client registration approach for
>>>>>>>>>>> interacting with the client configuration endpoint
>>>>>>>>>>>
>>>>>>>>>>> In the past we said that it would be fine to have a profile
>>>>>>>>>>> defined in SCIM to provide the dynamic client registration for
>>>>>>>>>>> those who implement SCIM and want to manage clients also using
>>>>>>>>>>> SCIM. It might, however, be useful to compare the two approaches
>>>>>>>>>>> in detail to see what the differences are.
>>>>>>>>>>>
>>>>>>>>>>> * Interactions with the client registration endpoint
>>>>>>>>>>>
>>>>>>>>>>> Justin added some "life cycle" description to the document to
>>>>>>>>>>> motivate some of the design decisions. Maybe we need to discuss
>>>>>>>>>>> those in more detail and add further text.
>>>>>>>>>>> Additional text could come from the NIST Blue Button / Green
>>>>>>>>>>> Button usage.
>>>>>>>>>>>
>>>>>>>>>>> * Aspects that allow servers to store less / no state
>>>>>>>>>>>
>>>>>>>>>>> From the discussions on the list it was not clear whether this
>>>>>>>>>>> is actually accomplishable with the current version of OAuth. We
>>>>>>>>>>> could explore this new requirement and try to get a better
>>>>>>>>>>> understanding how much this relates to dynamic client
>>>>>>>>>>> registration and to what extent it requires changes to the core
>>>>>>>>>>> spec.
>>>>>>>>>>>
>>>>>>>>>>> What would you like to start with? Other topics you would like
>>>>>>>>>>> to bring up?
>>>>>
>>>>> Eve Maler                                  http://www.xmlgrrl.com/blog
>>>>> +1 425 345 6756                         http://www.twitter.com/xmlgrrl
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth
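
The trade-off discussed in this exchange, as an added example (not code from the thread or from any draft): an authorization endpoint that accepts a client_id provisioned in advance or one that is itself a statement signed by a trusted party, and rejects a bare self-generated identifier because no policy or redirect_uri can be associated with it. The registry contents, issuer, key, statement format and function names are assumptions; HMAC stands in for the signature of a real assertion format.

```python
import base64
import hashlib
import hmac
import json

# Constructed sample data: one client provisioned at the AS ahead of time.
REGISTRY = {
    "provisioned-client": {
        "redirect_uris": ["https://app.example/cb"],
        "policy": "standard-consent",
    },
}

# Constructed issuer and key. HMAC-SHA256 stands in for the asymmetric
# signature a real assertion format would carry (assumption of this example).
TRUSTED_ISSUERS = {"https://issuer.example": b"constructed-demo-key"}


def _b64(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_statement(issuer, key, redirect_uris, policy):
    """Issuer side: sign the metadata the AS needs at the authz endpoint."""
    claims = {"iss": issuer, "redirect_uris": redirect_uris, "policy": policy}
    body = _b64(json.dumps(claims, sort_keys=True).encode())
    sig = _b64(hmac.new(key, body.encode(), hashlib.sha256).digest())
    return body + "." + sig


def client_from_statement(client_id):
    """Return signed client metadata, or None if client_id is not a
    statement signed by a trusted issuer."""
    body, dot, sig = client_id.partition(".")
    if not dot:
        return None  # a bare identifier such as a self-generated GUID
    try:
        claims = json.loads(_unb64(body))
        given = _unb64(sig)
    except ValueError:
        return None
    if not isinstance(claims, dict) or not isinstance(claims.get("iss"), str):
        return None
    key = TRUSTED_ISSUERS.get(claims["iss"])
    if key is None:
        return None
    expected = hmac.new(key, body.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(given, expected):
        return None
    uris = claims.get("redirect_uris")
    if not isinstance(uris, list) or not isinstance(claims.get("policy"), str):
        return None
    return {"redirect_uris": uris, "policy": claims["policy"]}


def check_authz_request(client_id, redirect_uri):
    """What the authorization endpoint can decide for this client_id."""
    record, source = REGISTRY.get(client_id), "provisioned"
    if record is None:
        record, source = client_from_statement(client_id), "statement"
    if record is None:
        # Nothing to derive a policy from and nothing to validate the
        # redirect_uri against, so the request cannot be honoured.
        return ("reject", "unknown client_id")
    if redirect_uri not in record["redirect_uris"]:
        return ("reject", "redirect_uri mismatch")
    return ("proceed", source + ":" + record["policy"])


if __name__ == "__main__":
    stmt = make_statement("https://issuer.example",
                          TRUSTED_ISSUERS["https://issuer.example"],
                          ["https://js.example/cb"], "public-client")
    for cid, uri in [("provisioned-client", "https://app.example/cb"),
                     ("6f1c2d9e-0000-4000-8000-constructed", "https://js.example/cb"),
                     (stmt, "https://js.example/cb")]:
        print(check_authz_request(cid, uri))
```

Either rejection has to be answered with an error shown at the AS rather than a redirect, since the redirect_uri has not been validated at that point.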

From phil.hunt@oracle.com  Tue Aug 20 07:42:44 2013
Return-Path: <phil.hunt@oracle.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 066B611E822B for <oauth@ietfa.amsl.com>; Tue, 20 Aug 2013 07:42:41 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.047
X-Spam-Level: 
X-Spam-Status: No, score=-3.047 tagged_above=-999 required=5 tests=[AWL=-1.983, BAYES_00=-2.599, FB_IOW=3.333, MIME_QP_LONG_LINE=1.396, RCVD_IN_DNSWL_MED=-4, SARE_URI_CONS7=0.306, URI_NOVOWEL=0.5]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 3hYzHzSBUoqU for <oauth@ietfa.amsl.com>; Tue, 20 Aug 2013 07:42:34 -0700 (PDT)
Received: from userp1040.oracle.com (userp1040.oracle.com [156.151.31.81]) by ietfa.amsl.com (Postfix) with ESMTP id 2065711E8229 for <oauth@ietf.org>; Tue, 20 Aug 2013 07:42:34 -0700 (PDT)
Received: from ucsinet22.oracle.com (ucsinet22.oracle.com [156.151.31.94]) by userp1040.oracle.com (Sentrion-MTA-4.3.1/Sentrion-MTA-4.3.1) with ESMTP id r7KEgWpX029179 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK); Tue, 20 Aug 2013 14:42:33 GMT
Received: from userz7021.oracle.com (userz7021.oracle.com [156.151.31.85]) by ucsinet22.oracle.com (8.14.4+Sun/8.14.4) with ESMTP id r7KEgVwT003083 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Tue, 20 Aug 2013 14:42:32 GMT
Received: from abhmt104.oracle.com (abhmt104.oracle.com [141.146.116.56]) by userz7021.oracle.com (8.14.4+Sun/8.14.4) with ESMTP id r7KEgVgI025615; Tue, 20 Aug 2013 14:42:31 GMT
Received: from [192.168.1.125] (/24.86.29.34) by default (Oracle Beehive Gateway v4.0) with ESMTP ; Tue, 20 Aug 2013 07:42:31 -0700
References: <DD8AFCA4-6F49-40F1-A65E-C1DDE45A9B32@gmx.net> <76E10B6F-F28D-456D-84EA-65FF25AEB744@oracle.com> <52122B2B.2060108@mitre.org> <3a1743927cfe423aa8abed58f6e4460a@BY2PR03MB189.namprd03.prod.outlook.com> <52123743.9020203@mitre.org> <69B1F7D8-5DE5-4D29-8027-4CC4178A00DF@oracle.com> <52123A6F.8060206@mitre.org> <21B5C872-5909-4D51-8700-B53E18C6C343@xmlgrrl.com> <B7F0A03F-4B49-4AFF-8D3E-C499A55E3BFC@oracle.com> <94443a60-6e82-41e4-bce9-1c4411259370@email.android.com> <2F54AF6F-BA62-4E09-81E5-15429515F053@oracle.com> <016FEABF-7C29-4404-9FF0-FD5438EB0F46@oracle.com> <66EB6B65-C19D-42B2-A554-53E99948B376@lodderstedt.net>
Mime-Version: 1.0 (1.0)
In-Reply-To: <66EB6B65-C19D-42B2-A554-53E99948B376@lodderstedt.net>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: quoted-printable
Message-Id: <8E8F6906-E408-4F21-83BE-B8E33ECDD9D2@oracle.com>
X-Mailer: iPhone Mail (10B329)
From: Phil Hunt <phil.hunt@oracle.com>
Date: Tue, 20 Aug 2013 07:42:24 -0700
To: Torsten Lodderstedt <torsten@lodderstedt.net>
X-Source-IP: ucsinet22.oracle.com [156.151.31.94]
Cc: oauth mailing list <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Dynamic Client Registration Conference Call: Thu 22 Aug, 2pm PDT
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 20 Aug 2013 14:42:44 -0000

+1

The chosen solution should account for this.

Phil

On 2013-08-20, at 2:34, Torsten Lodderstedt <torsten@lodderstedt.net> wrote:

> Hi Phil,
>
> I agree, the client may also present a client_id obtained from another
> "source". But: the AS must be able to associate a policy with this
> particular id. This typically requires a provisioning of the client id
> before the actual OAuth interaction takes place. Otherwise the AS does not
> have any information regarding the client id in the code flow at authz
> endpoint.
>
> This needs to be taken into account.
>
> regards,
> Torsten.
>
> On 20.08.2013 at 08:12, Phil Hunt <phil.hunt@oracle.com> wrote:
>
>> Sorry I see my message still isn't that clear.  I am saying there is no
>> requirement that a client directly obtain a client_id from the AS service
>> provider. It is merely an assumption that has been made by dyn reg based
>> on typical use patterns to date.
>>
>> It could be reasonable for a client to generate its own guid or more
>> likely, use an assertion signed by a party the service provider trusts.
>>
>> Phil
>>
>> On 2013-08-19, at 22:53, Phil Hunt <phil.hunt@oracle.com> wrote:
>>
>>> See below
>>>
>>> Phil
>>>
>>> On 2013-08-19, at 22:34, Torsten Lodderstedt <torsten@lodderstedt.net> wrote:
>>>
>>>> Hi Phil,
>>>>
>>>>> The assumption that client id must be issued by the sp seems wrong to
>>>>> me in many cases-- including oidc. 6749 does not make this restriction
>>>>> at all.
>>>>
>>>> What do you mean? Grant type code requires a client_id in order to
>>>> identify the client at the AS's authz endpoint. Based on this data, the
>>>> AS chooses the authz policy and validates the redirect_uri.
>>>
>>> [ph] yes. But I am referring to the fact that the client does not have to
>>> obtain it from the AS. It merely has to present one that is accepted.
>>>
>>> Iow a federated assertion might solve the issue.
>>>>
>>>>> Given this, a statement approach may be sufficient for many clients. No
>>>>> need for long term credential mgmt or records.
>>>>
>>>> Perhaps for clients using the token endpoint only.
>>>
>>> [Ph] Actually I was also thinking of javascript clients.
>>>>
>>>> regards,
>>>> Torsten.
>>>>
>>>>>
>>>>> Phil
>>>>>
>>>>> On 2013-08-19, at 16:33, Eve Maler <eve@xmlgrrl.com> wrote:
>>>>>
>>>>>> Hi folks-- Just a reminder that the first draft the UMA group
>>>>>> submitted on May 1, 2011 contained extensive requirements and use
>>>>>> cases related to UMA's various needs for dynamic client registration:
>>>>>>
>>>>>> http://tools.ietf.org/html/draft-hardjono-oauth-dynreg-00
>>>>>>
>>>>>> When there was interest to pick up this draft as a WG work item, it
>>>>>> was recommended that we excise this content so that the doc wouldn't
>>>>>> be so specific to our particular usage of OAuth.
>>>>>>
>>>>>> I point this out just to show that the need for dynamic client
>>>>>> registration isn't limited to OpenID Connect, and that some specific
>>>>>> use cases have already been floated here.
>>>>>>
>>>>>> FWIW,
>>>>>>
>>>>>> Eve
>>>>>>
>>>>>> On 19 Aug 2013, at 8:31 AM, Justin Richer <jricher@mitre.org> wrote:
>>>>>>
>>>>>>> All of this is a good argument to do both, which is what I've been
>>>>>>> saying all along.
>>>>>>>
>>>>>>> -- Justin
>>>>>>>
>>>>>>> On 08/19/2013 11:33 AM, Phil Hunt wrote:
>>>>>>>> I do not recall agreement in charter discussions to solving a
>>>>>>>> specific case.
>>>>>>>>
>>>>>>>> I recall more than one in the re-chartering discussion said dyn reg
>>>>>>>> needed major changes to solve their use cases.
>>>>>>>>
>>>>>>>> Phil
>>>>>>>>
>>>>>>>> On 2013-08-19, at 8:18, Justin Richer <jricher@mitre.org> wrote:
>>>>>>>>
>>>>>>>>> Tony, I completely disagree. The proposals that I've seen have
>>>>>>>>> different means and different end states, and they make different
>>>>>>>>> assumptions about the relationship between entities and the
>>>>>>>>> capabilities of all players.
>>>>>>>>>
>>>>>>>>> -- Justin
>>>>>>>>>
>>>>>>>>> On 08/19/2013 11:15 AM, Anthony Nadalin wrote:
>>>>>>>>>> There are proposals out there that are trying to solve the same
>>>>>>>>>> problem, but in different ways, so I would not say that they are
>>>>>>>>>> trying to solve different use cases. I do think that we need to
>>>>>>>>>> make sure that whatever proposal we select it needs to have a wide
>>>>>>>>>> range of use cases it solves, not just a single use case as the
>>>>>>>>>> more solutions this group produces the more confused folks will be
>>>>>>>>>>
>>>>>>>>>> -----Original Message-----
>>>>>>>>>> From: oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] On
>>>>>>>>>> Behalf Of Justin Richer
>>>>>>>>>> Sent: Monday, August 19, 2013 7:27 AM
>>>>>>>>>> To: Phil Hunt
>>>>>>>>>> Cc: oauth mailing list
>>>>>>>>>> Subject: Re: [OAUTH-WG] Dynamic Client Registration Conference
>>>>>>>>>> Call: Thu 22 Aug, 2pm PDT
>>>>>>>>>>
>>>>>>>>>> I agree that dynamic registration isn't needed to solve *all* of
>>>>>>>>>> the different use cases. It solves its set of specific problems
>>>>>>>>>> (and does so well, if you ask me), but there are and will always
>>>>>>>>>> be things that it won't work for, and that's fine. That's why I've
>>>>>>>>>> suggested under a separate thread that the other drafts go forward
>>>>>>>>>> separately and that DynReg not be hung up on them. We're
>>>>>>>>>> fundamentally solving different use cases, and there is no magic
>>>>>>>>>> solution that will solve all the problems at once.
>>>>>>>>>>
>>>>>>>>>> -- Justin
>>>>>>>>>>
>>>>>>>>>> On 08/18/2013 08:15 PM, Phil Hunt wrote:
>>>>>>>>>>> I think we should start by reviewing use cases taxonomy.
>>>>>>>>>>>
>>>>>>>>>>> Then a discussion on any client_id assumptions and actual
>>>>>>>>>>> requirements for each client case. Why is registration needed for
>>>>>>>>>>> each case?
>>>>>>>>>>>
>>>>>>>>>>> The statement can solve some complication but should be put in
>>>>>>>>>>> context of use cases.
>>>>>>>>>>>
>>>>>>>>>>> Phil
>>>>>>>>>>>
>>>>>>>>>>> On 2013-08-18, at 15:01, Hannes Tschofenig
>>>>>>>>>>> <hannes.tschofenig@gmx.net> wrote:
>>>>>>>>>>>
>>>>>>>>>>>> Based on your feedback via the poll let us start with August
>>>>>>>>>>>> 22nd with the first conference call. I will distribute the
>>>>>>>>>>>> conference call details on Tuesday.
>>>>>>>>>>>>
>>>>>>>>>>>> Let us talk about the agenda. There were several items brought
>>>>>>>>>>>> up in discussions, namely
>>>>>>>>>>>>
>>>>>>>>>>>> * Software assertions / software statements
>>>>>>>>>>>>
>>>>>>>>>>>> We briefly discussed this topic at the IETF OAuth session but
>>>>>>>>>>>> we may need more time to understand the implications for the
>>>>>>>>>>>> current dynamic client registration document:
>>>>>>>>>>>> http://www.ietf.org/proceedings/87/slides/slides-87-oauth-2.pptx
>>>>>>>>>>>>
>>>>>>>>>>>> * SCIM vs. current dynamic client registration approach for
>>>>>>>>>>>> interacting with the client configuration endpoint
>>>>>>>>>>>>
>>>>>>>>>>>> In the past we said that it would be fine to have a profile
>>>>>>>>>>>> defined in SCIM to provide the dynamic client registration for
>>>>>>>>>>>> those who implement SCIM and want to manage clients also using
>>>>>>>>>>>> SCIM. It might, however, be useful to compare the two approaches
>>>>>>>>>>>> in detail to see what the differences are.
>>>>>>>>>>>>
>>>>>>>>>>>> * Interactions with the client registration endpoint
>>>>>>>>>>>>
>>>>>>>>>>>> Justin added some "life cycle" description to the document to
>>>>>>>>>>>> motivate some of the design decisions. Maybe we need to discuss
>>>>>>>>>>>> those in more detail and add further text.
>>>>>>>>>>>> Additional text could come from the NIST Blue Button / Green
>>>>>>>>>>>> Button usage.
>>>>>>>>>>>>
>>>>>>>>>>>> * Aspects that allow servers to store less / no state
>>>>>>>>>>>>
>>>>>>>>>>>> From the discussions on the list it was not clear whether this
>>>>>>>>>>>> is actually accomplishable with the current version of OAuth. We
>>>>>>>>>>>> could explore this new requirement and try to get a better
>>>>>>>>>>>> understanding how much this relates to dynamic client
>>>>>>>>>>>> registration and to what extent it requires changes to the core
>>>>>>>>>>>> spec.
>>>>>>>>>>>>
>>>>>>>>>>>> What would you like to start with? Other topics you would like
>>>>>>>>>>>> to bring up?
>>>>>>
>>>>>> Eve Maler                                  http://www.xmlgrrl.com/blog
>>>>>> +1 425 345 6756                         http://www.twitter.com/xmlgrrl

From hannes.tschofenig@nsn.com  Tue Aug 20 07:50:59 2013
Return-Path: <hannes.tschofenig@nsn.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id ACE8C11E823F for <oauth@ietfa.amsl.com>; Tue, 20 Aug 2013 07:50:58 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -105.793
X-Spam-Level: 
X-Spam-Status: No, score=-105.793 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4, SARE_URI_CONS7=0.306, URI_NOVOWEL=0.5, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id nE5ewRkPRfhE for <oauth@ietfa.amsl.com>; Tue, 20 Aug 2013 07:50:55 -0700 (PDT)
Received: from demumfd001.nsn-inter.net (demumfd001.nsn-inter.net [93.183.12.32]) by ietfa.amsl.com (Postfix) with ESMTP id 7E67F11E823A for <oauth@ietf.org>; Tue, 20 Aug 2013 07:50:51 -0700 (PDT)
Received: from demuprx016.emea.nsn-intra.net ([10.150.129.55]) by demumfd001.nsn-inter.net (8.12.11.20060308/8.12.11) with ESMTP id r7KEomMc009211 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK); Tue, 20 Aug 2013 16:50:48 +0200
Received: from USCHHTC001.nsn-intra.net ([10.159.161.14]) by demuprx016.emea.nsn-intra.net (8.12.11.20060308/8.12.11) with ESMTP id r7KEnUbq017070 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=FAIL); Tue, 20 Aug 2013 16:50:47 +0200
Received: from USCHHTC004.nsn-intra.net (10.159.161.17) by USCHHTC001.nsn-intra.net (10.159.161.14) with Microsoft SMTP Server (TLS) id 14.3.123.3; Tue, 20 Aug 2013 09:50:07 -0500
Received: from USCHMBX001.nsn-intra.net ([169.254.1.221]) by USCHHTC004.nsn-intra.net ([10.159.161.17]) with mapi id 14.03.0123.003; Tue, 20 Aug 2013 09:50:06 -0500
From: "Tschofenig, Hannes (NSN - FI/Espoo)" <hannes.tschofenig@nsn.com>
To: ext Eve Maler <eve@xmlgrrl.com>, Justin Richer <jricher@mitre.org>
Thread-Topic: [OAUTH-WG] Dynamic Client Registration Conference Call: Thu 22 Aug, 2pm PDT
Thread-Index: AQHOnTSHiFrFHHda9E2Ya+ErypFShZmd+qSQ
Date: Tue, 20 Aug 2013 14:50:07 +0000
Message-ID: <1373E8CE237FCC43BCA36C6558612D2AA26F17@USCHMBX001.nsn-intra.net>
References: <DD8AFCA4-6F49-40F1-A65E-C1DDE45A9B32@gmx.net> <76E10B6F-F28D-456D-84EA-65FF25AEB744@oracle.com> <52122B2B.2060108@mitre.org> <3a1743927cfe423aa8abed58f6e4460a@BY2PR03MB189.namprd03.prod.outlook.com> <52123743.9020203@mitre.org> <69B1F7D8-5DE5-4D29-8027-4CC4178A00DF@oracle.com> <52123A6F.8060206@mitre.org> <21B5C872-5909-4D51-8700-B53E18C6C343@xmlgrrl.com>
In-Reply-To: <21B5C872-5909-4D51-8700-B53E18C6C343@xmlgrrl.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
x-originating-ip: [10.159.161.118]
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-purgate-type: clean
X-purgate-Ad: Categorized by eleven eXpurgate (R) http://www.eleven.de
X-purgate: clean
X-purgate: This mail is considered clean (visit http://www.eleven.de for further information)
X-purgate-size: 9016
X-purgate-ID: 151667::1377010248-00003561-04532ED7/0-0/0-0
Cc: oauth mailing list <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Dynamic Client Registration Conference Call: Thu 22	Aug, 2pm PDT
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 20 Aug 2013 14:51:00 -0000

Hi Eve,

Thanks for pointing to this document. I took a brief look at the use case
section and also followed the link to the original UMA use case page at
http://kantarainitiative.org/confluence/display/uma/UMA+Scenarios+and+Use+Cases

The problem with the write-up is that it does not help us in the discussion
about these specific design choices for the dynamic client registration
protocol since the UMA use cases are more high-level.

What we would, for example, need (at least I think so) are scenarios at the
level of "client generates a client id (instead of AS). What is the
motivation? What are the implications for the protocol interaction and for
security?"

If someone from the UMA community could provide me with use cases that are
focused to help me answer questions like the one above that would be
helpful.

Ciao
Hannes

> -----Original Message-----
> From: oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] On Behalf
> Of ext Eve Maler
> Sent: Tuesday, August 20, 2013 1:33 AM
> To: Justin Richer
> Cc: oauth mailing list
> Subject: Re: [OAUTH-WG] Dynamic Client Registration Conference Call:
> Thu 22 Aug, 2pm PDT
>
> Hi folks-- Just a reminder that the first draft the UMA group submitted
> on May 1, 2011 contained extensive requirements and use cases related
> to UMA's various needs for dynamic client registration:
>
> http://tools.ietf.org/html/draft-hardjono-oauth-dynreg-00
>
> When there was interest to pick up this draft as a WG work item, it was
> recommended that we excise this content so that the doc wouldn't be so
> specific to our particular usage of OAuth.
>
> I point this out just to show that the need for dynamic client
> registration isn't limited to OpenID Connect, and that some specific
> use cases have already been floated here.
>
> FWIW,
>
>     Eve
>
> On 19 Aug 2013, at 8:31 AM, Justin Richer <jricher@mitre.org> wrote:
>
> > All of this is a good argument to do both, which is what I've been
> > saying all along.
> >
> > -- Justin
> >
> > On 08/19/2013 11:33 AM, Phil Hunt wrote:
> >> I do not recall agreement in charter discussions to solving a
> >> specific case.
> >>
> >> I recall more than one in the re-chartering discussion said dyn reg
> >> needed major changes to solve their use cases.
> >>
> >> Phil
> >>
> >> On 2013-08-19, at 8:18, Justin Richer <jricher@mitre.org> wrote:
> >>
> >>> Tony, I completely disagree. The proposals that I've seen have
> >>> different means and different end states, and they make different
> >>> assumptions about the relationship between entities and the
> >>> capabilities of all players.
> >>>
> >>> -- Justin
> >>>
> >>> On 08/19/2013 11:15 AM, Anthony Nadalin wrote:
> >>>> There are proposals out there that are trying to solve the same
> >>>> problem, but in different ways, so I would not say that they are
> >>>> trying to solve different use cases. I do think that we need to
> >>>> make sure that whatever proposal we select it needs to have a wide
> >>>> range of use cases it solves, not just a single use case as the
> >>>> more solutions this group produces the more confused folks will be
> >>>>
> >>>> -----Original Message-----
> >>>> From: oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] On
> >>>> Behalf Of Justin Richer
> >>>> Sent: Monday, August 19, 2013 7:27 AM
> >>>> To: Phil Hunt
> >>>> Cc: oauth mailing list
> >>>> Subject: Re: [OAUTH-WG] Dynamic Client Registration Conference
> >>>> Call: Thu 22 Aug, 2pm PDT
> >>>>
> >>>> I agree that dynamic registration isn't needed to solve *all* of
> >>>> the different use cases. It solves its set of specific problems
> >>>> (and does so well, if you ask me), but there are and will always
> >>>> be things that it won't work for, and that's fine. That's why I've
> >>>> suggested under a separate thread that the other drafts go forward
> >>>> separately and that DynReg not be hung up on them. We're
> >>>> fundamentally solving different use cases, and there is no magic
> >>>> solution that will solve all the problems at once.
> >>>>
> >>>>   -- Justin
> >>>>
> >>>> On 08/18/2013 08:15 PM, Phil Hunt wrote:
> >>>>> I think we should start by reviewing use cases taxonomy.
> >>>>>
> >>>>> Then a discussion on any client_id assumptions and actual
> >>>>> requirements for each client case. Why is registration needed for
> >>>>> each case?
> >>>>>
> >>>>> The statement can solve some complication but should be put in
> >>>>> context of use cases.
> >>>>>
> >>>>> Phil
> >>>>>
> >>>>> On 2013-08-18, at 15:01, Hannes Tschofenig
> >>>>> <hannes.tschofenig@gmx.net> wrote:
> >>>>>
> >>>>>> Based on your feedback via the poll let us start with August
> >>>>>> 22nd with the first conference call. I will distribute the conference
> >>>>>> call details on Tuesday.
> >>>>>>
> >>>>>> Let us talk about the agenda. There were several items brought
> >>>>>> up in discussions, namely
> >>>>>>
> >>>>>> * Software assertions / software statements
> >>>>>>
> >>>>>> We briefly discussed this topic at the IETF OAuth session but we
> >>>>>> may need more time to understand the implications for the current
> >>>>>> dynamic client registration document:
> >>>>>> http://www.ietf.org/proceedings/87/slides/slides-87-oauth-2.pptx
> >>>>>>
> >>>>>> * SCIM vs. current dynamic client registration approach for
> >>>>>> interacting with the client configuration endpoint
> >>>>>>
> >>>>>> In the past we said that it would be fine to have a profile
> >>>>>> defined in SCIM to provide the dynamic client registration for those
> >>>>>> who implement SCIM and want to manage clients also using SCIM. It might,
> >>>>>> however, be useful to compare the two approaches in detail to see what
> >>>>>> the differences are.
> >>>>>>
> >>>>>> * Interactions with the client registration endpoint
> >>>>>>
> >>>>>> Justin added some "life cycle" description to the document to
> >>>>>> motivate some of the design decisions. Maybe we need to discuss those
> >>>>>> in more detail and add further text.
> >>>>>> Additional text could come from the NIST Blue Button / Green
> >>>>>> Button usage.
> >>>>>>
> >>>>>> * Aspects that allow servers to store less / no state
> >>>>>>
> >>>>>> From the discussions on the list it was not clear whether
> >>>>>> this is actually accomplishable with the current version of OAuth. We
> >>>>>> could explore this new requirement and try to get a better
> >>>>>> understanding how much this relates to dynamic client registration and
> >>>>>> to what extent it requires changes to the core spec.
> >>>>>>
> >>>>>>
> >>>>>> What would you like to start with? Other topics you would like
> >>>>>> to bring up?
> >>>>>> _______________________________________________
> >>>>>> OAuth mailing list
> >>>>>> OAuth@ietf.org
> >>>>>> https://www.ietf.org/mailman/listinfo/oauth
>
>
> Eve Maler                                  http://www.xmlgrrl.com/blog
> +1 425 345 6756                         http://www.twitter.com/xmlgrrl
>

From hannes.tschofenig@nsn.com  Tue Aug 20 07:53:48 2013
Return-Path: <hannes.tschofenig@nsn.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2D4EF11E8238 for <oauth@ietfa.amsl.com>; Tue, 20 Aug 2013 07:53:33 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -106.196
X-Spam-Level: 
X-Spam-Status: No, score=-106.196 tagged_above=-999 required=5 tests=[AWL=0.403, BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id XAorXdxn01kS for <oauth@ietfa.amsl.com>; Tue, 20 Aug 2013 07:53:29 -0700 (PDT)
Received: from demumfd001.nsn-inter.net (demumfd001.nsn-inter.net [93.183.12.32]) by ietfa.amsl.com (Postfix) with ESMTP id 149A711E80E3 for <oauth@ietf.org>; Tue, 20 Aug 2013 07:53:24 -0700 (PDT)
Received: from demuprx016.emea.nsn-intra.net ([10.150.129.55]) by demumfd001.nsn-inter.net (8.12.11.20060308/8.12.11) with ESMTP id r7KErMF5013345 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK); Tue, 20 Aug 2013 16:53:22 +0200
Received: from USCHHTC001.nsn-intra.net ([10.159.161.14]) by demuprx016.emea.nsn-intra.net (8.12.11.20060308/8.12.11) with ESMTP id r7KEqbm6023017 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=FAIL); Tue, 20 Aug 2013 16:53:21 +0200
Received: from USCHHTC004.nsn-intra.net (10.159.161.17) by USCHHTC001.nsn-intra.net (10.159.161.14) with Microsoft SMTP Server (TLS) id 14.3.123.3; Tue, 20 Aug 2013 09:51:50 -0500
Received: from USCHMBX001.nsn-intra.net ([169.254.1.221]) by USCHHTC004.nsn-intra.net ([10.159.161.17]) with mapi id 14.03.0123.003; Tue, 20 Aug 2013 09:51:50 -0500
From: "Tschofenig, Hannes (NSN - FI/Espoo)" <hannes.tschofenig@nsn.com>
To: ext Phil Hunt <phil.hunt@oracle.com>, Hannes Tschofenig <hannes.tschofenig@gmx.net>
Thread-Topic: [OAUTH-WG] Dynamic Client Registration Conference Call: Thu 22 Aug, 2pm PDT
Thread-Index: AQHOnHFT52T2wsUCcUGLqz5mo8MPjZmd+56w
Date: Tue, 20 Aug 2013 14:51:49 +0000
Message-ID: <1373E8CE237FCC43BCA36C6558612D2AA26F2C@USCHMBX001.nsn-intra.net>
References: <DD8AFCA4-6F49-40F1-A65E-C1DDE45A9B32@gmx.net> <76E10B6F-F28D-456D-84EA-65FF25AEB744@oracle.com>
In-Reply-To: <76E10B6F-F28D-456D-84EA-65FF25AEB744@oracle.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
x-originating-ip: [10.159.161.118]
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-purgate-type: clean
X-purgate-Ad: Categorized by eleven eXpurgate (R) http://www.eleven.de
X-purgate: clean
X-purgate: This mail is considered clean (visit http://www.eleven.de for further information)
X-purgate-size: 4201
X-purgate-ID: 151667::1377010402-00003561-AEDAEAB7/0-0/0-0
Cc: oauth mailing list <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Dynamic Client Registration Conference Call: Thu 22	Aug, 2pm PDT
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 20 Aug 2013 14:53:49 -0000

Hi Phil,


> I think we should start by reviewing use cases taxonomy.


What do you mean by "use cases taxonomy"? What exactly would we discuss
under that item?

>
> Then a discussion on any client_id assumptions and actual requirements
> for each client case. Why is registration needed for each case?

I guess you are bringing the use case to the table where there is no
client id needed (?) or where the client id is provided by yet another
party (other than the one running the AS).

>
> The statement can solve some complication but should be put in context
> of use cases.
>

Ciao
Hannes

> Phil
>
> On 2013-08-18, at 15:01, Hannes Tschofenig <hannes.tschofenig@gmx.net>
> wrote:
>
> > Based on your feedback via the poll let us start with August 22nd
> > with the first conference call. I will distribute the conference call
> > details on Tuesday.
> >
> > Let us talk about the agenda. There were several items brought up in
> > discussions, namely
> >
> > * Software assertions / software statements
> >
> > We briefly discussed this topic at the IETF OAuth session but we may
> > need more time to understand the implications for the current dynamic
> > client registration document:
> > http://www.ietf.org/proceedings/87/slides/slides-87-oauth-2.pptx
> >
> > * SCIM vs. current dynamic client registration approach for
> > interacting with the client configuration endpoint
> >
> > In the past we said that it would be fine to have a profile defined
> > in SCIM to provide the dynamic client registration for those who
> > implement SCIM and want to manage clients also using SCIM. It might,
> > however, be useful to compare the two approaches in detail to see what
> > the differences are.
> >
> > * Interactions with the client registration endpoint
> >
> > Justin added some "life cycle" description to the document to
> > motivate some of the design decisions. Maybe we need to discuss those
> > in more detail and add further text.
> > Additional text could come from the NIST Blue Button / Green Button
> > usage.
> >
> > * Aspects that allow servers to store less / no state
> >
> > From the discussions on the list it was not clear whether this is
> > actually accomplishable with the current version of OAuth. We could
> > explore this new requirement and try to get a better understanding how
> > much this relates to dynamic client registration and to what extent it
> > requires changes to the core spec.
> >
> >
> > What would you like to start with? Other topics you would like to
> > bring up?
> > _______________________________________________
> > OAuth mailing list
> > OAuth@ietf.org
> > https://www.ietf.org/mailman/listinfo/oauth

From phil.hunt@oracle.com  Tue Aug 20 08:13:04 2013
Return-Path: <phil.hunt@oracle.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DAD4711E80E3 for <oauth@ietfa.amsl.com>; Tue, 20 Aug 2013 08:13:04 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.012
X-Spam-Level: 
X-Spam-Status: No, score=-5.012 tagged_above=-999 required=5 tests=[AWL=0.191,  BAYES_00=-2.599, MIME_QP_LONG_LINE=1.396, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 0tt9qZGR-zL0 for <oauth@ietfa.amsl.com>; Tue, 20 Aug 2013 08:12:59 -0700 (PDT)
Received: from aserp1040.oracle.com (aserp1040.oracle.com [141.146.126.69]) by ietfa.amsl.com (Postfix) with ESMTP id 21AFB21F841B for <oauth@ietf.org>; Tue, 20 Aug 2013 08:12:52 -0700 (PDT)
Received: from acsinet22.oracle.com (acsinet22.oracle.com [141.146.126.238]) by aserp1040.oracle.com (Sentrion-MTA-4.3.1/Sentrion-MTA-4.3.1) with ESMTP id r7KFCkLS008725 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK); Tue, 20 Aug 2013 15:12:47 GMT
Received: from userz7021.oracle.com (userz7021.oracle.com [156.151.31.85]) by acsinet22.oracle.com (8.14.4+Sun/8.14.4) with ESMTP id r7KFCjR0003004 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Tue, 20 Aug 2013 15:12:46 GMT
Received: from abhmt105.oracle.com (abhmt105.oracle.com [141.146.116.57]) by userz7021.oracle.com (8.14.4+Sun/8.14.4) with ESMTP id r7KFCiE9016667; Tue, 20 Aug 2013 15:12:45 GMT
Received: from [192.168.1.125] (/24.86.29.34) by default (Oracle Beehive Gateway v4.0) with ESMTP ; Tue, 20 Aug 2013 08:12:44 -0700
References: <DD8AFCA4-6F49-40F1-A65E-C1DDE45A9B32@gmx.net> <76E10B6F-F28D-456D-84EA-65FF25AEB744@oracle.com> <1373E8CE237FCC43BCA36C6558612D2AA26F2C@USCHMBX001.nsn-intra.net>
Mime-Version: 1.0 (1.0)
In-Reply-To: <1373E8CE237FCC43BCA36C6558612D2AA26F2C@USCHMBX001.nsn-intra.net>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: quoted-printable
Message-Id: <0EA89B9E-8907-441D-88E0-96E100BC123C@oracle.com>
X-Mailer: iPhone Mail (10B329)
From: Phil Hunt <phil.hunt@oracle.com>
Date: Tue, 20 Aug 2013 08:12:38 -0700
To: "Tschofenig, Hannes (NSN - FI/Espoo)" <hannes.tschofenig@nsn.com>
X-Source-IP: acsinet22.oracle.com [141.146.126.238]
Cc: oauth mailing list <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Dynamic Client Registration Conference Call: Thu 22 Aug, 2pm PDT
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 20 Aug 2013 15:13:05 -0000

By taxonomy I mean the distinct types of clients and associations.

E.g.
- javascript
- native app
- web app
- apps that associate to one endpoint vs those that register with multiple
  based on events
- perm vs temporary associations

There are probably more.

As Torsten mentions one of the most important factors is first how the
server recognizes the client that is registering. It needs to do this to
set or associate policy.

What does a service provider gain if it has no information about clients?
The downside of issuing random client_ids is little or no policy-based
access control and resource depletion.

So we have to ask ourselves in each case why register? What is achieved
for each side? Client id is a major factor but it is not THE factor.

Phil

On 2013-08-20, at 7:51, ", Hannes (NSN - FI/Espoo)" <hannes.tschofenig@nsn.com> wrote:

> Hi Phil,
>
>
>> I think we should start by reviewing use cases taxonomy.
>
>
> What do you mean by "use cases taxonomy"? What exactly would we discuss
> under that item?
>
>>
>> Then a discussion on any client_id assumptions and actual requirements
>> for each client case. Why is registration needed for each case?
>
> I guess you are bringing the use case to the table where there is no
> client id needed (?) or where the client id is provided by yet another
> party (other than the one running the AS).
>
>>
>> The statement can solve some complication but should be put in context
>> of use cases.
>
> Ciao
> Hannes
>
>> Phil
>>
>> On 2013-08-18, at 15:01, Hannes Tschofenig <hannes.tschofenig@gmx.net>
>> wrote:
>>
>>> Based on your feedback via the poll let us start with August 22nd
>>> with the first conference call. I will distribute the conference call
>>> details on Tuesday.
>>>
>>> Let us talk about the agenda. There were several items brought up in
>>> discussions, namely
>>>
>>> * Software assertions / software statements
>>>
>>> We briefly discussed this topic at the IETF OAuth session but we may
>>> need more time to understand the implications for the current dynamic
>>> client registration document:
>>> http://www.ietf.org/proceedings/87/slides/slides-87-oauth-2.pptx
>>>
>>> * SCIM vs. current dynamic client registration approach for
>>> interacting with the client configuration endpoint
>>>
>>> In the past we said that it would be fine to have a profile defined
>>> in SCIM to provide the dynamic client registration for those who
>>> implement SCIM and want to manage clients also using SCIM. It might,
>>> however, be useful to compare the two approaches in detail to see what
>>> the differences are.
>>>
>>> * Interactions with the client registration endpoint
>>>
>>> Justin added some "life cycle" description to the document to
>>> motivate some of the design decisions. Maybe we need to discuss those
>>> in more detail and add further text.
>>> Additional text could come from the NIST Blue Button / Green Button
>>> usage.
>>>
>>> * Aspects that allow servers to store less / no state
>>>
>>> From the discussions on the list it was not clear whether this is
>>> actually accomplishable with the current version of OAuth. We could
>>> explore this new requirement and try to get a better understanding how
>>> much this relates to dynamic client registration and to what extent it
>>> requires changes to the core spec.
>>>
>>>
>>> What would you like to start with? Other topics you would like to
>>> bring up?
>>> _______________________________________________
>>> OAuth mailing list
>>> OAuth@ietf.org
>>> https://www.ietf.org/mailman/listinfo/oauth

From jmandel@gmail.com  Tue Aug 20 08:30:41 2013
Return-Path: <jmandel@gmail.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8288B11E8261 for <oauth@ietfa.amsl.com>; Tue, 20 Aug 2013 08:30:41 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level: 
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, HTML_MESSAGE=0.001, NO_RELAYS=-0.001]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id hVkPBK1YP4-S for <oauth@ietfa.amsl.com>; Tue, 20 Aug 2013 08:30:36 -0700 (PDT)
Received: from mail-pb0-x231.google.com (mail-pb0-x231.google.com [IPv6:2607:f8b0:400e:c01::231]) by ietfa.amsl.com (Postfix) with ESMTP id 2101E11E8243 for <oauth@ietf.org>; Tue, 20 Aug 2013 08:30:32 -0700 (PDT)
Received: by mail-pb0-f49.google.com with SMTP id xb4so557929pbc.22 for <oauth@ietf.org>; Tue, 20 Aug 2013 08:30:31 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc:content-type; bh=zX9nbq/pW3WnDmlDQlcXAIFK1JY5/y0nw5HgfQTPDvw=; b=HVYsyLlBR7VGRjUqwzUktY6ClJC2EruPlcp5zlLshNlG24+hlcWF/4n4SF8YCSlqz+ rdaJ6xKhx4dEFjoK8Ne16H79tohfg8GjQSanUAsg3d+qyzyuKUOzkTVd9wSJhuOnNUg/ 2Zlw+YVfMBe4LUBTdEOzvhKa/8keJ4eh9XSlTJKwG+4Xmd3QKVnfyLe7Y1LnhhkfVuxU ng9m3x/V6ZKLSWdSNfdPMCPp4E9Te8ljk2EGubfPhyTzcyjx45XfrhkkXEKH6+X691ks ZMN7BwiAvdyYXRtY+uBZaZrxxVmoomp15qDfhfXTLpOk1+DagEhGK1Z/ShHKyAxy+YJi yGWw==
X-Received: by 10.67.23.36 with SMTP id hx4mr4597527pad.54.1377012631077; Tue, 20 Aug 2013 08:30:31 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.68.211.4 with HTTP; Tue, 20 Aug 2013 08:30:16 -0700 (PDT)
In-Reply-To: <0EA89B9E-8907-441D-88E0-96E100BC123C@oracle.com>
References: <DD8AFCA4-6F49-40F1-A65E-C1DDE45A9B32@gmx.net> <76E10B6F-F28D-456D-84EA-65FF25AEB744@oracle.com> <1373E8CE237FCC43BCA36C6558612D2AA26F2C@USCHMBX001.nsn-intra.net> <0EA89B9E-8907-441D-88E0-96E100BC123C@oracle.com>
From: Josh Mandel <jmandel@gmail.com>
Date: Tue, 20 Aug 2013 08:30:16 -0700
Message-ID: <CANSMLKE_xTwbTMhuRg1ZDHRs2bHbKnK7ejar63kzbANQdNJxog@mail.gmail.com>
To: Phil Hunt <phil.hunt@oracle.com>
Content-Type: multipart/alternative; boundary=047d7b072450ba0d5b04e462bcad
Cc: oauth mailing list <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Dynamic Client Registration Conference Call: Thu 22 Aug, 2pm PDT
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 20 Aug 2013 15:30:41 -0000

--047d7b072450ba0d5b04e462bcad
Content-Type: text/plain; charset=ISO-8859-1

The group may be interested in bits of the following classification that we
put together for BlueButton+:
http://blue-button.github.io/blue-button-plus-pull/#client-types

Here, we classified apps according to
1.  whether they can protect a `client_secret` and
2.  whether they can protect a `registration_jwt` (issued by a third party
and presented by the client to the registration endpoint at registration
time)

We used this classification with the current dyn-reg draft, in order to
give implementers a concrete idea about how policy might vary according to
client type. Part of why this works nicely for BB+ is that we actually get
to control (well, specify!) policy within the BB+ network.

  -Josh


On Tue, Aug 20, 2013 at 8:12 AM, Phil Hunt <phil.hunt@oracle.com> wrote:

> By taxonomy I mean the distinct types of clients and associations.
>
> E.g.
> - javascript
> - native app
> - web app
> - apps that associate to one endpoint vs those that register with multiple
> based on events
> - perm vs temporary associations
>
> There are probably more.
>
> As Torsten mentions one of the most important factors is first how the
> server recognizes the client that is registering. It needs to do this to
> set or associate policy.
>
> What does a service provider gain if it has no information about clients?
> The downside of issuing random client_ids is little or no policy-based
> access control and resource depletion.
>
> So we have to ask ourselves in each case why register? What is achieved
> for each side? Client id is a major factor but it is not THE factor.
>
> Phil
>
> On 2013-08-20, at 7:51, ", Hannes (NSN - FI/Espoo)" <
> hannes.tschofenig@nsn.com> wrote:
>
> > Hi Phil,
> >
> >
> >> I think we should start by reviewing use cases taxonomy.
> >
> >
> > What do you mean by "use cases taxonomy"? What exactly would we discuss
> > under that item?
> >
> >>
> >> Then a discussion on any client_id assumptions and actual requirements
> >> for each client case. Why is registration needed for each case?
> >
> > I guess you are bringing the use case to the table where there is no
> > client id needed (?) or where the client id is provided by yet another
> > party (other than the one running the AS).
> >
> >>
> >> The statement can solve some complication but should be put in context
> >> of use cases.
> >
> > Ciao
> > Hannes
> >
> >> Phil
> >>
> >> On 2013-08-18, at 15:01, Hannes Tschofenig <hannes.tschofenig@gmx.net>
> >> wrote:
> >>
> >>> Based on your feedback via the poll let us start with August 22nd
> >>> with the first conference call. I will distribute the conference call
> >>> details on Tuesday.
> >>>
> >>> Let us talk about the agenda. There were several items brought up in
> >>> discussions, namely
> >>>
> >>> * Software assertions / software statements
> >>>
> >>> We briefly discussed this topic at the IETF OAuth session but we may
> >>> need more time to understand the implications for the current dynamic
> >>> client registration document:
> >>> http://www.ietf.org/proceedings/87/slides/slides-87-oauth-2.pptx
> >>>
> >>> * SCIM vs. current dynamic client registration approach for
> >>> interacting with the client configuration endpoint
> >>>
> >>> In the past we said that it would be fine to have a profile defined
> >>> in SCIM to provide the dynamic client registration for those who
> >>> implement SCIM and want to manage clients also using SCIM. It might,
> >>> however, be useful to compare the two approaches in detail to see what
> >>> the differences are.
> >>>
> >>> * Interactions with the client registration endpoint
> >>>
> >>> Justin added some "life cycle" description to the document to
> >>> motivate some of the design decisions. Maybe we need to discuss those
> >>> in more detail and add further text.
> >>> Additional text could come from the NIST Blue Button / Green Button
> >>> usage.
> >>>
> >>> * Aspects that allow servers to store less / no state
> >>>
> >>> From the discussions on the list it was not clear whether this is
> >>> actually accomplishable with the current version of OAuth. We could
> >>> explore this new requirement and try to get a better understanding how
> >>> much this relates to dynamic client registration and to what extent it
> >>> requires changes to the core spec.
> >>>
> >>>
> >>> What would you like to start with? Other topics you would like to
> >>> bring up?
> >>> _______________________________________________
> >>> OAuth mailing list
> >>> OAuth@ietf.org
> >>> https://www.ietf.org/mailman/listinfo/oauth
>

--047d7b072450ba0d5b04e462bcad--

From phil.hunt@oracle.com  Tue Aug 20 09:04:55 2013
Return-Path: <phil.hunt@oracle.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2BDE611E823A for <oauth@ietfa.amsl.com>; Tue, 20 Aug 2013 09:04:55 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.719
X-Spam-Level: 
X-Spam-Status: No, score=-5.719 tagged_above=-999 required=5 tests=[AWL=0.879,  BAYES_00=-2.599, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id iFEnQS3ICF0I for <oauth@ietfa.amsl.com>; Tue, 20 Aug 2013 09:04:50 -0700 (PDT)
Received: from aserp1040.oracle.com (aserp1040.oracle.com [141.146.126.69]) by ietfa.amsl.com (Postfix) with ESMTP id 9AE1C11E8123 for <oauth@ietf.org>; Tue, 20 Aug 2013 09:04:49 -0700 (PDT)
Received: from ucsinet22.oracle.com (ucsinet22.oracle.com [156.151.31.94]) by aserp1040.oracle.com (Sentrion-MTA-4.3.1/Sentrion-MTA-4.3.1) with ESMTP id r7KG4lqv007991 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK); Tue, 20 Aug 2013 16:04:48 GMT
Received: from aserz7021.oracle.com (aserz7021.oracle.com [141.146.126.230]) by ucsinet22.oracle.com (8.14.4+Sun/8.14.4) with ESMTP id r7KG4kNA012533 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Tue, 20 Aug 2013 16:04:46 GMT
Received: from abhmt111.oracle.com (abhmt111.oracle.com [141.146.116.63]) by aserz7021.oracle.com (8.14.4+Sun/8.14.4) with ESMTP id r7KG4jPi026649; Tue, 20 Aug 2013 16:04:45 GMT
Received: from [192.168.1.89] (/24.86.29.34) by default (Oracle Beehive Gateway v4.0) with ESMTP ; Tue, 20 Aug 2013 09:04:45 -0700
Content-Type: multipart/alternative; boundary="Apple-Mail=_DC024138-71B8-4A6B-9801-7925C9AADA80"
Mime-Version: 1.0 (Mac OS X Mail 6.5 \(1508\))
From: Phil Hunt <phil.hunt@oracle.com>
In-Reply-To: <CANSMLKE_xTwbTMhuRg1ZDHRs2bHbKnK7ejar63kzbANQdNJxog@mail.gmail.com>
Date: Tue, 20 Aug 2013 09:04:51 -0700
Message-Id: <FA7448BF-1DD3-4045-8C9C-47BDC8174F6A@oracle.com>
References: <DD8AFCA4-6F49-40F1-A65E-C1DDE45A9B32@gmx.net> <76E10B6F-F28D-456D-84EA-65FF25AEB744@oracle.com> <1373E8CE237FCC43BCA36C6558612D2AA26F2C@USCHMBX001.nsn-intra.net> <0EA89B9E-8907-441D-88E0-96E100BC123C@oracle.com> <CANSMLKE_xTwbTMhuRg1ZDHRs2bHbKnK7ejar63kzbANQdNJxog@mail.gmail.com>
To: Josh Mandel <jmandel@gmail.com>
X-Mailer: Apple Mail (2.1508)
X-Source-IP: ucsinet22.oracle.com [156.151.31.94]
Cc: oauth mailing list <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Dynamic Client Registration Conference Call: Thu 22 Aug, 2pm PDT
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 20 Aug 2013 16:04:55 -0000

--Apple-Mail=_DC024138-71B8-4A6B-9801-7925C9AADA80
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain;
	charset=iso-8859-1

Josh,

I think BlueButton is an important example of use.

Tell us more about registration_jwt (which is not part of dyn reg).

Phil

@independentid
www.independentid.com
phil.hunt@oracle.com







On 2013-08-20, at 8:30 AM, Josh Mandel <jmandel@gmail.com> wrote:

> The group may be interested in bits of the following classification that we put together for BlueButton+:
> http://blue-button.github.io/blue-button-plus-pull/#client-types
>
> Here, we classified apps according to
> 1.  whether they can protect a `client_secret` and
> 2.  whether they can protect a `registration_jwt` (issued by a third party and presented by the client to the registration endpoint at registration time)
>
> We used this classification with the current dyn-reg draft, in order to give implementers a concrete idea about how policy might vary according to client type. Part of why this works nicely for BB+ is that we actually get to control (well, specify!) policy within the BB+ network.
>
>   -Josh
>
>
> On Tue, Aug 20, 2013 at 8:12 AM, Phil Hunt <phil.hunt@oracle.com> wrote:
> By taxonomy I mean the distinct types of clients and associations.
>
> Eg
> - javascript
> - native app
> - web app
> - apps that associate to one endpoint vs those that register with multiple based on events
> - perm vs temporary associations
>
> There are probably more.
>
> As Torsten mentions one of the most important factors is first how the server recognizes the client that is registering. It needs to do this to set or associate policy.
>
> What does a service provider gain if it has no information about clients? The downside of issuing random client_ids is little or no policy based access control and resource depletion.
>
> So we have to ask ourselves in each case why register? What is achieved for each side? Client id is a major factor but it is not THE factor.
>
> Phil
>
> On 2013-08-20, at 7:51, ", Hannes (NSN - FI/Espoo)" <hannes.tschofenig@nsn.com> wrote:
>
> > Hi Phil,
> >
> >
> >> I think we should start by reviewing use cases taxonomy.
> >
> >
> > What do you mean by "use cases taxonomy"? What exactly would we discuss under that item?
> >
> >>
> >> Then a discussion on any client_id assumptions and actual requirements
> >> for each client case. Why is registration needed for each case?
> >
> > I guess you are bringing the use case to the table where there is no client id needed (?) or where the client id is provided by yet another party (other than the one running the AS).
> >
> >>
> >> The statement can solve some complication but should be put in context
> >> of use cases.
> >
> > Ciao
> > Hannes
> >
> >> Phil
> >>
> >> On 2013-08-18, at 15:01, Hannes Tschofenig <hannes.tschofenig@gmx.net>
> >> wrote:
> >>
> >>> Based on your feedback via the poll let us start with August 22nd
> >> with the first conference call. I will distribute the conference call
> >> details on Tuesday.
> >>>
> >>> Let us talk about the agenda. There were several items brought up in
> >> discussions, namely
> >>>
> >>> * Software assertions / software statements
> >>>
> >>> We briefly discussed this topic at the IETF OAuth session but we may
> >> need more time to understand the implications for the current dynamic
> >> client registration document:
> >>> http://www.ietf.org/proceedings/87/slides/slides-87-oauth-2.pptx
> >>>
> >>> * SCIM vs. current dynamic client registration approach for
> >> interacting with the client configuration endpoint
> >>>
> >>> In the past we said that it would be fine to have a profile defined
> >> in SCIM to provide the dynamic client registration for those who
> >> implement SCIM and want to manage clients also using SCIM. It might,
> >> however, be useful to compare the two approaches in detail to see what
> >> the differences are.
> >>>
> >>> * Interactions with the client registration endpoint
> >>>
> >>> Justin added some "life cycle" description to the document to
> >> motivate some of the design decisions. Maybe we need to discuss those
> >> in more detail and add further text.
> >>> Additional text could come from the NIST Blue Button / Green Button
> >> usage.
> >>>
> >>> * Aspects that allow servers to store less / no state
> >>>
> >>> From the discussions on the list it was not clear whether this is
> >> actually accomplishable with the current version of OAuth. We could
> >> explore this new requirement and try to get a better understanding how
> >> much this relates to dynamic client registration and to what extent it
> >> requires changes to the core spec.
> >>>
> >>>
> >>> What would you like to start with? Other topics you would like to
> >> bring up?


--Apple-Mail=_DC024138-71B8-4A6B-9801-7925C9AADA80--

From gffletch@aol.com  Tue Aug 20 09:22:57 2013
Return-Path: <gffletch@aol.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5007621F9AA8 for <oauth@ietfa.amsl.com>; Tue, 20 Aug 2013 09:22:57 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.398
X-Spam-Level: 
X-Spam-Status: No, score=-2.398 tagged_above=-999 required=5 tests=[AWL=0.200,  BAYES_00=-2.599, HTML_MESSAGE=0.001]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id QlPvpyk6Elk7 for <oauth@ietfa.amsl.com>; Tue, 20 Aug 2013 09:22:53 -0700 (PDT)
Received: from omr-m01.mx.aol.com (omr-m01.mx.aol.com [64.12.143.75]) by ietfa.amsl.com (Postfix) with ESMTP id A024E21F90C3 for <oauth@ietf.org>; Tue, 20 Aug 2013 09:22:52 -0700 (PDT)
Received: from mtaout-da01.r1000.mx.aol.com (mtaout-da01.r1000.mx.aol.com [172.29.51.129]) by omr-m01.mx.aol.com (Outbound Mail Relay) with ESMTP id 5EBA4700D921A; Tue, 20 Aug 2013 12:22:51 -0400 (EDT)
Received: from ping-audit-10-181-176-212-20120320.ops.aol.com (ping-audit-10-181-176-212-20120320.ops.aol.com [10.181.176.212]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by mtaout-da01.r1000.mx.aol.com (MUA/Third Party Client Interface) with ESMTPSA id 67CE5E0000B7; Tue, 20 Aug 2013 12:22:46 -0400 (EDT)
Message-ID: <521397D4.2010203@aol.com>
Date: Tue, 20 Aug 2013 12:22:44 -0400
From: George Fletcher <gffletch@aol.com>
Organization: AOL LLC
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:17.0) Gecko/20130801 Thunderbird/17.0.8
MIME-Version: 1.0
To: Phil Hunt <phil.hunt@oracle.com>
References: <DD8AFCA4-6F49-40F1-A65E-C1DDE45A9B32@gmx.net> <76E10B6F-F28D-456D-84EA-65FF25AEB744@oracle.com> <1373E8CE237FCC43BCA36C6558612D2AA26F2C@USCHMBX001.nsn-intra.net> <0EA89B9E-8907-441D-88E0-96E100BC123C@oracle.com>
In-Reply-To: <0EA89B9E-8907-441D-88E0-96E100BC123C@oracle.com>
Content-Type: multipart/alternative; boundary="------------090800080708010109030102"
Cc: oauth mailing list <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Dynamic Client Registration Conference Call: Thu 22 Aug, 2pm PDT
List-Id: OAUTH WG <oauth.ietf.org>

This is a multi-part message in MIME format.
--------------090800080708010109030102
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit

 From a use case perspective... do we need to take this back to the 
level of why do we need to do registration in the first place?

Current assumed reasons for registration:
1. callback URL specification as some Authorization Services require 
pre-registration
2. client meta-data (useful for UI presentation to the user during 
authorization flows)
3. client identification often necessary for managing policy decisions
4. others?

[Personally, the concept of an application being able to access a 
protected resource without registering at all is orthogonal to this 
issue of dynamic registration and should be solved separately.]

Different cases for authorization policy
1. User-centric where the user explicitly grants a given app some set of 
limited authorizations
2. AS controlled authorization where the AS grants a set of limited 
authorizations based on the identification of the client outside of the 
user's control
3. Enterprise/policy based authorizations. These may include the user 
identity but are not dependent on the user's consent.
4. Others?

 From my perspective... here are the use cases we want to support

1. Client application can obtain an instance specific client 
identification and secret. This is for deployment of mobile apps.
2. Client applications can easily register with multiple Authorization 
Servers. For consumer based applications this will be more and more 
critical as application level protocols standardize on OAuth2 for API 
security.
3. Consumer friendly experience... meaning that the consumer can easily 
understand what client is requesting which scopes so that the user can 
make an informed decision.
4. Server side revocation of both client instances and classes of clients

One of my concerns with moving solely to the "assertion/statement" model 
is that it requires the client to send a lot of state with every request 
which increases the number of bytes on the wire. Given that all of this 
data is still just bearer data (must be protected by the client)... 
doing an upfront registration with the larger set of data and then using 
a reference (client_id) to that data makes a lot of sense to me.

Sorry for the mishmash of thoughts :)

George

On 8/20/13 11:12 AM, Phil Hunt wrote:
> By taxonomy I mean the distinct types of clients and associations.
>
> E.g.
> - javascript
> - native app
> - web app
> - apps that associate to one endpoint vs those that register with multiple based on events
> - perm vs temporary associations
>
> There are probably more.
>
> As Torsten mentions one of the most important factors is first how the server recognizes the client that is registering. It needs to do this to set or associate policy.
>
> What does a service provider gain if it has no information about clients? The downside of issuing random client_ids is little or no policy based access control and resource depletion.
>
> So we have to ask ourselves in each case why register? What is achieved for each side? Client id is a major factor but it is not THE factor.
>
> Phil
>
> On 2013-08-20, at 7:51, ", Hannes (NSN - FI/Espoo)" <hannes.tschofenig@nsn.com> wrote:
>
>> Hi Phil,
>>
>>
>>> I think we should start by reviewing use cases taxonomy.
>>
>> What do you mean by "use cases taxonomy"? What exactly would we discuss under that item?
>>
>>> Then a discussion on any client_id assumptions and actual requirements
>>> for each client case. Why is registration needed for each case?
>> I guess you are bringing the use case to the table where there is no client id needed (?) or where the client id is provided by yet another party (other than the one running the AS).
>>
>>> The statement can solve some complication but should be put in context
>>> of use cases.
>> Ciao
>> Hannes
>>
>>> Phil
>>>
>>> On 2013-08-18, at 15:01, Hannes Tschofenig <hannes.tschofenig@gmx.net>
>>> wrote:
>>>
>>>> Based on your feedback via the poll let us start with August 22nd
>>>> with the first conference call. I will distribute the conference call
>>>> details on Tuesday.
>>>>
>>>> Let us talk about the agenda. There were several items brought up in
>>>> discussions, namely
>>>>
>>>> * Software assertions / software statements
>>>>
>>>> We briefly discussed this topic at the IETF OAuth session but we may
>>>> need more time to understand the implications for the current dynamic
>>>> client registration document:
>>>> http://www.ietf.org/proceedings/87/slides/slides-87-oauth-2.pptx
>>>>
>>>> * SCIM vs. current dynamic client registration approach for
>>>> interacting with the client configuration endpoint
>>>>
>>>> In the past we said that it would be fine to have a profile defined
>>>> in SCIM to provide the dynamic client registration for those who
>>>> implement SCIM and want to manage clients also using SCIM. It might,
>>>> however, be useful to compare the two approaches in detail to see what
>>>> the differences are.
>>>>
>>>> * Interactions with the client registration endpoint
>>>>
>>>> Justin added some "life cycle" description to the document to
>>>> motivate some of the design decisions. Maybe we need to discuss those
>>>> in more detail and add further text.
>>>> Additional text could come from the NIST Blue Button / Green Button
>>>> usage.
>>>>
>>>> * Aspects that allow servers to store less / no state
>>>>
>>>> From the discussions on the list it was not clear whether this is
>>>> actually accomplishable with the current version of OAuth. We could
>>>> explore this new requirement and try to get a better understanding how
>>>> much this relates to dynamic client registration and to what extent it
>>>> requires changes to the core spec.
>>>>
>>>> What would you like to start with? Other topics you would like to
>>>> bring up?

-- 
George Fletcher <http://connect.me/gffletch>

--------------090800080708010109030102
Content-Type: multipart/related;
 boundary="------------090401030602080606020905"


--------------090401030602080606020905
Content-Type: text/html; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit


--------------090401030602080606020905
Content-Type: image/png;
 name="XeC"
Content-Transfer-Encoding: base64
Content-ID: <part1.04090203.06030806@aol.com>
Content-Disposition: inline;
 filename="XeC"

YZ10XuwCjztyWaUcGJs4XfZIUJc96H1tEHjbS84ofhp8toVPc34ESQsz59o9wXE6s3dOBGQ3
TdAXuQKlu+ev22wQhH7vXTbfZjiwOnptdCdIviZ9bf0eXsQnzLg4DwJu+Qw2roCCXwXU97bA
S5f2RooCh8WlsROKEXyu8im4uCpm8UUfiHuR9iB3AYQt0tf1+xpCRkSsNX8KxkVy/brfAuOV
dYm1IW5CZvUnjaGAn0d05BQoNyvMWPMCxG16UzP+KtyenLH8VVV4MTqhdvIGKDC1UHhQFyj+
Q/7TQdfBv5i/7LcF/KsEbMj9BERLuasuCQp2KfVjwX6Q8onlUzkROrxu3ar8XDgy8UAB5QkY
E02zrMOhrn/VgcXWgccVZZvzJyhdvuSl4K5gl+wXDIFwQlxu8XIu2FfJrc29QP+1sbf0BHSl
HOOyB0HoS5+GARK8jrJViL8OBVf4nPP9j6EJLd5H8+oe3T26ezTMZCYzgTVV11RdUxX8d/rv
9N8JbWe0ndF2Rl4CctF50XnRCUv3L92/dP9vxy3YuWDngp0BCQkJOuXvlL9TfhjeZXiX4V3y
1ns87vG4x+Pg5cuXL1++hALzCswrMA/Mvcy9zL0gPCE8ITwh7yGsU4tPLT61+C8dzpxadGrR
qUVAa1rTGiLbR7aPbA+mGaYZphlgy7Bl2DJ+//Hw2OSxyWMTBMcFxwXHQXJUclRyFJzofqL7
ie7QLqFdQrsEOHzk8JHDR4BudKPb+6///xb/rnq8u8PBLnaxC8z3zffN9yEsIiwiLCJvCMS7
WV9atmzZsmXLvDsfHTp26NihY168Ez1O9DjR439vfd3c3Nz+kfc7VANAQkUCnFIIemCvkCgI
so3vda1BDJFGeNQDZZthibIaxGPhpX4Jah+y1fsgPZFWaTtAril2K58C20SalAmipLJDqwXy
aFHdNRu0hWov2QZyU/kzSQ/aeTFRtwGUGdo651lw1hfNVD/I8b1W4/JnIGqLec6ToEyNGBPs
BVkFYm+lloXkq0k56ZdB7et6bv8VciamRCdPheejk/dnvYWsg7rVho6gHDQ29CwAQS/kj42x
kC/IXMSjO+jKmqWsWSCf1sW/bge+mX4T5SCwTRBDXetAaqCf6F0LDBWMq732gv2x1pOuoLaU
Gxi3gKGj8ZRxGsgX9Qa9CaRQncnxDRjifB4ZyoKpofRZ4ERIyFKXW7qCVsUupS8EzyuGqiIV
zDVEJakamN/KS9S+oHwiz9PvBKnGvSIxFyDgkF9p5xDw+TDqUdwFiI1LePDmU8ieZ6yb9gWU
K1TqUMda4DvN6l/0Adz1jh/y8BtIyszocG0CGHyD1cR9IJ+WPnPsA/9a3se9/cDxyLpZegG+
gww7fVMhO8UxXzggKNN8ylAEwod77o1UIfFJrCH/WjBUCVpl3QyZ8+PPPv0ZogYHBwbFQM+e
TV/0bAlHn15btK0IvJyctfLJeUi8aC+VsQTu98+KvfwjZGdnfWPcBwGVfL7LrQanPzkxJa4P
ZP5YabcrFTr6NusWroegjYEPvD+H0wMu/vjwJbR41Fgq5wMvZj/v+LYzpCxMu5Q1FXRlDGHa
TvDr7l/aJxU8TgQuUTwh7VliutUfrtuvTbrTCF58n9n2qQD/kfoTwZ+A5bBzyzMFvA7rkmyT
wdFQzFFkyNnj6JJRCbzzaR2CP4DsS8pAEQFUfD/Nqs3PbX5u8zNc/uXyL5d/gUMdDnU41AFm
z549e/ZsmO8x32O+B8gesofsAY4VjhWOFXkPmf2lJ/ZvegrbH2x/sP1B2By9OXpzNKzXr9ev
18MTzyeeTzzzehLfTWPHda5zHTbU2FBjQw2gF73oBX1L9y3dtzR8VeSrIl8VgVmRsyJnRcL+
2/tv77+d93DgO31tfW19bf/cMfg//GePZJd1XdZ1WQerVq1atWoVzO40u9PsTrC1+NbiW4vD
i4AXAS/+m4co31f9/2zvqx7vpjm0X7BfsF+AL2d/OfvL2TA2bmzc2DjIdyPfjXw3oM+EPhP6
TICFiQsTFybm3dHYH74/fH84PC/9vPTz0nlx3o2xfxf/T6/vG97gngbQzc3tX/B+E+f/mI7O
iQkw4SleArBXSwB2SMOoCZQVtTUNhKcUIyWDKC2t0+UAzaRw0ROkfWIxF4C9cqw8FdSfswY/
mQL29i/23/IEeUKAf6GPQJ9pempQwXXbqrN9CLr1YWVLdgBN1l8OPAm6DtRVKoEj4u2S3IaQ
9jh16KuTgCv/s9DvIG5/XGJSN7B/b7+qHQQxVhx3BYHtO+sKTOBTybOa3wwo2K5QtSIpEBjr
dzkyBTw7GL/2MYEUq8uiOTivaadzz4DV23oiQwA3LaHZkZC9LS06ETDqfXoaY8AYZzoqtwHd
I11RuTlIt+RJuh9BOkZhqQVILcQpqQro+qhb1GggSrucOwY8X3oOkKeCZ4BPso8nuM7mnOA6
GCaIMEcT0C9SY2zHwPzUfkh9CPppHu0DjgOKsjD9MGhXnvVLvQEp+Z355MagTzS08ewOyjJL
C9cWiOtrWne+HBAccDl3LXjsslQutg28Gvt+6hUBRRuajtc/BY19qt6sOg9el8tt9GgLbCl3
ovjGzeDn4eUIPg+2isk7pO/hTmO70+tr8Myn3ag+Emq1rJPyKBmS8iVGZ/aEnAHZY13Z8Hx3
tv5CNKjNHNHGCKi7tdSLRv0gfHm8PV898DH6xAV9CKmmJGv8QPC6UHpipAdkNc4ZFlscTP1M
NyxPwLXIHpu6B7Z/t6/a8Y8gnyF//nBvKNY2wq/gInAtsv+sjoSyaul5EWPgeamXR9+eBc+l
3l8ZioGxgLmFdzjoN7jaiW6QKaRXjnpgeOxXtPQoaC2XGFdvE2R3yagbVxFeTU9Wrd/CSzlr
TY43yJ4M1E8Dkz2npP0HkHy9+mdngdmDLFPYe2xb/5kozho8a/CswVAptlJspVjYPXn35N2T
4Xmz582eNwOjyWgymqDFnhZ7WuyBMQPGDBgzAMbGjI0ZG/P3YcPCwsLCwmD1qtWrVq+CZWWW
lVlWBi59d+m7S9+BdF26Ll2HyhUrV6xcEYZLw6XhEpTMLZlbMjcvTtdCXQt1LQTqZ+pn6mew
9dXWV1tfwfWD1w9eP5i3n97Pej/r/Qy6HOlypMsR8saU/Iv6l+9fvn95yOmd0zund970aInX
E68nXoepnlM9p3rCrPaz2s9q/++r/5/tfdVjCEMYAqzbtG7Tuk1w6dKlS5cuQe6d3Du5d4BF
LGIRdD/e/Xj34yC/kF/IL2Db9m3bt22H66uvr76+Gvwq+1X2qwx9Z/ad2XcmDB82fNjwYUBz
mtP8z6/v305H6Obm5vZ7Sf/xxShEjRo1atSo8c8HsFrtdpuNv8yqgQfgAm5jQQKxFA/pDMjn
+VH6AOjMLFc4aN+om+1pIMXKTeUWIBWUPY3dgZuav1IPtO91B0RTUFck37t9EnKHnx5y6DWI
eF24b08wlAp/FZIBomjWw5T5IA/wXeddH4zTK7fq7AVKPeljXXvIjD0z/XJzSO79akjscnjq
F6d7kgSZ89JfafnB8ZP6vZYIik0NtD0Gw4+ywVAfwhoFbA6YA+EjohZEfg7sUD7T5YL2szxS
GgmuFuQ4woFK9kDneJA76xvpe4DfkajLBYpA/JGnp19+A9JleZo8GMQteZpoCbby9pu2pSCi
XBZ1GUgdRFe5JmDUTNpMUDfZf7H+BNo89Wuegf2JPBMLvH2ZOz5zAFhvZS5M/RJ8Qw1PpRJg
nmjvwjYwjdFKG4qA3ub70FeAIKFndgiYrOpydTAcH1W60et0iPlG3vWgIvj0t5fzGg8Z+8SJ
DA3SP1b3qKeh0FSvhBpnoYRnqFI+GuSx+im5v4K1uj1NvwkC2pk+Ej3g2k/Pw66thKh473HV
FkJq2tuRr2+A/rGnM18hSNqe6X2nABQqGNrY1RcMn8svAr4E7ogTrlhI3ZT+Jm0UjKrSb9Q3
BUC/Vm7kmQCxXm/WPlwJ0TVu99i9EPRnHJuNaaCWdawz9YDnr97WSBMQXiTQW7sMUrrpCy8z
+H6o+77IBdC+tbVWekH15hUL1BwEQV7+n3j2gPBL+e77NYNj1tNXHq2HjL4ppV/dgHr+dU+V
+wrsfo6C8jFQ/HTrpOVQal/ROfk7wd7cI7sutoSdEScK7oqG0O+D/OzDIG1uRrXcBxBeQ3/J
Eg3SGO2ckEBERPqkZkL+S5G9vEvAJKXX98e//bOb+f973vWor66yusrqKnnL3z0cWOpsqbOl
zsKNoTeG3hgKQ64PuT7ket5QlvPnzp87fw70G/Qb9Bv+7Nq4ubm5uf1vd/ny5cuXL7/PHmcF
gQAyJA9kkOqK60ggfcl1NoLWEYfwBvkeW+WOIIZr4a4uoJSRxnlkgrZNNFXKA4NYrD4Bqavm
K6aBVN1xkhvASq+BBX4AsS8rKWMVWDe//CRhJGjTHe1yVoHUL7ljRiroUvOb31wAaXz+16XO
gmf+KvtKLgHb4dTgxNEQ9KHPvMg64Bxu0Cx7QWtlE85k8FvpWTX/T2C+rySqQWAyilLCBbnL
rC+yJoHOUz/W+BL0W1SbuhK8M5SeoiSYPg6KC34Opv35Lxb6FpRi/pM96oIol7HFcgGyPrQe
zb0L1gr2TTYH6L6TdulOg5pPGi0ygVaSXZoA8gK5lWIB0VYboZsI4qA0SP0KDIuVTKUlBHxp
muCTDjkb7BOy+oAu3Pl9tgnUtbZ+DgW0auYlPp+CwBGTvQAUk/cMwwZAznktxoM2JrOsZx3w
n+hXyzMOKmWU+SQqBl5Of/p1saaQODi1RKAvKB5qfWkDJO60dc7sCaaXXjYpFNgnTyu8Dp5l
xPeyXocCzeXbtXuBVjd7u+4siG9cUUF7QD1nO5GVCGE5/s0rdgRrQHZGZgdw1JYCyQX1AL1z
tkHud87RNgucSLw29cxkMD8xHwmdD1ebPN75c00oP77AyggHGMOtA/yi4HqPO4mZXaDBoQqi
0TNIbpRd8Wl+yDhkXXW7EHjd8D4bNAaKVykVWKsZFMspvjTsZ3hx5dn9+M5gGppx2/g15NyL
Px17C0pcL7s2Mh2c82xTZTPk+y7yVpAdble9pTwtD/oDrp7CE0yPlIIpB8DrC8998S9Af8Rc
XpkE+a86oh02sO303IEDjAN08c7+4ByuXDLPhvjZjouOZ8DMP7up/7/JsMGwwbABrgy6MujK
oLwfrtg0fNPwTcMhNCI0IvSvxuC+ewix6YSmE5pOAH2qPlWf+mfXws3Nzc3t/zZ/vMc51263
OQENDRegYUABKYJUnEBVYrkGYhy+VATJiVW2g3ZFG2VvB+KVNEN/CpR5UjyFQCrCCm0iiOIi
SDKAGOHYkP0tWFtfe3TiEVivP+7w8C24almL5Y4BQwXfvsEyGKYVH1r2O3DNsn+duQR8plZ7
0LwGyCXkHoZcsD9+1fP5W8gZe2vGjWZw6XCaMXcHvNVSCqQVhvxJXt/4NwfdPkc3ezaYRkpv
lY5gPGcqpq8ExhjiXYMhOCrf86j+EPCy2pqq50GWw9WgByC59L21mmB7dn3V/e2Qc+bl+YQv
ILVgzuCc/WBNsj9ylAVtITO0HHC8ddxw3AZRTVonYoByopdWDfjKlagtBi3M+VTzBDFYF6Rc
AyYaSxpTwHrOejJrLmTsSPSNnwrZ2bfq3JEh8GHQmJBD4Nk88HDYAtCyffeGHATrCa2+cRk8
/MXTZW8HlgWGB662YFgi7qndQXtuXSWbIeug/VvVDyytM37W+oMrn2tGzhZQ060xzl1gm+Rc
bWsCuly9S/kGtLvO+vae4LqgPpTDwFBNH2scBlRUOgp/MB42jfE+BJ4PDL3kHqD70LRAzAVH
KfHQ5A2qTddJCwElTLdQToHALb6nnGfAy+l3yHMRVFhXYlaTcaC8cSVr+eBRzJN+T65CYGpA
qLkRxLeKv/XoOdTL1yCkxq/gem39NHgvBO8OrWt+CN6xnl19SkFumn0QReHN1ZdK5lXQoq2u
V2ehbEaV2RUy4NGdmCWvO8BL3zfVYo2Q/GmSz7NCELcvdX/caFAsPtlpGniaTHOzDoA8Jr2P
qy/YN3sEuPpDQDX/cf5fQuoCV5/sKWCdKPeWq0NOWMaCjET4Pnri5gtpf3Yz/39X2ry0eWnz
YMnZJWeXnIULZS+UvVAWsnpm9czqmTffdbOmzZo2awrDqw+vPrw6mDeZN5k3/dmld3Nzc3P7
v8W7Huc/njg77Lm25yAVl8KlUiAeiLciDkggWaoGqKSRBlJngkRhoArLlWMgfhTDXOWBKfIM
6RFIA0WkmASupSzSHQC5if65/hao02PeHt8PL3ZunbwlCtJ+zfnEtAXMDzw/8xkF/r28ogxW
MIuAX6W14PGw6un6HmD2KtO5RmGQI4lTboD6jc2UdQ9cK68n3VwPT7UnE272gdxpWob4Fbx/
kOaH3AL1HMsMKeA9zXuPbxHwiDLm9+gH5iqeLzxiweysnFBsHPBDsMM3P4jdtrK2y6D7zjIv
czbkBj08/koHKXtfVkyMgWwv6yfWSuDsLrXVFBAWhosF4HjsWOH4HhyDXUbr1yBPJ1gUA85p
F/kJiNSilAqg7ZP6KBqQanitbAa1ihhIEtgu2j6wDIfMwW8f526HjNsZXW3PQNkeujxgCogZ
JuH5A2Q4HXusvSDtjSsrvTuk5iSJ9JJg0WVMyVwLtpeW2pmPwX7csdGVDvot3JbPg17WtTBs
Avm8vr9eA1OIUWd4CdJm2a7UBsWhL6qfAXJjuZ9cGeTJ8jhxGsQMUVKOBK2JmkE5cH6mfa0V
AK02zVVvEPe0HcIB8jh5sr4rKFOMxUwvwVjM9EiqDYbRPsbgDaBv6uvhHwN+zwNuBESBrpC5
pHEJOJ8nx71oBxm1rB8/DoUiHpE6/S1QdzjuedSEhrMa5O/fAMzjdF2dbcF5X9aJySC3chTy
Pgq55d9WeNQYcl9Ln8rNgL3aNWkXqCbR2dgZHpZ63v6iDcQWq+fTXZDVK2es/AHo+5o2uYaB
taD5Vux8YIzjC2kpWM3OWsp4MP3q10IXA68fptVJLwypDZJ6cBn2O5a2Olfzz27ubm5ubm5u
bn/E+xuqkSsFSNNBVBErxGGQPKWiGICe4g6fAqmMpQuIslK2UECqIyyiNhCmrJYGAse0gdJa
EAmioPYtyOuV59J+0H2etSa2ATw8uE23/Rpc/eT5dtEdCj0uV6eSCUol1htc+QI4A2I3Pr4A
uvOeG+UroO8Snh65CeRw/Tyvz0Fzum7Yl4DyiaGq51zIHW636KdDoethTaNagvWQNionFRJ2
v7E6qoEcbD5o3gCGzfpUpScYivi2Nc8BBho6ywngqpH9c+ZF0H/ls8P4BDCnn8zIhpxdj169
KA25sxJW5Gjg7KmeEQkgPCUfpoN2VB0proB2gaZaOEhH5Upya5CbuwK0z0ANFaGOkiCFSYfl
IyB3lyfKySB3E8lqJUCvfcFUcOTTzfI9ArmjPH/1ug+5Q6I2OktCanXf0rljIKdW9sK0LZC+
Pm5czAFI35HwItEAOU9zWtpCQI6Vb2vbwSvBa4x3OATe8Lvp/yWYsr3Peh0E4x6PUNNS0K00
5ddvB50ib5S/A22diOUmiCvCKvaClJ/WYiroSkqfSwdAuqBES3cAozRLPxOUCHkRkSDfEsuk
pqCFab2Ue6C1Ep+5WoE61l5Is0POHnum9Q7YmllltRLkXn8blNgKxNDUi0mtILvg26p+TjB9
4lXLLwS8PzZWcqSA/0qPWf7N4XbHp6fsAmqrURYpHJ7+cGfJhVdgcci9PJZDvuWhmz2joNaW
GicbFoHrfo8nxawD6wmjVdsIRQoVyw36Dowb5UleFtClqoll+oBfGd8NVWuCx9mALoFz4GSp
y9e2rAU1OfPLhC4QeMPjS2kEeBSQX1b+Gu78+PbI5cIQ2DTkM1MrUDeLMvZ3s1fE/tnN3c3N
zc3Nze19+OOJ80DxPZuAutI9yQLE0IzmwEO6i4+BHzgjrwORnyXKAJDqaK9cOqCU6KKUA+ZL
WfwMWiaNKAn6H/T5dXGQ89U9j6uxkNrsXnZyJSjwuFJOnUQoM65F+wrzwHdzaH7fBuCs7v+i
6EoQ27VnuUPB1Sa7V1YDMF4K2yp5gdREVJazQGvmmGc/A6Ki059kyD7meBS0D2xbs644q4Kz
Z2bHuG9B22cb4ZoPlpLqV9LHYAhWGsi7wfhRaUeUF0i+bHddBFfvl+dfW8FxOulE+jzQdmSZ
XR+Aq5Z8Tb4CrgnOw1p5EOmuoywHaTwmMQx0DeV9cldwfq2laO2AVZIqdwZmavdYAaKGKK41
BtFL3eoaDzzQj/OcCVkNpHkeH0NStrOsZoFUYW2W9QmkLn6zK64sJB163e3VfkgTbz9PaA/a
BfUHV0fwvOy/OWARRHkWLVLQBR5mP8XrJui/M5xSjoDrhGu8ZgVHT9vXVh3kpmauz+wAYmz6
SHEF5J1immQEbTsdxG5gjBwr+YAun7JQtxMMyYqPUhiUkkq2ooHOrPjKP4JWQt4nLwK5rZLE
LdDl6LZKRjBU0y3UbQQ2m0vpfcAzw2uIVw5oxZR0uSo4M1zLRTWwZ1jruSpD7sWcD3NKgq1K
yoGslpCyUJlriAbzGq8t5lQoPqZMw9rhYHzhF+B9GModK3YwvDYEx4ZFh3QH007TDcNAMHY1
DBUzoWJg05X1vMH0pbmZ7hAQyErqgNKPcHkHGDp4GAMagu2taKl+CL5VzOuNM6BsZsnOvcfC
U78XWc/DILeNQ//6OHiFBeq860DBJt6xTxZAVlHP3MzrEBaRr55XWcCdNru5ubm5uf0/4z30
ODNeTQE+FIflzcAsikoJgF1aRXfQ9ogxqg50K3mrawSOt9I0WoLUXpwRQSB3UXrLY0HX0jVF
XgPc/o+wrprJ6Sk1oXCPOh1qfAZRw4cV/zgUpGde5Q12yC31ov6DMqCG2Xpl7Ab5ufzSlR9M
2wvuKDcJtC6utTY/YJP+pjQDtBavd2ZMBVcD+z7VBRk/Zc/K7gCZB9/OSNkLru3WAFtXCO7t
W8l/OgTtCGjuFQbKD0o+IkA99mZxaiqIaYVehqwEZbvRpvMBzlJQFw2ikJTPFQVKIyZLRlCO
aHPpBZJReiFNAemo6EQEiMparKs+KOelWcIAyhppqvwTaGWkS8rHILYYdnrcBnt//RdeCqSM
V0coNeHtitxtFh9IrBv/6sUZSFn1+O3DY5ByI/lB0glQ2hgnG3PB/5uIIuFfgeeq4DZBrUBO
0MdgBmcny3VbIGQ9S36aGgmObo7BWjlQ6skV9Zlg+sxsM7wFjwDPHV5DwWOGZ3XPjWAc76GY
GoOhh3GFMQN0O/UL9KdAJyuV9QkgjVYO4g2iulBFLkjDhUHrCtoldbh2F7Tl2nGXAtoi11VH
PxArHJVcQ0Ar4DKoDwC98xdHP9CluD6UrGBA/kz3HLxve5kNs8C1y/uuMRGcLZ02LQ5yRlvC
nE3BsjN3e+44ePrLhQ9PVgR7bsSR8CtQ3BU6rG5DCNflnxr4OWgbRYDTCdo110dmJ3j19KxJ
NOT0y/G1hoB8Tv5EvgQZ69J6WT4F0wDTUJMDIlcEzPHOAfWca5C2ECp+UO7rEmtAd9e0ukAp
uNz3Tvizo2DLVBY5pkDpkOLbim2BGwdjMvd/DzlHHMsfLQf+F/26nJubm5ubm9sf84cTZ11X
/Uemj0At5izkbA4Mk76kHrCAddJckJMZLW8HR3NXS4cRHC+T57/9CAxhxiSTE+SNAQEBd8G1
2eHtqATyM50q1QTD6pI1ik+E4B5RdjUb1M+87F69gclZdxLegmKVuzq/BvWRdWVWV1DCii+r
eR3kA6bpvqOA2moBdRKIYLWMvRPk9nlRO7Ew2JZnfWbLB65WtiRtCnBNOu2XDa4TUhlVhjev
4g8lxoIrwJ5gMUJY4cjiBYaCnOTq5VwK+rJMFLtBlItMCv4A9JEhC73Pgthqi7NNB/yyb9m3
ghisnySugu6ReoHF4GrsOKgOACFLD6kHYgCLqQa6Q7o5xi5gsxtXeu+EzKWG4+YJkKzZLjoS
IfGDN51fToLECvfX3vGGJN/XjldTgFummh6hENi6sHeRqWAuE1jCrxk4SjpLOsdA9rikh6mD
QK1mq6Qmg6mJeYjhCvh+G+jr9z34bQhpEHQF/EYG/OzfB3ynek/z6gPmJZ6FTF1AN0P/QtcE
lINSMWUciB8ZJJaB1lcMYCnIH4ogKRFEf/bTEhgpOolNoF5Rp2ofAnvoKJoBp7TDwgKuH7Xr
2m5wNVF3qo1B89RuqIdBJDiHO6+Cs511UG4wqJ3sxaz3wPWjetwxCVwp6iIxFQyddQ+kymBa
5LvN2Bt8KvoIkwS56+35XEPh7YDUQcmB8OPQzS1+6gP+FwI+DtoBIQuC2weVgsqxFQaU+BXK
li6zr+ACyBydule6D46B0n3XNXh7K+Fk6lIwzDIE6X+F8p5V/YvkB2mzbrzcFhSrdt25Fkos
LuJrOAJ3nt9t7/gEnry+c+BOFPicKT+jzFGop5bZ0ucInHp0afze0gB88Gc3cjc3Nzc3N7f3
4w8nzmfqXRh5aRTUKlf1ftXaIF+TtokEEKtEknYLiJaGyykgl5d+UsqCx6qApOBrkFQ5oWty
CvgWNC21XwLDRUMp6QvQ1qmebAFD59DUIqNAvZLVK3sdiGoOnf0nkBZIr6RDQJbc2RgH+mFF
Glf7GvTLgkTkDSDafjP3LoixOk/9c6Bf7ngtC5Qb9llCAzlVeWLcDZ7bPZMMN8HL07tBYCNw
Zonx+X8Ei0fi0rgyEPf90wt3toF1R1pqSh0I+ykqqOBbMN60ts+JAmVDaliaAXSRPq19H4DW
2/nEdQvkFnJFqQkYPhCN5CiwL9CEtgt0NZQDygJwNdDqaP1ArYNBtw1c8X7H/IZCqtMZqUkQ
Nyt5SOK3kLDmsf7OBHh99WHIgzVgXeOaqRUA341RxfO1BuPuwPE+P4PTy7lZnQMpjeNmv5kG
8hP1GuEQXC+oXmBhCE0rdTKfC0IbRK4KnQO+P/p7+vqCxynzBFMGGErrVymeoDdI56UgUCSh
owuIq2pTURGsj10z1e9Be6x9qTUG6bn8SDaAds31Sp0IroGaVRsGWjlxQDQHpbFoQT6QhkgN
pTKgPJRXid6gVEZIyaBcZK1SHSTkbBnQldULwytwTDatMB8GVx+1uisExAaXxWEFe23HNNtA
cJWzlrTWAMcQ+yLnUFAmqJKWCYYQUyX5JniMN+X4fQDWe9bOjpKQ1i+zeFp7SC6a5ZteDrJn
5ljTF0Ha1eRKb7Oh/q36l+rfAMNPvk/9CkBQl6CdfpngqqGOUGeBLr/eoThAbeGKF7HgUlzF
5Z8hlWRjzneQMyLjUsIZyHQkTnv2HVx4mrM7tjeUGFc8spQdam8u07Px5j+7ebu5ubm5ubm9
T384cc5unR5lrwm6UUqWVBxczdQKmh/IPaXRHAAxHoeYBVJXuZ50FZTGnpJHJJgCAif5TgJn
F8ctZyx4NvUe55cNrhfqOHUtiHXmG0GDQZdpCvc3gatY1tvUFqD/ylTafBWU6uFDSs0H6Tn1
lGUAjtG5lUB8rvRXXoEoK9XEF0Qr7ak2DsReea6oAATzmTYa5JHSaFcH8Boml7WeAOdoLcK5
F4w7/BN0hcEVYwmP+A7e6hPSX7YH53FrckwNCP4i/EjgFPBq6ncnYjRo+a297R+DmC21Ux6A
c7PrG+dlECu1lcIC0h1phDgMcn9nV8evIDXQzdEXBnspz1FBIRAban9ki4XY716OftwPXmXd
fHJjHyQ2f8Or6aDE+ff0bQq+n0WWiYgFpbboKa2D9BJvSiQ5QDdKsysLIfKbyLnh5aFAXPEj
hT6D4K35ksJXgW8B32yvE2C6oj9k2A38yDqlEaitVFV9BfIcrZ7QwDWJkdQA+0x1o5oPtLEi
BAPQWPKXvweDRaeT84FusNSTXNACpa+1keA669qgdAHbKPW+WhKcmcwUR8HVRf1a7Q/OTppR
nAJlq/yVFAV6p3RY2gZqKe0Jh8AuqcmuH0CUpRojQIoQO6TKoFzUbTJ9B6KP9InRDMpH+ice
CaDPdV2wjwf9Smsd631wxdvT7fdAV1d96GwN+g7mkkomGD43HfPxgOytucn2IfCmdcKepEiw
jbNPdXYDXhobmDqD/2Kvr7zKQHZmxo6cbmCtaxmT8xPYExx1HZ6QO9jm70iD3FfWrbkV4U3y
2/3pbcGyxtI++RD4jvWdrcwAa3F7uNoC7n74sPK9byB5b0qjN4WgHvWp+wfa17sf8MjJycnJ
yYH6W+pvqb/l79fLKJxROKMw/NL+l/a/tIfelt6W3hZYW21ttbXVYMiQIUOGDHn/XyBr1qxZ
s2bNvx7/j27v5ubm5ub2P+kPJ87Xf3qu3XkKUfEPW0Wuhsoly48sPhlyStgm231AacgmMQvY
QLw4DK45TovzBvh19FnmvRvYI05JX4Ejy9nI9QVIIyWFEyA1V84pFUAEskz3BHRbfBJNRsCX
xpIetMNqX9UC8keUdjQDhki99R+B9kDMU8+AfIgY7Q2I7bkFUluDfVt6RvJLsL+ynklPA5q6
XKnt4NGa16WexUNqrcQe8e0h3+yQL0Jqgv9W/zmRKmR6mV97Fod0P1df6QG4Or1pmL4YvIdY
Bmdbwb9ikG/4CTDuMtfwNYNWUy2mrQEpWIRKVpCeOjprw0FeqLP5tgBLtG8L7wfweE5Ww7RI
eJF579j9tfB89I1dV3MhO9n2zFIGPGIjt+TPBUMHv/6e18C6OfNK9jPQiuXUtH8P4baI+hHf
QpFeZcoUjYf8+Qu8yj8GvE/4DvE5DnIL5Yg8EaQvpEnsBhGpntaeguio9XMVBLGbL2gDrmpi
jxgOogyvmA3SG1kvnwLRTfPWhoP2kzZQM4KrHL9wCXQHpVfMA31tpbTUEsR+Mcp1EERpx2nR
BJyh6lj1ArgyxV1XIRDPtBvEg/REncwBYDDhUlcQr4SEN4gxIkuUB/FWNBUFQOSKCeIKiG3a
VK0PSHNw0g9cV8VbyQdEP2WFMQLksh7lDYmgjzA8tY8C+Z7jV1tP0Okdm+zVQQlw7HB8Dfq9
5g4Gb8h9qBuhrwXp1qz12U442Piw7lQV0H2uP2PeAPpTylVlJOSOyzqT8RbS56bdTCkKak0p
3nkbNB+tnCsZXFfEWt0SMFwx7JEqgytE8/AMAD+dfykvE0g7aK7WhaRLad9nTgRqUpaV/3r7
Krqw6MKiC+GnaT9N+2ka1K1Yt2LdiiDfkm/Jt/LWe/eT24XnF55feD5IJskkmWDglYFXBl75
932BDKw4sOLAin/e9v9u4pq4Jq7B7ma7m+1uBl3Tu6Z3Tf8dG65mNavhzp07d+7cgZiYmJiY
GHBWcFZwVoDg2ODY4Fho+Kjho4aPQFmvrFfWw8UVF1dcXAGvf3798+uf88Ll75i/Y/6OUPtu
7bu17+Z9/s/9nvs994Mrq66surIqb/3qw6oPqz4MCmcUziic8Y+Le6zQsULHCkFGdEZ0RjR0
Ldy1cNfC//zx+tsLIfeFkZub2/9r/nDi/GJTSp8n5+B0gVvVAixQ6oMSOyMHgC5HfiUvAvG9
aCsVBzrzkoaAgxhcoJ7RjJoepPrSQoaB9FD+mgnAHrKlAGA5ZTAB5UV7bTWIxdJiZSXgEvPU
T0F3j+OiAohDWOQnIO6LDk5v0C/QH/PsCE5Tas8X/SB7wIWip+aAWiipb1JnEDfU07mV4HmT
+8uflYIbnz/88Y0fSNvsDaQY8BWlxnoXAv0L5XTSh6BOxcu7DBicfkr4r6C7qisinYfMXa5j
aW3AsTEjINkC/p7OjdbBYD5h2GC+A1IpNdAwEnSnvSsHL4Ckel4pAQvhwZSEt2908OzKNelq
H3jsee/I9VRw5FecBh34fF1gboEckNN0wdIAyFr+ZlXqLfBVPKqbG0OJArUiK12AgmdLTiqc
AEHLAs4G7gH9JP2H+p4gHWANNUAsUiWtIog0LQEnCKsYJMwgq3zPclCmsUDSQP1K2sqnQCtt
ufYtiG9FkBYB+uq0lvqAOCKVYQbIZbV7YiCIS2IFO0Ecoo/WFdgu8ok1oFSTC4s0ME2VgpVc
sH+hHhHVwSVjFDJoS7RFYg6op9Tx2mPQylFQGIBaYp+mgWgtZkh9gVTasQukX0RbxoBoLLaL
ViDWIxMA6nxRU+QH2ooUKQm0NnJ/gxdIQcYDypegL6+U15cHcUj6IHcSMNFZ1/UzSEOk29QC
5ZayxzQDMs9ZCsifgv22OsF5DbyDfI96x4BhnqfqUQHsByVVWQ+ZpdJuJpmBJ/I9uSqI3WKq
GgDWLrb9rkGQ9E3KuZyRYDxvGKi8Bq+OPo3Ni0B7I/apPwF/MGn18fHx8fEBvwl+E/wmwOuG
rxu+bggFKECBv1rvXeJc70S9E/VOAK1pTWv4/tb3t76/BUOqD6k+pHpeIlPzds3bNW/DE98n
vk98ocWUFlNaTIHoBdELoheAtbS1tLU0FEorlFYoDW7rbutu6/4+Afqt+BUGVBhQYQC8aPai
2YtmeRcAVatWrVq16t9v3zigcUDjALhx48aNGzdADBaDxWBQV6or1ZVQ+mzps6XPQsWVFVdW
/AMXIr/Xs53Pdj7bCY+2PNryaAukf5X+VfpXv3/7x+Mej3s8DuL94/3j/aHzpM6TOk8CpYZS
Q6kB523nbedtcLny5cqXK4PHZo/NHpvB0d/R39Efeph6mHqYQKwWq8VqOJl1MutkFtzceXPn
zZ1QhSpUAc4tP7f83HLotK/Tvk778tbfZ99n32eHwhTm9+S/Lya/mPxiMgxOG5w2OI3fv6Gb
m5vb/8/IfzRAoUFmXeg4eC1eXUmYAj9fPHD8zDMwHTHYzF+BVkM0YxkQQTwPQfpKWiwtBlRc
OEEMEFNZD9JycUyqDhJEMADECVFEfADSZGmTEgPyJhGt9QJuU5xVoJWQFureAI203S5P0HZL
fowCtYSlccI8cBxIGHF/JljrvfSLOQLaZ66I9F1AltbJfgxMP3qVMa2DOoNqNazoAbViGrvq
+4BxVXBOZCVIaWvb4PkLSC6vBf47wPOF2ctjEuhUr/Fem8GzsnfFyBUgVin1AgIgc0VmYYsP
ZHxsOZf9E9gfeoz3qQzJb7zb+1+Fh+fe1H9lgJgNZ8uffgQxO28uvhYGjh7Gox5HwBweeSz0
A3DVcDjsKlg/eNs4/R4U/jrKFLIPGlVvPq9Oa6h4tvqtCt9D1I2IYZGlweuFYYrRCkoL7ay2
FnRHRTGtOZiWyL3kNaCvQhH5W9BVE19IVUGKFS34BvhFnasGg+4D7awaCUos87VHYPxA6SKP
Br3MXhEG0ueuva5b4Njk7O/qCtYhzvWuNMgd51TUdaCNFasoAMaHersYD7oD0iHXIJA7aQ21
aFCmaWdcF0AJErIoBrqrci9yQLkodxc5IJ2XgqQyIF2RxohaIIfRRHQA3YdyvNQfDFtlnfwY
9I2ll1IVMPaS1kntwTBQ6k4wGOZJ10QHUEKlHtJwUM7rMo0XwSB5PPVeBeZ95lYeb8HjS3mr
VBrMm6Vv1L7g6+FVQ18FvD/W5ShbIKtiSlTKA7BXsmdZoyH0dtiU0AcQeSaiWpG1IN8Rl029
Qf6MdcITdP2UWcplsI10DNA6QXr7zOmWe6DeUlur3UB2iPnOyPfXUItlFcsqlgXPdjzb8WxH
3vLME5knMk+As7+zv7M/hL4OfR36+vfH7dy5c+fOnfMSuSLpRdKLpEOPHj169OgBvk98n/g+
+efLGzkrclbkLGif0D6hfQLcXn97/e31v73+vZH3Rt4bCVVWV1ldZTV0z+ye2T0TOr7t+Lbj
W7g6+Orgq4P/+XLYbDabzQbOS85Lzku/fzvvR96PvB9B2bJly5Yt+8/v98HmB5sfbIZqUjWp
mgS6EboRuhEgVZWqSlWhevXq1atXh9LnSp8rfQ6eNn7a+GljqKRV0ippIK2V1kprQZZlWZbz
lv/t5//up8etZ61nrWfBes56znoO9Bv0G/Qb/nE53yXk7xyIOBBxICLvuB0/fvz48eOwJWZL
zJYY2N5oe6PtjSC6SHSR6CJ56/3ez+H3xtu7d+/evXshJSolKiUqL87+/fv3798PZ86cOXPm
TN7ydxcqJ4udLHayGDgcDofDAUeOHDly5Ahs897mvc0bDnU41OFQh98u97sLvzsj7oy4MwL2
TNkzZc8UeD7x+cTnE2HX813Pdz2HHb47fHf45pX/UYNHDR41+OfPEzc3t//7/OEeZ9kgr/UY
CA13VzTWvQ3VzZXTC7cHq9PxxN4W5Hj5pHQMpBHsFDkgDovnoiZwm8tcBOZI06TPQVzXamuv
gRJaPFnAD/JhKRdow2hxAsRjqkr9gMfcFJOBbeSI66ClSB9JRpC3uRam+EDqhIM1Nv4KmvXS
V/fLgml9rS3Va4Ao5t3cdyBISfd73AL8lxovGJZCZhV9Of9m4Nht1JsSwZnqmOb5LWgRprqG
VmCub9CMI0DXQDfTcySon/KdczcYmsg+wgiGhz59A5ZDboDlqaEVWJeZahnrQ+75gD7h6+Hu
4df34krDvY/PPDjjhGfmR18+NYGzjM9Vj4HgWSygqv+n4OycHWkrAfrtWrTrNpRfWalFGaDk
sAqrSsRBflPUynwnwWOprrN+EuSctQy3rAN7dzFMfAOGrbryhmgwfak/aCgFjin2evbvQcnF
iBcoM+UAPgXNqhm1XcDP0nRRFBxlXYGuHqBNEee5A7aWor9rDYgA1Sy8wdVci6EcyM+kadpk
kPJp+cQmcL4URaWaoNSQCopCYFitbyPSQE5jpPgSlED6iMeg5MjRUgtQW4tG0kBwVlETyQCq
ikHSHZB2oanLQBlOG/aD4bCusbwQpDRpAvPA9Z0ao90FaZYK9UB7Kj4UtUBrwGPJBHKG1IAE
UDtwGS8QF8Q5MkD6VrolR4JazxBs2ABaFz6SPgajyfbAZgXsjun29cBj8w2lKYhM2nIAsgtb
m1pegRGzMLog5JN8q0IWgrRf6W74HN6Oi/v40UJw3SLYfgjUBfIRoUKuOfeU2gpse6wmxwPw
yFEGyxHvr6EW+arIV0W+gquhV0OvhoLrW9e3rm/hxcgXI1+MhCL9i/Qv0h8YylCG/uN4pUuX
Ll26dF4i90b/Rv9GD40WN1rcaPFf7bd7ke5FusOZO2funLnz+8sb8UvELxG/gBwjx8gxoK5R
16hrfnv9Dvk65OuQDxJ+Sfgl4Re4X+d+nft1IOVoytGUoyC2iq1iK1CZylT+x/tP7pTcKblT
XqKlu627rbsNXXO75nbNBQ8PDw8Pj9/ePmR6yPSQ6X+1YA1rWPMPd/sX6V3Tu6Z3hfjV8avj
V8ORzUc2H9kM9gv2C/YLEN42vG14W6g/pv6Y+mMg51nOs5xn4PuN7ze+3wBNaUrTvHh+jf0a
+zWG7LvZd7Pv5i2vu6nuprqb4OdDPx/6+RAQRxxx0CasTVibsH9czkY+jXwa+cATnvAEaBfR
LqJdBBzverzr8a7gGeMZ4xkDvTb02tBrA0iZUqaUCVcaXml4pSGcL3O+zPky0ORZk2dNnv32
fs71OdfnXJ/fHy+/T36f/D7wpt2bdm/agf8V/yv+VyA3Nzc3Nxfs/ez97P2AdNJJh4QDCQcS
DkD+t/nf5n8L165du3btGkREREREREDL7JbZLbPh/o/3f7z/I1zqf6n/pf7QcFvDbQ23/Xa5
311Ybqy1sdbGWtAlqEtQlyDwyfTJ9MnMe/bg3YVnCUpQ4vefJm5ubv8X+sM9zo7rhqfxFnjq
Gfv5sTbgXdyrt1clkK+IKdoekOzivFgBope4hA3I4RXPgQc85SnI30mXpRHgqOt47ewB9l3O
Us56IGtyZfkNiF1iqQgDssgScSBVwo8MoJx4RjzIn2k4ZcjNuFLsdCBI9dOzcquCNLx064ou
8Pmsyd1eWyDY0ubwwA/Ad3DLqC4lILh3lV4VsyE0NWCN9wdgHM+PymBQPzGd8lBB2aG7aooF
Za/utVmA/YrmZQ0HtZdjvHoW7G3tkyxFwNbF0iJjD3iVCBweXB1cXgXPl5LhvuHN129qQsza
s/vO3Idn3R7Vi+kF9kXe+4yPwfTYp4pfT3B2zgnJjQSvJ8oUuSnUGFXzdRU7VP61zuJKP0P+
nvm75ysP+wyHqh96AWtSN9/9cSX8MHLHtu0rYLXXhukbVsPJu+ePnPkY3pxMOhP3PRiOmHzk
+iCbdSd0k8F1TTstPgei5SW63iC/NYzVDwf9h6bm+s3gcdzwgX4IGIYwTroA0gPhrc4C0yA5
R1wGQxN5jrQHGC2uimKgNlALuMaBdadrhXMQWL+xzXNVBHmwqCeVBZ9M82vlOpjm63VSAdDr
pclqeTAUk6aqy8GjhrKe/GBeKn8k3QX9FjmK7qDuVp+ou8DxrVNzXQfnETVR6wSuSWRp/cA1
lzZaLDhVMcSVAa5r2gi1O7gs6mKxE1xtRBvtZ3C0E/VFEriSxAiKgfxa56nvDoatpq89PMD0
xHjWtAU8lhMsyoApxbRWag/eIaZ4ZSpkn0xvkvoILBMsx7Prgd+RkDE+B6FwgQLXCvqAqbL+
rLcVDDHG6R6ZoM2Uh5rKQ86m3GGiPrgGufaaZ7y/hmr8wfiD8QcIjw+PD4+H2ODY4NjgvCEa
RaOLRheN/v3x3vWAvqNd1a5qV0FeK6+V1+Ytl4ZIQ6R/YWzq347B/kfe9Qw+efrk6ZOneT2+
lQdXHlz5X+hpfje04t1Qj3cJa86inEU5i/7wx/EPuVwul8sFltOW05bT0KVgl4JdCkKfM33O
9DkDgS8DXwa+hBPFThQ7USxviMVvEWvEGrHm79d7lyA2n9R8UvNJ0CygWUCzALg2+Nrga//C
cXvn3RjrSoMqDao0KO8Cixvc4AZUvFzxcsXL8OqnVz+9+un9x3uXAL9LnJMPJx9OPpx3J0Me
Lg+Xh+f1sCfMSpiVMAvy5cuXL18+eDn55eSXk6Fkr5K9SvbKK0cpSylLKQvEtYlrE9fmt8v7
txeWEbMiZkXMgpM9T/Y82RNu3bp169atvMS5RfMWzVs0//efV25ubn++P9zjXK51/u21JoFB
yA8y/eBN8USPxBZQrFzRLYVuQ1a1nI7ZI0F/XP9QPxIYz2YqA/0Iog5wUVzmGmR6ZERkHYCA
GYGeARbQuonSWhRIW6UIaSSQLi6L2iDuMIZtIO2UV8me4GqSWSZZAWv92PD46+BMSAu03oTg
i/1WDtgF+rPB3SNug3OEPdVuBeOWAkfLLAXxkf1L+zXw71p1ll8aeEy9sOVJU3hV8+X55FVg
G0OUXBNcVRwB9hNg2G/wFhaQ3zqfqVEgHVCj7UtBqiCEtBlsJ7wOen4Iz18nPUyaAo/sl8Zf
OAFPkx+tevAFZHXxWGa8Cr5JXvW9loOcYm1kvw0+No/WpukQ8bDosfwDIfSroifzfQuG2/od
xqFw+8G9o/d7wL2mMTnP6sDr+NjTb+ygjFC26F+DLVN94fgK7uhjPnieBYe+OVbrhB9U2V3R
Um4clGhY9GHhXFA+1hU01IfEgYm5iXUhyCvol6AloGsinuo7g3mWXlW9IKRU6OyQTuD5wDzD
vxo4PrFfcnwBzj2uMNdBcH7uytE6Aw3kFsqXoEwUdaQBIAfoPtVZIC0p55ClFGQ2ytInnwTf
rt4f+y0Hwy7jMlMKcE8x8R24PnNVdP0Iztmuc2wGtasYIDaCNlp8TTKo/cTneAP7eaJ9C9pn
AnERsJLOXeBTxohWINcSH/E14CmOiqYgCvNAnAOprFBFWVCHiMdiDwiXOCtiQJ4qv5ZOgFTQ
WNw0BAzfaxmcAK9B9pbWYyCSDUXZBBQSQUppyLqT+jJ5I3g28x/kEuC/OKC9XykIPSbOShsh
6XjilbfHwZEihCUJMgKyCtsrgfZK/7HnL++/wRbrWaxnsZ5wc+3NtTfXgnpFvaJegYD5AfMD
5v/rcSPaRbSLaAdP5j2Z92QelKIUpYCnO5/ufLoTOMMZzvzr8f+RxMTExMRE6DG8x/Aew8Gc
Yk4xp0BcXFxcXBxwiEMc4i8P3f2jnvV3FxJWo9VoNYKxtrG2sTaEnA45HXL631ePd0z3TfdN
96FqdNXoqtFgqGuoa6gL3OMe96CSo5KjkgM2jdw0ctNI8F7mvcx7GWTtydqTtQf88MPvr+Jl
98jukd0DfAr5FPIpBAxiEIMgZU7KnJQ5EBUVFRUVBSJKRIkoiJ4TPSd6zr9e/ncJutxb7i33
/i9W+M/j/+7hScpTnvLvL15IXEhcSBykPk59nPoY3oS8CXkTAmElwkqElQDlsHJYOZw3dMW4
3bjduB1MyaZkUzJYblhuWG7Axmsbr228Rt4dAwUFBaRz0jnpHNCb3vwX5fnbC8sWgS0CWwRC
6ujU0amj4e3BtwffHoSbr26+uvkKOMIRjkArWtHq3396ubm5/Yn+cOIcXzf582fHoblHnah2
Cpy7dfnZ5RCwebl62GtAodh8alQtUILl3sp+oKuoLLaB9prN2ijQyqpZrr1AI9FX+w6kj0VF
eQzIS1gkTwPnbtdO502QC8hJSguQIqQoBgJOyYAZeG1bYhkFopv1qr04eJyqUK56Lug9wssU
rQHaa9vd3O4gBSi3jadAfIJFXg4u39RgS3swlg7vV7gG+HesNaXUz+D8MfsrWyCkR2Yvdg0C
Ghu/1qWB1kz1cbQGJjoLZx4FSqjt1FdgPxrRreBEeLE/+7W9BDwteCnywgl4FnGv281sSBuq
L6VfBR4tTdm+JnB96+ztKAnyQfmG9ByUrT6/6JfDixlvFr/sBHGnkj6NzwLbfltpV3eI35f4
a/INsJW2lnVUAV2c3FGpB2qKaOYIBNHalSFugCtM6MV9yNidHWVfD7/8fPTQqf5wwXI581ot
kJ/J3+qskPNL7ke550CuI42WSoI5vynQXAvEL+yU2oBPG9+LHqWg+5sO3m2rgb+P76CAgWDo
qq9m9AH9j4YdhtqQNSJ7YU4yOGY5VzjT4G2jlK6JIXClyrW6t0ZA6uq0Uan+EHw6tETAazBl
mYqafwXPHNNWsy9UVMpXL+8Cr25GX++LoN7UvtBagtaanmwFbayYpRUHbZAmsw3ELdFCVADp
E2mEdAq0kdqnWjMQvqg8AM1TRIi6oB0VH/EBSC+pKZqBNFT7kSGgDRSBIgnUmlQXO0BrwjqR
A7LFuMBwCfTV6KH+CB41rVVtH4P4zDBFzgfmGlp9pS9YpcyktDkg5xrn6otARMcChJaBUkcK
Pov8EHy+NNw2LwHzBx5l9L7goQtdHbEAgIZ/ZFaNv/UuQTrd83TP0z2h/Lzy88rP43cPYfgt
devWrVu3LkR7RXtFe8HdnXd33t0JhQsXLly48F/1RA9hCP+G2RGq3ax2s9pN2F9nf539dcA0
wzTDNCOvhz04PDg8OBwutb3U9lJbqElNav438d71SFagAhX++o2SlKTk+y9/ds/sntk9wXub
9zbvbVCwYMGCBQvmDQ2oWKtirYq18nrwH+of6h/qIbR1aOvQ1hCWEZYRlgF3at2pdacW1F9d
f3X91eTNzvGfy4tsKbKlyF9NR/hufykNUxqmNASRIlJECviO9x3vO56/JNj/rHezeNyucbvG
7Rp5Y7XfuVXpVqVblSCqZ1TPqJ7vP967sd3BU4OnBk+FhwUeFnhYADoc6HCgwwHQzdXN1c2F
C/0u9LvQD4pnF88unp0Xz6eRTyOfRtB4R+MdjXdAcMvglsEtIftU9qnsUxDnEecR5/GPy/3O
rma7mu1qBm2WtFnSZgmUtpW2lbZB/p75e+bvCXte7nm55yVwkYtcfP/nl5ub2/8efzhxLl2u
WKuq0yF3tuNx9iXwHutx1/wJJO+M35/8KeTzCPHxj4esD61HpU5wc8a9PZcXQ1Bt35dhhSGm
6us657tAhL9/2YLNIfJ8zukSOigQV3R3wfZgXKdPN40D8UDK1WLBKamPXbNA/0Kki/3AKNmC
Fxi+yTcnVAMvY515jTuAq6UcwH2QVR6IX4Di3NGCgfbGXCUVdA38m/gDWrq+lMdQMAeUuFNi
BPiViJ+TkQFam7OXrzvBGqv9LNUB14Oct6kBYBmd/dwZAK51hQ6UfgvJX3lO8ykFr6bf1l89
Bi9K3p5/wwIpz7XJ9AfdMa+nXvPAYFG6sRWypmdXzBkB6Q3US7ZBED8ho+3bAuAa6fDRNoCj
glpW+wWUOMM0gwXUQmpP1QLaIGdnlw3kZfIdLKBtdi13dQC1lTirvAFyUNSn4OrrnKumg7ma
qb7XNrDUsIZqzUAd6bTljgTTQOMe0/fgytT6qv6Q5ZvdwqoDNdPVVkqBpDKppqyGsGbMjxk7
O4DPBJ+Snueg3P4ScSU+AnWltkGrDQ+ex3g9Ogu6AXqL3BCs1W0f2M6ClVwvxwnALErKQ0Dr
orSQT4LjlONJ+j4QD1wDHZ+AobgxVd8RijgKvC48Efwe+N4LmA1itvpQGwzSbSRxHvTLla66
5uC6qS51TgWtg/qWAsAi4RJlQNg5LZYBzUUWgSBNwFv0B+0LMUNeB6KNlq5+A9JlylMDtFC1
pTof5HrKOe6AOl86I7KAfnrF4Af6ntpAbS+YY23DnBWALwwh8k3Q9or6ujVgfZReJnUByEne
ez36Q7Xp9VZWHghV31SrVukmcE4qQ2XQokRx7r3/BqtUV6or1eGj6h9V/6j6P17/b2fB+K1p
wVILphZMLQgtY1vGtowF02jTaNPovFvhMaYYU4zpX4//e5eXzSybWTbz/R+3f7c9Lfa02NMC
PuIjPgJq6GroaujgXOFzhc8Vhq1eW722egFb2cpWCGkV0iqkFTTu0bhH4x5gGmQaZBqUN0vG
7t27d+/eDWK32C12Q1hYWFhYGFSqWKlipYrALW5xC+qOrju67miI7hHdI7oHUJSiFIUGxgbG
BsZ/vT71POp51POAs9Fno89Gw7aUbSnbUvLeD34V/Cr4FdTbVG9TvU383Zjs9xUvf1L+pPxJ
kDwneU7yHPAq4VXCqwTo4nXxuniwLLEssSzJW48wwgiDhg0bNmzYEM58eObDMx/mDZ15N9a9
9qLai2ov4jd7nP9WxYEVB1YcCPvD94fvDwdpgjRBmgBSJ6mT1AnqX69/vf71P+fcc3Nz+58l
Xbp06dKlS0LUqFGjRo0a/3ogLcg1SL0GqalpG5Iugscg81O/fXDnh4fPT46BWFesI60XFNEV
3Vb6OCR2ze707C7cn/+88OlgCE/x3Jg/DF4XTpgSfxRaxtY91Lc4eId6tTPdAj+jz3P/guB/
OWhmyAtQF4sWYiaoa1LO3X0EapqarasKhknhO8vMAPmm/bkqgRqjTFfHgpClsvJi0Pmp30iP
QO1jbCMXBt1xeZtyC6xeDzfcvAmZhfcHHo6DtyMSm2Z+A9kV7Utzn4LjZe5EQyToEguUK2kF
Nb3S7tIB8Ozgo3m3Z8PtsKP59oyEJ1eSBmdYILeBh9n3HPge9gzw/Ars3a0brVUgpVDGjNT2
YOnsCLA+AF07fZb+Pqh2LUWcBl0b3XVDW9BmyrW1FKCtqhd1wDHTPts5A8RRUV/rBVKEVAt/
0MK0aFEShLcIZi+ILBGtySA/lrtIDUF+JO+T24N8QR4gVQNpmrRU6g38KJnpDY5xjjdqeTBE
69so+0GVxBvtNkhjRXOlKUgu6Qt+BSlUyq/1A5c3SVoW6JJlu64+GAbpL8ozQJ2rnhBNQX4o
HVPyg7bFFSnOAp2YI3Sg///Ye8s4ra11cftaSR4dH2aQwd2Lu0uLuxUtVqBAsQLFiktLS7FC
seJeiru3SHF3ijMwMMP4zGNJ1vvhHN45v71PTzeFvbv/58z1ZSbJnZW1bslz585Kctieqm0E
2cFcawyDXBNylMp2EDJty5QxfB1k+zjzgSwFIcuLjJsyx4HP5fvE7A8J7oQ6cZshw6IMX2a4
AsIq4i0dQCmh9DcngXHFWK2fA2mRjSwjQV9tVPIFgugoXopvQd2p/KK4wVfLO8YsDGoJrZBZ
GtydfIvkeZA9hVXsAm0RlcwewCe+mnoX0Ed7Snkug2uJVzOGg3uJEUc+SOrumeDrAhbdPsgx
GHItzJU7+wmo+rCMUuIbKNKpyML8c0CN8WtqvQKOvtasjv8HEsGfk39O/jkZ7CvtK+0roYws
I8tIuLjk4pKLSyDh64SvE76GunXr1q1b9+2P97+NrVu3bt26FZo3b968efO/ujfppJNOOum8
a06fPn369GlQe/bs2bNnz/HjXz9U8aZs+/nnCTPLgtvqK+/aCqK2csLvNtznydA7N+Fc0I3f
zmyE8G8DzbzxUHt1jRHVssEL+bzp04HwtOGz+g8Lw6sF8fNdYRAzKKVkdC/Q7os9sZHw9O7z
hdEbwHzf9cr1MeScm+NerhzgK8RYzQlqP3OAey5Yc9iTQx6CeVKt6K+A8Fet+tegmGpe5yzg
sRjCKqCcOKgb4Jt3e8SZUpDQ/MS+I7cgofjG/rv3QOzQ33a9DAKvm3mhNUBp4GyefShYy2Yd
U2AfBLerVKjEQ3ipxCU+/gWufnJI39MYHrge53j2GcT31b7wewxBs/1M+0WQU/RK+i6IO5TU
K74qJJ1PHZJcB5io3hT9QAtW7ol7YBtg3aQNBdFeXNd/BeWK3GGuAF8b34eGCnoR44beEORM
OUouA+O4cVv/GNiNagoQHyofcgCkIq+bFYB98ghRYF41T5r5wNSlQ+YEY6oU8gPQ442Neg+Q
FeUT8zewHNUKicogq4kj8gbIK7K2cINcbjQzuoNpNVeboWA6KUlHYK/ZyjwNhjSzmmvATJDb
5DqQYXIy+8DMbE4w64FZUf5sPgHztBmpHwaZVfRXI+Dlh9Gzkk5DbJvYz1/tAG8DXwfXPTBO
66G+SAg/Hv44U06Iav9icZQDrEtsm20DwBJhaWwPgicrn7R5aICyWq0qLkJKbld573q4cOby
5kvTISZPzLmYqqAVsq7WloNfjF8he3t4mS0mJr4SnBlyoeSlRhAz/1WdqB8h428Z24QUBO26
et0RC0Qpe5TnoOaioNkbjOHmUn0wEKneVn4AV0X3KO8VMC7q/YxfIGZZ4vykGPDmd9X0PAX/
zw27uA2B3TIGhY76q8P9jwk/FX4q/FTa+5pPzj059+RcMLeZ28xtUC2+Wny1eLDlsuWy5fqr
e/vvR6FChQoV+idMAUknnXTSSeffg8jIyMjIyHcwVePMD2cDjwl4uCFnwyvFwTbYSCoxFkI+
9G8VEgsvJ7qfXL8EoWu8SkgbeHTo0ewHRyFhnud+kgFnZz089KQaZI213QyxQL4tYU1K3IAX
6stKKYvAFmkfkLAbrhd+2eZMIBQek+9kkUoQ3C+rN89xcM/XvgmYD6a//ETZAOo0Udr4FVLz
XlN2dwPL8gx98mwHrXzgo5Bb4D75vMZvbvDceFgyKgjEz1qYfzT45a/hrVMBAn0ZXVm3g31i
aMeQzhC35sSuKwXAHBUyKug2PFfMHLHL4d7eM3VOxsDTgY+CHiVCzFAM9TQ4w52H7CawQnwv
dEhpmVwh6R4kZ0oNSn4CyhDrDGUu2Ofbd1u6gRxtRMqX4O1oTPX4AwPZzyugg9lTfADynllI
rwPKIPE+s8DoLf9jbu4cLZtSGsRI4775KdgG2fKL78FMljXUWEhNTEnWTVBS1RkYIKdQT7kD
5mDjrnkOxBDOK3dBWSWW8j34cnkSzGgwblGKwsBBbulDwFfZPCnrgxbPD0orYAyrZVEwfWyU
VUHMNH8V50F8K14QAiKWrGZhkE9lfqqBLEpfToNSUm8keoIWaAk2ZoB5WlaVcyE5Qwr6aYha
/aLUi1XgtDuWWdsDPe4dVzeBfYCzobMF3P/qYbZHl8GreXuZJcF91b0w6XNI3pRcI+xDePEo
7kScArHfJM2IXwWsTxykLYIHhSPnPrZByWPvifw7IfLok+mp+yA6IC5PXE0Q9WLX60NBaaZO
kr+C2lD53BYA2mPLXnkVcnoyvcyyBcxOzDFyghYphmmjwV5TOybyQZKeMDN+KiifO485PoTz
Sbda338Bj1Y+LvpsEnxM0cR8f3W0/wP4Vfer7lcdmtOc5vBf/vlPspGNP3FhnU466aSTTjr/
m3jrxNnd0VbZq8DDL2I6v4yC0A5BvX/tB/fGPr7t0qH4mbD7tcPggPdc0w15wNvAOGL+CDnI
HpinNmQO0o5kAOo1LtOncSeouaG2p+4BeHTyUZn7geA56bmVOgDcxGczaoGvh37Q8znoV+U4
rw7KI8uDgPJACWOH/hmI7GK0pxp4Q3/jznR4lbJ+9o5UCKvTPlu3nGCfkydXGQfYduau7EwG
9aq1sjoF+FUprj0CX7/YAs9iITnLuQ6nx4JWzbopSYJxIMutiG7w8O7FBZd2w5PS10pfyQUv
c7pmew6AnOEI9H8BtqbWtep3kFoytWnyU3hVO2lt/C/gPa/nNY6DmCGOqLXBG+nO7P0M9Ba+
dUYR8C0yC8hlIHfLBLEKZAZpMhGkV7rM3iBcoh3BIGLV9nIciLYsE2vA1t72qRoAooaZizog
FTPEyA/WOc57ygXQW3pWGWXBzKo/NCJBi9TyiLIg18iuxjngY3FLjAHjfRkrb4K+RK9oLgHZ
j4G0AzFQDdUyg1lFjpcClH1yhZgI8icxQ34Gsoo5zqwEzOYQQ0DEieziBWCITWIG6IvMRLMj
qLEMUsuDWc/bwHcAVM1ShIGgJmittJ0Q1y8hY0ofuFDh8twb1yDXghy3kuwge8tr1pbwqn3s
49icYKlgGa8ehcB8AV8E5ALvTt8eCSQlpxROTIAUX3LX5BNgTJFfsgbcRz1BSfngeN1T9ZNm
gZgpq6vjQB6lkFoIlDLKt0pGuNfzwc3IG0AtMVG6wJzIdeM7eJnlRZWoLJBXZGuYqRUEDgn4
LNNWEAXVUlpFQNdvmR0gKTA6V+wQ4IA4qh4C34feV77XbxkY9FeHeTrppJNOOumk8y54+8R5
gzmGYEgZ9SrEnQAWI85lvwS2hn7zgyvAswBR74oPLO9l6q43BJfd2PRqCCSvemEJjoRPElpm
6Dsa/JtZd/p1BDGZueZ0yNszT7NCHoh5mDj1mRMu3EiK270Wgn7yTSrXGTIVVItb3wdPnHez
ngRiuWa3fQFGb5YZTlBnB/YISIXgVVU+qbgP7D8Xr1sjEkQ50+qrALKTeVS/AeaPviKMBO/7
L8rfHAcJDXeM3BYA3g7xx/TMELCw/JYaDeC5I2VsYiI89p0f/Ot4iNoUeyOuIqQWFc+UlhC4
1lHELzPIIP2ZUReSziZnSFoCnsvGKXMAyFU8FbdBOM2b5o8g64s42oIZIBfwIfC9LElWkC3l
HdkHRGX2cQNEdVrhBvm5PCJ1YIk5An8wrzNHTgfPPX2gngzaE1FCCQDRVbyHHfhGz6hXBtNi
3JebQV4zi3MdRJDyWMkPspc8JTcCnSilRIDxm8xitgA2Uk4+A7W16KkIEDGim9wIZgvpRzsw
yhkJxq+ApJD8CdQpSha1P5hfyrbmJJA/yi1yIojvREORESwHRTsugtbH0pD+QAFMvgf9S7M0
t8BTypNsTAD5wOwja4HIK35UKsKd/b9VfhoFutvoa2QGdYTWWD0DSpKSX/kZYi3xixM+gmyW
iDnhzSCufMKr+OygtzMzyHbgPek54IsDxaUWV5uBN4N3oOcc0MIcI6aDcle5oG4BzV8TylZQ
kJoZGhifB0clexfLaRBKaW65N6j7tFeUkqA0o4I6F3znfVfz7oI+QVuvfQfyVcN4a1sQbgg/
mV4CxnNW8IP1Z+tmA6Bc16aJg4AaehNmgTfC94z/W9BOCPuEvmDYY7xpbQC+Zr5O3kHg2eI+
5rkLWc872+VUA9NEg026DIZL8ijDEMje52zpHwnh2x0TrC5wbLTvFxuD2lbsangPsnc413q+
B5NLCAtEQGCiZhHeBf2wEC9fAXmjNFr6HEyHTb3lmeD/3tvXew1EoxDBEfB/qfgC60Fxq5HK
EbA3ML4vR4H5inlIqAOkU+IX8nMAjEH9u6d5kCD/may7ve72utt/txePj4ELBi4YuABG1hpZ
a2QtaGBtYG1ghYqvVHyl4iswcePEjRM3/vv9+J92X4ME+U/ikYXzk13CGhbpBzk3xCkhMRA2
09bSsQVCK5k6BtZD94pdIt4aCJUqlezbbQ5om6Lzo3ZC2BPnvAe3gy0jOq28A0zPhS2MuAe+
8MCPgX4gPa+d97cCcYo+TV4I4jyOmw6C2lefq38MQmUs/nZg7Gh6z7we3NFONa0enJrzydWP
kqDswoOdMvxgq/7EzjIahH1lqBsSA9bq5QeV3geKJyAo+WDNLNqo6FqwHrO1NjmhiDXqVlQm
hDW0nwjbAc4jrvi8beBq4fzBnQxhudGN4nuCsYR5lnUV+BupFdUQMI8yD7JGgr5X2KrPBvUF
/zW/DSwHDOUNL4Dyivy2rRyYn7CmB2KAImpd/xfgu+Q77qkOxq6G5+SPIdA/0EppDEIPabnc
DAzvS8PUdFAkNijfgjhVdwp7wVBVjrP4QI+X2mtHgR56K097ECKE9vJkMMw2zTS+DsZxhnPG
LPD2cd7L3gCp8r3XUqqA2NvwvHEdyHZDZVMMmOym6catII+Q1xu7gn+096h7MIip0gnjTyC5
jPdMUWBoIfcWI0CexRXlIhi6mt+SbgId9CMmDXzjlQH+scApLVbqCrQTL+ivg3+5d79/MYif
6nXyLkN0i7AIswziTdXBQDBMkz2mPWDYYMQ6ADz9/F0DVgi0VCsE7oBcRxkhimBoLdTWp4O0
1RhPPCg+tZ+4EvSPte8DySCMEhONTSH8laj+0Y3BP8A3Re0F+nF/N/UOqKK4WaoJ5qWmI6ay
YJ1vnmOJB32vvlSsBaYthkXSVjDUFCpJqaBeVq74EyFwXM6mNAi3TL9aXgGP1bdfKQpWk+Ek
L0LMxvAnjIMgvFlYz/CyoAYC/ZRawO6/e4oHCfKfS5G0ImlF0v5uLx4fMe/HvB/zPixhCUv+
UYc61OFfSIn8q/xPu69Bgvwn8cjCOQQ5MXYxeEeGNs9PgyI3i9cJdIIO85+8MzgX4meWyqwZ
Be59wljxNohlPEtdZyD0TOmuVacAN8R5hq0QkHyx3i/AsEvcaKoDgfL5ZW7uBfF5K4ktQE9h
gtQPhDkc8r8LvCnGyffB+6Xb7boN+4svfevrBWDtlTMhSoKEBe8aWumQ3ffCtDNlAf1SnbsR
oO1XPnB9CtJBy0JzEQitnHishA3MlwwVxG0gRzm6Wd4Dc29LY7sLDHct8xy54HK7emSuAVuV
8CJxw8D4knlKyGDI6Xj/2I2awDva80I9MB+yLbf/AloZdYf/I9BExglJIFmoLGwHxawu4joE
3tLuq2VBj1EHKiHAXUrppQCz8JV0E+T1+lYhG7RG+v7AZyB4heGaD6RZ8i5LOliWGo+JL4P3
BbfoXgniMOorW0FcLQ+y1Qb1BXGwtABUzT/e/Sv4Rwfsvnch+tOiHUrVAdMm6T3jFyDJHPX7
QKqveZSvQGnoX+JaDdIgY2s1HALpvgnqRvDN94z2GUFtKk4QQyGkigPrl6CfZwGrwZ3qfsWb
Cmp1rY63BNieMf0g3YGwNMfrISVB8Whv+m6DPECvZ6gB0nEhQwiA9aZpof4FeJ/zLRc9kD4n
d6uvO1gaGJdq74K5g2jnDHgt/nTvOdCj9V1CTzCvMkQb3wayxLPiCNCvq5WNH0Dm4fTuafOA
IrLJOB2UZ4S20pMQluaIMn0A4V5bmcjd4An4jd6DkHvcHa/eArGKMM+zBOQnxe9CfgXPEM8x
XzMw9bUMkK+BUk5YIp6GrAMZgZzdELY9JMJ2H8wbxM2aD0qcLC6EmcC+1rHOEQeuWFc17x0A
Ov7dkzxIkCBBggQJ8nh4ZOF8t5Gzn7ENhGfG91Fbgi8l/YObL4LnhZxDmWMh/7hQwtMJTKul
2pbeoFzlU/1jkPL1FswEJqr1/FNAXCp2Nw4HVVf2Z9UAfbD6g/4VCJ+Y3g6LA/1FDMp0YLx2
UTsBpmnGsua1cKjDwaWHs+HYaye7Z+6Anhm95r38PITMei67pgnSV/T5aFhzcCnOIpkdICd/
Q4Xlr4PD/Oy9F18B08US2+PWQU7d7EauInCnXG4vSzzEfhN3I3oRpLfKq+edAu4u+dZbO8H9
qsvnqgX2QY4eoXfAOsV00zYL9IxAB1dPUEMCu/T7YIgyGR1Pgu4VQsV5oK8lTp8L6tNKUf8V
MPQwjpOPg8FpHRwxBPQk7SMxBbimzVcugeYPrHbtgMAQ3ynPZZB/MtQUR4Ivy3vNPQj08b54
wQb+TZQ3/QDW162HQ4uCvYettPgOaAHPfmdlsKTaz2obwDVDkc1twTXN2819DgxV5DmeDaCH
BmI8sSANlrpqT4LdYR5qbgNMlzItGyH3grDPVw0corzYNBH8IwID+AC8XndX71VwDc7fk74L
IndExlp/AHNjQ6b4AWTG5K1zfgG5ZbLn5/sg7OPQN+2RoIrCe2IDUNcSLb4CBkvedqUrqM38
jfOvg+lJ623DSMitnvuBegf8HQOjfDWBOWJH9oN8Ql5ueBeUc/lj8oaBPNNQ0TAf+FhbqncH
49PWlZb94Kvij/QmgOltkgIdQXw5cFwLBbm5Xss3H0L6GVfIGSBdtXQwDoSAQTlm+AC0OsLz
alUw+G1rxG0QWKL21uuBt6US76kI5hRjijgIvN3yY3J+hdKrk47aJXgivdKoYt9DXlR2W/EY
6PeF10M8f/f0DhIkSJAgQYI8Th5ZOFe6WrlpsTOQPPbsGXdLaPzD054eKyB+Qk1z3WXAMFMZ
qw5aNWULJ0D4TvhS3AhsE7IMc0E3qJn+l0CYIpYRM0F/x2nIygPDaL259QgwS/xKbA3+484S
+RVAGCfMU4uA1iLQj41w+/KdcfJAaGR4qVn9NIhq+1SpCingqnF/csqrIAg5O/P2Q9jJIidL
xIMpv8SLlY5C5pOzuyxpD/HS6A79r0NOJac18DIYv7JGxUyHMlNK7i4ZBjdb3o/Kqwy5M3MT
7JPAfTQvkP4lWL522IpXAkvtkBHhAhgGcDuvGYSscHSUZXD+7Dns9oOjvO12SAWghrBfKgLy
7vBq4Z+A/44QbfwM1G3Kl75I8FbK2Z0xFPRqeh/lZSBevCIJIO2UxguNQNwqRImhII4xi6bB
YK5gu25fB6FFjRZLGljfsqwxFwF/vvMt5yRQ5/u3er6AjCfzj2lx4Kzrn6ttAf2IFCdWA8fZ
0E/NVUDeLb6v3QDDDqmo3gnYSW2/CVxl8xcqHUFtqa/Qr4CmCgbjNtC6aqq2C0zN5O1iOpQw
li6ZcB/klvoZbSRc7ZKi53cDCcNQOQ78Z7VWWlnwX9LfoT+EvxT6a1gYZG3IaeAuDhme3KP5
2WA5ax6vfQnKJWc7pR7oNox6DMjHjOPk2aBnkYYJ1B/Vmep4MO4zHTaFgjZLE5T6YOhtmmSM
B6W9atGegUCa9oP+M1hftmab7kJgp3pMmAwZh7NaZOwB+2j7246LYDxqGGz8AKQoua/5InhE
d0/XHUDRHcpsUDfpt4V1gOqu4EqGQJjkF++BuYr/Su4yqGQpbooKQOR9y1JHMuSMTB3gvwqh
7aPtjmz4b309XZAgQYIECRLk38qj76oxyvvM7WtQ/VKJiWWLQiWaRL9YATTFGim2A3+rzI7Z
9UH82rzBFAWiwgdKMqjzhAGKDYy1zDn2l0BdLj6jDwW1de5Kd2kI1Nbv2fuA5YX4EH0D5HfI
2+ArAqFa2MWwWeBp7P/RXxeeOdHwvTJmiO+QqIY3AZ+SZ0jrCqqa2zmnCRgTXDq5IDaPKWWe
A4aPw0Ningeu28aHlQf/ydz7ueUgalLsjLgXIWar/WO1NEjJMYMtkWA/GnJcWAfGamFjYlLB
eSm9yM0O4CnmaR2/Ecxmy+rwZSDaXa95HRBWzrjLvABsY4UflAYgW9X0VBGEc8I5qRpob3mm
5b8P6tfqdskC4mJtstQSfPeEuWpLUI5p1fUZoH/lX+WLBrmZpaXtFxBqakmKG3S38oxrO6hF
PBukzSDGC5OM24EjQinvF6AX1bJcv4JQ17DDNg7UteoP/oEQqlrqycXAes563dYerOcNS/V6
YH1dnhYSAerIwBDf8xA47Z+o/gz2WiGHhCUQ4TDNM7wGeT38/cQZ4H/O09C/CpJKxCw2SaDE
KQuly5C73lXSewiKRMW8bQ0D98vuKYEykFVc6y10AfW2L83TA5SVzryM61D0K2t/tQE419t2
h+yBdGPel4FOoCUrVZx9wFHDIhqXg6GWoawxAdhPCiNA+1GPFkpBQNFi9RMQ+EDJFA+AMEs4
KJ4F22FLG7kURA8MHWKRwayZE+3poKwLJAtDQNe54gP0Qapb84A/y7vLmwTCfsNmJQXyRzqj
8oaA4NXd2jvgq6P9rCog1FQbKgvBc9rfU/0USl6PP2EaDWGjE58pkQgB3dNJLAPG12x9LM+C
rUXEDyEX/u7pHSRIkCBBggR5nIiPOoB0U2+QJ8LTZ5trHRTgim2+4UvIC03tc6cN7J34Y48V
4eDaeedM8hpwD8/Mzn4blPL5sfkvQXqtk/uPrAD1affnzlTIrZTzqgqoT1nOhn4HyhH/LsUK
yn31qiUPhKXydUGC0C12ybgd4jJiW4a8Dr56rjKu90E85ZgbkwF6CechbQ2IEzMrZ/4M4jeG
4VYvSPND+oQeAeE52zlbJdB3SXsNkSDk+j92toVS5uIZxXZD2L2Ir7U64NhmVX35EGoJ7RQT
CpJszDUPBfe0rGkpo0GNlaqYJoLnkDDE9h6cn5/8UfZoyBvqi9Bqg+mn0L2J18Fusn0R0Ray
O+YP9wK+r1wz8/dCdsus9JRW4H7bfTt3Cain/YNdp8D8vikgNQRrUWMr2oOpqslqGQTqZf24
OB6Ui4GXXBUg+1JumeTrkO90LXQOgYy7OfHqQEhpl9klrzxELgqJsk0FS1nT+4a9oJ/WnvRc
BOGE/rLoAMcCi2Z+HUJ2OoaGTQRDtPlJyxAQo6UajvWQUypvjrgKnL1yrb4poJzyL3QdAF8P
z9u+98D3kn+lMwKsW6RsTYHYj0OetcwH5Qd1rR4Gzqm+t9yTwR2uttEOg003vqpXBC2N5yQ7
iKPVcDUCDOWEtuJ8iHot1BCeDfJs03prO7CmWD+2bgPpWYbLw0FfJDxNAEyviqo8BEwlDa9J
80HoKCUSBv7cwHX1S/Bf932jVQatnB+fBKahcjzrwdRSfN/wKRiXSm/IJUFoIUwzXgPXtbzX
/M3AleVp4twGvhya636QQo0bjVVAbGMpZfkGwm6G9LPvhJJHS6YVLQlaTzkjdAOkTczb5J0J
ca8kdot0g+mM1lcs+ndP7yBBggQJEiTI4+SRI87FXNaWDV6DhPol1FpGyDNlrkxNgMuVjtc8
PA8yrkcvFwfDTzP2nlv7NCTlmpKLLYZ6c7uFdRaA3YaxBjvQyLUvOxwCW3LWp28Ak/OJZZWq
Qna71MTDe0BqpT9jOQ+GvaZ3qs0Ef6PAJkUB+qlX9CkgnxRyDJ+DUFXoL10E5VjKovRboPSR
frKkgjk+skyMHYTycacSDGD8Oiw1pA0IV7Wqem0wJNueMTWD7C9sdS9Mhow5uXWPbYYnfnni
ekRruH8gv7d/EDieifq6WB5klb67/Gp98G5xds9/Dswv2MxhLhC+8Oe734Lcbr6y+g+gDUlz
ujZCyOfG9poKEe/HDI/eCvp8LUSrAOZJzob5YyFyRejcsNqgn8AgvgGuz/w3Pfch/6i7tf8T
8Bg8pb01QUiV+ptbgXaH/oIIYi29jToQXIL3m3wjCG2oykKI7xk5zzEOQkNNrwkNwDXUu0jb
BsJ7Yk9hN1i2G9tJ18FXMtBK7ws5J7LzsvqDv6Rykbng+USJd34H+h3tTd8MsH9qnKl0gMBF
ny9QHDwz/bMZCHH1woZHn4CbfTOWZ74B2T1d87UnIfC1Xlz8HCwzTKMDlcGeanxdLgMMU7cp
E4ARxi5SFchf4a3IGMht4J7rtYNxmRQp/Qhx34ZVN48HMVncKdUDZaq5k8kExsr+3f5WoB0U
NvAmiEOUZKEk6NlKNX08mFwmkeLga+2d6psM0jJhkpgCOd3zAq6tEKiiTtTrQiBGW6V8B4YN
pqNWK3jP+NJcxyD0ldDD4QtBuaz4tc9AGaNvUgBxrT7D8DMUiw47JR6FSlfLGJK6guVDQxnb
MJB6yJvtzSEiKSIzXIHjy3/tfakpVOPp7ez/u6d5kCBBggQJEuRx8MgR5ycnNp7X8XXwe9TO
yiKQThhMFhkYEfGFvAly2ru/yasNGWPkKa4yEBKWuFCvBIFGGR9dSwfju5HlI0cCMz3HModA
1AuxxRw3QKpjnmwcCpGVoms8cQGiVsU9V6ovKCeVH/ShIESxUa8F4vf6OVaDflXw8iVoO0HP
AP1TtawQAqyzNXJsAt3mW6K9CoYBBothE0jmpAVhi4GN+hRxHfhF9133bCizvUhc1KeQP11P
0UPBPSlrZsbnUCw0YrtYCQybHFOimoO5hiMi7Dr4xmc3SasAQoI2wTgVzAtsX9hagOeKr7Pw
E+SN1tvKDsjxCNHm6eD5TBkr9AFtq9ZeGguG7ebtNg9ob2oj1DRwnXLddHUD6aya6d8JCS+G
R9tDoVhyzJXw98EY0Bb5NJAC6tFAOjiqmRfYvgbzRuNSQ1uwzDIclnaB+Z582NAdbrRMy848
Cn6bPlD9CmydrVMcpcA9ztXSGwZ3X81IzFwKORVcZ/M+BvcL3urZU8Ezyx2VXgeU7wJ9nPng
uulprIWBFC2d1BZCsWeiv4lKg3PhN15Oj4DkJtkh3r6Q3cM12DMPhHm6oq6HUJNUX1wNMfNs
9cV2IKw1NpRKQZbFWVPKB/83gR/U9yA6MqylZR3YFpkPGCxAQH9N2wDpZ7OkvPqQPSP3XZcN
vDU9Vs+n4N2W78v/DtybXC1yO4H0IrO9E0A1eDPEU6Bn6+3lNpB91rnI1woyxziLeVpB2rWc
+jm5kD3SOdq9DLIP5zbP6QDGM0YPc8FYVtws7IKQFbanjZ9A2CJ7uG0LGAKGHKZD4r7iKVHb
If5WXPe4CAhdawq33YOil0tfKPMFBGq7h2omuOY9br7Y8O+e3kGCBAkSJEiQx8kjR5wdJ6LC
EmqC9oa+lAQQdWOE4SSkv57zQ/YL4NLuWO7boOaw8neq3YRKX1dd2mgUKMdN8+S7INXXDukW
UGt581w/AAeETjQHVqrLXaVBu5//s+d5EMtFtE64C9KUwCrlOmi/iKvYCpQUX0EH/2y1me9V
MI3w9/PfArWNckz6EvRcU759GAgb3P3kicB9kLaDcXVirdgKwPdKcuBT8LfOaHC3KOT1c3RO
y4JyzWsYn6wLZ4+cO7DAB3XbVvmq/Mtg76QvilkOv67wbijaG3IO3x10sTR4huW9nroCLG3C
X404DNKgwFu+2aAlKgO0saCNMV6OrgJ5T+rPqN+D8q6vgasFGK6r32n7wfWS55C7DNg6WRc5
jkPIPKGxdAisHxnaGX4GaQfztAOQdCh+ZuQgcB31CcoS8EzOX5bTDIpMjj0WHQHOCt5QtRaI
deSPZAsUed7+WbFbIBp0vCp4prkvO5eB874nNXcLeI96lnm8YN5qOmEKBWYJe00fg/2idX2I
DSwD5VDhTbDMlaopX4JpnPETqxGuTr17zTkDXAu0HF9/sOwyvG26DtGbQiqYFkHK+NSh98Ig
eoGjt/VFsDe3tQ2tBucCd8bffw5MH5qi7MPA8YJhhrkcyAYlwTUAtC5amrgHkk25I5TmoCer
6/w3QavKC8bOkNNIHRJIAU30dlJWgfa8csG1BZxT5W/1DBDtQnW9B4QHomvGvQuBiUp9skAO
F++r58GRZvlEPAV6rj5QTwTjenmX9hSE3DZbKALqnsAtXw8wb7fvCTeBvtK/Re8IYT/FlrRH
Q9SF0vvKrQVPtqab+kB0enzJmGYQbkxYG50CR+LXDPrVBjfW3n/1TgjQ6e+Z2Dk5OTk5ObBk
yZIlS5YUtvfq1atXr14QFhYWFhb29/gWJEiQIEGC/L/KIwtn/bKQqC8C1eaqkz8aspT7M67E
QImpqs1SCcpNrCo/2xcSi1Td9PSzoP0Q0yyxLIg3/Dd8CSBe1UOEheB8/1arU4PBmh7rrVIe
dKd7YP4bwAR3/+zawL2IbxOqgn5JbKRngv6McA8ZpH16mrAS9FokBU6C9yNfuKs3BGpeX5G8
FbSFWl+6Q05f2Z73EjhO3Vl5cTp4Nx3rcawqWJ58YmeJc2CuXE0rfRD0+97aIRPhybeKfGrx
gG9Yk423r0HF8hXebx0JzWfXHeitBamnpj35XSc49aV7WJwH3J9kXrl7AuSGlnTHW2CaYj4W
9gv47uT/nL0J3JNyjmR/BAafyW5sBUJxYb7QA9yH9ST5E7A8Z3SFlQfvN+oS9kJOC2mJ2Bx8
kYFt9ITojY4XbAKYTObytg8gv40z130XAhHmSaamELrQ+rT1JMQ+E95BTgNvE98UfQw4ycvP
vQJSL+Gm/iFIc+wlDWPAdt3cOvRj8I72NbL0BzoonwSqghht0I3XILuze5vyPQQW+gVhMrBT
Hi5WgrMf30xMS4fAFTlOmw0Oo2mjqQwwW6mTUQ7utk8fLXYH+5OWr00eIE1M8wiQYcr6yfwl
hP0aNjV6KMQZw1OsIyBXzqmRdx/8Ln95/SXIGJV7x/kp+NaqJ9TLELUi5BdzYzCJpg/0N8D2
ZmCAeBAyNI7K+0COk9TwSxC9N+S4KRZMZeXFahb4W/nrijvA8xzb1HIgdTMKBh2kzdpRS3XQ
K+sNAz+CukHrrM+C/KXuyqoDpFdNu42LIK+rc593BDhOmDcZVkLC2oRjMdtBKC8esC4FtbVa
Tb4I9iOxW+MuQWCMa7HrHTjoO+A+ZoKT1W82uaH/fRO7YcOGDRs2LBTQBRQI6ZMnT548efLv
8y9IkCBB/qfgdLpcPh/MmLFo0a+/wuXLN29mZ//77JUtm5QUHg5vv9237zPPgN1us5lMv/fH
5wsEYOrU3bsvXIDLl7OyvN5/pz8REWYzvPtuw4bly4PdbjIZDIXHvV5N0zTYsyczMy8PcnMV
RVH+ff6EhsqyLEODBpGRISFgNoui+Mj5FYU8+q4a21wbXGvAm+++lLMYbLXCVsUOhaJNWhWt
UxG0KZzTD0OgrPK2mgr6fK/qvQX0FcP01qAaA2+5jGAOD381shbINYsuLF8RpBn2eiGNQN9m
iwwfA5qm2oV3QO8hfE9LEOZxXogBrQJd+R5MawWHYwao9Wy28PUQvrl2tYTacOrI3UZePxyv
HfPZpUvQdbSUdSsc7m8qr9/9CBKulninWDjY3jb1in8VpDLmOWEfg4Te2j8Bmr7RxD+qIuif
6tn0AeG9hCO8DR1rNou72A5uDlzT+vQ3kBPhOphTHpwfZDW6lwlhYmzZoh+AqYwtMmQxeHrk
H8/eBYFZnmbaIRBai/vYAcKvhtmiHcRbgYmWr0EJlasYPwL3NnNfOR6klb5PPT3Al6e+zDeQ
v9DVNvcjMJ9SHXnPQfaQjDv3fwTmm78O7w/MCrRSNoA4Ql6kTgXzSssq03oQhtFBPgF6fiDU
expCepruSHVBM0oOW0tQ0sUMczy4o9xjlGrg6uAxeJ4BVmmDvH1AfF44Yt0CYbkRt+wGcD2R
tz3HAZ777q9yN0K8KdoQ9S5k5mZUu9IDQjqFLU6qBqFfOkbHvgPZd31d/efAn5PzlnoWMt72
ZqXMBPNWy1emryHrRP6v3tvgae+N9SVBkaz4uRFnwLDfUNM6B3hJ7eiNhvAToc+aG4E63t88
rz+kxrjCXZ0hUxO+kQeA/hFp2keg9aQUTcD0rcFlTAT1oPCcfgQCP2sfafPANz4wR/sFlCeV
1z3dQaqkfSrUBH0IrTwiONZYk+STUKJiMWcZDSL6RV2MrAWGj/yvaOkQ/lO0M3onmG6LS8RQ
OHBw7epjy+CX0xedlz+GtHjFoF35930xPIzdu3fv3r0bTp06derUKbhx48aNGzcKj5coUaJE
iRKF/QoEdpAgQYIE+deYOvWLL/bsgczMvLxAAMqUKVUqKgoEQRAE4fHZ0XVd13VIS8vIcDoL
7U6cOHx4s2aF/SZO3Lbt7FnweDRNEODpp4sVi4j4zZ/Hed2/eQM3bmRmOp2FdqdOfeGF6tUL
++3YkZGRkwNWqyRJElSrFhpqt8Pj9Qb0/xOsunvX4/H5Cu22ahUTExHx+Ow8snB2l3MWz34K
jBeMC8xzQcoNmRi+DzxObxtPMRCKabeFVFBXyFsZB8ITYgt9NEhxhBg2gr5Nfcf9EhifL/59
xXNgPGLb7rgGam1+4joQwyCxKBhMek//UxB4VvCxETioNxZzQfcKh/U7QGvqqGEg3vTvMRQD
a/mGb9R6A/LPZiVtyYacMsm7/B0grym73LtBnV7qSNGq8Gvby+f2ZkCzvSEny70E3rC0o+aj
cP/j25ZMBYx1DUuyhkN2l5TF909A9qL7A66kwKm+t15MjgLrB45GIb+A+wW+KtcevENvHji2
CfJHZu9Nbw0htyIjYjaBsb7F7K8DAaeveO7LIPUT2wtDwd7TGhHSCphhsBiHgfE5OVmcBKG5
4gLtHBhKGG87DsHdG3kT9VjwdXR953sJsk7pAwx5oNQz5kTpUGReSEnjR5A5LmuxezhIC7il
50Cey/2zbgFfKbW+zwxyCXmJkA7e8lop7TmQW4ghuW/CPS3nnGsPSKKxhqMiGGsZfMaGYJps
qOR4EazHueHdB777ns+zUkE9PUoqhgAAO1BJREFUyXTdCqYh5m1aCCjH1fe0KlDkudhKZadB
eL2IWNsZ8LzouiDPg7yU7IueDuDqoY3zdwJHDfs5y3HwNg4ka2XA21PdSgeIfSNmYdRpsM6z
trYUgbuOe+Oz3RAYFOjvOQYc1WcHVkCOwbvW7wLhc/kVa0MILNZuUxfMcyxfGL8B4wE5WzoO
ymgtXOwIijFw31sMbDMNw4XVYPlSdsilQf5RWhF+BXI3+k8HOoF9inGz2A7KDS1aLzYVivUv
Nq3YfTCsFO5Kb0JsROTQ8GsQFR75ZVQXuPTmr0mXv4d1bTaV2h0KyXd9ZV25IHcUt9nf+j+T
ZOvj/XL4r6hWrVq1atUK67NmzZo1a9Y/7xckSJAgQf41zp27ciUrC+LjExPDwuDmzXv38vL+
ffbsdovFYCi0+yBnzqSk5OZC6dJxcWFhcODA7dsZGf8+f+LibDazudDug6Sn+/2KAiVL2u0G
A1y44PF4/o0vCAsPlyRZhvT03wT04+aRhXPKG1eN118BnzX1TtZEqHaj89qOGeCP8JUNvAL6
SdnMdyCd1U5wFITmwgBhAegJ4ineAf2ifs7XCMSSYpT8GWg/C3fkROCq1ifQBISXhEWCGwKT
hdfFqSBe1O6KDYBY4aSigzBM3y8eAS0Eh2wFvhK+CpQBtbz7ZeVrKDMi4Y0qn8At1evZOwEy
wuUD+Tsh0aRddbSHlBfUb+XPIKvm/V73dsMnjrevf7IUbprSDIEPIHKMaUreLNAPKnOcIyEz
xrXI8yp4PrevL14d4rsX/SkpAZgX8nzoZki/G5Vb7BB4D6R3So4F7xnjc+Y94AgJfTvkNgi3
+FxPAnO2uCAgQVjAoKtXQX9Pvep0Qmhn48tiKTDvksICUXC1VfLLOSfB117Ls9YDdT/9JBfo
HampDQP5J6GzfhZSU3ND/LvB1thR3twG5EFyVUt/8NbwZHreh9BMubcqgRjgFeE6GMvKXWyn
wRxmDjfHgHG+fYsnA4QitOQGiNuEZOEJUItqHwa+B9syOV26BuaXjaWiZoD3aV/H3KogtKWF
8TD4cgJPKHPBt935bH4OBJqa1lrd4DK6Z+ZOAn2B8LYyAYp7w3sJNcDoEiKl8ZBt9izQ7kFM
l9AdlnwIPWlK105ATlL+4vwe4Fa1z3Q3EEe64RPQsulNUzBftFW25oDlFcPThqOgNtWPqF1B
jVG3CZ1B7aMfEW+AvFbSA7XB1NdcX/ZD+PrQ2Y4O4F3uTZIvg/sjXy1fJbAdMdilSVB8c+zZ
0PMQayy2vPiboBcVPrIEwH5Q7Go8BUkflLIktgRXIPumezpsfuHnDftuwJ0uubdu1AFLcT72
xoEyW0eIAp799305/CMKcpcXL168ePFi6N27d+/evQuPF7QHc5yDBAkS5PGgKJqmqpCb+1vK
xqOPFwh4veD1uly/T7Wz28PC4uIK7RTYfRC/3+8PBOD27Zwcp7OwPTX11KkDBwrrsbFVqz71
1KP7W2CnwO4fr0dVdR0yMhTlHx3fsWPLlqNHYd++Awdu3IB69Z56qkQJaNy4efOaNf+6PwV2
Cuw+bh456yPbrzbKGA8ZAdrmtQH5O0GRroPQVd+lRQMlWMUxECYJq4QtQLq+VzgMwkfCMqE6
+ItcDfnFBMrO7Lyc3SDekJPlAGiRQjfxTdC34hHKgHBb+IwewCihqnYN6MAQoSLoIpX0aiCM
FZoLxUBcTjTTwacI7+rroOj40p83vAhNE2vN6NgS7M+ay8XXhMubM+TzZcBstpwMzYZ9yQef
PlAebl60mO+8DX6rtaZnB9hblP289CmoVu2F95/PgVKNqpWpOwiGlu5fq0sXqOeooMdMgNj3
WZU3D6wLYpoWWQGyP+ynyPbg2ZvzXGopcPd0N/e+D8bG9uoh7UHL1EX5GHh6emZ5JoPxSflO
IB+8eD9x/wjn42+8fv87SLakf5dxC7zZnlGuUiDdM1qMP4PZZ33V1gU4JXilviCdM3iMe0Hp
r2UYdkNeP1cVrxVMi80vGBdBmCWktvVriKoYUj2kGZiPixHKIWBQwOfsDSF3zGd5GuK/ivgk
LBlibtj89rqQ+JGtu2MpGAWxmT0H/FuUWf4wyP8299n8REg5dP/z5KmgOtRegZmQH6KEeV+G
60czJ59cBHI94ZZ3FrBLv5R7Gty/+pf5S8G9I5k3Mq1g+EyK9O8E+xPWEtJbkGLMKO6cD87J
ntv+HeCr6K3m/R48c3ybA05Q7rNKWABSKT7VZTDGGHfKY8Fe3h5tag62cuaVtg9ArmHMFEUI
dNL3ipmQ+VFelnYHrsy92Ss9ATI2ZidlXgFlh/K95yeI/jrqResyiN9T/JmE6yB+Jw8xtQTv
Dn9l7UNwNIx7PrYz5I1zpgmvwpZ7m48ciYLDv1z56kInSN+btyetAzjrZnW63xr8IzzT7//w
+Cfsn6VgEeCfbX9UatasWbNmzX9edtnRZUeXHX/ffXncdJzccXLHyYXX97D7UtDvP4UVjhWO
FY4//9wKyssjLo+4POLv9r6QyZmTMydnwhf9v+j/Rf+/fn5+t/xu+d3gKeNTxqeMhdd5p+Wd
lnda/t1X95/7+Qnyf6OqiqKqoKqqqmn/eunzeb1uN0yePGRI48awfv38+QMGFJZ/PO83uw/i
9/t8fj/4/YGAohSW+/d/9NHbbxeWDx5/9PI3uw8SCGgagKb9JmMfLA8cOHUqMxPM5sjIxMTC
+sP6/9mywO7j5pEjznKd0taY6WDOCF8ZPhv0HTzJGNAb043XQNipxfoTQP1Wv62/BUJb8S3D
ahCfE0pLiSAeFLobloO00x4TsxTUd/UfiAfRw5NKeRCa8pxkBv2APoaGoDfASC8gGkFoDkIX
4Sn9DaCtXls/DXoGq8UeIP4kapYDoByUiwVmQ1GtqN7gFoirZaTLkJkpjrp8C647U9Ou/wgX
06+f8dSGcisbpzzzApz9+MdOJ/pD2MDiHRwpUD66zNJKm+HFY91u9KoI1q22YqbnYVfnnaW/
KwaN98Tczh8DISeO52ob4WxF/xul7kDWBO2wMgl8izKKpCwAY29pRtGyII+wPxkeBb6P/TPz
JkCOL29F3kxwlw3MFDpC9kHvXT0LTMcMnxiagOFbYV2gAog9lKNuAQJhXpecDOaplp9Mz0Ng
uv8VnxVyDuW9lH0ObEUscy1jQHlGs1jOgPOSt4g0AYyl5OLGk+A36nO1I6CcDwz1XAbbZMNs
2zbwtMtfHZgK/q98rbOugetD5eZlI6SeStufsQKkn+XGXALDMmGaZTR413tFqTPoq6Rocxjw
pVglPwAuv79z1kkQazHD/gvklcsflhcNZ+/feN+VBCUPxo+KUiHmjHW/IxFSnkt7Kn8/eLuS
5R8LllqMkteAuYycSjaEfRNa2bwIhG+E+aZjoOwVL0pLQd5rWC+9D2pc4K74M+SG57+TnQnU
JEpqA9bB1mPWihAzL6S93gLUXH9P0yowtDd3MT4BRaaGrw3bCxE3i0lxC0DeZKnjuAZqTe9g
RkL0V/GWyPMgq7beYToceOmXXy5Vh72JR1ufehHSG7Ah8BNonxtnRcngfZpudz8Bob3UVKoI
3Pt3TNuHU5CzvGfPnj179vzxeEHOXYMGDRo0aFCY6/y4iGwW2SyyGbz++uuvv/76H487Ljsu
Oy7/996Tv5OxP479ceyPYLfb7Xb73+1NIXXr1q1bty6MXTp26dilhe3j24xvM77Nw59j3Ddx
38R983d7X8ia5muar2kOxTsU71C8AwxgAAP+wvnbt2/fvn07BKoEqgSqFLZv6bil45aO0Je+
9P27LzLIfzyKUiBkCyTbv8bUqW++2bQplCpVrFhU1B+PPzh+gd0H8fs9nkAA/H6r9b9ahOf3
/5ZCoSgej8tV2C7LFovNBrquqooCgYDLlZ//W7vVCqJoMPx+MeKDdh8kEPhtcaCqFuYh/x5Z
tlgcjj/WH9b/z1Jg93HzyMI5y3o3IbkXxA0P31pmAgifqPF6FjCY17EAPj1XugDiOvE5YQ4Q
4BMpBrTPtBZaH5BaFB1edjGIB6yDo/eCEKEO9u0Fbb1+Qz4NjBRHsxgEi75eHwZ6CqGYQSiB
i5pATf0jwQD6FUroNuCebtR/AL0557S+IHWQ60gJoDyjfqb8AtJ9w1TrTnhid2ypBt0hIlf/
OeQkRAVKHDZvh9WnF2dtjoNS7SqejnBB9dxqh0wNITnkbuy5SpBQL+2Yth0i37SXtneAMtXC
VljeBKGt1iLhBUhZKKdc+gTuJdg3hD4Hei3Cyn4PzqX3vjknQ5498+dkH4RPj1yUuB70WdZZ
Di/kVAl006qDOtLrSDsJhhbyUPE7iFkbUTzqRTB0IEUdC6n7sxrcqQChNUIrRDwLWlHfSekg
hEaF6GGzwL7DclvaAc5f3L+4h4O/pfdI/h4QLhs6GWOBdL2n7z64cjx3PNPBMtr0krwP1GHK
RK8L3He8+a4i4M0LtMj0gLbJuMPXA+T1hlb2aeAe5n4651kQc81zpTZgXWzew0mQGwjv6adB
RB9jewriwqOjqxyB/Mmu53OuQpE7kY1jr4P0lbgsvS8kbA6NCpkEWeUyl3hWwt2vMsn5GUq9
Ev+kfRMEYoX8QC0QJ5pnWiaCMpcufAz2eKYqXjAtE0/pF8HgFNvJVSFzV17TjG8gOsEeb5gK
cRej3ov5CczvmL+Wj0HKM5nd3eXh5tjU5veGQtmXSi8rcg4cm4q8G10SDAuNXWwnwdM+/1qg
F0TVi0mK2Qshy2LmRjWEG++ca3XXB4ffOJFxshrcv6hX1Y+AOkL+NOoaMMMfnXIQjPOsM+Sb
YGprSYp/8fFP2H9GQUS5QECPHz9+/PjxhcfHjh07duxYSEpKSkpKevz2CwRi64TWCa0T/kGH
BBJIAG2+Nl+bD1/W+bLOl3Vg3bp169atg4yMjIyMDIiKioqKioJ27dq1a9cO+hzqc6jPIRAH
iYPEQYWRuALB9MOoH0b9MKowMndrza01t9bA0aNHjx49Wmi+4Ly4uLi4uDiwLLMssywDZzln
OWc5GH5x+MXhF6FpRNOIphGgVFGqKFVgeu703Om5sLHoxqIbi0Lp0qVLly4Nnvae9p72wBrW
sOaPl1uQY140rWha0TRotKTRkkZLHp8f1bXqWnUNbre43eJ2C7j7490f7/74x+t+kBLbSmwr
sQ1KUIISv2sfz3jG/1fP8W3e5u1C/4tNKjap2CSo82WdL+t8CVmdsjpldYId03dM3zH9zz+f
a6uurbq2CqaVmlZqWik4e/bs2bNnC82We6ncS+VegqHnhp4beg7m7J+zf87vXixUMN6wtGFp
w9Ientv/IBvTNqZtTINyn5T7pNwnYFxiXGJc8jvhXKNvjb41gOMc5/ijf44+9X3q+9QHm9I3
pW9KB6fT6XQ6ocbnNT6v8TmMHzd+3PhxEHU76nbU7UJ7vv2+/b790HV61+ldp0PezLyZeTNh
yNkhZ4echZYxLWNaxjy+efWw5zqty7Qu07o8/u+N/9dRlN8EpqI8mlArXfr/Fszt2w8fvnr1
P7f7IH6/z1cQCf59RLpy5YEDJ04srEdEVKhQqxbExXm9v8+BvnEjOzszEwwGtzsnB2rWLFOm
aFG4ePHOnRs3IC/Pao2KAqPR4QgP/6PdBwkEfhP8D/u3QpbNZrP5j+3Tpk2dumHDw6+/Tp2a
NYsUgfr1Gzf+/WLEB+0+bh45VcOQ7w8N3IbwqqalISMhkERl4Q3Q6wsfCs+CsExcYdgAPCV4
pUxghbAbE9BTme0eB9rQ3BZpY4AK2m3xNNCad4RlIDQW++luQKaZPgcQySIaMAhmJCCVfG6B
/jwd9GQQqglVdQfwHc8r34IuaEP8Eui9mWHsAdJ8IVRqDmpv5ZznJIQnOazlr0L5KiXHtpoB
3tvy94bGYBbLtLb1hR6OFye2aQaOJp6REf3Bf/f+0Nz94BTOHUpNhpB5htthO6H40shAXFfQ
B8r9pCIQOqzoClNfiBxuq5xnh8jR9i+lZDAPjNtZbhsY9xvGW1aAu0GW464EanvPBZ8TQmaE
PBvaFBwtY04XuQCxtaKux6RCbFxUTPREiPSGhkbrULpv0fDSZyHiJ9uZkL0Qtc/R01ARTDv0
4e5PQGrsfTtrEySlRA6Q90BoN0MZZRrYbNJn3o1gWEN5ZyJYvzKWMjcEb3+PPZAE2d9mqmmf
gWe/e4dPA8xaguMbMMVpRytrEHbS1LdkCFgbGW5a+gJ3Vbt5ITj2mPYWz4fsZq5A+jDwv6hP
pyhkNUrt5lLA8Lb+akgTcK/0Juc3hlKpMUeLzwfbB3Ja+F5wNfPN8R6F2OURidYbYN9tWmTa
AfHlItqFx0Fig7Ci1s/A2zz/bMAOjg0WVRwFxhb6x0oSZFS+/+rtvuD/0b85dQDkJnqWZXSC
KyvTyp/qARcT7oQnL4XcA3ln3cWhwrEKZ4skQIlOpYUS34HpgKlXqAKuYu6d2vdgPeaoFNYU
woh5LyoX7l2/9W1WKTj65LHsU7fhRsn8fe7D4K2ve8S+4Bnr2ZD7Ojg/c95NSwRDluVe1DJw
T9U3mj9/fBO1YPu4cePGjRs37uH9CoTzw/oVCOmbN2/evHnz4eMUnP9Xt60rEDAP+6l/U9FN
RTcVhWUXll1YdqHwJ/ayu8vuLrsbZuTOyJ2RW1gvOP7N8G+GfzP88d3P1AmpE1InQKcpnaZ0
mgI5O3J25OyAGbtm7Jqxq7Df0meXPrv0WVgTvSZ6TTQ0u9HsRrMbhT/tp01Im5A24eF2cnfm
7szdCfll88vml/3X/Vi2fNnyZcsL/Wg+qvmo5qOg7MyyM8vOLBTM/90kJycnJycXCvdnhz47
9Nmhf32cKVunbJ2yFY4POD7g+ACYuHHixokbYVrnaZ2ndYbk2OTY5NjCiPikiZMmTvqdAIjf
EL8hfgO81+y9Zu81++f27ifcT7ifACdqnah1olahwG0a3jS8aTjcaHqj6Y2mcPXq1atXrz58
nD/7/L4yfGX4ygDfOr51fOuARo5GjkYOmFx8cvHJxeHixYsXL16E2ZVmV5pd6eF22k1oN6Hd
hP/ic/KY5tXjeq7/W/hXUzXy8rKy7t0rLB/kweN/NlUjEPD5fL7fhPNvkeffyjNnPv98zJjC
sqB95cpRo/r0KSx79apbt0wZ2Lx54sTXXoPZswcO7NwZtmyZNOn116F27dhYi+WP4xfYfRC/
/7dcY1X9bR+OB0tJMpnM5j+WNltiYunSDy9Pnrx61ed7+LgFdh83jyycjYvMGcYnILxP6IGI
GNDe1CcqbhDyhRAhFUjDpDcEtuuVhWUgfCB+Ik0E4WPfjNzZoF7Kq5MXAuLnwnzzXlD7CRn6
KhBq618zC6ikjxQiQHdTAgGQEAD0PDLwgjCXuUID0L9BEuaBnqVO90ggdvJc8fQCerl93nWA
iTlaCgjVhSpkgVhPeotpcH9lVvX0eyDuvvbU1XQYa+m2auibUOVYhfqtr0K1enVebNUOWmW9
1LRTPzCMq/BRYjj8tHJnqx2rYXu7vVmnN4HxVGCulgcVGzvCwxtAvENP8LwHpfym6NwnofzT
MZeNbSEkKa5vGQGkvZZ9ju7g25z1atoZ8A9zXnT1BmOybAktC/rzJlPkGUjbkDdAqwJ3q+TO
8DWCzG3OMmpbSN2eedAtQvqX2YNcX8K9Fhlbcr4F83FzNckJwm1/mjYM5C5MUYdCVLb1FaEy
RH9n/dxcAxznZJtaBqxnTG8Y48Efo7xOffAOVW/kpkKuGNhzIhLSXsupee4MZO0I9Lw0HJy1
fF+7Y0G6ww6DDO7WgRDPF0C41N9wD9w9fcacipC/PbA/eSGk98s5dnMmZHyY87XnHmSsdRrT
3gPDC2HXHX0hRHBkR20BRzvT19ghzBBy2FgBhJeVaaZxkH8hP8HzLBhPSGcUD/CUaKcdqN1F
u20taHPMTX2DQGhv65+TDLmXAsXTO8Pl+vdCr8VBeqTnzL2LUGRkqc5hM6HY4WKtS/cBQRHi
rf3BXSy/eCAdLLGOQSGvQejqmDsxlSH90+TQvH1wJvbI16cEuPli7sHcMFDrGoYbTgGdNZ/Q
BVgtNBFqg/RCeGrROFA2yKHxAghZ4nDhT/wB/7MU7MdcIHwLIkYP7tP8zyhIzXgw17lgnIJx
C+z81fELBMzq1atXr179x7LehXoX6l2A7dO2T9s+rfC8MWPGjBkzBup/U/+b+t/A6DWj14z+
XQT3wf6PSpG2RdoWaVsYwSuIHGZNyZqSNaWw357ue7rv6V5YH7ps6LKhy2DA0QFHBxyF8Ovh
18Ov//v9eDClZoh5iHmIGV5f/Pri1xdDyNshb4e8/fjuz58l9LnQ50Kfgzm+Ob45Pmh9r/W9
1v9CelLBdRcwY+aMmTNmwrbsbdnbsmGIaYhpiAmWmZeZl5khLiUuJS6lsL9xsXGxcTHEPh/7
fOzz/9ze5smbJ2/+Xc5wkyZNmjRpAo3fafxO43cK27d02tJpy3/xEqM/+/z2/bLvl32/FNYL
UmAaXWl0pdEVWHRi0YlFJ6BHjx49evT4o53E8YnjE8dDt/xu+d3yC+3kzcibkTejsN/jmleP
67n+b+HBVI0/W+7YsWTJG28Ulg/y4PEHz394qsZv+zgXRJwfjDwX9vvH7e3aPf109ergcFgs
/ygS3L17vXpVq/5x/AK7D1IYcf6t/mBZEHH+q+ULLzRqVLHiw8f9d0WcHzlVo/icyN7FPgfD
TfNRqwO0FXq2Vg6EeG7ot0G36l2FzSAmMFVpAIwQ5lu/A99TObPyroP/uEcKPQxGg6GH1APE
zurlwFJgrR4mbwSWiz11Lwif6PPIB32/foFfQegndGEZqJF6Gy0BpK5aSeEq+Abkv+0TQEjx
OL13QdDlsqYFILUyrdPWgPCsLMotQF+kHVFHgWGDd6UnFhqGPulrXx3Cr9tulUoAX7g/2zsA
7N2ihxUfAQ6j0KBEQ4jyJrmVnyDCE/Fm2BOwp8+eYdsnwKrUSwcyK0LMdE89/QKUuhA2ydYW
jPHibm8UFOkaJqpNYO0TWiXy4JjNUKfUQNB2Z/W9sw4CE/LWp+8F3lZ76j3BUi2kcfgB0BbJ
64Q54H/O313bAu77eSPTcyAQ6QvJbwf26uaW0mCI7GVTzZvAftZwwFoWPJ/ojfUwiKobvtgw
BSIGhCWG5ULaVxnfe5aCbbD8mWsNmDbKmdI+SCuWJaTugIR3I/vGdYP0Hb6h0UMh/Utf/SsD
wB5pre8YDfp46T2zCulr3NqtdSAszouVT0DIcct3sUVB+sn6o3sD2Co4WofOB7Gb8kPEp2D8
VbxjTAZtGkmun+BW/bsTM8qC71VvunM1FG0cs9heEm7uTauivwTuBGVVen8okhPeUu4DgbnK
5+ZD4G7heS4QDtn33f21mRBZxv5tkXPgejUwkFJgizYtMI6CEh1jtpU7AUVuF/245CEIez18
ePwS8LcKTJEagruWv4IvFEKPhXeIiAXH5eiKER0h+6n0Lc6lcPP0qdjz6+GOI/vN1AGgTTdG
hg4F5quvCG+B1pX1vrMgVjA1DjOBME07EogA7WlfhewDIN0P6K4YoOTjmagPplasX79+/fr1
hRHhP7sfc0Fu84MUjFMw7sPs/jMKBEzSqKRRSaP+i44ePPxuOyLhmHBMOAY0oxnNQDguHBd+
99O41k/rp/X74zAPtquH1cPq4X/upzhQHCgO/F19obhQXPjHfno/vZ/eD7Bixfo7Pws4xjGO
AZ3pTOc/f5/+qh+BqoGqgaqFdWmgNFAaCIJdsAt2kEZJo6RR/9ze4yZkRciKkBUgjhJHif/A
/p99Ph8mfpj4YSK0+7zd5+0+h8MvHH7h8AtwqM+hPof6wMbEjYkbE2HZtGXTlk2DVaxi1b/i
cA1qUAM2ztg4Y+PvBGfBP4wPUpCyMbjG4BqD/0HKxp99fgUpFH/o939SX/4ZUm2ptlT7n9t5
kH91Xv2z5xrk/6YwVeMfC9nHaef34z8sVSMQ8Hp/vzjwYTzs+PLlhw5dvgzLlh05cuMGfPBB
y5ZVq0LnzjVrli4NtWuXK5eU9Nv5x4790e4f7fzfEecHeViqxvjxnToVL/5w/+/cycvLzwe3
+x+P+x8bcTYfddWTm4ChKt2logD6PG4D14VKwlUQffJr8m1QEaboa4FhwiH9CKjve2dKF8HX
TKoZOxvEQdJCFKCMdpYFoA8V3uMGcF5foUeCno6HCGAPTs6D3lWvwxdg6C8dlL8DQ1PjTGMV
kA45EmPqQvJ630RjUbi0OHOUPh9yZviKCUNA+lFsTRtQNiq7/DshpEh88bI/QKg9OqloR/D+
oHjd90H4VGzHQFDeUjO9SyHwTGCJdzhoJ71vqvMhoXdcheqHod2a2tLTFaH+p5UrRORB2JAS
dQx1QVljHOD7CEpYondGxEC5qLLPhJyAaro1NKcGPDHSKGktIEyJDim+DCTCGhdrCWoj342c
uuCKzzmSMhG4pNVgKoSeCP0lchTEjkn0JeVC4t2ir5cYAqE+W6WIUiBcN8yUy0Po/ugFEQFw
mCxTTV9D6t60djlX4cz2i2XTJkDuZm+IfznYettbRGSD/QubZGsLVXsmbS2+GMr0iIgrFgUG
O218X0Kx/KhDJX6G8oPCsuu9A0Uv2RsW/RpsVy0WSz0onVDifOUWEGEL6xV5HCImhpriJoE8
VZIiyoGnq3rMo4AyXLfn7gGTaJ5h7gbha+0vEgYJH8VtDNkHqojLWg2i3oz62fEtPHmmbJmE
sxAabvsotB9IU4RIuQXYQi3Jlp5gddt6Ga0gNjO1NR+G2Nth8UlfQJmuxTPKylD+QIVnajYF
e3LI94m/QG431xQ9H3KGeE3KfbDWicyJrAmm8ZFzIvMgV7/bN7cK3Dp77KUTJyD1QFaf64dB
jTBXtaSC/ooUbTwPmqKv0luBUEL4jCLAfXW7tx4oNt86531QKqnPuq6DYuU5Zffjm6gFArZ4
8eLFf/9FUvAH/8FXa/9ZCs57UDgU2Pl35UI3Xtl4ZeOVhfUJmyZsmrAJ9pXfV35feZg4ceLE
3+fiNW3StEnTJoX1ghzc1I2pG1M3wqrGqxqvagx3x94de3fs4/PzmSHPDHlmSGF91suzXp71
MiwQFggLBMjunN05+18QzH+V2idqn6h9orD+6YFPD3x6AOYdmXdk3pH/Pj/+LH/1+bxpe9P2
pq0wx7n6kepHqh+BQbUH1R5UG6xvWt+0vvnHCKuwUFgoLCzMFS5IMXgYV0KvhF4JhevvXH/n
+juF4z/4y0hBRDhlbMrYlLFw9uuzX5/9+l+/H88sfWbpM79bhPnxvo/3fbwPdnbd2XVnV3h1
3qvzXp0HKy6vuLziERbPPuq8CvKvUZg68dcizk2aDBz47beF5YM8ePyP4/xjoR4I/LYt3IO7
XjzIw9p3775yJTW18PjixQcOXLny8PMLygK7f+xXsDjwH6dUyPJvqRkPlnv3Xr+ekgLnz7tc
Hs8fy/z83/Zrfniqxn/o4kDbr5Fj4xaB3kGqY7gE4nLG8j4oKf7dgV7ge8Kzyl0FTK+EYv8U
jMWE0foZODv3Wm5mHwhtmNQ9qTUYRzNTGwbeD4W24gIQfuZn3Qf6OxzXkkGcKXSXDoNQhY3C
atDPUosy4HzNmZdzDVbPXHN2gwV8n6nmiO1QbdtTbepvA72I4S67QOohp8lnQYzWtiklQOsn
njD0Al6mlvAZBJ7y39DPguiXWrMdWK93JROEFbwlTgHmiUnqy0ARbbBshUAP0sS3QFyZ+E7V
ElD5sPiBfT2UeN204PRsyCoVnpozEsQLeUc9NhA/Tnz3CQ9UGlNpb+ACJK5OS3NOg1NJWT5l
HZyZJ162vwN3ypubJN0B7WbezrRR4OuU2TS1P2hF7V+GbgX7eyFfhihg+tnS1JQI4sf2r+xn
QAsonfxNIW17TrTQD1zFPOfVXHDN1F807AQxRi6p3gCGal/qUXDntbTTGV5gk/qaIRTCmocW
t5wB5UXpjG8/lNoW0qf4CyAnGOZHFIW8My6PZzHoM4WtvnfBvEUbGLYTaK01ZgCYJsvtxa/A
eIlWEWlg6Gvrm3MRPN97pKyLkGnM7cznoI71T0o+D2VKxcSWD0DoeGlf/CtgWxc2Ex8olVyn
nBLcH5GsukZDWi9nqssC5pfNquk0iE2FneoRcKSZp9h6QGi5iHoh88E+1mEIWwHmD+2zLBXB
l+8rKewG5wfOQX4BpHdN75jCIVKNXRyzBMydzTsNoyB/0u1eqZ9A+pqb/a6aIK9JrnarNHgw
GsI/BXUoY4yvgz5Vm6v+9vkbpF4A/Y5+SK8E2ghi9cpAhJClrgPRTrTxbeBZWurV/s8kaf/4
JmxB7nHB/sy5ubm5ubmF9YLyYZHlf7brxoN2/l287HnZ87IH/Lpf9+uwbsS6EetGwIiMERkj
MiD6VvSt6FswsNjAYgOLQY9Aj0CP330hD7cNtw23wSzzLPMsM3w38ruR342E6NvRt6NvQxpp
pD0GP3tX6V2ldxW4/8L9F+6/AFsmbZm0ZRIU211sd7HdEDklckrkFMjcmrk189/4opv+en+9
vw73Rt4beW8kbEjZkLIhBSpFVIqoFFGYolAgVP9u/urzKRCwM1bMWDFjBYywjbCNsIF6SD2k
HipcjDmi+IjiI373j2OH9A7pHdLhx24/dvuxW+GiwYctYitYVMl5znMeWn3Q6oNWH/wxVaRg
sd1nfMZnwJbJWyZvmQyVvq30baVv+cv07du3b9++4JzlnOWcBZt3b969eTdsvLXx1sZbUNtf
21/bX7j48V/lUedVkH8NVf3tFdIPE7L/+rj/9XgFdh8kEPD7/X6QpN92zXgYBbtqPMiFC3fv
/v7FKg/WH3Z+gd0/+vNb5PdhiRM2m91usYDPpyi/77F9+8GDycmgaYFAauofz3viiaQksxmq
VXvyyX8U4Cmw+7gRDh48ePDgQV2vU6dOnTp1/voAblwNsmsClw0n7V1ByOJDrQpo9fyf+w+B
L8bdzeMDmzF8XsQiUC/rb/n6wPmpWyOP94CSkXVGV78O1lfDjxsGgXpezdSTgKOqU98GbNNX
qK+C0NPwpKEcXE+6m3xuORTfHFOrdF1Q+ijt9DjYk7HXeaQ6OH91WdRIoJXj+6LdoWRmKV+R
X6D8vfh1hmSwdrEWZT+o5dUW4j2QOgjjOAlKeXWzdw+IfqG7fBSE16RK4mzQ39baS/uANeLH
WgD05xCEBBD366LyLvhrOCvkdQBjiqGNuhDUF1xTMt4A7YuMlzO/A8kVOSOsM3jvZG687wB9
Svq09DdA2iXrrABvqnTHkwZZSdd35qTD6mt7StxvAceHZf8kpYN/iXdc1hzwZ7pbZE8BoZo8
0nIZwt4MqROxCRxvh24wbwSTw/Cafg8YqHb3y+Ct6Frv/RZ82f7tgU9BWaZf1IaBP9Z/1ZsO
voEuS84BMDst66yDISI78o2wt8B7xz3G2xU8xdxZzp8hs2pWTmpjUGcIG523QWsvvGwpCs7O
/u3Z6RCS51ghVgF/mnub8CHk1nfnunpCubT4cUU/BfmCGGWpDDfDM27ePQqGuvJ2Sy+IWhOm
xraHyD3m86bSoO3RRyld4O6gO8O820DzGgexDhwTQyWrAOZX5G+sNyEmN36DTYGI5pHFozLB
MMh8LeQcaB8ouw1vgivVWV7JB2+muiEwHCxK2LmwYxC6LHxu2D0QK2o/G3aAM+p+zv3O4Psm
e8CdVPD4lM9yp0C23/V24ADkbdNHhXUFvbQ433wMAhOZKT0HvvvK+7wGgV6B7oHWEDigrPSd
BmVmoJP3HLBQveeZBlIlfYmvJxxL3ffJhlOPf+IWCNuC3QMKBPS/SmhoaGhoKAwbNmzYsGH/
fuEc5K9R8MtASuuU1imtoU18m/g28YW5zS/teWnPS3sK6xvbbmy7se3f7XWQIP87qFz5+een
T4cqVWrWLF/+Xx/nm28+/LB168J69+4ffPBf7Spx+vTRoxcuwJkzGzeOHFnYHh3dufPUqWAy
FSsWH1/Ynpz80UevvFJYL1JkxIilSx/e/iD/rJ/Pd/v2vXuQnv799+++W9g+ePDRozduQKVK
CQlW6x/HTUu7f99ggBMn7t37K/94+P35+VlZ0Lp1/fqhoX88fvZsSorbDXPn1qxZosSfH/dh
HDp06NChQ48h4qypnh+9/cHwrbGp5QhobbSP9I4glzV+a6gO8hKTYk4ENUQfrn0PLPGs908E
x2eO/bZdYPzc8oWhN4ibpbqiCcQnhIvCs6C15UX1B5Ci5QzD65Calz0nJR+uv3F9waEtULxN
XJe4JpD5ubu2exA4naaJppeg2MoyCysWBX8R91u44dbM+y+7BkOCO7yv/SZYj9jLGrJBr6UN
ZihwXG+unwdxkrBQ9IOwROwkfw56Uf1zbSpo/fnBmwVUVNepw0FaLJ6wjAT9iDjIeA/kOY51
kVGg+dV2gVDQOximqytBWWip6mwOclvLndj3wRwWWd88B+gZk1i6LzDF0SZmCljuSWY5GiIW
V5/tPQJvnK7x3rnv4Ndley6c+AnWzd1fRv0K7r1mOh2aBMqhvE7p+yD7QGbl+++DN8+90bIY
wreF3YyoD2GnQ8vabWBpEXnLkg/6M/oSdQDoGxSvfzX4q/jGmbaDa5ilnuE0mM7LsdIgyLyY
/aX3e/A+q+wOvAvyeeP4wDHIWeLtkz0ErG3MeyyTwB5pWWe7B6bDlna+liCvMYzTtoDrTl6I
exaEFYuYFZYE+bX9Rt8RyFmR3zGnNwiHpRHiJjB+bphoeBkuj7nZ8FoO2F6zHjK0g9AtYY2M
fogaVexikfUQOT0kMrwphN8O8zk6gWmmyRmqg6Gcbbt9HAQMgRXSMHCNz/3J9yTkr/NdDDwP
ktmaYxgL4cdirsZKYNlhPeQwgfJK3kXvPsjIvnP71lDIWHO3yoX1EIjXG+fNB+1j/R3hfchP
clfVvgFnd1XOqwGBbK2IthT81dTv9BGgbNM76E+Aul/pq24Gf/XAm4FI0MdrW9VpoJ9U+wae
ATUQaOJ7/9En6sMoELYFQrdAQBcIrFu3bt26devh5xekYhQsEiwYJ/hGwf9MCrad2/XNrm92
fQP96Ec/gBnMYEbhdm1vZr6Z+Wbm3+1tkCD/u9C03yLD+flZWfn5YDJZrf9on+O/it//j3OG
fT632+crtPsggcBvb87T9bw8pxNE8R8v8vurKRwP66dpHo/XC4ryj98M6PP95md2ttutKBAa
arHIv1OfpUpFRXk8v+0PHRICFy5kZgoC/Nfxcnj66RIl4uN/i2S73YXtubkej6IU2n3cPLJw
Vqa48vWfwFAv7BsxDtSl/o1qTfDN1r8ILANjQ1MTYkBuLTc0JILnUOArXzMQzwtLtLlgWGbu
bHgH7o+5f/vmOlC2K7/6vwcT0ld6T3ActQ0NPwj5T+V0y/OB/VXztYgxYCptXm8fCFHh9s3m
CHCudhY5o8GVFSntcr+ExAqRM6PSwLbD8pJaH1K+TdvrLwPFGoUXMZ0Ctangowgoo5WSgcMg
TBbbio2AoiwUwkDYzn15Jeg20Z09DoTa1BCrApGKU30WlLtOV85TYGhsb1qkNaiVhXvqJZCd
jutxNcBw1h4WVxm0Z5UjzmxQ23gP5lcAYz1zveifQd1hWG17FtTPtJd1CTSr/LL5MNiqlz9W
/z14vmz5Pk/3gXKTylTb8DUs6PrDV4frwuWtVrnUSfBWdDXLWAWegfnXcmPBvyNt490h4Poi
b7N5PIR+6ciPioaQ5JAVpoNgu2x9xfwdhL4bMsGhQNT5qFpqGvjPeta4ngWDYkvMKweB3Upf
sTQoiV5N3wTyJyXzi3WEvD65b3k1MDUxvGGuBtJddU1IKrgN7pr+BWDfb+kvlIL4HyMqRp8G
O4ZnE6ZA2gxjq5RXIGSX/YBtEkTtC1kVvRucnYq+7ekDhtnGa+wGR0q41dYPLNfMzrCvwNhQ
NtsHQ8CvbZeeAn/RgIkYyMlJ/9z7AgS+VnPYCtqvxi7m9mD5KnSk5V2wVw1fG/E8SMV8B3FB
bsObx9M3gKtd1v3k3qCcVRamfwS2LvYvtS/At0W5YlkA3rL+Pf5uYBctSdohkNYH5ruLgu9D
pYJeGvT6cgXyQbmt9VVDQX/KFMeHoPTVTfrToB3TNmkiCJcEg9EPiqiskB/hJ9c/S4HQLRDS
D24jV7CPawEFuczVqlWrVq3av9+/II+Hqq9WfbXqq7CUpSwFGMIQhjzqqEGCBHkcPPFEqVIR
EXDnTkpKRgbExSUkREU9PgFdQIFgvn//NzsFdh+kYsXixSMi4PTpW7cyM0EUQ0NDQiAsbNCg
L774Y/+Htf+zfrru8Xg8oGm5uXl5UKVK8eKRkX88LzTUaJTl317N7fdDQsJvCRRhYRaLJEFW
lihKEhQvHhqalwd16yYm2mwgSYIg/hcr8W7d+s1ufr6uyzLk5Hg8qgopKbm5fn+h3cfNI6dq
3Gtw8d0bWyBy/RNTi42AQLqnk1oClEw1NjAKTL2NLQ3HQZcVl88GuSN3dz0UAnmz9a/kqlDk
8nNVn2kD2Z4cz7364FuuDFNGgynb+I1YDc6+cTnh1xTIvaS+lv8ylCkVvbxUV0hQI9dUzIXT
--------------090401030602080606020905--

--------------090800080708010109030102--

From jmandel@gmail.com  Tue Aug 20 09:36:43 2013
MIME-Version: 1.0
In-Reply-To: <FA7448BF-1DD3-4045-8C9C-47BDC8174F6A@oracle.com>
References: <DD8AFCA4-6F49-40F1-A65E-C1DDE45A9B32@gmx.net> <76E10B6F-F28D-456D-84EA-65FF25AEB744@oracle.com> <1373E8CE237FCC43BCA36C6558612D2AA26F2C@USCHMBX001.nsn-intra.net> <0EA89B9E-8907-441D-88E0-96E100BC123C@oracle.com> <CANSMLKE_xTwbTMhuRg1ZDHRs2bHbKnK7ejar63kzbANQdNJxog@mail.gmail.com> <FA7448BF-1DD3-4045-8C9C-47BDC8174F6A@oracle.com>
From: Josh Mandel <jmandel@gmail.com>
Date: Tue, 20 Aug 2013 09:36:26 -0700
Message-ID: <CANSMLKGZz5KR_uwFm_=PJinV0fY62Y75Wf7ynEKWyM7yrVSf3w@mail.gmail.com>
To: Phil Hunt <phil.hunt@oracle.com>
Content-Type: multipart/alternative; boundary=e89a8ffbab6b5c32e704e463a99e
Cc: oauth mailing list <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Dynamic Client Registration Conference Call: Thu 22 Aug, 2pm PDT

--e89a8ffbab6b5c32e704e463a99e
Content-Type: text/plain; charset=ISO-8859-1

Hi Phil,

Using dyn-reg-14 vocabulary: the BB+ `registration_jwt` is an "initial
access token" that's used to perform a "Protected Registration" (see
B.2 <http://tools.ietf.org/html/draft-ietf-oauth-dyn-reg-14#appendix-B.2> of
dyn-reg-14).

Does this make sense?  (Happy to provide more detail if it would help.)

  -J




On Tue, Aug 20, 2013 at 9:04 AM, Phil Hunt <phil.hunt@oracle.com> wrote:

> Josh,
>
> I think BlueButton is an important example of use.
>
> Tell us more about registration_jwt (which is not part of dyn reg).
>
>   Phil
>
> @independentid
> www.independentid.com
> phil.hunt@oracle.com
>
>
>
>
>
>
>
> On 2013-08-20, at 8:30 AM, Josh Mandel <jmandel@gmail.com> wrote:
>
> The group may be interested in bits of the following classification that
> we put together for BlueButton+:
>  http://blue-button.github.io/blue-button-plus-pull/#client-types
>
> Here, we classified apps according to
> 1.  whether they can protect a `client_secret` and
> 2.  whether they can protect a `registration_jwt` (issued by a third party
> and presented by the client to the registration endpoint at registration
> time)
>
> We used this classification with the current dyn-reg draft, in order to
> give implementers a concrete idea about how policy might vary according to
> client type. Part of why this works nicely for BB+ is that we actually get
> to control (well, specify!) policy within the BB+ network.
>
>   -Josh
>
>
> On Tue, Aug 20, 2013 at 8:12 AM, Phil Hunt <phil.hunt@oracle.com> wrote:
>
>> By taxonomy I mean the distinct types of clients and associations.
>>
>> Eg
>> - javascript
>> - native app
>> - web app
>> - apps that associate to one endpoint vs those that register with multiple
>> based on events
>> - perm vs temporary associations
>>
>> There are probably more.
>>
>> As Torsten mentions one of the most important factors is first how the
>> server recognizes the client that is registering. It needs to do this to
>> set or associate policy.
>>
>> What does a service provider gain if it has no information about clients?
>> The downside of issuing random client_ids is little or no policy based
>> access control and resource depletion.
>>
>> So we have to ask ourselves in each case why register? What is achieved
>> for each side? Client id is a major factor but it is not THE factor.
>>
>> Phil
>>
>> On 2013-08-20, at 7:51, ", Hannes (NSN - FI/Espoo)" <
>> hannes.tschofenig@nsn.com> wrote:
>>
>> > Hi Phil,
>> >
>> >
>> >> I think we should start by reviewing use cases taxonomy.
>> >
>> >
>> > What do you mean by "use cases taxonomy"? What exactly would we discuss
>> under that item?
>> >
>> >>
>> >> Then a discussion on any client_id assumptions and actual requirements
>> >> for each client case. Why is registration needed for each case?
>> >
>> > I guess you are bringing the use case to the table where there is no
>> client id needed (?) or where the client id is provided by yet another
>> party (other than the one running the AS).
>> >
>> >>
>> >> The statement can solve some complication but should be put in context
>> >> of use cases.
>> >
>> > Ciao
>> > Hannes
>> >
>> >> Phil
>> >>
>> >> On 2013-08-18, at 15:01, Hannes Tschofenig <hannes.tschofenig@gmx.net>
>> >> wrote:
>> >>
>> >>> Based on your feedback via the poll let us start with August 22nd
>> >> with the first conference call. I will distribute the conference call
>> >> details on Tuesday.
>> >>>
>> >>> Let us talk about the agenda. There were several items brought up in
>> >> discussions, namely
>> >>>
>> >>> * Software assertions / software statements
>> >>>
>> >>> We briefly discussed this topic at the IETF OAuth session but we may
>> >> need more time to understand the implications for the current dynamic
>> >> client registration document:
>> >>> http://www.ietf.org/proceedings/87/slides/slides-87-oauth-2.pptx
>> >>>
>> >>> * SCIM vs. current dynamic client registration approach for
>> >> interacting with the client configuration endpoint
>> >>>
>> >>> In the past we said that it would be fine to have a profile defined
>> >> in SCIM to provide the dynamic client registration for those who
>> >> implement SCIM and want to manage clients also using SCIM. It might,
>> >> however, be useful to compare the two approaches in detail to see what
>> >> the differences are.
>> >>>
>> >>> * Interactions with the client registration endpoint
>> >>>
>> >>> Justin added some "life cycle" description to the document to
>> >> motivate some of the design decisions. Maybe we need to discuss those
>> >> in more detail and add further text.
>> >>> Additional text could come from the NIST Blue Button / Green Button
>> >> usage.
>> >>>
>> >>> * Aspects that allow servers to store less / no state
>> >>>
>> >>> - - From the discussions on the list it was not clear whether this is
>> >> actually accomplishable with the current version of OAuth. We could
>> >> explore this new requirement and try to get a better understanding how
>> >> much this relates to dynamic client registration and to what extent it
>> >> requires changes to the core spec.
>> >>>
>> >>>
>> >>> What would you like to start with? Other topics you would like to
>> >> bring up?
>> >>> _______________________________________________
>> >>> OAuth mailing list
>> >>> OAuth@ietf.org
>> >>> https://www.ietf.org/mailman/listinfo/oauth
>>
>
>
>

--e89a8ffbab6b5c32e704e463a99e--
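
The flow described in the message above (a third-party-issued `registration_jwt` presented as the dyn-reg "initial access token" for a Protected Registration, with policy varying by client type), as an added example that is not BB+ or dyn-reg code. The registry URL, key, claim set, Bearer presentation and policy values are constructed assumptions, and HS256 with a shared key stands in for the registry's real signature scheme only so the example runs on the Python standard library.

```python
import base64
import hashlib
import hmac
import json
import time

# Assumption: registries this provider has vetted, with their verification keys.
# The URL and key are constructed sample values.
TRUSTED_REGISTRIES = {"https://registry.example": b"constructed-demo-key"}


class RegistrationError(Exception):
    """The registration request must be refused."""


def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_demo_jwt(claims, key, alg="HS256"):
    """Build a constructed sample token; only used to produce test input."""
    head = b64url_encode(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    body = b64url_encode(json.dumps(claims).encode())
    mac = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{b64url_encode(mac if alg == 'HS256' else b'')}"


def validate_initial_access_token(token, now=None):
    """Check a registration JWT against the vetted registries; return its claims."""
    now = time.time() if now is None else now
    try:
        head_b64, body_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(head_b64))
        claims = json.loads(b64url_decode(body_b64))
        signature = b64url_decode(sig_b64)
    except ValueError as exc:
        raise RegistrationError("malformed token") from exc
    if not isinstance(header, dict) or not isinstance(claims, dict):
        raise RegistrationError("malformed token")
    # Pin the algorithm: never let the token choose "none" or another scheme.
    if header.get("alg") != "HS256":
        raise RegistrationError("unexpected alg")
    issuer = claims.get("iss")
    key = TRUSTED_REGISTRIES.get(issuer) if isinstance(issuer, str) else None
    if key is None:
        raise RegistrationError("issuer is not a vetted registry")
    expected = hmac.new(key, f"{head_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        raise RegistrationError("bad signature")
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        raise RegistrationError("token expired or missing exp")
    return claims


def register_client(metadata, authorization=None, now=None):
    """Decide registration mode and an illustrative policy for one request."""
    if authorization is None:
        mode, vouched_by = "open", None
    else:
        scheme, _, token = authorization.partition(" ")
        if scheme.lower() != "bearer" or not token.strip():
            raise RegistrationError("unsupported Authorization header")
        # A bad token is refused outright, never downgraded to open registration.
        claims = validate_initial_access_token(token.strip(), now)
        mode, vouched_by = "protected", claims["iss"]
    # dyn-reg metadata: "none" means the client cannot keep a client_secret.
    keeps_secret = metadata.get("token_endpoint_auth_method", "client_secret_basic") != "none"
    return {
        "registration": mode,
        "vouched_by": vouched_by,
        "issue_client_secret": keeps_secret,
        # Hypothetical policy: long-lived grants only for vouched clients that
        # can also authenticate themselves at the token endpoint.
        "allow_refresh_tokens": mode == "protected" and keeps_secret,
    }
```
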

From jricher@mitre.org  Tue Aug 20 09:37:19 2013
Message-ID: <52139A23.5060902@mitre.org>
Date: Tue, 20 Aug 2013 12:32:35 -0400
From: Justin Richer <jricher@mitre.org>
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:17.0) Gecko/20130623 Thunderbird/17.0.7
MIME-Version: 1.0
To: Phil Hunt <phil.hunt@oracle.com>
References: <DD8AFCA4-6F49-40F1-A65E-C1DDE45A9B32@gmx.net> <76E10B6F-F28D-456D-84EA-65FF25AEB744@oracle.com> <1373E8CE237FCC43BCA36C6558612D2AA26F2C@USCHMBX001.nsn-intra.net> <0EA89B9E-8907-441D-88E0-96E100BC123C@oracle.com> <CANSMLKE_xTwbTMhuRg1ZDHRs2bHbKnK7ejar63kzbANQdNJxog@mail.gmail.com> <FA7448BF-1DD3-4045-8C9C-47BDC8174F6A@oracle.com>
In-Reply-To: <FA7448BF-1DD3-4045-8C9C-47BDC8174F6A@oracle.com>
Content-Type: multipart/alternative; boundary="------------010403080808060801060207"
Cc: oauth mailing list <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Dynamic Client Registration Conference Call: Thu 22 Aug, 2pm PDT

--------------010403080808060801060207
Content-Type: text/plain; charset="ISO-8859-1"; format=flowed
Content-Transfer-Encoding: 7bit

The registration_jwt captures many of the same things that the proposed 
"software statement" does, and it's presented as an initial access 
token. The Provider then parses this token and uses the BB+ Discovery 
system to validate the token against the Registry that issued it. This 
is what we talked about at IIW this year (and what I had suggested to 
Morteza for his use case), and it's all detailed on the same page that 
Josh linked:

http://blue-button.github.io/blue-button-plus-pull/#registration-trusted

When designing the BB+ registration system (which directly influenced 
the OAuth DynReg current draft, as I've said many times), we were 
careful about where we drew the lines dividing the two systems. You'll 
note that the BB+ "Open Registration" is exactly the OAuth DynReg 
registration, and that the "Trusted Registration" builds directly on top 
of that, but requires an assertion format (JWT), a discovery system, a 
manual pre-registration step, and a policy that vets a network of 
Registries to manage everything. We decided fairly early on that there 
was too much baggage to bring the full BB+ Trusted Registration over to 
a general use case, but I've continually pointed out its existence and 
asked you (Phil) to read it when you've brought up the software assertions.

  -- Justin

On 08/20/2013 12:04 PM, Phil Hunt wrote:
> Josh,
>
> I think BlueButton is an important example of use.
>
> Tell us more about registration_jwt (which is not part of dyn reg).
>
> Phil
>
> @independentid
> www.independentid.com <http://www.independentid.com>
> phil.hunt@oracle.com <mailto:phil.hunt@oracle.com>
>
>
>
>
>
>
>
> On 2013-08-20, at 8:30 AM, Josh Mandel <jmandel@gmail.com 
> <mailto:jmandel@gmail.com>> wrote:
>
>> The group may be interested in bits of the following classification 
>> that we put together for BlueButton+:
>> http://blue-button.github.io/blue-button-plus-pull/#client-types
>>
>> Here, we classified apps according to
>> 1.  whether they can protect a `client_secret` and
>> 2.  whether they can protect a `registration_jwt` (issued by a third 
>> party and presented by the client to the registration endpoint at 
>> registration time)
>>
>> We used this classification with the current dyn-reg draft, in order 
>> to give implementers a concrete idea about how policy might vary 
>> according to client type. Part of why this works nicely for BB+ is 
>> that we actually get to control (well, specify!) policy within the 
>> BB+ network.
>>
>> -Josh
>>
>>
>> On Tue, Aug 20, 2013 at 8:12 AM, Phil Hunt <phil.hunt@oracle.com 
>> <mailto:phil.hunt@oracle.com>> wrote:
>>
>>     By taxonomy I mean the distinct types of clients and associations.
>>
>>     Eg
>>     - javascript
>>     - native app
>>     - web app
>>     - apps that associate to one endpoint vs those that register with
>>     multiple based on events
>>     - perm vs temporary associations
>>
>>     There are probably more.
>>
>>     As Torsten mentions one of the most important factors is first
>>     how the server recognizes the client that is registering. It
>>     needs to do this to set or associate policy.
>>
>>     What does a service provider gain if it has no information about
>>     clients? The downside of issuing random client_ids is little or
>>     no policy based access control and resource depletion.
>>
>>     So we have to ask ourselves in each case why register? What is
>>     achieved for each side? Client id is a major factor but it is not
>>     THE factor.
>>
>>     Phil
>>
>>     On 2013-08-20, at 7:51, ", Hannes (NSN - FI/Espoo)"
>>     <hannes.tschofenig@nsn.com <mailto:hannes.tschofenig@nsn.com>> wrote:
>>
>>     > Hi Phil,
>>     >
>>     >
>>     >> I think we should start by reviewing use cases taxonomy.
>>     >
>>     >
>>     > What do you mean by "use cases taxonomy"? What exactly would we
>>     discuss under that item?
>>     >
>>     >>
>>     >> Then a discussion on any client_id assumptions and actual
>>     requirements
>>     >> for each client case. Why is registration needed for each case?
>>     >
>>     > I guess you are bringing the use case to the table where there
>>     is no client id needed (?) or where the client id is provided by
>>     yet another party (other than the one running the AS).
>>     >
>>     >>
>>     >> The statement can solve some complication but should be put in
>>     context
>>     >> of use cases.
>>     >
>>     > Ciao
>>     > Hannes
>>     >
>>     >> Phil
>>     >>
>>     >> On 2013-08-18, at 15:01, Hannes Tschofenig
>>     <hannes.tschofenig@gmx.net <mailto:hannes.tschofenig@gmx.net>>
>>     >> wrote:
>>     >>
>>     >>> -----BEGIN PGP SIGNED MESSAGE-----
>>     >>> Hash: SHA512
>>     >>>
>>     >>> - -----BEGIN PGP SIGNED MESSAGE-----
>>     >>> Hash: SHA512
>>     >>>
>>     >>> Based on your feedback via the poll let us start with August 22nd
>>     >> with the first conference call. I will distribute the
>>     conference call
>>     >> details on Tuesday.
>>     >>>
>>     >>> Let us talk about the agenda. There were several items
>>     brought up in
>>     >> discussions, namely
>>     >>>
>>     >>> * Software assertions / software statements
>>     >>>
>>     >>> We briefly discussed this topic at the IETF OAuth session but
>>     we may
>>     >> need more time to understand the implications for the current
>>     dynamic
>>     >> client registration document:
>>     >>> http://www.ietf.org/proceedings/87/slides/slides-87-oauth-2.pptx
>>     >>>
>>     >>> * SCIM vs. current dynamic client registration approach for
>>     >> interacting with the client configuration endpoint
>>     >>>
>>     >>> In the past we said that it would be fine to have a profile
>>     defined
>>     >> in SCIM to provide the dynamic client registration for those who
>>     >> implement SCIM and want to manage clients also using SCIM. It
>>     might,
>>     >> however, be useful to compare the two approaches in detail to
>>     see what
>>     >> the differences are.
>>     >>>
>>     >>> * Interactions with the client registration endpoint
>>     >>>
>>     >>> Justin added some "life cycle" description to the document to
>>     >> motivate some of the design decisions. Maybe we need to
>>     discuss those
>>     >> in more detail and add further text.
>>     >>> Additional text could come from the NIST Blue Button / Green
>>     Button
>>     >> usage.
>>     >>>
>>     >>> * Aspects that allow servers to store less / no state
>>     >>>
>>     >>> From the discussions on the list it was not clear whether
>>     this is
>>     >> actually accomplishable with the current version of OAuth. We
>>     could
>>     >> explore this new requirement and try to get a better
>>     understanding how
>>     >> much this relates to dynamic client registration and to what
>>     extent it
>>     >> requires changes to the core spec.
>>     >>>
>>     >>>
>>     >>> What would you like to start with? Other topics you would like to
>>     >> bring up?
>>     >>> - -----BEGIN PGP SIGNATURE-----
>>     >>> Version: GnuPG/MacGPG2 v2.0.19 (Darwin)
>>     >>> Comment: GPGTools - http://gpgtools.org <http://gpgtools.org/>
>>     >>>
>>     >>> - -----END PGP SIGNATURE-----
>>     >>> -----BEGIN PGP SIGNATURE-----
>>     >>> Version: GnuPG/MacGPG2 v2.0.19 (Darwin)
>>     >>> Comment: GPGTools - http://gpgtools.org <http://gpgtools.org/>
>>     >>>
>>     >>> -----END PGP SIGNATURE-----
>>     >>> _______________________________________________
>>     >>> OAuth mailing list
>>     >>> OAuth@ietf.org <mailto:OAuth@ietf.org>
>>     >>> https://www.ietf.org/mailman/listinfo/oauth
>>
>>
>
>
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth


--------------010403080808060801060207--
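
The trusted-registration check described in the message above (the Provider parses the registration_jwt presented as an initial access token and validates it against the Registry that issued it), as an added example that is not part of the thread, the BB+ specification or the DynReg draft. The claim names (`iss`, `sub`, `exp`), the RS256 algorithm, the example URLs, the in-memory registry table standing in for discovery, and the choice to refuse an invalid token instead of falling back to open registration are all assumptions.

```javascript
// Added example (not BB+ or draft code): Provider-side handling of a
// registration_jwt sent as the initial access token. Claim names (iss, sub,
// exp), URLs and the registry table are assumptions for illustration.
const crypto = require("node:crypto");

const b64url = (data) => Buffer.from(data).toString("base64url");
const fromB64url = (text) => Buffer.from(text, "base64url");

// Constructed key pair for a hypothetical Registry. A real Provider holds
// only the public key, learned through the discovery system.
const registryKeys = crypto.generateKeyPairSync("rsa", { modulusLength: 2048 });

// Stand-in for discovery: the vetted Registries and their public keys.
const TRUSTED_REGISTRIES = new Map([
  ["https://registry.example", registryKeys.publicKey],
]);

// Registry side, used here only to build constructed sample tokens.
function signJwt(claims, privateKey, header = { alg: "RS256", typ: "JWT" }) {
  const input = `${b64url(JSON.stringify(header))}.${b64url(JSON.stringify(claims))}`;
  const signature = crypto.sign("sha256", Buffer.from(input), privateKey);
  return `${input}.${b64url(signature)}`;
}

// Decode one JWT segment; anything that is not a JSON object is rejected.
function parseSegment(segment) {
  try {
    const value = JSON.parse(fromB64url(segment).toString("utf8"));
    return value !== null && typeof value === "object" ? value : null;
  } catch {
    return null;
  }
}

// Provider side: validate the token against the Registry that issued it.
function validateRegistrationJwt(token, nowSeconds) {
  const parts = token.split(".");
  if (parts.length !== 3) return { ok: false, reason: "malformed" };
  const header = parseSegment(parts[0]);
  const claims = parseSegment(parts[1]);
  if (!header || !claims) return { ok: false, reason: "malformed" };
  // Pin the algorithm so the token cannot select "none" or a MAC.
  if (header.alg !== "RS256") return { ok: false, reason: "bad_alg" };
  // The key comes from the Provider's own registry table, never the token.
  const registryKey = TRUSTED_REGISTRIES.get(claims.iss);
  if (!registryKey) return { ok: false, reason: "unknown_registry" };
  let verified = false;
  try {
    verified = crypto.verify("sha256", Buffer.from(`${parts[0]}.${parts[1]}`),
      registryKey, fromB64url(parts[2]));
  } catch {
    verified = false;
  }
  if (!verified) return { ok: false, reason: "bad_signature" };
  if (typeof claims.exp !== "number" || claims.exp <= nowSeconds) {
    return { ok: false, reason: "expired" };
  }
  return { ok: true, registry: claims.iss, software: claims.sub };
}

// Registration endpoint policy: no token means open registration; a token
// that fails validation is refused rather than downgraded to open.
function registrationMode(authorizationHeader, nowSeconds) {
  if (!authorizationHeader) return { mode: "open" };
  const match = /^Bearer ([A-Za-z0-9._-]+)$/.exec(authorizationHeader);
  if (!match) return { mode: "rejected", reason: "malformed" };
  const result = validateRegistrationJwt(match[1], nowSeconds);
  if (!result.ok) return { mode: "rejected", reason: result.reason };
  return { mode: "trusted", registry: result.registry, software: result.software };
}
```
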

From tonynad@microsoft.com  Tue Aug 20 10:02:04 2013
Return-Path: <tonynad@microsoft.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 68C9221F93BA for <oauth@ietfa.amsl.com>; Tue, 20 Aug 2013 10:02:04 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.376
X-Spam-Level: 
X-Spam-Status: No, score=-3.376 tagged_above=-999 required=5 tests=[AWL=0.223,  BAYES_00=-2.599, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id dJ7Xb+4JgKHX for <oauth@ietfa.amsl.com>; Tue, 20 Aug 2013 10:01:58 -0700 (PDT)
Received: from na01-bl2-obe.outbound.protection.outlook.com (mail-bl2lp0207.outbound.protection.outlook.com [207.46.163.207]) by ietfa.amsl.com (Postfix) with ESMTP id 9854711E823B for <oauth@ietf.org>; Tue, 20 Aug 2013 10:01:52 -0700 (PDT)
Received: from BY2PR03MB189.namprd03.prod.outlook.com (10.242.36.140) by BY2PR03MB189.namprd03.prod.outlook.com (10.242.36.140) with Microsoft SMTP Server (TLS) id 15.0.745.25; Tue, 20 Aug 2013 17:01:42 +0000
Received: from BY2PR03MB189.namprd03.prod.outlook.com ([169.254.6.82]) by BY2PR03MB189.namprd03.prod.outlook.com ([169.254.6.157]) with mapi id 15.00.0745.000; Tue, 20 Aug 2013 17:01:42 +0000
From: Anthony Nadalin <tonynad@microsoft.com>
To: oauth mailing list <oauth@ietf.org>
Thread-Topic: Dynamic Client Registration Requirements
Thread-Index: Ac6dtsFpKFcW5YVXRR6Mixl/Rfo9ZQ==
Date: Tue, 20 Aug 2013 17:01:42 +0000
Message-ID: <e1eb7a02625c46faa473c0e835637fb1@BY2PR03MB189.namprd03.prod.outlook.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
x-originating-ip: [2001:4898:80e8:ed31::5]
x-forefront-prvs: 09443CAA7E
x-forefront-antispam-report: SFV:NSPM; SFS:(199002)(189002)(53806001)(54356001)(74876001)(54316002)(74706001)(561944002)(81542001)(4396001)(74316001)(69226001)(56816003)(47446002)(81686001)(81342001)(31966008)(74662001)(81816001)(80976001)(74502001)(56776001)(76482001)(65816001)(77096001)(77982001)(59766001)(74366001)(51856001)(50986001)(63696002)(76176001)(46102001)(47736001)(47976001)(49866001)(83072001)(80022001)(79102001)(76796001)(33646001)(76786001)(76576001)(83322001)(42262001)(3826001)(24736002); DIR:OUT; SFP:; SCL:1; SRVR:BY2PR03MB189; H:BY2PR03MB189.namprd03.prod.outlook.com; CLIP:2001:4898:80e8:ed31::5; RD:InfoNoRecords; A:1; MX:1; LANG:en; 
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-OriginatorOrg: DuplicateDomain-a84fc36a-4ed7-4e57-ab1c-3e967bcbad48.microsoft.com
X-MS-Exchange-CrossPremises-AuthAs: Internal
X-MS-Exchange-CrossPremises-AuthMechanism: 03
X-MS-Exchange-CrossPremises-AuthSource: BY2PR03MB189.namprd03.prod.outlook.com
X-MS-Exchange-CrossPremises-SCL: 1
X-MS-Exchange-CrossPremises-messagesource: StoreDriver
X-MS-Exchange-CrossPremises-BCC: 
X-MS-Exchange-CrossPremises-originalclientipaddress: 2001:4898:80e8:ed31::5
X-MS-Exchange-CrossPremises-avstamp-service: 1.0
X-MS-Exchange-CrossPremises-antispam-scancontext: DIR:Originating; SFV:NSPM; SKIP:0; 
X-MS-Exchange-CrossPremises-processed-by-journaling: Journal Agent
X-MS-Exchange-CrossPremises-ContentConversionOptions: False; 00160000; True; ; iso-8859-1
X-OrganizationHeadersPreserved: BY2PR03MB189.namprd03.prod.outlook.com
Subject: [OAUTH-WG] Dynamic Client Registration Requirements
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 20 Aug 2013 17:02:04 -0000

Here are some of our requirements for Dynamic Client Registration as we
work through the various proposals:

1. Stateless server
2. Code flow support
3. Implicit flow support
4. Multi-tenant support (single endpoint, multiple services)
5. internationalization
6. simple provisioning schema with schema extensibility
7. self-assertion

From hannes.tschofenig@nsn.com  Tue Aug 20 12:41:57 2013
Return-Path: <hannes.tschofenig@nsn.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E046C11E827E for <oauth@ietfa.amsl.com>; Tue, 20 Aug 2013 12:41:57 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -106.397
X-Spam-Level: 
X-Spam-Status: No, score=-106.397 tagged_above=-999 required=5 tests=[AWL=0.201, BAYES_00=-2.599, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-4, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id n6JNmFBIlpJC for <oauth@ietfa.amsl.com>; Tue, 20 Aug 2013 12:41:54 -0700 (PDT)
Received: from demumfd001.nsn-inter.net (demumfd001.nsn-inter.net [93.183.12.32]) by ietfa.amsl.com (Postfix) with ESMTP id 4740311E812B for <oauth@ietf.org>; Tue, 20 Aug 2013 12:41:52 -0700 (PDT)
Received: from demuprx017.emea.nsn-intra.net ([10.150.129.56]) by demumfd001.nsn-inter.net (8.12.11.20060308/8.12.11) with ESMTP id r7KJfoXK004417 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK); Tue, 20 Aug 2013 21:41:50 +0200
Received: from USCHHTC002.nsn-intra.net ([10.159.161.15]) by demuprx017.emea.nsn-intra.net (8.12.11.20060308/8.12.11) with ESMTP id r7KJfIX5019120 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=FAIL); Tue, 20 Aug 2013 21:41:49 +0200
Received: from USCHMBX001.nsn-intra.net ([169.254.1.221]) by USCHHTC002.nsn-intra.net ([10.159.161.15]) with mapi id 14.03.0123.003; Tue, 20 Aug 2013 14:40:31 -0500
From: "Tschofenig, Hannes (NSN - FI/Espoo)" <hannes.tschofenig@nsn.com>
To: ext Josh Mandel <jmandel@gmail.com>, Phil Hunt <phil.hunt@oracle.com>
Thread-Topic: [OAUTH-WG] Dynamic Client Registration Conference Call: Thu 22 Aug, 2pm PDT
Thread-Index: AQHOnbfCC3hAADCVk0ux4q+M224n6ZmejLkAgAAJqYCAAAjTAP//3tRg
Date: Tue, 20 Aug 2013 19:40:31 +0000
Message-ID: <1373E8CE237FCC43BCA36C6558612D2AA270DD@USCHMBX001.nsn-intra.net>
References: <DD8AFCA4-6F49-40F1-A65E-C1DDE45A9B32@gmx.net> <76E10B6F-F28D-456D-84EA-65FF25AEB744@oracle.com> <1373E8CE237FCC43BCA36C6558612D2AA26F2C@USCHMBX001.nsn-intra.net> <0EA89B9E-8907-441D-88E0-96E100BC123C@oracle.com> <CANSMLKE_xTwbTMhuRg1ZDHRs2bHbKnK7ejar63kzbANQdNJxog@mail.gmail.com> <FA7448BF-1DD3-4045-8C9C-47BDC8174F6A@oracle.com> <CANSMLKGZz5KR_uwFm_=PJinV0fY62Y75Wf7ynEKWyM7yrVSf3w@mail.gmail.com>
In-Reply-To: <CANSMLKGZz5KR_uwFm_=PJinV0fY62Y75Wf7ynEKWyM7yrVSf3w@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
x-originating-ip: [10.159.161.118]
Content-Type: multipart/alternative; boundary="_000_1373E8CE237FCC43BCA36C6558612D2AA270DDUSCHMBX001nsnintr_"
MIME-Version: 1.0
X-purgate-type: clean
X-purgate-Ad: Categorized by eleven eXpurgate (R) http://www.eleven.de
X-purgate: clean
X-purgate: This mail is considered clean (visit http://www.eleven.de for further information)
X-purgate-size: 26928
X-purgate-ID: 151667::1377027710-00003561-7B0CF2BC/0-0/0-0
Cc: oauth mailing list <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Dynamic Client Registration Conference Call: Thu 22 Aug, 2pm PDT
X-List-Received-Date: Tue, 20 Aug 2013 19:41:58 -0000

--_000_1373E8CE237FCC43BCA36C6558612D2AA270DDUSCHMBX001nsnintr_
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable

Josh, Phil

Just saying BlueButton is not enough. You need to be a bit more specific since (a) not everyone is familiar with the details of the BlueButton project and (b) we are only interested in a small subset of the work (namely the dynamic client registration parts) and there only a small part of it.

It would be interesting to hear what specifically BlueButton (in terms of use cases) contributes.

Ciao
Hannes

From: ext Josh Mandel [mailto:jmandel@gmail.com]
Sent: Tuesday, August 20, 2013 6:36 PM
To: Phil Hunt
Cc: Tschofenig, Hannes (NSN - FI/Espoo); oauth mailing list
Subject: Re: [OAUTH-WG] Dynamic Client Registration Conference Call: Thu 22 Aug, 2pm PDT

Hi Phil,

Using dyn-reg-14 vocabulary: the BB+ `registration_jwt` is an "initial access token" that's used to perform a "Protected Registration" (see B.2 <http://tools.ietf.org/html/draft-ietf-oauth-dyn-reg-14#appendix-B.2> of dyn-reg-14).

Does this make sense?  (Happy to provide more detail if it would help.)

  -J



On Tue, Aug 20, 2013 at 9:04 AM, Phil Hunt <phil.hunt@oracle.com> wrote:
Josh,

I think BlueButton is an important example of use.

Tell us more about registration_jwt (which is not part of dyn reg).

Phil

@independentid
www.independentid.com
phil.hunt@oracle.com

On 2013-08-20, at 8:30 AM, Josh Mandel <jmandel@gmail.com> wrote:


The group may be interested in bits of the following classification that we put together for BlueButton+:
http://blue-button.github.io/blue-button-plus-pull/#client-types

Here, we classified apps according to
1.  whether they can protect a `client_secret` and
2.  whether they can protect a `registration_jwt` (issued by a third party and presented by the client to the registration endpoint at registration time)

We used this classification with the current dyn-reg draft, in order to give implementers a concrete idea about how policy might vary according to client type. Part of why this works nicely for BB+ is that we actually get to control (well, specify!) policy within the BB+ network.

  -Josh

On Tue, Aug 20, 2013 at 8:12 AM, Phil Hunt <phil.hunt@oracle.com> wrote:
By taxonomy I mean the distinct types of clients and associations.

Eg
- javascript
- native app
- web app
- apps that associate to one endpoint vs those that register with multiple based on events
- perm vs temporary associations

There are probably more.

As Torsten mentions one of the most important factors is first how the server recognizes the client that is registering. It needs to do this to set or associate policy.

What does a service provider gain if it has no information about clients? The downside of issuing random client_ids is little or no policy based access control and resource depletion.

So we have to ask ourselves in each case why register? What is achieved for each side? Client id is a major factor but it is not THE factor.

Phil

On 2013-08-20, at 7:51, ", Hannes (NSN - FI/Espoo)" <hannes.tschofenig@nsn.com> wrote:

> Hi Phil,
>
>
>> I think we should start by reviewing use cases taxonomy.
>
>
> What do you mean by "use cases taxonomy"? What exactly would we discuss under that item?
>
>>
>> Then a discussion on any client_id assumptions and actual requirements
>> for each client case. Why is registration needed for each case?
>
> I guess you are bringing the use case to the table where there is no client id needed (?) or where the client id is provided by yet another party (other than the one running the AS).
>
>>
>> The statement can solve some complication but should be put in context
>> of use cases.
>
> Ciao
> Hannes
>
>> Phil
>>
>> On 2013-08-18, at 15:01, Hannes Tschofenig <hannes.tschofenig@gmx.net> wrote:
>>
>>> Based on your feedback via the poll let us start with August 22nd
>>> with the first conference call. I will distribute the conference call
>>> details on Tuesday.
>>>
>>> Let us talk about the agenda. There were several items brought up in
>>> discussions, namely
>>>
>>> * Software assertions / software statements
>>>
>>> We briefly discussed this topic at the IETF OAuth session but we may
>>> need more time to understand the implications for the current dynamic
>>> client registration document:
>>> http://www.ietf.org/proceedings/87/slides/slides-87-oauth-2.pptx
>>>
>>> * SCIM vs. current dynamic client registration approach for
>>> interacting with the client configuration endpoint
>>>
>>> In the past we said that it would be fine to have a profile defined
>>> in SCIM to provide the dynamic client registration for those who
>>> implement SCIM and want to manage clients also using SCIM. It might,
>>> however, be useful to compare the two approaches in detail to see what
>>> the differences are.
>>>
>>> * Interactions with the client registration endpoint
>>>
>>> Justin added some "life cycle" description to the document to
>>> motivate some of the design decisions. Maybe we need to discuss those
>>> in more detail and add further text.
>>> Additional text could come from the NIST Blue Button / Green Button
>>> usage.
>>>
>>> * Aspects that allow servers to store less / no state
>>>
>>> From the discussions on the list it was not clear whether this is
>>> actually accomplishable with the current version of OAuth. We could
>>> explore this new requirement and try to get a better understanding how
>>> much this relates to dynamic client registration and to what extent it
>>> requires changes to the core spec.
>>>
>>>
>>> What would you like to start with? Other topics you would like to
>>> bring up?
>>> _______________________________________________
>>> OAuth mailing list
>>> OAuth@ietf.org
>>> https://www.ietf.org/mailman/listinfo/oauth




--_000_1373E8CE237FCC43BCA36C6558612D2AA270DDUSCHMBX001nsnintr_--

From hannes.tschofenig@nsn.com  Wed Aug 21 09:28:59 2013
Return-Path: <hannes.tschofenig@nsn.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7905F11E8255 for <oauth@ietfa.amsl.com>; Wed, 21 Aug 2013 09:28:59 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -106.465
X-Spam-Level: 
X-Spam-Status: No, score=-106.465 tagged_above=-999 required=5 tests=[AWL=0.135, BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 0NnLBOzUx6ZY for <oauth@ietfa.amsl.com>; Wed, 21 Aug 2013 09:28:54 -0700 (PDT)
Received: from demumfd002.nsn-inter.net (demumfd002.nsn-inter.net [93.183.12.31]) by ietfa.amsl.com (Postfix) with ESMTP id 288BB11E8110 for <oauth@ietf.org>; Wed, 21 Aug 2013 09:28:53 -0700 (PDT)
Received: from demuprx016.emea.nsn-intra.net ([10.150.129.55]) by demumfd002.nsn-inter.net (8.12.11.20060308/8.12.11) with ESMTP id r7LGSqJD025293 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK); Wed, 21 Aug 2013 18:28:52 +0200
Received: from USCHHTC002.nsn-intra.net ([10.159.161.15]) by demuprx016.emea.nsn-intra.net (8.12.11.20060308/8.12.11) with ESMTP id r7LGSIRm026492 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=FAIL); Wed, 21 Aug 2013 18:28:51 +0200
Received: from USCHHTC003.nsn-intra.net (10.159.161.16) by USCHHTC002.nsn-intra.net (10.159.161.15) with Microsoft SMTP Server (TLS) id 14.3.123.3; Wed, 21 Aug 2013 11:28:10 -0500
Received: from USCHMBX001.nsn-intra.net ([169.254.1.221]) by USCHHTC003.nsn-intra.net ([10.159.161.16]) with mapi id 14.03.0123.003; Wed, 21 Aug 2013 11:28:10 -0500
From: "Tschofenig, Hannes (NSN - FI/Espoo)" <hannes.tschofenig@nsn.com>
To: ext Anthony Nadalin <tonynad@microsoft.com>, oauth mailing list <oauth@ietf.org>
Thread-Topic: Dynamic Client Registration Requirements
Thread-Index: Ac6dtsFpKFcW5YVXRR6Mixl/Rfo9ZQA1DsLg
Date: Wed, 21 Aug 2013 16:28:10 +0000
Message-ID: <1373E8CE237FCC43BCA36C6558612D2AA272D0@USCHMBX001.nsn-intra.net>
References: <e1eb7a02625c46faa473c0e835637fb1@BY2PR03MB189.namprd03.prod.outlook.com>
In-Reply-To: <e1eb7a02625c46faa473c0e835637fb1@BY2PR03MB189.namprd03.prod.outlook.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
x-originating-ip: [10.159.161.111]
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-purgate-type: clean
X-purgate-Ad: Categorized by eleven eXpurgate (R) http://www.eleven.de
X-purgate: clean
X-purgate: This mail is considered clean (visit http://www.eleven.de for further information)
X-purgate-size: 712
X-purgate-ID: 151667::1377102532-0000471E-CD31C93D/0-0/0-0
Subject: Re: [OAUTH-WG] Dynamic Client Registration Requirements
X-List-Received-Date: Wed, 21 Aug 2013 16:28:59 -0000

Hi Tony,

Could you expand a little bit on those issues:

> 4. Multi-tenant  support (single endpoint, multiple services)

What does multiple services mean here in the context of dynamic client registration?

> 5. Internationalization

Where do you see internationalization play a role here?

> 6. simple provisioning schema with schema extensibility

I guess all of the schemas we use are extensible. Is there something in particular you worry about?

> 7. self-assertion

I guess this refers to the ability of the client to upload configuration that has not been verified by anyone, i.e., the client asserts this information by itself. Right?

Ciao
Hannes


From hannes.tschofenig@nsn.com  Wed Aug 21 09:31:10 2013
Return-Path: <hannes.tschofenig@nsn.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1FA9F21F9C4F for <oauth@ietfa.amsl.com>; Wed, 21 Aug 2013 09:31:10 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -106.498
X-Spam-Level: 
X-Spam-Status: No, score=-106.498 tagged_above=-999 required=5 tests=[AWL=0.101, BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 3BYJl+dBFMUZ for <oauth@ietfa.amsl.com>; Wed, 21 Aug 2013 09:31:06 -0700 (PDT)
Received: from demumfd001.nsn-inter.net (demumfd001.nsn-inter.net [93.183.12.32]) by ietfa.amsl.com (Postfix) with ESMTP id 2C86411E8110 for <oauth@ietf.org>; Wed, 21 Aug 2013 09:31:05 -0700 (PDT)
Received: from demuprx016.emea.nsn-intra.net ([10.150.129.55]) by demumfd001.nsn-inter.net (8.12.11.20060308/8.12.11) with ESMTP id r7LGV3gB014272 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK); Wed, 21 Aug 2013 18:31:03 +0200
Received: from USCHHTC002.nsn-intra.net ([10.159.161.15]) by demuprx016.emea.nsn-intra.net (8.12.11.20060308/8.12.11) with ESMTP id r7LGUMOW006415 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=FAIL); Wed, 21 Aug 2013 18:31:02 +0200
Received: from USCHHTC004.nsn-intra.net (10.159.161.17) by USCHHTC002.nsn-intra.net (10.159.161.15) with Microsoft SMTP Server (TLS) id 14.3.123.3; Wed, 21 Aug 2013 11:30:25 -0500
Received: from USCHMBX001.nsn-intra.net ([169.254.1.221]) by USCHHTC004.nsn-intra.net ([10.159.161.17]) with mapi id 14.03.0123.003; Wed, 21 Aug 2013 11:30:25 -0500
From: "Tschofenig, Hannes (NSN - FI/Espoo)" <hannes.tschofenig@nsn.com>
To: ext Sergey Beryozkin <sberyozkin@gmail.com>, "<oauth@ietf.org>" <oauth@ietf.org>
Thread-Topic: [OAUTH-WG] Audience parameter in authorization flow
Thread-Index: AQHOnDCajhaoawjKaEy8xBmc15ZZ85mf3quQ
Date: Wed, 21 Aug 2013 16:30:25 +0000
Message-ID: <1373E8CE237FCC43BCA36C6558612D2AA272E8@USCHMBX001.nsn-intra.net>
References: <5210F714.80305@gmail.com>
In-Reply-To: <5210F714.80305@gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
x-originating-ip: [10.159.161.111]
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-purgate-type: clean
X-purgate-Ad: Categorized by eleven eXpurgate (R) http://www.eleven.de
X-purgate: clean
X-purgate: This mail is considered clean (visit http://www.eleven.de for further information)
X-purgate-size: 1282
X-purgate-ID: 151667::1377102663-00003561-AC0A5A42/0-0/0-0
Subject: Re: [OAUTH-WG] Audience parameter in authorization flow
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 21 Aug 2013 16:31:10 -0000

Hi Sergey,

The idea of the audience was to provide a way for the client to indicate the resource server it wants to talk to explicitly rather than overloading the scope field. We certainly need that capability for the MAC token work.

The audience information is provided when the client interacts with the AS.

Ciao
Hannes


> -----Original Message-----
> From: oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] On Behalf
> Of ext Sergey Beryozkin
> Sent: Sunday, August 18, 2013 6:32 PM
> To: <oauth@ietf.org>
> Subject: [OAUTH-WG] Audience parameter in authorization flow
>
> Hi Hannes, All,
>
> Regarding [1], where would you expect an audience parameter be provided
> during the authorization flow ?
>
> It appears to me it should be provided during the initial redirect
> (similarly to a parameter like redirect_uri).
>
> Also, would it make sense to support pre-registered audience values,
> example, a client registers and specifies an audience during the
> registration ?
>
> Thanks, Sergey
>
> [1] http://tools.ietf.org/html/draft-tschofenig-oauth-audience-00
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth

From hannes.tschofenig@nsn.com  Wed Aug 21 09:35:03 2013
Return-Path: <hannes.tschofenig@nsn.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3AE6F11E8109 for <oauth@ietfa.amsl.com>; Wed, 21 Aug 2013 09:35:03 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -106.518
X-Spam-Level: 
X-Spam-Status: No, score=-106.518 tagged_above=-999 required=5 tests=[AWL=0.081, BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id NdFnIP-Yr37u for <oauth@ietfa.amsl.com>; Wed, 21 Aug 2013 09:34:59 -0700 (PDT)
Received: from demumfd002.nsn-inter.net (demumfd002.nsn-inter.net [93.183.12.31]) by ietfa.amsl.com (Postfix) with ESMTP id 4FB9611E80C5 for <oauth@ietf.org>; Wed, 21 Aug 2013 09:34:57 -0700 (PDT)
Received: from demuprx016.emea.nsn-intra.net ([10.150.129.55]) by demumfd002.nsn-inter.net (8.12.11.20060308/8.12.11) with ESMTP id r7LGYuda001247 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK) for <oauth@ietf.org>; Wed, 21 Aug 2013 18:34:56 +0200
Received: from USCHHTC001.nsn-intra.net ([10.159.161.14]) by demuprx016.emea.nsn-intra.net (8.12.11.20060308/8.12.11) with ESMTP id r7LGYXUq020798 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=FAIL) for <oauth@ietf.org>; Wed, 21 Aug 2013 18:34:55 +0200
Received: from USCHMBX001.nsn-intra.net ([169.254.1.221]) by USCHHTC001.nsn-intra.net ([10.159.161.14]) with mapi id 14.03.0123.003; Wed, 21 Aug 2013 11:34:45 -0500
From: "Tschofenig, Hannes (NSN - FI/Espoo)" <hannes.tschofenig@nsn.com>
To: oauth mailing list <oauth@ietf.org>
Thread-Topic: Dynamic Client Registration Conference Call: Thu 22 Aug, 2pm PDT: Conference Bridge Details
Thread-Index: Ac6ejFcQ+Feb5O6JSeals6OhKh3S8Q==
Date: Wed, 21 Aug 2013 16:34:44 +0000
Message-ID: <1373E8CE237FCC43BCA36C6558612D2AA272FE@USCHMBX001.nsn-intra.net>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
x-originating-ip: [10.159.161.111]
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-purgate-type: clean
X-purgate-Ad: Categorized by eleven eXpurgate (R) http://www.eleven.de
X-purgate: clean
X-purgate: This mail is considered clean (visit http://www.eleven.de for further information)
X-purgate-size: 1454
X-purgate-ID: 151667::1377102896-0000471E-28CB8D08/0-0/0-0
Subject: [OAUTH-WG] Dynamic Client Registration Conference Call: Thu 22 Aug, 2pm PDT: Conference Bridge Details
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 21 Aug 2013 16:35:03 -0000

Here is the conference bridge and Webex information.

From an agenda point of view I guess we should start at a basic level, namely with what we have already in the dynamic client registration document (and folks may have actually missed it). There are two use cases described in the WG document, namely
 - Use Case #1: Open Registration (Appendix B.1)
 - Use Case #2: Protected Registration (Appendix B.2)

Then, we could talk about some more sophisticated use cases where information for protected registration is provided by a third party.

--------------------

Meeting Number: 702 442 101
Meeting Password: oauth

-------------------------------------------------------
To join the online meeting
-------------------------------------------------------
1. Go to https://nsn.webex.com/nsn/j.php?ED=268691357&UID=0&PW=NOTlkZjIwNTEy&RT=MiMzMA%3D%3D
2. Enter your name and email address.
3. Enter the meeting password: oauth
4. Click "Join Now".

To view in other time zones or languages, please click the link:
https://nsn.webex.com/nsn/j.php?ED=268691357&UID=0&PW=NOTlkZjIwNTEy&ORT=MiMzMA%3D%3D

-------------------------------------------------------
To join the teleconference only
-------------------------------------------------------
Global Dial-In Numbers: http://www.nokiasiemensnetworks.com/nvc
Conference Code: 944 910 5485

From phil.hunt@oracle.com  Wed Aug 21 09:35:19 2013
Return-Path: <phil.hunt@oracle.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9A89E11E8264 for <oauth@ietfa.amsl.com>; Wed, 21 Aug 2013 09:35:19 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.761
X-Spam-Level: 
X-Spam-Status: No, score=-5.761 tagged_above=-999 required=5 tests=[AWL=0.838,  BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 23Lg1jLNN2xE for <oauth@ietfa.amsl.com>; Wed, 21 Aug 2013 09:35:14 -0700 (PDT)
Received: from aserp1040.oracle.com (aserp1040.oracle.com [141.146.126.69]) by ietfa.amsl.com (Postfix) with ESMTP id 7D97811E80C5 for <oauth@ietf.org>; Wed, 21 Aug 2013 09:35:14 -0700 (PDT)
Received: from acsinet22.oracle.com (acsinet22.oracle.com [141.146.126.238]) by aserp1040.oracle.com (Sentrion-MTA-4.3.1/Sentrion-MTA-4.3.1) with ESMTP id r7LGZCth012151 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK); Wed, 21 Aug 2013 16:35:13 GMT
Received: from aserz7021.oracle.com (aserz7021.oracle.com [141.146.126.230]) by acsinet22.oracle.com (8.14.4+Sun/8.14.4) with ESMTP id r7LGZBNJ016445 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Wed, 21 Aug 2013 16:35:12 GMT
Received: from abhmt103.oracle.com (abhmt103.oracle.com [141.146.116.55]) by aserz7021.oracle.com (8.14.4+Sun/8.14.4) with ESMTP id r7LGZBVd013612; Wed, 21 Aug 2013 16:35:11 GMT
Received: from [192.168.1.89] (/24.86.29.34) by default (Oracle Beehive Gateway v4.0) with ESMTP ; Wed, 21 Aug 2013 09:35:11 -0700
Content-Type: text/plain; charset=us-ascii
Mime-Version: 1.0 (Mac OS X Mail 6.5 \(1508\))
From: Phil Hunt <phil.hunt@oracle.com>
In-Reply-To: <1373E8CE237FCC43BCA36C6558612D2AA272E8@USCHMBX001.nsn-intra.net>
Date: Wed, 21 Aug 2013 09:35:10 -0700
Content-Transfer-Encoding: quoted-printable
Message-Id: <CF5728A9-5271-4B57-A2B3-40A9FC1BC983@oracle.com>
References: <5210F714.80305@gmail.com> <1373E8CE237FCC43BCA36C6558612D2AA272E8@USCHMBX001.nsn-intra.net>
To: "Tschofenig, Hannes (NSN - FI/Espoo)" <hannes.tschofenig@nsn.com>
X-Mailer: Apple Mail (2.1508)
X-Source-IP: acsinet22.oracle.com [141.146.126.238]
Cc: "<oauth@ietf.org>" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Audience parameter in authorization flow
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 21 Aug 2013 16:35:20 -0000

This could be bound up in the client registration process since oauth clients don't authorize for random "targets".

Phil

@independentid
www.independentid.com
phil.hunt@oracle.com







On 2013-08-21, at 9:30 AM, "Tschofenig, Hannes (NSN - FI/Espoo)" <hannes.tschofenig@nsn.com> wrote:

> Hi Sergey,
>
> The idea of the audience was to provide a way for the client to indicate the resource server it wants to talk to explicitly rather than overloading the scope field. We certainly need that capability for the MAC token work.
>
> The audience information is provided when the client interacts with the AS.
>
> Ciao
> Hannes
>
>
>> -----Original Message-----
>> From: oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] On Behalf
>> Of ext Sergey Beryozkin
>> Sent: Sunday, August 18, 2013 6:32 PM
>> To: <oauth@ietf.org>
>> Subject: [OAUTH-WG] Audience parameter in authorization flow
>>
>> Hi Hannes, All,
>>
>> Regarding [1], where would you expect an audience parameter be provided
>> during the authorization flow ?
>>
>> It appears to me it should be provided during the initial redirect
>> (similarly to a parameter like redirect_uri).
>>
>> Also, would it make sense to support pre-registered audience values,
>> example, a client registers and specifies an audience during the
>> registration ?
>>
>> Thanks, Sergey
>>
>> [1] http://tools.ietf.org/html/draft-tschofenig-oauth-audience-00
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth


From hannes.tschofenig@gmx.net  Wed Aug 21 09:40:58 2013
Return-Path: <hannes.tschofenig@gmx.net>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6D9AD11E80C5 for <oauth@ietfa.amsl.com>; Wed, 21 Aug 2013 09:40:58 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.849
X-Spam-Level: 
X-Spam-Status: No, score=-102.849 tagged_above=-999 required=5 tests=[AWL=-0.250, BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id x9QCaTlJwDWb for <oauth@ietfa.amsl.com>; Wed, 21 Aug 2013 09:40:54 -0700 (PDT)
Received: from mout.gmx.net (mout.gmx.net [212.227.17.21]) by ietfa.amsl.com (Postfix) with ESMTP id AE6F211E8107 for <oauth@ietf.org>; Wed, 21 Aug 2013 09:40:53 -0700 (PDT)
Received: from [172.16.254.200] ([195.149.218.67]) by mail.gmx.com (mrgmx101) with ESMTPSA (Nemesis) id 0MfAog-1VS4iX0g70-00OmxM for <oauth@ietf.org>; Wed, 21 Aug 2013 18:40:51 +0200
Message-ID: <5214ED9B.3070406@gmx.net>
Date: Wed, 21 Aug 2013 18:40:59 +0200
From: Hannes Tschofenig <hannes.tschofenig@gmx.net>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:17.0) Gecko/20130804 Thunderbird/17.0.8
MIME-Version: 1.0
To: Phil Hunt <phil.hunt@oracle.com>
References: <5210F714.80305@gmail.com> <1373E8CE237FCC43BCA36C6558612D2AA272E8@USCHMBX001.nsn-intra.net> <CF5728A9-5271-4B57-A2B3-40A9FC1BC983@oracle.com>
In-Reply-To: <CF5728A9-5271-4B57-A2B3-40A9FC1BC983@oracle.com>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
X-Provags-ID: V03:K0:rvsWa35vErabx8g2S1iC2jJX+VM86ZcszfeFPaSHKOID9tAz7Hy 38rnbttDkYPzESo0XU0pvNNSqIx1FsKjJsEuU5dpvpVdAEFF1vSqCJV+YxvILPaoFsA7b2w q0cqbi9Rr56gIX8msn4Tb19dvUa/YxDOCagFnmJDy4VzW21lKvF0jYtecKOhRh1D44kENRY BqcFNtOzb7+3Jckuk7Xtg==
Cc: "<oauth@ietf.org>" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Audience parameter in authorization flow
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 21 Aug 2013 16:40:58 -0000

That's certainly true although the referenced document did not talk 
about the registration phase but rather about the time when the client 
talks to the authorization server to obtain an access token.

Maybe UMA has provided a story for this already...

On 08/21/2013 06:35 PM, Phil Hunt wrote:
> This could be bound up in the client registration process since oauth clients don't authorize for random "targets".
>
> Phil
>
> @independentid
> www.independentid.com
> phil.hunt@oracle.com
>
>
>
>
>
>
>
> On 2013-08-21, at 9:30 AM, "Tschofenig, Hannes (NSN - FI/Espoo)" <hannes.tschofenig@nsn.com> wrote:
>
>> Hi Sergey,
>>
>> The idea of the audience was to provide a way for the client to indicate the resource server it wants to talk to explicitly rather than overloading the scope field. We certainly need that capability for the MAC token work.
>>
>> The audience information is provided when the client interacts with the AS.
>>
>> Ciao
>> Hannes
>>
>>
>>> -----Original Message-----
>>> From: oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] On Behalf
>>> Of ext Sergey Beryozkin
>>> Sent: Sunday, August 18, 2013 6:32 PM
>>> To: <oauth@ietf.org>
>>> Subject: [OAUTH-WG] Audience parameter in authorization flow
>>>
>>> Hi Hannes, All,
>>>
>>> Regarding [1], where would you expect an audience parameter be provided
>>> during the authorization flow ?
>>>
>>> It appears to me it should be provided during the initial redirect
>>> (similarly to a parameter like redirect_uri).
>>>
>>> Also, would it make sense to support pre-registered audience values,
>>> example, a client registers and specifies an audience during the
>>> registration ?
>>>
>>> Thanks, Sergey
>>>
>>> [1] http://tools.ietf.org/html/draft-tschofenig-oauth-audience-00
>>> _______________________________________________
>>> OAuth mailing list
>>> OAuth@ietf.org
>>> https://www.ietf.org/mailman/listinfo/oauth
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>


From tonynad@microsoft.com  Wed Aug 21 09:46:08 2013
Return-Path: <tonynad@microsoft.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1DDD821F843F for <oauth@ietfa.amsl.com>; Wed, 21 Aug 2013 09:46:08 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.389
X-Spam-Level: 
X-Spam-Status: No, score=-3.389 tagged_above=-999 required=5 tests=[AWL=0.210,  BAYES_00=-2.599, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id fCQsm9z9GZUU for <oauth@ietfa.amsl.com>; Wed, 21 Aug 2013 09:45:52 -0700 (PDT)
Received: from na01-by2-obe.outbound.protection.outlook.com (mail-by2lp0241.outbound.protection.outlook.com [207.46.163.241]) by ietfa.amsl.com (Postfix) with ESMTP id 21CFA11E80C5 for <oauth@ietf.org>; Wed, 21 Aug 2013 09:45:40 -0700 (PDT)
Received: from BY2PR03MB191.namprd03.prod.outlook.com (10.242.36.143) by BY2PR03MB208.namprd03.prod.outlook.com (10.242.36.156) with Microsoft SMTP Server (TLS) id 15.0.745.25; Wed, 21 Aug 2013 16:45:39 +0000
Received: from BY2PR03MB189.namprd03.prod.outlook.com (10.242.36.140) by BY2PR03MB191.namprd03.prod.outlook.com (10.242.36.143) with Microsoft SMTP Server (TLS) id 15.0.745.25; Wed, 21 Aug 2013 16:45:37 +0000
Received: from BY2PR03MB189.namprd03.prod.outlook.com ([169.254.6.82]) by BY2PR03MB189.namprd03.prod.outlook.com ([169.254.6.157]) with mapi id 15.00.0745.000; Wed, 21 Aug 2013 16:45:37 +0000
From: Anthony Nadalin <tonynad@microsoft.com>
To: Hannes Tschofenig <hannes.tschofenig@gmx.net>, Phil Hunt <phil.hunt@oracle.com>
Thread-Topic: [OAUTH-WG] Audience parameter in authorization flow
Thread-Index: AQHOnDCkyq+lVs2A30av5TP3RarnFZmf3xiAgAABVACAAAGggIAAAJ9A
Date: Wed, 21 Aug 2013 16:45:36 +0000
Message-ID: <1d4b764800be4cff991f02a91948d2c0@BY2PR03MB189.namprd03.prod.outlook.com>
References: <5210F714.80305@gmail.com> <1373E8CE237FCC43BCA36C6558612D2AA272E8@USCHMBX001.nsn-intra.net> <CF5728A9-5271-4B57-A2B3-40A9FC1BC983@oracle.com> <5214ED9B.3070406@gmx.net>
In-Reply-To: <5214ED9B.3070406@gmx.net>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
x-originating-ip: [2001:4898:80e8:ed31::3]
x-forefront-prvs: 0945B0CC72
x-forefront-antispam-report: SFV:NSPM; SFS:(377454003)(479174003)(52084003)(24454002)(13464003)(377424004)(199002)(189002)(164054003)(51704005)(19580395003)(79102001)(15974865002)(74366001)(19580405001)(54356001)(83322001)(76482001)(54316002)(56776001)(74316001)(15202345003)(53806001)(80976001)(63696002)(76786001)(46102001)(69226001)(74876001)(80022001)(77096001)(56816003)(65816001)(81542001)(74662001)(83072001)(4396001)(47446002)(81686001)(50986001)(59766001)(76796001)(77982001)(19580385001)(76576001)(47736001)(31966008)(81342001)(47976001)(33646001)(49866001)(51856001)(74502001)(81816001)(74706001)(42262001)(24736002)(3826001); DIR:OUT; SFP:; SCL:1; SRVR:BY2PR03MB191; H:BY2PR03MB189.namprd03.prod.outlook.com; CLIP:2001:4898:80e8:ed31::3; RD:InfoNoRecords; A:1; MX:1; LANG:en; 
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-MS-Exchange-CrossPremises-AuthAs: Internal
X-MS-Exchange-CrossPremises-AuthMechanism: 03
X-MS-Exchange-CrossPremises-AuthSource: BY2PR03MB189.namprd03.prod.outlook.com
X-MS-Exchange-CrossPremises-SCL: 1
X-MS-Exchange-CrossPremises-messagesource: StoreDriver
X-MS-Exchange-CrossPremises-BCC: 
X-MS-Exchange-CrossPremises-originalclientipaddress: 2001:4898:80e8:ed31::3
X-MS-Exchange-CrossPremises-avstamp-service: 1.0
X-MS-Exchange-CrossPremises-antispam-scancontext: DIR:Originating; SFV:NSPM; SKIP:0; 
X-MS-Exchange-CrossPremises-processed-by-journaling: Journal Agent
X-MS-Exchange-CrossPremises-ContentConversionOptions: False; 00160000; True; ; iso-8859-1
X-OrganizationHeadersPreserved: BY2PR03MB191.namprd03.prod.outlook.com
X-OriginatorOrg: DuplicateDomain-a84fc36a-4ed7-4e57-ab1c-3e967bcbad48.microsoft.com
Cc: "<oauth@ietf.org>" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Audience parameter in authorization flow
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 21 Aug 2013 16:46:09 -0000

I think binding audience at registration time is too limiting as we see audience being on a per token request level and also see the audience being part of the restrictions for "act as" or "on behalf of" support

-----Original Message-----
From: oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] On Behalf Of Hannes Tschofenig
Sent: Wednesday, August 21, 2013 9:41 AM
To: Phil Hunt
Cc: <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Audience parameter in authorization flow

That's certainly true although the referenced document did not talk about the registration phase but rather about the time when the client talks to the authorization server to obtain an access token.

Maybe UMA has provided a story for this already...

On 08/21/2013 06:35 PM, Phil Hunt wrote:
> This could be bound up in the client registration process since oauth clients don't authorize for random "targets".
>
> Phil
>
> @independentid
> www.independentid.com
> phil.hunt@oracle.com
>
>
>
>
>
>
>
> On 2013-08-21, at 9:30 AM, "Tschofenig, Hannes (NSN - FI/Espoo)" <hannes.tschofenig@nsn.com> wrote:
>
>> Hi Sergey,
>>
>> The idea of the audience was to provide a way for the client to indicate the resource server it wants to talk to explicitly rather than overloading the scope field. We certainly need that capability for the MAC token work.
>>
>> The audience information is provided when the client interacts with the AS.
>>
>> Ciao
>> Hannes
>>
>>
>>> -----Original Message-----
>>> From: oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] On
>>> Behalf Of ext Sergey Beryozkin
>>> Sent: Sunday, August 18, 2013 6:32 PM
>>> To: <oauth@ietf.org>
>>> Subject: [OAUTH-WG] Audience parameter in authorization flow
>>>
>>> Hi Hannes, All,
>>>
>>> Regarding [1], where would you expect an audience parameter be
>>> provided during the authorization flow ?
>>>
>>> It appears to me it should be provided during the initial redirect
>>> (similarly to a parameter like redirect_uri).
>>>
>>> Also, would it make sense to support pre-registered audience values,
>>> example, a client registers and specifies an audience during the
>>> registration ?
>>>
>>> Thanks, Sergey
>>>
>>> [1] http://tools.ietf.org/html/draft-tschofenig-oauth-audience-00
>>> _______________________________________________
>>> OAuth mailing list
>>> OAuth@ietf.org
>>> https://www.ietf.org/mailman/listinfo/oauth
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth

From phil.hunt@oracle.com  Wed Aug 21 09:46:56 2013
Return-Path: <phil.hunt@oracle.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E571911E80C5 for <oauth@ietfa.amsl.com>; Wed, 21 Aug 2013 09:46:55 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.8
X-Spam-Level: 
X-Spam-Status: No, score=-5.8 tagged_above=-999 required=5 tests=[AWL=0.799, BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id BJJYeKNUmepz for <oauth@ietfa.amsl.com>; Wed, 21 Aug 2013 09:46:45 -0700 (PDT)
Received: from aserp1040.oracle.com (aserp1040.oracle.com [141.146.126.69]) by ietfa.amsl.com (Postfix) with ESMTP id 6875421F93BF for <oauth@ietf.org>; Wed, 21 Aug 2013 09:46:45 -0700 (PDT)
Received: from acsinet21.oracle.com (acsinet21.oracle.com [141.146.126.237]) by aserp1040.oracle.com (Sentrion-MTA-4.3.1/Sentrion-MTA-4.3.1) with ESMTP id r7LGkfXU023446 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK); Wed, 21 Aug 2013 16:46:41 GMT
Received: from aserz7021.oracle.com (aserz7021.oracle.com [141.146.126.230]) by acsinet21.oracle.com (8.14.4+Sun/8.14.4) with ESMTP id r7LGkerv012371 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Wed, 21 Aug 2013 16:46:41 GMT
Received: from abhmt108.oracle.com (abhmt108.oracle.com [141.146.116.60]) by aserz7021.oracle.com (8.14.4+Sun/8.14.4) with ESMTP id r7LGkeE1012367; Wed, 21 Aug 2013 16:46:40 GMT
Received: from [192.168.1.89] (/24.86.29.34) by default (Oracle Beehive Gateway v4.0) with ESMTP ; Wed, 21 Aug 2013 09:46:40 -0700
Content-Type: text/plain; charset=us-ascii
Mime-Version: 1.0 (Mac OS X Mail 6.5 \(1508\))
From: Phil Hunt <phil.hunt@oracle.com>
In-Reply-To: <1d4b764800be4cff991f02a91948d2c0@BY2PR03MB189.namprd03.prod.outlook.com>
Date: Wed, 21 Aug 2013 09:46:39 -0700
Content-Transfer-Encoding: quoted-printable
Message-Id: <5AA05FFA-99AB-4702-BC20-C209FF26416C@oracle.com>
References: <5210F714.80305@gmail.com> <1373E8CE237FCC43BCA36C6558612D2AA272E8@USCHMBX001.nsn-intra.net> <CF5728A9-5271-4B57-A2B3-40A9FC1BC983@oracle.com> <5214ED9B.3070406@gmx.net> <1d4b764800be4cff991f02a91948d2c0@BY2PR03MB189.namprd03.prod.outlook.com>
To: Anthony Nadalin <tonynad@microsoft.com>
X-Mailer: Apple Mail (2.1508)
X-Source-IP: acsinet21.oracle.com [141.146.126.237]
Cc: "<oauth@ietf.org>" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Audience parameter in authorization flow
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 21 Aug 2013 16:46:56 -0000

Yes.  The trade off is that each client_id becomes associated with a target.

Phil

@independentid
www.independentid.com
phil.hunt@oracle.com







On 2013-08-21, at 9:45 AM, Anthony Nadalin <tonynad@microsoft.com> wrote:

> I think binding audience at registration time is too limiting as we see audience being on a per token request level and also see the audience being part of the restrictions for "act as" or "on behalf of" support
>=20
> -----Original Message-----
> From: oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] On Behalf Of Hannes Tschofenig
> Sent: Wednesday, August 21, 2013 9:41 AM
> To: Phil Hunt
> Cc: <oauth@ietf.org>
> Subject: Re: [OAUTH-WG] Audience parameter in authorization flow
>
> That's certainly true although the referenced document did not talk about the registration phase but rather about the time when the client talks to the authorization server to obtain an access token.
>
> Maybe UMA has provided a story for this already...
>
> On 08/21/2013 06:35 PM, Phil Hunt wrote:
>> This could be bound up in the client registration process since oauth clients don't authorize for random "targets".
>>
>> Phil
>>
>> @independentid
>> www.independentid.com
>> phil.hunt@oracle.com
>>
>> On 2013-08-21, at 9:30 AM, "Tschofenig, Hannes (NSN - FI/Espoo)" <hannes.tschofenig@nsn.com> wrote:
>>
>>> Hi Sergey,
>>>
>>> The idea of the audience was to provide a way for the client to indicate the resource server it wants to talk to explicitly rather than overloading the scope field. We certainly need that capability for the MAC token work.
>>>
>>> The audience information is provided when the client interacts with the AS.
>>>
>>> Ciao
>>> Hannes
>>>
>>>> -----Original Message-----
>>>> From: oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] On
>>>> Behalf Of ext Sergey Beryozkin
>>>> Sent: Sunday, August 18, 2013 6:32 PM
>>>> To: <oauth@ietf.org>
>>>> Subject: [OAUTH-WG] Audience parameter in authorization flow
>>>>
>>>> Hi Hannes, All,
>>>>
>>>> Regarding [1], where would you expect an audience parameter be
>>>> provided during the authorization flow ?
>>>>
>>>> It appears to me it should be provided during the initial redirect
>>>> (similarly to a parameter like redirect_uri).
>>>>
>>>> Also, would it make sense to support pre-registered audience values,
>>>> example, a client registers and specifies an audience during the
>>>> registration ?
>>>>
>>>> Thanks, Sergey
>>>>
>>>> [1] http://tools.ietf.org/html/draft-tschofenig-oauth-audience-00
>>>> _______________________________________________
>>>> OAuth mailing list
>>>> OAuth@ietf.org
>>>> https://www.ietf.org/mailman/listinfo/oauth


From jricher@mitre.org  Wed Aug 21 09:49:15 2013
Return-Path: <jricher@mitre.org>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3981411E822A for <oauth@ietfa.amsl.com>; Wed, 21 Aug 2013 09:49:15 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.475
X-Spam-Level: 
X-Spam-Status: No, score=-6.475 tagged_above=-999 required=5 tests=[AWL=0.124,  BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 7FYiYE3Gr2xw for <oauth@ietfa.amsl.com>; Wed, 21 Aug 2013 09:49:10 -0700 (PDT)
Received: from smtpksrv1.mitre.org (smtpksrv1.mitre.org [198.49.146.77]) by ietfa.amsl.com (Postfix) with ESMTP id 2548811E80EC for <oauth@ietf.org>; Wed, 21 Aug 2013 09:49:10 -0700 (PDT)
Received: from smtpksrv1.mitre.org (localhost.localdomain [127.0.0.1]) by localhost (Postfix) with SMTP id 7B4001F0FFB; Wed, 21 Aug 2013 12:49:09 -0400 (EDT)
Received: from IMCCAS04.MITRE.ORG (imccas04.mitre.org [129.83.29.81]) by smtpksrv1.mitre.org (Postfix) with ESMTP id 69B6E1F0FF8; Wed, 21 Aug 2013 12:49:09 -0400 (EDT)
Received: from [10.146.15.13] (129.83.31.56) by IMCCAS04.MITRE.ORG (129.83.29.81) with Microsoft SMTP Server (TLS) id 14.2.342.3; Wed, 21 Aug 2013 12:49:09 -0400
Message-ID: <5214EF84.6010300@mitre.org>
Date: Wed, 21 Aug 2013 12:49:08 -0400
From: Justin Richer <jricher@mitre.org>
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:17.0) Gecko/20130623 Thunderbird/17.0.7
MIME-Version: 1.0
To: Phil Hunt <phil.hunt@oracle.com>
References: <5210F714.80305@gmail.com> <1373E8CE237FCC43BCA36C6558612D2AA272E8@USCHMBX001.nsn-intra.net> <CF5728A9-5271-4B57-A2B3-40A9FC1BC983@oracle.com> <5214ED9B.3070406@gmx.net> <1d4b764800be4cff991f02a91948d2c0@BY2PR03MB189.namprd03.prod.outlook.com> <5AA05FFA-99AB-4702-BC20-C209FF26416C@oracle.com>
In-Reply-To: <5AA05FFA-99AB-4702-BC20-C209FF26416C@oracle.com>
Content-Type: text/plain; charset="ISO-8859-1"; format=flowed
Content-Transfer-Encoding: 7bit
X-Originating-IP: [129.83.31.56]
Cc: "<oauth@ietf.org>" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Audience parameter in authorization flow
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 21 Aug 2013 16:49:15 -0000

I think it makes sense to have both, and this would parallel what we've 
got with the "scope" parameter today. At registration, the client is 
saying "this is what I want to be able to use" and the server is saying 
"this is what you're allowed to use". At auth time, the client is saying 
"this is what I'm using now" and the user is saying "this is what you're 
authorized to use now".

If there were a standardized "audience" parameter at the auth endpoint, 
it could easily be added to the registration's client model in parallel.

  -- Justin

On 08/21/2013 12:46 PM, Phil Hunt wrote:
> Yes.  The trade off is that each client_id becomes associated with a target.
>
> Phil
>
> @independentid
> www.independentid.com
> phil.hunt@oracle.com
>
>
>
>
>
>
>
> On 2013-08-21, at 9:45 AM, Anthony Nadalin <tonynad@microsoft.com> wrote:
>
>> I think binding audience at registration time is too limiting as we see audience being on a per token request level and also see the audience being part of the restrictions for "act as" or "on behalf of" support
>>
>> -----Original Message-----
>> From: oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] On Behalf Of Hannes Tschofenig
>> Sent: Wednesday, August 21, 2013 9:41 AM
>> To: Phil Hunt
>> Cc: <oauth@ietf.org>
>> Subject: Re: [OAUTH-WG] Audience parameter in authorization flow
>>
>> That's certainly true although the referenced document did not talk about the registration phase but rather about the time when the client talks to the authorization server to obtain an access token.
>>
>> Maybe UMA has provided a story for this already...
>>
>> On 08/21/2013 06:35 PM, Phil Hunt wrote:
>>> This could be bound up in the client registration process since oauth clients don't authorize for random "targets".
>>>
>>> Phil
>>>
>>> @independentid
>>> www.independentid.com
>>> phil.hunt@oracle.com
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>> On 2013-08-21, at 9:30 AM, "Tschofenig, Hannes (NSN - FI/Espoo)" <hannes.tschofenig@nsn.com> wrote:
>>>
>>>> Hi Sergey,
>>>>
>>>> The idea of the audience was to provide a way for the client to indicate the resource server it wants to talk to explicitly rather than overloading the scope field. We certainly need that capability for the MAC token work.
>>>>
>>>> The audience information is provided when the client interacts with the AS.
>>>>
>>>> Ciao
>>>> Hannes
>>>>
>>>>
>>>>> -----Original Message-----
>>>>> From: oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] On
>>>>> Behalf Of ext Sergey Beryozkin
>>>>> Sent: Sunday, August 18, 2013 6:32 PM
>>>>> To: <oauth@ietf.org>
>>>>> Subject: [OAUTH-WG] Audience parameter in authorization flow
>>>>>
>>>>> Hi Hannes, All,
>>>>>
>>>>> Regarding [1], where would you expect an audience parameter be
>>>>> provided during the authorization flow ?
>>>>>
>>>>> It appears to me it should be provided during the initial redirect
>>>>> (similarly to a parameter like redirect_uri).
>>>>>
>>>>> Also, would it make sense to support pre-registered audience values,
>>>>> example, a client registers and specifies an audience during the
>>>>> registration ?
>>>>>
>>>>> Thanks, Sergey
>>>>>
>>>>> [1] http://tools.ietf.org/html/draft-tschofenig-oauth-audience-00
>>>>> _______________________________________________
>>>>> OAuth mailing list
>>>>> OAuth@ietf.org
>>>>> https://www.ietf.org/mailman/listinfo/oauth


From tonynad@microsoft.com  Wed Aug 21 10:07:08 2013
Return-Path: <tonynad@microsoft.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2091511E8264 for <oauth@ietfa.amsl.com>; Wed, 21 Aug 2013 10:07:08 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.407
X-Spam-Level: 
X-Spam-Status: No, score=-3.407 tagged_above=-999 required=5 tests=[AWL=0.192,  BAYES_00=-2.599, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id OV2hpWqduJ+o for <oauth@ietfa.amsl.com>; Wed, 21 Aug 2013 10:07:03 -0700 (PDT)
Received: from na01-bl2-obe.outbound.protection.outlook.com (mail-bl2lp0208.outbound.protection.outlook.com [207.46.163.208]) by ietfa.amsl.com (Postfix) with ESMTP id 7100811E8116 for <oauth@ietf.org>; Wed, 21 Aug 2013 10:06:56 -0700 (PDT)
Received: from BY2PR03MB191.namprd03.prod.outlook.com (10.242.36.143) by BY2PR03MB073.namprd03.prod.outlook.com (10.255.241.153) with Microsoft SMTP Server (TLS) id 15.0.745.25; Wed, 21 Aug 2013 16:51:43 +0000
Received: from BY2PR03MB189.namprd03.prod.outlook.com (10.242.36.140) by BY2PR03MB191.namprd03.prod.outlook.com (10.242.36.143) with Microsoft SMTP Server (TLS) id 15.0.745.25; Wed, 21 Aug 2013 16:51:42 +0000
Received: from BY2PR03MB189.namprd03.prod.outlook.com ([169.254.6.82]) by BY2PR03MB189.namprd03.prod.outlook.com ([169.254.6.157]) with mapi id 15.00.0745.000; Wed, 21 Aug 2013 16:51:42 +0000
From: Anthony Nadalin <tonynad@microsoft.com>
To: "Tschofenig, Hannes (NSN - FI/Espoo)" <hannes.tschofenig@nsn.com>, "oauth mailing list" <oauth@ietf.org>
Thread-Topic: Dynamic Client Registration Requirements
Thread-Index: Ac6dtsFpKFcW5YVXRR6Mixl/Rfo9ZQA1DsLgAAC97yA=
Date: Wed, 21 Aug 2013 16:51:41 +0000
Message-ID: <df7ee47a8e074df6a7a55ec2a1dff366@BY2PR03MB189.namprd03.prod.outlook.com>
References: <e1eb7a02625c46faa473c0e835637fb1@BY2PR03MB189.namprd03.prod.outlook.com> <1373E8CE237FCC43BCA36C6558612D2AA272D0@USCHMBX001.nsn-intra.net>
In-Reply-To: <1373E8CE237FCC43BCA36C6558612D2AA272D0@USCHMBX001.nsn-intra.net>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
x-originating-ip: [2001:4898:80e8:ed31::3]
x-forefront-prvs: 0945B0CC72
x-forefront-antispam-report: SFV:NSPM; SFS:(377454003)(13464003)(199002)(189002)(19580395003)(79102001)(74366001)(19580405001)(54356001)(83322001)(76482001)(54316002)(56776001)(74316001)(53806001)(80976001)(63696002)(76786001)(46102001)(69226001)(74876001)(80022001)(77096001)(56816003)(65816001)(81542001)(74662001)(83072001)(4396001)(47446002)(81686001)(50986001)(59766001)(76796001)(77982001)(76576001)(47736001)(31966008)(81342001)(47976001)(33646001)(49866001)(51856001)(74502001)(81816001)(74706001)(42262001)(24736002)(3826001); DIR:OUT; SFP:; SCL:1; SRVR:BY2PR03MB191; H:BY2PR03MB189.namprd03.prod.outlook.com; CLIP:2001:4898:80e8:ed31::3; RD:InfoNoRecords; A:1; MX:1; LANG:en; 
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-MS-Exchange-CrossPremises-AuthAs: Internal
X-MS-Exchange-CrossPremises-AuthMechanism: 03
X-MS-Exchange-CrossPremises-AuthSource: BY2PR03MB189.namprd03.prod.outlook.com
X-MS-Exchange-CrossPremises-SCL: 1
X-MS-Exchange-CrossPremises-messagesource: StoreDriver
X-MS-Exchange-CrossPremises-BCC: 
X-MS-Exchange-CrossPremises-originalclientipaddress: 2001:4898:80e8:ed31::3
X-MS-Exchange-CrossPremises-avstamp-service: 1.0
X-MS-Exchange-CrossPremises-antispam-scancontext: DIR:Originating; SFV:NSPM; SKIP:0; 
X-MS-Exchange-CrossPremises-processed-by-journaling: Journal Agent
X-MS-Exchange-CrossPremises-ContentConversionOptions: False; 00160000; True; ; iso-8859-1
X-OrganizationHeadersPreserved: BY2PR03MB191.namprd03.prod.outlook.com
X-OriginatorOrg: DuplicateDomain-a84fc36a-4ed7-4e57-ab1c-3e967bcbad48.microsoft.com
Subject: Re: [OAUTH-WG] Dynamic Client Registration Requirements
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 21 Aug 2013 17:07:08 -0000

4. So when registration takes place it may be at a single endpoint, but that endpoint has to have enough info to figure out which virtual registration point it needs to deal with, much like what we had to do in SCIM to support multi-tenants
5. Any info sent to the registration endpoint needs a way to figure out internationalization
6. What has been proposed does not take into account the data model difference that you can have with schema, having the ability to replace schema/add elements is not schema extensibility, come over to the SCIM discussions
7. It is verified by the person asserting it, so yes you have the concept.

-----Original Message-----
From: Tschofenig, Hannes (NSN - FI/Espoo) [mailto:hannes.tschofenig@nsn.com]
Sent: Wednesday, August 21, 2013 9:28 AM
To: Anthony Nadalin; oauth mailing list
Subject: RE: Dynamic Client Registration Requirements

Hi Tony,

Could you expand a little bit on those issues:

> 4. Multi-tenant  support (single endpoint, multiple services)

What does multiple services mean here in the context of dynamic client registration?

> 5. Internationalization

Where do you see internationalization play a role here?

> 6. simple provisioning schema with schema extensibility

I guess all of the schemas we use are extensible. Is there something in particular you worry about?

> 7. self-assertion

I guess this refers to the ability of the client to upload configuration that has not been verified by anyone, i.e., the client asserts this information by itself. Right?

Ciao
Hannes


From phil.hunt@oracle.com  Wed Aug 21 10:19:54 2013
Return-Path: <phil.hunt@oracle.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9CE3C11E83CA for <oauth@ietfa.amsl.com>; Wed, 21 Aug 2013 10:19:54 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.834
X-Spam-Level: 
X-Spam-Status: No, score=-5.834 tagged_above=-999 required=5 tests=[AWL=0.765,  BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 4KnVPyVYiwKw for <oauth@ietfa.amsl.com>; Wed, 21 Aug 2013 10:19:48 -0700 (PDT)
Received: from aserp1040.oracle.com (aserp1040.oracle.com [141.146.126.69]) by ietfa.amsl.com (Postfix) with ESMTP id A259611E8120 for <oauth@ietf.org>; Wed, 21 Aug 2013 10:19:48 -0700 (PDT)
Received: from acsinet21.oracle.com (acsinet21.oracle.com [141.146.126.237]) by aserp1040.oracle.com (Sentrion-MTA-4.3.1/Sentrion-MTA-4.3.1) with ESMTP id r7LHJlD3025731 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK); Wed, 21 Aug 2013 17:19:47 GMT
Received: from userz7021.oracle.com (userz7021.oracle.com [156.151.31.85]) by acsinet21.oracle.com (8.14.4+Sun/8.14.4) with ESMTP id r7LHJjST005152 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Wed, 21 Aug 2013 17:19:46 GMT
Received: from abhmt106.oracle.com (abhmt106.oracle.com [141.146.116.58]) by userz7021.oracle.com (8.14.4+Sun/8.14.4) with ESMTP id r7LHJiGf006690; Wed, 21 Aug 2013 17:19:44 GMT
Received: from [192.168.1.89] (/24.86.29.34) by default (Oracle Beehive Gateway v4.0) with ESMTP ; Wed, 21 Aug 2013 10:19:44 -0700
Content-Type: text/plain; charset=windows-1252
Mime-Version: 1.0 (Mac OS X Mail 6.5 \(1508\))
From: Phil Hunt <phil.hunt@oracle.com>
In-Reply-To: <5214EF84.6010300@mitre.org>
Date: Wed, 21 Aug 2013 10:19:43 -0700
Content-Transfer-Encoding: quoted-printable
Message-Id: <CB0778B8-0603-459C-8106-18893D3824AD@oracle.com>
References: <5210F714.80305@gmail.com> <1373E8CE237FCC43BCA36C6558612D2AA272E8@USCHMBX001.nsn-intra.net> <CF5728A9-5271-4B57-A2B3-40A9FC1BC983@oracle.com> <5214ED9B.3070406@gmx.net> <1d4b764800be4cff991f02a91948d2c0@BY2PR03MB189.namprd03.prod.outlook.com> <5AA05FFA-99AB-4702-BC20-C209FF26416C@oracle.com> <5214EF84.6010300@mitre.org>
To: Justin Richer <jricher@mitre.org>
X-Mailer: Apple Mail (2.1508)
X-Source-IP: acsinet21.oracle.com [141.146.126.237]
Cc: "<oauth@ietf.org>" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Audience parameter in authorization flow
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 21 Aug 2013 17:19:54 -0000

Looking at the spec, the problem is you can still only authorize one api at a time.  You couldn't specify multiple audience apis and match them up with scopes.

A while ago I did start to write some stuff up about a structured scope specification where scope becomes a JSON multi-value structure so that multiple scopes and end-points could be defined.

I abandoned it after seeing that the same thing could be accomplished (as Google did) by defining the relationship during registration. I agree, it precludes being able to change on the fly, but came to the conclusion that is pretty rare (we're not talking about browsers for the most part).

Aside…this is why I include "target" in the SCIM Registration draft.

Phil

@independentid
www.independentid.com
phil.hunt@oracle.com







On 2013-08-21, at 9:49 AM, Justin Richer <jricher@mitre.org> wrote:

> I think it makes sense to have both, and this would parallel what we've got with the "scope" parameter today. At registration, the client is saying "this is what I want to be able to use" and the server is saying "this is what you're allowed to use". At auth time, the client is saying "this is what I'm using now" and the user is saying "this is what you're authorized to use now".
>
> If there were a standardized "audience" parameter at the auth endpoint, it could easily be added to the registration's client model in parallel.
>
> -- Justin
>
> On 08/21/2013 12:46 PM, Phil Hunt wrote:
>> Yes.  The trade off is that each client_id becomes associated with a target.
>>
>> Phil
>>
>> @independentid
>> www.independentid.com
>> phil.hunt@oracle.com
>>
>> On 2013-08-21, at 9:45 AM, Anthony Nadalin <tonynad@microsoft.com> wrote:
>>
>>> I think binding audience at registration time is too limiting as we see audience being on a per token request level and also see the audience being part of the restrictions for "act as" or "on behalf of" support
>>>
>>> -----Original Message-----
>>> From: oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] On Behalf Of Hannes Tschofenig
>>> Sent: Wednesday, August 21, 2013 9:41 AM
>>> To: Phil Hunt
>>> Cc: <oauth@ietf.org>
>>> Subject: Re: [OAUTH-WG] Audience parameter in authorization flow
>>>
>>> That's certainly true although the referenced document did not talk about the registration phase but rather about the time when the client talks to the authorization server to obtain an access token.
>>>
>>> Maybe UMA has provided a story for this already...
>>>
>>> On 08/21/2013 06:35 PM, Phil Hunt wrote:
>>>> This could be bound up in the client registration process since oauth clients don't authorize for random "targets".
>>>>
>>>> Phil
>>>>
>>>> @independentid
>>>> www.independentid.com
>>>> phil.hunt@oracle.com
>>>>
>>>> On 2013-08-21, at 9:30 AM, "Tschofenig, Hannes (NSN - FI/Espoo)" <hannes.tschofenig@nsn.com> wrote:
>>>>
>>>>> Hi Sergey,
>>>>>
>>>>> The idea of the audience was to provide a way for the client to indicate the resource server it wants to talk to explicitly rather than overloading the scope field. We certainly need that capability for the MAC token work.
>>>>>
>>>>> The audience information is provided when the client interacts with the AS.
>>>>>
>>>>> Ciao
>>>>> Hannes
>>>>>
>>>>>> -----Original Message-----
>>>>>> From: oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] On
>>>>>> Behalf Of ext Sergey Beryozkin
>>>>>> Sent: Sunday, August 18, 2013 6:32 PM
>>>>>> To: <oauth@ietf.org>
>>>>>> Subject: [OAUTH-WG] Audience parameter in authorization flow
>>>>>>
>>>>>> Hi Hannes, All,
>>>>>>
>>>>>> Regarding [1], where would you expect an audience parameter be
>>>>>> provided during the authorization flow ?
>>>>>>
>>>>>> It appears to me it should be provided during the initial redirect
>>>>>> (similarly to a parameter like redirect_uri).
>>>>>>
>>>>>> Also, would it make sense to support pre-registered audience values,
>>>>>> example, a client registers and specifies an audience during the
>>>>>> registration ?
>>>>>>
>>>>>> Thanks, Sergey
>>>>>>
>>>>>> [1] http://tools.ietf.org/html/draft-tschofenig-oauth-audience-00
>>>>>> _______________________________________________
>>>>>> OAuth mailing list
>>>>>> OAuth@ietf.org
>>>>>> https://www.ietf.org/mailman/listinfo/oauth
>
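
An added example (not part of any message in this thread, and not code from the drafts discussed): a minimal authorization-server check that combines the two positions above, an audience-to-scope map fixed at registration as Phil Hunt describes and a single audience named per authorization request as Justin Richer describes. The parameter name `audience`, the error codes, and every identifier in the sample data are assumptions made for illustration.

```python
from dataclasses import dataclass
from urllib.parse import parse_qs, urlencode


class AuthzError(Exception):
    """Refusal carrying an OAuth 2.0 style error code (code choice is an assumption)."""

    def __init__(self, code, detail):
        super().__init__(f"{code}: {detail}")
        self.code = code


@dataclass(frozen=True)
class Registration:
    client_id: str
    redirect_uris: frozenset
    audiences: dict  # resource server identifier -> frozenset of scopes usable there


def register(client_id, redirect_uris, wanted, server_policy):
    """Registration time: the client says what it wants to be able to use and
    the server narrows that to what it allows (both map audience -> scopes)."""
    allowed = {}
    for aud, scopes in wanted.items():
        granted = frozenset(scopes) & frozenset(server_policy.get(aud, ()))
        if granted:
            allowed[aud] = granted
    if not allowed:
        raise AuthzError("invalid_client_metadata", "no requested audience is permitted")
    return Registration(client_id, frozenset(redirect_uris), allowed)


def single(params, name):
    """Return a parameter's only value; absent or repeated parameters are refused."""
    values = params.get(name, [])
    if len(values) != 1:
        raise AuthzError("invalid_request", f"{name} must appear exactly once")
    return values[0]


def authorize(reg, query, user_approved):
    """Authorization time: the client names the one audience and the scopes it
    is using now, and the user's approval narrows the scopes again.
    Returns the claims the authorization server would bind into the token."""
    params = parse_qs(query, keep_blank_values=True)
    if single(params, "client_id") != reg.client_id:
        raise AuthzError("unauthorized_client", "client_id does not match registration")
    if single(params, "redirect_uri") not in reg.redirect_uris:
        raise AuthzError("invalid_request", "redirect_uri is not registered")
    audience = single(params, "audience")
    if audience not in reg.audiences:
        # Refused before the user is ever asked: the registration is the outer bound.
        raise AuthzError("invalid_request", "audience is not registered for this client")
    requested = set(single(params, "scope").split())
    excess = requested - reg.audiences[audience]
    if excess:
        raise AuthzError("invalid_scope", f"{sorted(excess)} not registered for {audience}")
    granted = requested & set(user_approved)
    if not granted:
        raise AuthzError("access_denied", "user approved none of the requested scopes")
    return {"client_id": reg.client_id, "aud": audience, "scope": " ".join(sorted(granted))}


def resource_server_accepts(claims, own_identifier, needed_scope):
    """Resource server side: a token minted for another audience is refused."""
    return claims.get("aud") == own_identifier and needed_scope in claims.get("scope", "").split()


def build_query(audience, scope, client_id="client-123", redirect_uri="https://client.example/cb"):
    """Helper that builds a constructed authorization request query string."""
    return urlencode({"response_type": "code", "client_id": client_id,
                      "redirect_uri": redirect_uri, "audience": audience, "scope": scope})


# Constructed sample data: every identifier below is made up for illustration.
PHOTOS, CALENDAR, BILLING = "https://photos.example", "https://calendar.example", "https://billing.example"
POLICY = {PHOTOS: {"read", "write"}, CALENDAR: {"read"}}
CLIENT = register("client-123", ["https://client.example/cb"],
                  wanted={PHOTOS: {"read", "write", "admin"}, CALENDAR: {"read"}, BILLING: {"read"}},
                  server_policy=POLICY)

if __name__ == "__main__":
    print("registered:", {aud: sorted(s) for aud, s in CLIENT.audiences.items()})
    claims = authorize(CLIENT, build_query(PHOTOS, "read write"), user_approved={"read"})
    print("token claims:", claims)
    print("accepted at calendar API:", resource_server_accepts(claims, CALENDAR, "read"))
    for aud, scope in [(BILLING, "read"), (CALENDAR, "write")]:
        try:
            authorize(CLIENT, build_query(aud, scope), user_approved={"read", "write"})
        except AuthzError as err:
            print("refused:", err)
```

Because each request carries exactly one audience, a client that needs two APIs makes two requests and holds two tokens, which is the limitation the message above points out.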


From amirabdulahi@hotmail.com  Wed Aug 21 11:36:54 2013
Return-Path: <amirabdulahi@hotmail.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DBF1821F842B for <oauth@ietfa.amsl.com>; Wed, 21 Aug 2013 11:36:54 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 1.111
X-Spam-Level: *
X-Spam-Status: No, score=1.111 tagged_above=-999 required=5 tests=[AWL=3.709,  BAYES_00=-2.599, HTML_MESSAGE=0.001]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 95Nfn6qWDO95 for <oauth@ietfa.amsl.com>; Wed, 21 Aug 2013 11:36:50 -0700 (PDT)
Received: from dub0-omc1-s5.dub0.hotmail.com (dub0-omc1-s5.dub0.hotmail.com [157.55.0.204]) by ietfa.amsl.com (Postfix) with ESMTP id D689821F8424 for <oauth@ietf.org>; Wed, 21 Aug 2013 11:36:49 -0700 (PDT)
Received: from DUB119-DS2 ([157.55.0.237]) by dub0-omc1-s5.dub0.hotmail.com with Microsoft SMTPSVC(6.0.3790.4675);  Wed, 21 Aug 2013 11:36:48 -0700
X-TMN: [jdRpNbrtNxJN0/oviY2xzs0dneRaJ38d]
X-Originating-Email: [amirabdulahi@hotmail.com]
Message-ID: <DUB119-DS2CB4360F733764F16CA29C64C0@phx.gbl>
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="_d8a7f631-bd40-4dd8-a055-dd56f6fe4e5f_"
From: "amir abdulahi " <amirabdulahi@hotmail.com>
To: "oauth@ietf.org " <oauth@ietf.org>
Date: Wed, 21 Aug 2013 18:36:48 +0000
X-OriginalArrivalTime: 21 Aug 2013 18:36:48.0722 (UTC) FILETIME=[65518B20:01CE9E9D]
Subject: Re: [OAUTH-WG] OAuth Digest, Vol 58, Issue 72
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 21 Aug 2013 18:36:55 -0000

--_d8a7f631-bd40-4dd8-a055-dd56f6fe4e5f_
Content-Type: text/plain; charset="iso-8859-15"
Content-Transfer-Encoding: quoted-printable



Amirabdulahi@hotmail.com.@nokia.com.@ovi.com.@yahoomail.com.@gmail.com
Sentall outlook from hotmail ovi my Nokia yahoo gmail facebook aol live msn other e-mail PhoneSoftwarOpera in likes CCLmailGoogle yahoomail


-----Original Message-----
From: oauth-request@ietf.org
Sent: 8/21/2013 4:46:56 PM
To: oauth@ietf.org
Subject: OAuth Digest, Vol 58, Issue 72

Today's Topics:

   1. Re: Audience parameter in authorization flow
      (Tschofenig, Hannes (NSN - FI/Espoo))
   2. Dynamic Client Registration Conference Call: Thu 22 Aug, 2pm
      PDT: Conference Bridge Details (Tschofenig, Hannes (NSN - FI/Espoo))
   3. (no subject)
   4. Re: Audience parameter in authorization flow (Phil Hunt)
   5. Re: Audience parameter in authorization flow (Hannes Tschofenig)
   6. Re: Audience parameter in authorization flow (Anthony Nadalin)
   7. Re: Audience parameter in authorization flow (Phil Hunt)


----------------------------------------------------------------------

Message: 1
Date: Wed, 21 Aug 2013 16:30:25 +0000
From: "Tschofenig, Hannes (NSN - FI/Espoo)"
        <hannes.tschofenig@nsn.com>
To: ext Sergey Beryozkin <sberyozkin@gmail.com>, "<oauth@ietf.org>"
        <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Audience parameter in authorization flow
Message-ID:
        <1373E8CE237FCC43BCA36C6558612D2AA272E8@USCHMBX001.nsn-intra.net>
Content-Type: text/plain; charset="us-ascii"

Hi Sergey,

The idea of the audience was to provide a way for the client to indicate the resource server it wants to talk to explicitly rather than overloading the scope field. We certainly need that capability for the MAC token work.

The audience information is provided when the client interacts with the AS.

Ciao
Hannes


> -----Original Message-----
> From: oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] On Behalf
> Of ext Sergey Beryozkin
> Sent: Sunday, August 18, 2013 6:32 PM
> To: <oauth@ietf.org>
> Subject: [OAUTH-WG] Audience parameter in authorization flow
>
> Hi Hannes, All,
>
> Regarding [1], where would you expect an audience parameter be provided
> during the authorization flow ?
>
> It appears to me it should be provided during the initial redirect
> (similarly to a parameter like redirect_uri).
>
> Also, would it make sense to support pre-registered audience values,
> example, a client registers and specifies an audience during the
> registration ?
>
> Thanks, Sergey
>
> [1] http://tools.ietf.org/html/draft-tschofenig-oauth-audience-00
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth


------------------------------

Message: 2
Date: Wed, 21 Aug 2013 16:34:44 +0000
From: "Tschofenig, Hannes (NSN - FI/Espoo)"
        <hannes.tschofenig@nsn.com>
To: oauth mailing list <oauth@ietf.org>
Subject: [OAUTH-WG] Dynamic Client Registration Conference Call: Thu
        22 Aug, 2pm PDT: Conference Bridge Details
Message-ID:
        <1373E8CE237FCC43BCA36C6558612D2AA272FE@USCHMBX001.nsn-intra.net>
Content-Type: text/plain; charset="us-ascii"

Here is the conference bridge and Webex information.


------------------------------

Message: 3
Message-ID: <mailman.2439.1377103616.3815.oauth@ietf.org>

ly with what we have already in the dynamic client registration document (and folks may have actually missed it). There are two use cases described in the WG document, namely
 - Use Case #1: Open Registration (Appendix B.1)
 - Use Case #2: Protected Registration (Appendix B.2)

Then, we could talk about some more sophisticated use cases where information for protected registration is provided by a third party.

--------------------

Meeting Number: 702 442 101
Meeting Password: oauth

-------------------------------------------------------
To join the online meeting
-------------------------------------------------------
1. Go to https://nsn.webex.com/nsn/j.php?ED=268691357&UID=0&PW=NOTlkZjIwNTEy&RT=MiMzMA%3D%3D
2. Enter your name and email address.
3. Enter the meeting password: oauth
4. Click "Join Now".

To view in other time zones or languages, please click the link:
https://nsn.webex.com/nsn/j.php?ED=268691357&UID=0&PW=NOTlkZjIwNTEy&ORT=MiMzMA%3D%3D

-------------------------------------------------------
To join the teleconference only
-------------------------------------------------------
Global Dial-In Numbers: http://www.nokiasiemensnetworks.com/nvc
Conference Code: 944 910 5485


------------------------------

Message: 4
Date: Wed, 21 Aug 2013 09:35:10 -0700
From: Phil Hunt <phil.hunt@oracle.com>
To: "Tschofenig, Hannes (NSN - FI/Espoo)" <hannes.tschofenig@nsn.com>
Cc: "<oauth@ietf.org>" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Audience parameter in authorization flow
Message-ID: <CF5728A9-5271-4B57-A2B3-40A9FC1BC983@oracle.com>
Content-Type: text/plain; charset=us-ascii

This could be bound up in the client registration process since oauth clients don't authorize for random "targets".

Phil

@independentid
www.independentid.com
phil.hunt@oracle.com







On 2013-08-21, at 9:30 AM, "Tschofenig, Hannes (NSN - FI/Espoo)" <hannes.tschofenig@nsn.com> wrote:

> Hi Sergey,
>
> The idea of the audience was to provide a way for the client to indicate the resource server it wants to talk to explicitly rather than overloading the scope field. We certainly need that capability for the MAC token work.
>
> The audience information is provided when the client interacts with the AS.
>
> Ciao
> Hannes
>
>
>> -----Original Message-----
>> From: oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] On Behalf
>> Of ext Sergey Beryozkin
>> Sent: Sunday, August 18, 2013 6:32 PM
>> To: <oauth@ietf.org>
>> Subject: [OAUTH-WG] Audience parameter in authorization flow
>>
>> Hi Hannes, All,
>>
>> Regarding [1], where would you expect an audience parameter be provided
>> during the authorization flow ?
>>
>> It appears to me it should be provided during the initial redirect
>> (similarly to a parameter like redirect_uri).
>>
>> Also, would it make sense to support pre-registered audience values,
>> example, a client registers and specifies an audience during the
>> registration ?
>>
>> Thanks, Sergey
>>
>> [1] http://tools.ietf.org/html/draft-tschofenig-oauth-audience-00



------------------------------

Message: 5
Date: Wed, 21 Aug 2013 18:40:59 +0200
From: Hannes Tschofenig <hannes.tschofenig@gmx.net>
To: Phil Hunt <phil.hunt@oracle.com>
Cc: "<oauth@ietf.org>" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Audience parameter in authorization flow
Message-ID: <5214ED9B.3070406@gmx.net>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed

That's certainly true although the referenced document did not talk
about the registration phase but rather about the time when the client
talks to the authorization server to obtain an access token.

Maybe UMA has provided a story for this already...

On 08/21/2013 06:35 PM, Phil Hunt wrote:
> This could be bound up in the client registration process since oauth clients don't authorize for random "targets".
>
> Phil
>
> @independentid
> www.independentid.com<http://www.independentid.com>
> phil.hunt@oracle.com
>
>
>
>
>
>
>
> On 2013-08-21, at 9:30 AM, "Tschofenig, Hannes (NSN - FI/Espoo)" <hannes.tschofenig@nsn.com> wrote:
>
>> Hi Sergey,
>>
>> The idea of the audience was to provide a way for the client to indicate the resource server it wants to talk to explicitly rather than overloading the scope field. We certainly need that capability for the MAC token work.
>>
>> The audience information is provided when the client interacts with the AS.
>>
>> Ciao
>> Hannes
>>
>>
>>> -----Original Message-----
>>> From: oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] On Behalf
>>> Of ext Sergey Beryozkin
>>> Sent: Sunday, August 18, 2013 6:32 PM
>>> To: <oauth@ietf.org>
>>> Subject: [OAUTH-WG] Audience parameter in authorization flow
>>>
>>> Hi Hannes, All,
>>>
>>> Regarding [1], where would you expect an audience parameter be provided
>>> during the authorization flow ?
>>>
>>> It appears to me it should be provided during the initial redirect
>>> (similarly to a parameter like redirect_uri).
>>>
>>> Also, would it make sense to support pre-registered audience values,
>>> example, a client registers and specifies an audience during the
>>> registration ?
>>>
>>> Thanks, Sergey
>>>
>>> [1] http://tools.ietf.org/html/draft-tschofenig-oauth-audience-00



------------------------------

Message: 6
Date: Wed, 21 Aug 2013 16:45:36 +0000
From: Anthony Nadalin <tonynad@microsoft.com>
To: Hannes Tschofenig <hannes.tschofenig@gmx.net>, Phil Hunt
        <phil.hunt@oracle.com>
Cc: "<oauth@ietf.org>" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Audience parameter in authorization flow
Message-ID:
        <1d4b764800be4cff991f02a91948d2c0@BY2PR03MB189.namprd03.prod.outlook.com>

Content-Type: text/plain; charset="us-ascii"

I think binding audience at registration time is too limiting as we see audience being on a per token request level and also see the audience being part of the restrictions for "act as" or "on behalf of" support

-----Original Message-----
From: oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] On Behalf Of Hannes Tschofenig
Sent: Wednesday, August 21, 2013 9:41 AM
To: Phil Hunt
Cc: <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Audience parameter in authorization flow

That's certainly true although the referenced document did not talk about the registration phase but rather about the time when the client talks to the authorization server to obtain an access token.

Maybe UMA has provided a story for this already...

On 08/21/2013 06:35 PM, Phil Hunt wrote:
> This could be bound up in the client registration process since oauth clients don't authorize for random "targets".
>
> Phil
>
> @independentid
> www.independentid.com<http://www.independentid.com>
> phil.hunt@oracle.com
>
>
>
>
>
>
>
> On 2013-08-21, at 9:30 AM, "Tschofenig, Hannes (NSN - FI/Espoo)" <hannes.tschofenig@nsn.com> wrote:
>
>> Hi Sergey,
>>
>> The idea of the audience was to provide a way for the client to indicate the resource server it wants to talk to explicitly rather than overloading the scope field. We certainly need that capability for the MAC token work.
>>
>> The audience information is provided when the client interacts with the AS.
>>
>> Ciao
>> Hannes
>>
>>
>>> -----Original Message-----
>>> From: oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] On
>>> Behalf Of ext Sergey Beryozkin
>>> Sent: Sunday, August 18, 2013 6:32 PM
>>> To: <oauth@ietf.org>
>>> Subject: [OAUTH-WG] Audience parameter in authorization flow
>>>
>>> Hi Hannes, All,
>>>
>>> Regarding [1], where would you expect an audience parameter be
>>> provided during the authorization flow ?
>>>
>>> It appears to me it should be provided during the initial redirect
>>> (similarly to a parameter like redirect_uri).
>>>
>>> Also, would it make sense to support pre-registered audience values,
>>> example, a client registers and specifies an audience during the
>>> registration ?
>>>
>>> Thanks, Sergey
>>>
>>> [1] http://tools.ietf.org/html/draft-tschofenig-oauth-audience-00

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth


------------------------------

Message: 7
Date: Wed, 21 Aug 2013 09:46:39 -0700
From: Phil Hunt <phil.hunt@oracle.com>
To: Anthony Nadalin <tonynad@microsoft.com>
Cc: "<oauth@ietf.org>" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Audience parameter in authorization flow
Message-ID: <5AA05FFA-99AB-4702-BC20-C209FF26416C@oracle.com>
Content-Type: text/plain; charset=us-ascii

Yes.  The trade off is that each client_id becomes associated with a target.

Phil

@independentid
www.independentid.com<http://www.independentid.com>
phil.hunt@oracle.com







On 2013-08-21, at 9:45 AM, Anthony Nadalin <tonynad@microsoft.com> wrote:

> I think binding audience at registration time is too limiting as we see audience being on a per token request level and also see the audience being part of the restrictions for "act as" or "on behalf of" support
>
> -----Original Message-----
> From: oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] On Behalf Of Hannes Tschofenig
> Sent: Wednesday, August 21, 2013 9:41 AM
> To: Phil Hunt
> Cc: <oauth@ietf.org>
> Subject: Re: [OAUTH-WG] Audience parameter in authorization flow
>
> That's certainly true although the referenced document did not talk about the registration phase but rather about the time when the client talks to the authorization server to obtain an access token.
>
> Maybe UMA has provided a story for this already...
>
> On 08/21/2013 06:35 PM, Phil Hunt wrote:
>> This could be bound up in the client registration process since oauth clients don't authorize for random "targets".
>>
>> Phil
>>
>> @independentid
>> www.independentid.com<http://www.independentid.com>
>> phil.hunt@oracle.com
>>
>>
>>
>>
>>
>>
>>
>> On 2013-08-21, at 9:30 AM, "Tschofenig, Hannes (NSN - FI/Espoo)" <hannes.tschofenig@nsn.com> wrote:
>>
>>> Hi Sergey,
>>>
>>> The idea of the audience was to provide a way for the client to indicate the resource server it wants to talk to explicitly rather than overloading the scope field. We certainly need that capability for the MAC token work.
>>>
>>> The audience information is provided when the client interacts with the AS.
>>>
>>> Ciao
>>> Hannes
>>>
>>>
>>>> -----Original Message-----
>>>> From: oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] On
>>>> Behalf Of ext Sergey Beryozkin
>>>> Sent: Sunday, August 18, 2013 6:32 PM
>>>> To: <oauth@ietf.org>
>>>> Subject: [OAUTH-WG] Audience parameter in authorization flow
>>>>
>>>> Hi Hannes, All,
>>>>
>>>> Regarding [1], where would you expect an audience parameter be
>>>> provided during the authorization flow ?
>>>>
>>>> It appears to me it should be provided during the initial redirect
>>>> (similarly to a parameter like redirect_uri).
>>>>
>>>> Also, would it make sense to support pre-registered audience values,
>>>> example, a client registers and specifies an audience during the
>>>> registration ?
>>>>
>>>> Thanks, Sergey
>>>>
>>>> [1] http://tools.ietf.org/html/draft-tschofenig-oauth-audience-00



------------------------------

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth


End of OAuth Digest, Vol 58, Issue 72
*************************************
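
The two positions in this thread (audience fixed at client registration, audience chosen per token request) can be combined, as in the sketch below. It is an added example, not code from the thread or from the referenced draft. The `audience` argument name, the registry layout, the example.com identifiers and the HMAC-protected token format are assumptions made for illustration.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed registration data: the audiences each client_id may ask for.
# "client-single" is the registration-time binding (one client_id, one target);
# "client-multi" picks one of its registered targets per token request.
REGISTERED_AUDIENCES = {
    "client-single": {"https://calendar.example.com"},
    "client-multi": {"https://calendar.example.com", "https://mail.example.com"},
}
AS_KEY = b"constructed-demo-key"  # assumption: key shared by AS and RS in this demo


class AudienceError(ValueError):
    """Raised when a token request or a presented token fails an audience check."""


def resolve_audience(client_id, requested=None):
    """AS side: decide which resource server the token will be issued for."""
    allowed = REGISTERED_AUDIENCES.get(client_id)
    if not allowed:
        raise AudienceError("unknown client_id")
    if requested is None:
        # Only unambiguous when registration bound the client to one target.
        if len(allowed) == 1:
            return next(iter(allowed))
        raise AudienceError("audience required: several targets registered")
    # Exact string match only; no prefix or wildcard matching.
    if requested not in allowed:
        raise AudienceError("audience not registered for this client")
    return requested


def _b64(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _sign(payload):
    return _b64(hmac.new(AS_KEY, payload.encode("ascii"), hashlib.sha256).digest())


def issue_token(client_id, scope, audience=None, now=None, ttl=300):
    """AS side: issue a token that carries scope and audience as separate fields."""
    aud = resolve_audience(client_id, audience)
    now = int(time.time()) if now is None else now
    claims = {"client_id": client_id, "aud": aud, "scope": scope, "exp": now + ttl}
    payload = _b64(json.dumps(claims, sort_keys=True).encode("utf-8"))
    return payload + "." + _sign(payload)


def accept_token(token, own_identifier, now=None):
    """RS side: check integrity and expiry, then refuse tokens meant for another RS."""
    try:
        payload, sig = token.split(".")
        expected = _sign(payload)
    except ValueError:
        raise AudienceError("malformed token") from None
    if not hmac.compare_digest(sig.encode("utf-8"), expected.encode("ascii")):
        raise AudienceError("bad signature")
    claims = json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))
    now = int(time.time()) if now is None else now
    if claims["exp"] <= now:
        raise AudienceError("token expired")
    if claims["aud"] != own_identifier:
        raise AudienceError("token was issued for a different resource server")
    return claims


if __name__ == "__main__":
    token = issue_token("client-multi", "read", "https://mail.example.com")
    print(accept_token(token, "https://mail.example.com"))
    try:
        accept_token(token, "https://calendar.example.com")
    except AudienceError as exc:
        print("calendar RS rejects it:", exc)
```
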

--_d8a7f631-bd40-4dd8-a055-dd56f6fe4e5f_
Content-Type: text/html; charset="iso-8859-15"
Content-Transfer-Encoding: quoted-printable

<br>
<br>
Amirabdulahi@hotmail.com.@nokia.com.@ovi.com.@yahoomail.com.@gmail.com<br>
Sentall outlook from hotmail ovi my Nokia yahoo gmail facebook aol live msn other e-mail PhoneSoftwarOpera in likes CCLmailGoogle yahoomail<br><br><html>
<head>

</head>
<body>
<br>
-----Original Message----- <br>
From: oauth-request@ietf.org <oauth-request@ietf.org><br>
Sent: 8/21/2013 4:46:56 PM <br>
To: oauth@ietf.org <oauth@ietf.org><br>
Subject: OAuth Digest, Vol 58, Issue 72 <br>
<meta name="Generator" content="Microsoft Exchange Server">
<!-- converted from text --><style><!-- .EmailQuote { margin-left: 1pt; padding-left: 4pt; border-left: #800000 2px solid; } --></style><font size="2">
<div class=3D"PlainText">If you have received this digest without all the i=
ndividual message<br>
attachments you will need to update your digest options in your list<br>
subscription.&nbsp; To do so, go to <br>
<br>
<a href=3D"https://www.ietf.org/mailman/listinfo/oauth">https://www.ietf.or=
g/mailman/listinfo/oauth</a><br>
<br>
Click the 'Unsubscribe or edit options' button, log in, and set &quot;Get<b=
r>
MIME or Plain Text Digests?&quot; to MIME.&nbsp; You can set this option<br=
>
globally for all the list digests you receive at this point.<br>
<br>
<br>
<br>
Send OAuth mailing list submissions to<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; oauth@ietf.org<br>
<br>
To subscribe or unsubscribe via the World Wide Web, visit<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <a href=3D"https://www.ietf.org/=
mailman/listinfo/oauth">https://www.ietf.org/mailman/listinfo/oauth</a><br>
or, via email, send a message with subject or body 'help' to<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; oauth-request@ietf.org<br>
<br>
You can reach the person managing the list at<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; oauth-owner@ietf.org<br>
<br>
When replying, please edit your Subject line so it is more specific<br>
than &quot;Re: Contents of OAuth digest...&quot;<br>
<br>
<br>
Today's Topics:<br>
<br>
&nbsp;&nbsp; 1. Re: Audience parameter in authorization flow<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; (Tschofenig, Hannes (NSN - FI/Espoo))<br>
&nbsp;&nbsp; 2. Dynamic Client Registration Conference Call: Thu 22 Aug, 2p=
m<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; PDT: Conference Bridge Details (Tschofenig, =
Hannes (NSN - FI/Espoo))<br>
&nbsp;&nbsp; 3. (no subject)<br>
&nbsp;&nbsp; 4. Re: Audience parameter in authorization flow (Phil Hunt)<br=
>
&nbsp;&nbsp; 5. Re: Audience parameter in authorization flow (Hannes Tschof=
enig)<br>
&nbsp;&nbsp; 6. Re: Audience parameter in authorization flow (Anthony Nadal=
in)<br>
&nbsp;&nbsp; 7. Re: Audience parameter in authorization flow (Phil Hunt)<br=
>
<br>
<br>
----------------------------------------------------------------------<br>
<br>
Message: 1<br>
Date: Wed, 21 Aug 2013 16:30:25 &#43;0000<br>
From: &quot;Tschofenig, Hannes (NSN - FI/Espoo)&quot;<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &lt;hannes.tschofenig@nsn.com&gt=
;<br>
To: ext Sergey Beryozkin &lt;sberyozkin@gmail.com&gt;, &quot;&lt;oauth@ietf=
.org&gt;&quot;<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &lt;oauth@ietf.org&gt;<br>
Subject: Re: [OAUTH-WG] Audience parameter in authorization flow<br>
Message-ID:<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &lt;1373E8CE237FCC43BCA36C655861=
2D2AA272E8@USCHMBX001.nsn-intra.net&gt;<br>
Content-Type: text/plain; charset=3D&quot;us-ascii&quot;<br>
<br>
Hi Sergey, <br>
<br>
The idea of the audience was to provide a way for the client to indicate th=
e resource server it wants to talk to explicitly rather than overloading th=
e scope field. We certainly need that capability for the MAC token work.
<br>
<br>
The audience information is provided when the client interacts with the AS.=
 <br>
<br>
Ciao<br>
Hannes<br>
<br>
<br>
&gt; -----Original Message-----<br>
&gt; From: oauth-bounces@ietf.org [<a href=3D"mailto:oauth-bounces@ietf.org=
">mailto:oauth-bounces@ietf.org</a>] On Behalf<br>
&gt; Of ext Sergey Beryozkin<br>
&gt; Sent: Sunday, August 18, 2013 6:32 PM<br>
&gt; To: &lt;oauth@ietf.org&gt;<br>
&gt; Subject: [OAUTH-WG] Audience parameter in authorization flow<br>
&gt; <br>
&gt; Hi Hannes, All,<br>
&gt; <br>
&gt; Regarding [1], where would you expect an audience parameter be provide=
d<br>
&gt; during the authorization flow ?<br>
&gt; <br>
&gt; It appears to me it should be provided during the initial redirect<br>
&gt; (similarly to a parameter like redirect_uri).<br>
&gt; <br>
&gt; Also, would it make sense to support pre-registered audience values,<b=
r>
&gt; example, a client registers and specifies an audience during the<br>
&gt; registration ?<br>
&gt; <br>
&gt; Thanks, Sergey<br>
&gt; <br>
&gt; [1] <a href=3D"http://tools.ietf.org/html/draft-tschofenig-oauth-audie=
nce-00">http://tools.ietf.org/html/draft-tschofenig-oauth-audience-00</a><b=
r>
&gt; _______________________________________________<br>
&gt; OAuth mailing list<br>
&gt; OAuth@ietf.org<br>
&gt; <a href=3D"https://www.ietf.org/mailman/listinfo/oauth">https://www.ie=
tf.org/mailman/listinfo/oauth</a><br>
<br>
<br>
------------------------------<br>
<br>
Message: 2<br>
Date: Wed, 21 Aug 2013 16:34:44 &#43;0000<br>
From: &quot;Tschofenig, Hannes (NSN - FI/Espoo)&quot;<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &lt;hannes.tschofenig@nsn.com&gt=
;<br>
To: oauth mailing list &lt;oauth@ietf.org&gt;<br>
Subject: [OAUTH-WG] Dynamic Client Registration Conference Call: Thu<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 22 Aug, 2pm PDT: Conference Brid=
ge Details<br>
Message-ID:<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &lt;1373E8CE237FCC43BCA36C655861=
2D2AA272FE@USCHMBX001.nsn-intra.net&gt;<br>
Content-Type: text/plain; charset=3D&quot;us-ascii&quot;<br>
<br>
Here is the conference bridge and Webex information. <br>
<br>
<br>
------------------------------<br>
<br>
Message: 3<br>
Message-ID: &lt;mailman.2439.1377103616.3815.oauth@ietf.org&gt;<br>
<br>
ly with what we have already in the dynamic client registration document (a=
=3D<br>
nd folks may have actually missed it). There are two use cases described in=
=3D<br>
&nbsp;the WG document, namely=3D20<br>
&nbsp;- Use Case #1: Open Registration (Appendix B.1)<br>
&nbsp;- Use Case #2: Protected Registration (Appendix B.2)<br>
<br>
Then, we could talk about some more sophisticated use cases where informati=
=3D<br>
on for protected registration is provided by a third party.=3D20<br>
<br>
--------------------<br>
<br>
Meeting Number: 702 442 101=3D20<br>
Meeting Password: oauth=3D20<br>
<br>
-------------------------------------------------------=3D20<br>
To join the online meeting=3D20<br>
-------------------------------------------------------=3D20<br>
1. Go to <a href=3D"https://nsn.webex.com/nsn/j.php?ED=3D3D268691357&amp;UI=
D=3D3D0&amp;PW=3D3DNOTlkZ=3D">
https://nsn.webex.com/nsn/j.php?ED=3D3D268691357&amp;UID=3D3D0&amp;PW=3D3DN=
OTlkZ=3D</a><br>
jIwNTEy&amp;RT=3D3DMiMzMA%3D%3D=3D20<br>
2. Enter your name and email address.=3D20<br>
3. Enter the meeting password: oauth=3D20<br>
4. Click &quot;Join Now&quot;.=3D20<br>
<br>
To view in other time zones or languages, please click the link:=3D20<br>
<a href=3D"https://nsn.webex.com/nsn/j.php?ED=3D3D268691357&amp;UID=3D3D0&a=
mp;PW=3D3DNOTlkZjIwNTEy&amp;O=3D">https://nsn.webex.com/nsn/j.php?ED=3D3D26=
8691357&amp;UID=3D3D0&amp;PW=3D3DNOTlkZjIwNTEy&amp;O=3D</a><br>
RT=3D3DMiMzMA%3D%3D=3D20<br>
<br>
-------------------------------------------------------=3D20<br>
To join the teleconference only=3D20<br>
-------------------------------------------------------=3D20<br>
Global Dial-In Numbers: <a href=3D"http://www.nokiasiemensnetworks.com/nvc=
=3D20">http://www.nokiasiemensnetworks.com/nvc=3D20</a><br>
Conference Code: 944 910 5485<br>
<br>
<br>
------------------------------<br>
<br>
Message: 4<br>
Date: Wed, 21 Aug 2013 09:35:10 -0700<br>
From: Phil Hunt &lt;phil.hunt@oracle.com&gt;<br>
To: &quot;Tschofenig, Hannes (NSN - FI/Espoo)&quot; &lt;hannes.tschofenig@n=
sn.com&gt;<br>
Cc: &quot;&lt;oauth@ietf.org&gt;&quot; &lt;oauth@ietf.org&gt;<br>
Subject: Re: [OAUTH-WG] Audience parameter in authorization flow<br>
Message-ID: &lt;CF5728A9-5271-4B57-A2B3-40A9FC1BC983@oracle.com&gt;<br>
Content-Type: text/plain; charset=3Dus-ascii<br>
<br>
This could be bound up in the client registration process since oauth clien=
ts don't authorize for random &quot;targets&quot;.<br>
<br>
Phil<br>
<br>
@independentid<br>
<a href=3D"http://www.independentid.com">www.independentid.com</a><br>
phil.hunt@oracle.com<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
On 2013-08-21, at 9:30 AM, &quot;Tschofenig, Hannes (NSN - FI/Espoo)&quot; =
&lt;hannes.tschofenig@nsn.com&gt; wrote:<br>
<br>
&gt; Hi Sergey, <br>
&gt; <br>
&gt; The idea of the audience was to provide a way for the client to indica=
te the resource server it wants to talk to explicitly rather than overloadi=
ng the scope field. We certainly need that capability for the MAC token wor=
k.
<br>
&gt; <br>
&gt; The audience information is provided when the client interacts with th=
e AS. <br>
&gt; <br>
&gt; Ciao<br>
&gt; Hannes<br>
&gt; <br>
&gt; <br>
&gt;&gt; -----Original Message-----<br>
&gt;&gt; From: oauth-bounces@ietf.org [<a href=3D"mailto:oauth-bounces@ietf=
.org">mailto:oauth-bounces@ietf.org</a>] On Behalf<br>
&gt;&gt; Of ext Sergey Beryozkin<br>
&gt;&gt; Sent: Sunday, August 18, 2013 6:32 PM<br>
&gt;&gt; To: &lt;oauth@ietf.org&gt;<br>
&gt;&gt; Subject: [OAUTH-WG] Audience parameter in authorization flow<br>
&gt;&gt; <br>
&gt;&gt; Hi Hannes, All,<br>
&gt;&gt; <br>
&gt;&gt; Regarding [1], where would you expect an audience parameter be pro=
vided<br>
&gt;&gt; during the authorization flow ?<br>
&gt;&gt; <br>
&gt;&gt; It appears to me it should be provided during the initial redirect=
<br>
&gt;&gt; (similarly to a parameter like redirect_uri).<br>
&gt;&gt; <br>
&gt;&gt; Also, would it make sense to support pre-registered audience value=
s,<br>
&gt;&gt; example, a client registers and specifies an audience during the<b=
r>
&gt;&gt; registration ?<br>
&gt;&gt; <br>
&gt;&gt; Thanks, Sergey<br>
&gt;&gt; <br>
&gt;&gt; [1] <a href=3D"http://tools.ietf.org/html/draft-tschofenig-oauth-a=
udience-00">http://tools.ietf.org/html/draft-tschofenig-oauth-audience-00</=
a><br>
&gt;&gt; _______________________________________________<br>
&gt;&gt; OAuth mailing list<br>
&gt;&gt; OAuth@ietf.org<br>
&gt;&gt; <a href=3D"https://www.ietf.org/mailman/listinfo/oauth">https://ww=
w.ietf.org/mailman/listinfo/oauth</a><br>
&gt; _______________________________________________<br>
&gt; OAuth mailing list<br>
&gt; OAuth@ietf.org<br>
&gt; <a href=3D"https://www.ietf.org/mailman/listinfo/oauth">https://www.ie=
tf.org/mailman/listinfo/oauth</a><br>
<br>
<br>
<br>
------------------------------<br>
<br>
Message: 5<br>
Date: Wed, 21 Aug 2013 18:40:59 &#43;0200<br>
From: Hannes Tschofenig &lt;hannes.tschofenig@gmx.net&gt;<br>
To: Phil Hunt &lt;phil.hunt@oracle.com&gt;<br>
Cc: &quot;&lt;oauth@ietf.org&gt;&quot; &lt;oauth@ietf.org&gt;<br>
Subject: Re: [OAUTH-WG] Audience parameter in authorization flow<br>
Message-ID: &lt;5214ED9B.3070406@gmx.net&gt;<br>
Content-Type: text/plain; charset=3DISO-8859-1; format=3Dflowed<br>
<br>
That's certainly true although the referenced document did not talk <br>
about the registration phase but rather about the time when the client <br>
talks to the authorization server to obtain an access token.<br>
<br>
Maybe UMA has provided a story for this already...<br>
<br>
On 08/21/2013 06:35 PM, Phil Hunt wrote:<br>
&gt; This could be bound up in the client registration process since oauth =
clients don't authorize for random &quot;targets&quot;.<br>
&gt;<br>
&gt; Phil<br>
&gt;<br>
&gt; @independentid<br>
&gt; <a href=3D"http://www.independentid.com">www.independentid.com</a><br>
&gt; phil.hunt@oracle.com<br>
&gt;<br>
&gt;<br>
&gt;<br>
&gt;<br>
&gt;<br>
&gt;<br>
&gt;<br>
&gt; On 2013-08-21, at 9:30 AM, &quot;Tschofenig, Hannes (NSN - FI/Espoo)&q=
uot; &lt;hannes.tschofenig@nsn.com&gt; wrote:<br>
&gt;<br>
&gt;&gt; Hi Sergey,<br>
&gt;&gt;<br>
&gt;&gt; The idea of the audience was to provide a way for the client to in=
dicate the resource server it wants to talk to explicitly rather than overl=
oading the scope field. We certainly need that capability for the MAC token=
 work.<br>
&gt;&gt;<br>
&gt;&gt; The audience information is provided when the client interacts wit=
h the AS.<br>
&gt;&gt;<br>
&gt;&gt; Ciao<br>
&gt;&gt; Hannes<br>
&gt;&gt;<br>
&gt;&gt;<br>
&gt;&gt;&gt; -----Original Message-----<br>
&gt;&gt;&gt; From: oauth-bounces@ietf.org [<a href=3D"mailto:oauth-bounces@=
ietf.org">mailto:oauth-bounces@ietf.org</a>] On Behalf<br>
&gt;&gt;&gt; Of ext Sergey Beryozkin<br>
&gt;&gt;&gt; Sent: Sunday, August 18, 2013 6:32 PM<br>
&gt;&gt;&gt; To: &lt;oauth@ietf.org&gt;<br>
&gt;&gt;&gt; Subject: [OAUTH-WG] Audience parameter in authorization flow<b=
r>
&gt;&gt;&gt;<br>
&gt;&gt;&gt; Hi Hannes, All,<br>
&gt;&gt;&gt;<br>
&gt;&gt;&gt; Regarding [1], where would you expect an audience parameter be=
 provided<br>
&gt;&gt;&gt; during the authorization flow ?<br>
&gt;&gt;&gt;<br>
&gt;&gt;&gt; It appears to me it should be provided during the initial redi=
rect<br>
&gt;&gt;&gt; (similarly to a parameter like redirect_uri).<br>
&gt;&gt;&gt;<br>
&gt;&gt;&gt; Also, would it make sense to support pre-registered audience v=
alues,<br>
&gt;&gt;&gt; example, a client registers and specifies an audience during t=
he<br>
&gt;&gt;&gt; registration ?<br>
&gt;&gt;&gt;<br>
&gt;&gt;&gt; Thanks, Sergey<br>
&gt;&gt;&gt;<br>
&gt;&gt;&gt; [1] <a href=3D"http://tools.ietf.org/html/draft-tschofenig-oau=
th-audience-00">http://tools.ietf.org/html/draft-tschofenig-oauth-audience-=
00</a><br>
&gt;&gt;&gt; _______________________________________________<br>
&gt;&gt;&gt; OAuth mailing list<br>
&gt;&gt;&gt; OAuth@ietf.org<br>
&gt;&gt;&gt; <a href=3D"https://www.ietf.org/mailman/listinfo/oauth">https:=
//www.ietf.org/mailman/listinfo/oauth</a><br>
&gt;&gt; _______________________________________________<br>
&gt;&gt; OAuth mailing list<br>
&gt;&gt; OAuth@ietf.org<br>
&gt;&gt; <a href=3D"https://www.ietf.org/mailman/listinfo/oauth">https://ww=
w.ietf.org/mailman/listinfo/oauth</a><br>
&gt;<br>
&gt; _______________________________________________<br>
&gt; OAuth mailing list<br>
&gt; OAuth@ietf.org<br>
&gt; <a href=3D"https://www.ietf.org/mailman/listinfo/oauth">https://www.ie=
tf.org/mailman/listinfo/oauth</a><br>
&gt;<br>
<br>
<br>
<br>
------------------------------<br>
<br>
Message: 6<br>
Date: Wed, 21 Aug 2013 16:45:36 &#43;0000<br>
From: Anthony Nadalin &lt;tonynad@microsoft.com&gt;<br>
To: Hannes Tschofenig &lt;hannes.tschofenig@gmx.net&gt;, Phil Hunt<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &lt;phil.hunt@oracle.com&gt;<br>
Cc: &quot;&lt;oauth@ietf.org&gt;&quot; &lt;oauth@ietf.org&gt;<br>
Subject: Re: [OAUTH-WG] Audience parameter in authorization flow<br>
Message-ID:<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &lt;1d4b764800be4cff991f02a91948=
d2c0@BY2PR03MB189.namprd03.prod.outlook.com&gt;<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <br>
Content-Type: text/plain; charset=3D&quot;us-ascii&quot;<br>
<br>
I think binding audience at registration time is to limiting as we see audi=
ence being on a per token request level and also see the audience being par=
t of the restrictions for &quot;act as&quot; or &quot;on behalf of&quot; su=
pport
<br>
<br>
-----Original Message-----<br>
From: oauth-bounces@ietf.org [<a href=3D"mailto:oauth-bounces@ietf.org">mai=
lto:oauth-bounces@ietf.org</a>] On Behalf Of Hannes Tschofenig<br>
Sent: Wednesday, August 21, 2013 9:41 AM<br>
To: Phil Hunt<br>
Cc: &lt;oauth@ietf.org&gt;<br>
Subject: Re: [OAUTH-WG] Audience parameter in authorization flow<br>
<br>
That's certainly true although the referenced document did not talk about t=
he registration phase but rather about the time when the client talks to th=
e authorization server to obtain an access token.<br>
<br>
Maybe UMA has provided a story for this already...<br>
<br>
On 08/21/2013 06:35 PM, Phil Hunt wrote:<br>
&gt; This could be bound up in the client registration process since oauth =
clients don't authorize for random &quot;targets&quot;.<br>
&gt;<br>
&gt; Phil<br>
&gt;<br>
&gt; @independentid<br>
&gt; <a href=3D"http://www.independentid.com">www.independentid.com</a><br>
&gt; phil.hunt@oracle.com<br>
&gt;<br>
&gt;<br>
&gt;<br>
&gt;<br>
&gt;<br>
&gt;<br>
&gt;<br>
&gt; On 2013-08-21, at 9:30 AM, &quot;Tschofenig, Hannes (NSN - FI/Espoo)&q=
uot; &lt;hannes.tschofenig@nsn.com&gt; wrote:<br>
&gt;<br>
&gt;&gt; Hi Sergey,<br>
&gt;&gt;<br>
&gt;&gt; The idea of the audience was to provide a way for the client to in=
dicate the resource server it wants to talk to explicitly rather than overl=
oading the scope field. We certainly need that capability for the MAC token=
 work.<br>
&gt;&gt;<br>
&gt;&gt; The audience information is provided when the client interacts wit=
h the AS.<br>
&gt;&gt;<br>
&gt;&gt; Ciao<br>
&gt;&gt; Hannes<br>
&gt;&gt;<br>
&gt;&gt;<br>
&gt;&gt;&gt; -----Original Message-----<br>
&gt;&gt;&gt; From: oauth-bounces@ietf.org [<a href=3D"mailto:oauth-bounces@=
ietf.org">mailto:oauth-bounces@ietf.org</a>] On
<br>
&gt;&gt;&gt; Behalf Of ext Sergey Beryozkin<br>
&gt;&gt;&gt; Sent: Sunday, August 18, 2013 6:32 PM<br>
&gt;&gt;&gt; To: &lt;oauth@ietf.org&gt;<br>
&gt;&gt;&gt; Subject: [OAUTH-WG] Audience parameter in authorization flow<b=
r>
&gt;&gt;&gt;<br>
&gt;&gt;&gt; Hi Hannes, All,<br>
&gt;&gt;&gt;<br>
&gt;&gt;&gt; Regarding [1], where would you expect an audience parameter be=
 <br>
&gt;&gt;&gt; provided during the authorization flow ?<br>
&gt;&gt;&gt;<br>
&gt;&gt;&gt; It appears to me it should be provided during the initial redi=
rect <br>
&gt;&gt;&gt; (similarly to a parameter like redirect_uri).<br>
&gt;&gt;&gt;<br>
&gt;&gt;&gt; Also, would it make sense to support pre-registered audience v=
alues, <br>
&gt;&gt;&gt; example, a client registers and specifies an audience during t=
he <br>
&gt;&gt;&gt; registration ?<br>
&gt;&gt;&gt;<br>
&gt;&gt;&gt; Thanks, Sergey<br>
&gt;&gt;&gt;<br>
&gt;&gt;&gt; [1] <a href=3D"http://tools.ietf.org/html/draft-tschofenig-oau=
th-audience-00">http://tools.ietf.org/html/draft-tschofenig-oauth-audience-=
00</a><br>
&gt;&gt;&gt; _______________________________________________<br>
&gt;&gt;&gt; OAuth mailing list<br>
&gt;&gt;&gt; OAuth@ietf.org<br>
&gt;&gt;&gt; <a href=3D"https://www.ietf.org/mailman/listinfo/oauth">https:=
//www.ietf.org/mailman/listinfo/oauth</a><br>
&gt;&gt; _______________________________________________<br>
&gt;&gt; OAuth mailing list<br>
&gt;&gt; OAuth@ietf.org<br>
&gt;&gt; <a href=3D"https://www.ietf.org/mailman/listinfo/oauth">https://ww=
w.ietf.org/mailman/listinfo/oauth</a><br>
&gt;<br>
&gt; _______________________________________________<br>
&gt; OAuth mailing list<br>
&gt; OAuth@ietf.org<br>
&gt; <a href=3D"https://www.ietf.org/mailman/listinfo/oauth">https://www.ie=
tf.org/mailman/listinfo/oauth</a><br>
&gt;<br>
<br>
_______________________________________________<br>
OAuth mailing list<br>
OAuth@ietf.org<br>
<a href=3D"https://www.ietf.org/mailman/listinfo/oauth">https://www.ietf.or=
g/mailman/listinfo/oauth</a><br>
<br>
<br>
------------------------------<br>
<br>
Message: 7<br>
Date: Wed, 21 Aug 2013 09:46:39 -0700<br>
From: Phil Hunt &lt;phil.hunt@oracle.com&gt;<br>
To: Anthony Nadalin &lt;tonynad@microsoft.com&gt;<br>
Cc: &quot;&lt;oauth@ietf.org&gt;&quot; &lt;oauth@ietf.org&gt;<br>
Subject: Re: [OAUTH-WG] Audience parameter in authorization flow<br>
Message-ID: &lt;5AA05FFA-99AB-4702-BC20-C209FF26416C@oracle.com&gt;<br>
Content-Type: text/plain; charset=3Dus-ascii<br>
<br>
Yes.&nbsp; The trade off is that each client_id becomes associated with a t=
arget.<br>
<br>
Phil<br>
<br>
@independentid<br>
<a href=3D"http://www.independentid.com">www.independentid.com</a><br>
phil.hunt@oracle.com<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
On 2013-08-21, at 9:45 AM, Anthony Nadalin &lt;tonynad@microsoft.com&gt; wr=
ote:<br>
<br>
&gt; I think binding audience at registration time is to limiting as we see=
 audience being on a per token request level and also see the audience bein=
g part of the restrictions for &quot;act as&quot; or &quot;on behalf of&quo=
t; support
<br>
&gt; <br>
&gt; -----Original Message-----<br>
&gt; From: oauth-bounces@ietf.org [<a href=3D"mailto:oauth-bounces@ietf.org=
">mailto:oauth-bounces@ietf.org</a>] On Behalf Of Hannes Tschofenig<br>
&gt; Sent: Wednesday, August 21, 2013 9:41 AM<br>
&gt; To: Phil Hunt<br>
&gt; Cc: &lt;oauth@ietf.org&gt;<br>
&gt; Subject: Re: [OAUTH-WG] Audience parameter in authorization flow<br>
&gt; <br>
&gt; That's certainly true although the referenced document did not talk ab=
out the registration phase but rather about the time when the client talks =
to the authorization server to obtain an access token.<br>
&gt; <br>
&gt; Maybe UMA has provided a story for this already...<br>
&gt; <br>
&gt; On 08/21/2013 06:35 PM, Phil Hunt wrote:<br>
&gt;&gt; This could be bound up in the client registration process since oa=
uth clients don't authorize for random &quot;targets&quot;.<br>
&gt;&gt; <br>
&gt;&gt; Phil<br>
&gt;&gt; <br>
&gt;&gt; @independentid<br>
&gt;&gt; <a href=3D"http://www.independentid.com">www.independentid.com</a>=
<br>
&gt;&gt; phil.hunt@oracle.com<br>
&gt;&gt; <br>
&gt;&gt; <br>
&gt;&gt; <br>
&gt;&gt; <br>
&gt;&gt; <br>
&gt;&gt; <br>
&gt;&gt; <br>
&gt;&gt; On 2013-08-21, at 9:30 AM, &quot;Tschofenig, Hannes (NSN - FI/Espoo)&quot; &lt;hannes.tschofenig@nsn.com&gt; wrote:<br>
&gt;&gt; <br>
&gt;&gt;&gt; Hi Sergey,<br>
&gt;&gt;&gt; <br>
&gt;&gt;&gt; The idea of the audience was to provide a way for the client to indicate the resource server it wants to talk to explicitly rather than overloading the scope field. We certainly need that capability for the MAC token work.<br>
&gt;&gt;&gt; <br>
&gt;&gt;&gt; The audience information is provided when the client interacts with the AS.<br>
&gt;&gt;&gt; <br>
&gt;&gt;&gt; Ciao<br>
&gt;&gt;&gt; Hannes<br>
&gt;&gt;&gt; <br>
&gt;&gt;&gt; <br>
&gt;&gt;&gt;&gt; -----Original Message-----<br>
&gt;&gt;&gt;&gt; From: oauth-bounces@ietf.org [<a href="mailto:oauth-bounces@ietf.org">mailto:oauth-bounces@ietf.org</a>] On Behalf Of ext Sergey Beryozkin<br>
&gt;&gt;&gt;&gt; Sent: Sunday, August 18, 2013 6:32 PM<br>
&gt;&gt;&gt;&gt; To: &lt;oauth@ietf.org&gt;<br>
&gt;&gt;&gt;&gt; Subject: [OAUTH-WG] Audience parameter in authorization flow<br>
&gt;&gt;&gt;&gt; <br>
&gt;&gt;&gt;&gt; Hi Hannes, All,<br>
&gt;&gt;&gt;&gt; <br>
&gt;&gt;&gt;&gt; Regarding [1], where would you expect an audience parameter to be provided during the authorization flow?<br>
&gt;&gt;&gt;&gt; <br>
&gt;&gt;&gt;&gt; It appears to me it should be provided during the initial redirect (similarly to a parameter like redirect_uri).<br>
&gt;&gt;&gt;&gt; <br>
&gt;&gt;&gt;&gt; Also, would it make sense to support pre-registered audience values, for example, a client registers and specifies an audience during the registration?<br>
&gt;&gt;&gt;&gt; <br>
&gt;&gt;&gt;&gt; Thanks, Sergey<br>
&gt;&gt;&gt;&gt; <br>
&gt;&gt;&gt;&gt; [1] <a href="http://tools.ietf.org/html/draft-tschofenig-oauth-audience-00">http://tools.ietf.org/html/draft-tschofenig-oauth-audience-00</a><br>
&gt;&gt;&gt;&gt; _______________________________________________<br>
&gt;&gt;&gt;&gt; OAuth mailing list<br>
&gt;&gt;&gt;&gt; OAuth@ietf.org<br>
&gt;&gt;&gt;&gt; <a href="https://www.ietf.org/mailman/listinfo/oauth">https://www.ietf.org/mailman/listinfo/oauth</a><br>
<br>
<br>
<br>
------------------------------<br>
<br>
_______________________________________________<br>
OAuth mailing list<br>
OAuth@ietf.org<br>
<a href="https://www.ietf.org/mailman/listinfo/oauth">https://www.ietf.org/mailman/listinfo/oauth</a><br>
<br>
<br>
End of OAuth Digest, Vol 58, Issue 72<br>
*************************************<br>
</div>
</font>
</body>
</html>

--_d8a7f631-bd40-4dd8-a055-dd56f6fe4e5f_--

From Michael.Jones@microsoft.com  Wed Aug 21 16:11:11 2013
From: Mike Jones <Michael.Jones@microsoft.com>
To: Hannes Tschofenig <hannes.tschofenig@gmx.net>, "oauth@ietf.org WG" <oauth@ietf.org>
Date: Wed, 21 Aug 2013 22:08:35 +0000
Message-ID: <4E1F6AAD24975D4BA5B16804296739436B7CAF50@TK5EX14MBXC283.redmond.corp.microsoft.com>
References: <5202113B.1020505@gmx.net>
In-Reply-To: <5202113B.1020505@gmx.net>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Subject: Re: [OAUTH-WG] WGLC on JSON Web Token (JWT)

I believe that the technical content of this document is complete and
stable and ready to move forward.

As a JOSE working group member and editor, I am aware of editorial changes
being requested to be made to the JWS and JWE documents that could change
some of the terminology used by JWT - in particular, the terms JWS Header,
JWS Payload, JWE Header, and JWE Plaintext could change.  Other JOSE
actions could also require changes to the JWT document to maintain
editorial consistency.

I believe that we should continue the IETF process for this document, while
recognizing that some local editorial changes may still be required.

				-- Mike

-----Original Message-----
From: oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] On Behalf Of Hannes Tschofenig
Sent: Wednesday, August 07, 2013 2:20 AM
To: oauth@ietf.org WG
Subject: [OAUTH-WG] WGLC on JSON Web Token (JWT)

Hi all,

this is a working group last call for the JSON Web Token (JWT).

Here is the document:
http://tools.ietf.org/html/draft-ietf-oauth-json-web-token-11

Please send your comments to the OAuth mailing list by August 21, 2013.

Ciao
Hannes & Derek
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth


From prateek.mishra@oracle.com  Wed Aug 21 16:51:19 2013
Message-ID: <52155269.7040302@oracle.com>
Date: Wed, 21 Aug 2013 19:51:05 -0400
From: Prateek Mishra <prateek.mishra@oracle.com>
Organization: Oracle Corporation
MIME-Version: 1.0
To: Hannes Tschofenig <hannes.tschofenig@gmx.net>
References: <5202113B.1020505@gmx.net>
In-Reply-To: <5202113B.1020505@gmx.net>
Content-Type: multipart/alternative; boundary="------------070803070105030009000709"
Cc: "oauth@ietf.org WG" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] WGLC on JSON Web Token (JWT)

This is a multi-part message in MIME format.
--------------070803070105030009000709
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit

1) As a JWT is always an instance of JWE or JWS, I am not sure why there
is a need for the materials found in Section 5, para 1 (these are
also found in the JWE and JWS draft specifications). It could simply be
removed from the draft.

2) Why do we need both a "typ" claim and a "typ" header name? Need they 
have some relationship to each other?
Isn't this also covered by Section 5.3?

3)  The materials in Section 5.3 could be simplified further.

Why should the use of claims as header parameters be restricted to the 
case where the JWT=JWE; what about the encrypt then sign (symmetric) 
use-case? I see no issue in allowing this feature with a JWT of any type.

The last paragraph of Section 5.3 ("This specification reserves the iss
(issuer), sub (subject),....") seems to be an instance of the previous
paragraph. If claims are allowed in the header, then iss (issuer), sub
(subject) are trivially allowed, right? I couldn't find any additional
information in this last paragraph.

Finally, do we need "SHOULD verify that their values are identical" -
given that this matter is left up to applications, couldn't they choose to
verify only a certain relationship between the corresponding values
(e.g., header carries hash of value, JWT carries the (large) complete
value)?  Can this be weakened to "SHOULD verify that their values have
an appropriate (application-defined) relationship. In many instances,
applications may want to ensure that they are identical"?

4) Section 8 -

Am I correct in reading this as: all conforming JWT implementations MUST
implement JWS and MAY implement JWE?
At least that's what I understood from the last paragraph ("/if/ an
implementation provides encryption capabilities...").



- prateek
> Hi all,
>
> this is a working group last call for the JSON Web Token (JWT).
>
> Here is the document:
> http://tools.ietf.org/html/draft-ietf-oauth-json-web-token-11
>
> Please send your comments to the OAuth mailing list by August 21, 2013.
>
> Ciao
> Hannes & Derek
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth



--------------070803070105030009000709--
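
The check debated in point 3 of the message above, as an added example that is not part of the original e-mail or of the JWT draft: claims replicated as header parameters are compared with the claims set once the JWT has been decrypted or verified, either for identity (the draft's "SHOULD verify that their values are identical") or under an application-defined relationship such as the header carrying a hash of the claim. The function names, the SHA-256/base64url hash convention and the sample token are assumptions constructed for illustration; only `iss` and `sub` are checked because the quoted Section 5.3 text elides the rest of the list.

```python
import base64
import hashlib
import json

# Names spelled out in the quoted Section 5.3 text; the remainder is elided there.
REPLICATED = ("iss", "sub")


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(segment: str) -> bytes:
    # Compact serializations strip '=' padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def read_header(compact_jwt: str) -> dict:
    """Parse the first segment of a compact JWS (3 parts) or JWE (5 parts)."""
    parts = compact_jwt.split(".")
    if len(parts) not in (3, 5):
        raise ValueError("not a compact JWS or JWE")
    header = json.loads(b64url_decode(parts[0]))
    if not isinstance(header, dict):
        raise ValueError("header is not a JSON object")
    return header


def identical(header_value, claim_value) -> bool:
    """Strict policy: same JSON type and same value."""
    return type(header_value) is type(claim_value) and header_value == claim_value


def sha256_b64url(value: str) -> str:
    return b64url_encode(hashlib.sha256(value.encode("utf-8")).digest())


def header_is_sha256_of_claim(header_value, claim_value) -> bool:
    """Hypothetical application-defined policy: the header carries a hash of
    the (possibly large) claim value held in the claims set."""
    if not isinstance(header_value, str) or not isinstance(claim_value, str):
        return False
    return header_value == sha256_b64url(claim_value)


def check_replicated_claims(header, claims, names=REPLICATED, relation=identical):
    """Return a list of problems; an empty list means every replicated value passed.

    Call this only after the JWT has been decrypted/verified: until then the
    header values are hints (e.g. for key selection), not authenticated claims.
    """
    problems = []
    for name in names:
        if name not in header:
            continue  # nothing was replicated under this name
        if name not in claims:
            problems.append(f"{name}: in header but absent from claims set")
        elif not relation(header[name], claims[name]):
            problems.append(f"{name}: header value fails the required relationship")
    return problems


# Constructed sample: a JWE-shaped compact token whose header replicates iss
# and sub. The last three segments are placeholders, not real ciphertext.
SAMPLE_HEADER = {"alg": "dir", "enc": "A128GCM",
                 "iss": "https://issuer.example", "sub": "alice"}
SAMPLE_JWE = ".".join([b64url_encode(json.dumps(SAMPLE_HEADER).encode("utf-8")),
                       "", "aXY", "Y3Q", "dGFn"])
# Constructed sample: the claims set the application obtains after decryption.
SAMPLE_CLAIMS = {"iss": "https://issuer.example", "sub": "alice", "exp": 1377129600}

if __name__ == "__main__":
    print(check_replicated_claims(read_header(SAMPLE_JWE), SAMPLE_CLAIMS))
```
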

From hannes.tschofenig@nsn.com  Thu Aug 22 04:06:20 2013
From: "Tschofenig, Hannes (NSN - FI/Espoo)" <hannes.tschofenig@nsn.com>
To: oauth mailing list <oauth@ietf.org>
Date: Thu, 22 Aug 2013 11:06:07 +0000
Message-ID: <1373E8CE237FCC43BCA36C6558612D2AA27600@USCHMBX001.nsn-intra.net>
References: <1373E8CE237FCC43BCA36C6558612D2AA272FE@USCHMBX001.nsn-intra.net>
In-Reply-To: <1373E8CE237FCC43BCA36C6558612D2AA272FE@USCHMBX001.nsn-intra.net>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Subject: [OAUTH-WG] Dynamic Client Registration Conference Call: Thu 22 Aug, 2pm PDT: Conference Bridge Details -- Correction!

I messed up the conference bridge time; here is the corrected version but
the details are actually the same.

Meeting Number: 702 442 101
Meeting Password: oauth

-------------------------------------------------------
To join the online meeting
-------------------------------------------------------
1. Go to https://nsn.webex.com/nsn/j.php?ED=268691357&UID=0&PW=NOTlkZjIwNTEy&RT=MiMyNQ%3D%3D
2. Enter your name and email address.
3. Enter the meeting password: oauth
4. Click "Join Now".

To view in other time zones or languages, please click the link:
https://nsn.webex.com/nsn/j.php?ED=268691357&UID=0&PW=NOTlkZjIwNTEy&ORT=MiMyNQ%3D%3D

-------------------------------------------------------
To join the Teleconference
-------------------------------------------------------
Global dial-in numbers: http://www.nokiasiemensnetworks.com/nvc
Conference Code: 944 910 5485

To update this meeting to your calendar program (for example Microsoft Outlook), click this link:
https://nsn.webex.com/nsn/j.php?ED=268691357&UID=0&ICS=MRS3&LD=1&RD=2&ST=1&SHA2=KseMD/IKx0YGjSRaNyDJbqnmJ2i-xirziLGyc2bHNI8=&RT=MiMyNQ%3D%3D

> -----Original Message-----
> From: oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] On Behalf
> Of ext Tschofenig, Hannes (NSN - FI/Espoo)
> Sent: Wednesday, August 21, 2013 6:35 PM
> To: oauth mailing list
> Subject: [OAUTH-WG] Dynamic Client Registration Conference Call: Thu 22
> Aug, 2pm PDT: Conference Bridge Details
>
> Here is the conference bridge and Webex information.
>
> From an agenda point of view I guess we should start at a basic level,
> namely with what we have already in the dynamic client registration
> document (and folks may have actually missed it). There are two use
> cases described in the WG document, namely
>  - Use Case #1: Open Registration (Appendix B.1)
>  - Use Case #2: Protected Registration (Appendix B.2)
>
> Then, we could talk about some more sophisticated use cases where
> information for protected registration is provided by a third party.
>
> --------------------
>
> Meeting Number: 702 442 101
> Meeting Password: oauth
>
> -------------------------------------------------------
> To join the online meeting
> -------------------------------------------------------
> 1. Go to
> https://nsn.webex.com/nsn/j.php?ED=268691357&UID=0&PW=NOTlkZjIwNTEy&RT=
> MiMzMA%3D%3D
> 2. Enter your name and email address.
> 3. Enter the meeting password: oauth
> 4. Click "Join Now".
>
> To view in other time zones or languages, please click the link:
> https://nsn.webex.com/nsn/j.php?ED=268691357&UID=0&PW=NOTlkZjIwNTEy&ORT
> =MiMzMA%3D%3D
>
> -------------------------------------------------------
> To join the teleconference only
> -------------------------------------------------------
> Global Dial-In Numbers: http://www.nokiasiemensnetworks.com/nvc
> Conference Code: 944 910 5485
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth

From bcampbell@pingidentity.com  Thu Aug 22 10:34:32 2013
MIME-Version: 1.0
In-Reply-To: <520FBDAC.9080404@lodderstedt.net>
References: <e1cdc1b2a4d1841d12938a900355121f@lodderstedt-online.de> <706472E2-DF7D-4963-8C07-552F3690D927@ve7jtb.com> <CA+k3eCR+0MCLC5F5ZtAt28vcn0mCfM9kHOHcc2nO4BQY3vt73A@mail.gmail.com> <520FBDAC.9080404@lodderstedt.net>
From: Brian Campbell <bcampbell@pingidentity.com>
Date: Thu, 22 Aug 2013 11:33:54 -0600
Message-ID: <CA+k3eCQNE5ScN0ebvoiS+GSpCie8L1486P45SeUVSJbVShFd0Q@mail.gmail.com>
To: Torsten Lodderstedt <torsten@lodderstedt.net>
Content-Type: multipart/alternative; boundary=089e013c6a727e167804e48cb335
Cc: oauth <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Authz Header + client_id in message body

--089e013c6a727e167804e48cb335
Content-Type: text/plain; charset=ISO-8859-1

I so believe that was the intent and what it probably should have said. So
maybe errata makes sense?
On Aug 17, 2013 12:15 PM, "Torsten Lodderstedt" <torsten@lodderstedt.net>
wrote:

>  Hi all,
>
> would it make sense to issue an errata and add a "public" to the sentence
> as follows?
>
> "A _public_ client MAY use the "client_id" request parameter to identify
> itself
>    when sending requests to the token endpoint."
>
> regards,
> Torsten.
>
> Am 01.08.2013 15:57, schrieb Brian Campbell:
>
>   I thought I remembered that text from RFC 6749, section 3.1 as saying
> that a *public* client MAY use the "client_id" request parameter to
> identify itself...
>
>  Apparently that's not what it says. But I believe that was the intent -
> that a client with no means of authentication could identify itself by
> sending only the "client_id" request parameter to the token endpoint.
>
> Sec 2.3 (http://tools.ietf.org/html/rfc6749#section-2.3) says, "The
> client MUST NOT use more than one authentication method in each  request."
>
>  And 5.2 (http://tools.ietf.org/html/rfc6749#section-5.2) has
>
>          "invalid_request
>                The request is missing a required parameter, includes an
>                unsupported parameter value (other than grant type),
>                repeats a parameter,* includes multiple credentials,*
>                utilizes more than one mechanism for authenticating the
>                client, or is otherwise malformed."
>
>  There is some room for ambiguity in all that but, based on the above, I'd
> say that the way your server is behaving is correct Torsten.
>
>
>
> On Thu, Aug 1, 2013 at 2:13 PM, John Bradley <ve7jtb@ve7jtb.com> wrote:
>
>> Hmm allowing sending the client_id even if there is no authentication was
>> intended to mitigate cases where the client presenting the code or
>> refresh_token was not the one that requested it, and for logging.
>>
>> I don't think the intention was to allow the client_id to be sent twice.
>>
>> If it were my Token endpoint I would ignore the extra one and only
>> process the one sent as part of the authentication,  if there is no
>> authentication then the value of the "client_id" parameter MUST match the
>> client_id that was used to request the token.
>>
>> It is probably an open question if the request should be considered
>> malformed if it contains both.
>>
>> Personally I would recommend that the client not do that.
>>
>> Others may remember it differently.
>>
>> John B.
>>
>> On 2013-08-01, at 11:34 AM, Torsten Lodderstedt <torsten@lodderstedt.net>
>> wrote:
>>
>> > Hi,
>> >
>> > while setting up our OIDC interop tests, we run into the following
>> problem:
>> >
>> > The test client sends a request to the token endpoint, which contains
>> the client credentials in an authorization header. Additionally, it adds
>> the client_id to the message body. Our server treats this as an invalid
>> request and responds with HTTP status code 400.
>> >
>> > Now my question: The last paragraph of RFC 6749, section 3.1 (
>> http://tools.ietf.org/html/rfc6749#section-3.2.1) states
>> >
>> > "A client MAY use the "client_id" request parameter to identify itself
>> >   when sending requests to the token endpoint."
>> >
>> > This seems to allow the client to send the client_id in addition to any
>> other credential used to authenticate it.
>> >
>> > I'm not sure what the intention is/was. How is the server supposed to
>> handle such cases? Shall it compare both ids (from the header and the
>> body)? Must they match exactly?
>> >
>> > Any feedback is appreciated.
>> >
>> > regards,
>> > Torsten.
>> > _______________________________________________
>> > OAuth mailing list
>> > OAuth@ietf.org
>> > https://www.ietf.org/mailman/listinfo/oauth


--089e013c6a727e167804e48cb335--

From jricher@mitre.org  Thu Aug 22 10:38:44 2013
Return-Path: <jricher@mitre.org>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E2B2C11E8121 for <oauth@ietfa.amsl.com>; Thu, 22 Aug 2013 10:38:44 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.482
X-Spam-Level: 
X-Spam-Status: No, score=-6.482 tagged_above=-999 required=5 tests=[AWL=0.116,  BAYES_00=-2.599, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 2wQGw3nX9mcY for <oauth@ietfa.amsl.com>; Thu, 22 Aug 2013 10:38:39 -0700 (PDT)
Received: from smtpksrv1.mitre.org (smtpksrv1.mitre.org [198.49.146.77]) by ietfa.amsl.com (Postfix) with ESMTP id 5E03E21F8904 for <oauth@ietf.org>; Thu, 22 Aug 2013 10:38:39 -0700 (PDT)
Received: from smtpksrv1.mitre.org (localhost.localdomain [127.0.0.1]) by localhost (Postfix) with SMTP id CF1091F0711; Thu, 22 Aug 2013 13:38:38 -0400 (EDT)
Received: from IMCCAS01.MITRE.ORG (imccas01.mitre.org [129.83.29.78]) by smtpksrv1.mitre.org (Postfix) with ESMTP id 8FE331F04EB; Thu, 22 Aug 2013 13:38:38 -0400 (EDT)
Received: from [10.146.15.13] (129.83.31.56) by IMCCAS01.MITRE.ORG (129.83.29.78) with Microsoft SMTP Server (TLS) id 14.2.342.3; Thu, 22 Aug 2013 13:38:38 -0400
Message-ID: <52164C9B.2010909@mitre.org>
Date: Thu, 22 Aug 2013 13:38:35 -0400
From: Justin Richer <jricher@mitre.org>
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:17.0) Gecko/20130623 Thunderbird/17.0.7
MIME-Version: 1.0
To: Brian Campbell <bcampbell@pingidentity.com>
References: <e1cdc1b2a4d1841d12938a900355121f@lodderstedt-online.de> <706472E2-DF7D-4963-8C07-552F3690D927@ve7jtb.com> <CA+k3eCR+0MCLC5F5ZtAt28vcn0mCfM9kHOHcc2nO4BQY3vt73A@mail.gmail.com> <520FBDAC.9080404@lodderstedt.net> <CA+k3eCQNE5ScN0ebvoiS+GSpCie8L1486P45SeUVSJbVShFd0Q@mail.gmail.com>
In-Reply-To: <CA+k3eCQNE5ScN0ebvoiS+GSpCie8L1486P45SeUVSJbVShFd0Q@mail.gmail.com>
Content-Type: multipart/alternative; boundary="------------090905080103010204080908"
X-Originating-IP: [129.83.31.56]
Cc: oauth <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Authz Header + client_id in message body
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 22 Aug 2013 17:38:45 -0000

--------------090905080103010204080908
Content-Type: text/plain; charset="ISO-8859-1"; format=flowed
Content-Transfer-Encoding: 7bit

+1, I believe that was the intent of the edit.

  -- Justin

On 08/22/2013 01:33 PM, Brian Campbell wrote:
>
> I so believe that was the intent and what it probably should have 
> said. So maybe errata makes sense?
>
> On Aug 17, 2013 12:15 PM, "Torsten Lodderstedt" 
> <torsten@lodderstedt.net <mailto:torsten@lodderstedt.net>> wrote:
>
>     Hi all,
>
>     would it make sense to issue an errata and add a "public" to the
>     sentence as follows?
>
>     "A _public_ client MAY use the "client_id" request parameter to
>     identify itself
>        when sending requests to the token endpoint."
>
>     regards,
>     Torsten.
>
>     Am 01.08.2013 15:57, schrieb Brian Campbell:
>>     I thought I remembered that text from RFC 6749, section 3.1 as
>>     saying that a *public* client MAY use the "client_id" request
>>     parameter to identify itself...
>>
>>     Apparently that's not what it says. But I believe that was the
>>     intent - that a client with no means of authentication could
>>     identify itself by sending only the "client_id" request parameter
>>     to the token endpoint.
>>
>>     Sec 2.3 (http://tools.ietf.org/html/rfc6749#section-2.3) says,
>>     "The client MUST NOT use more than one authentication method in
>>     each  request."
>>
>>     And 5.2 (http://tools.ietf.org/html/rfc6749#section-5.2) has
>>
>>              "invalid_request
>>                    The request is missing a required parameter,
>>     includes an
>>                    unsupported parameter value (other than grant type),
>>                    repeats a parameter,*includes multiple credentials,*
>>                    utilizes more than one mechanism for
>>     authenticating the
>>                    client, or is otherwise malformed."
>>
>>     There is some room for ambiguity in all that but, based on the
>>     above, I'd say that the way your server is behaving is correct
>>     Torsten.
>>
>>
>>
>>     On Thu, Aug 1, 2013 at 2:13 PM, John Bradley <ve7jtb@ve7jtb.com
>>     <mailto:ve7jtb@ve7jtb.com>> wrote:
>>
>>         Hmm allowing sending the client_id even if there is no
>>         authentication was intended to mitigate cases where the
>>         client presenting the code or refresh_token was not the one
>>         that requested it, and for logging.
>>
>>         I don't think the intention was to allow the client_id to be
>>         sent twice.
>>
>>         If it were my Token endpoint I would ignore the extra one and
>>         only process the one sent as part of the authentication,
>>          if there is no authentication then the value of the
>>         "client_id" parameter MUST match the client_id that was used
>>         to request the token.
>>
>>         It is probably an open question if the request should be
>>         considered malformed if it contains both.
>>
>>         Personally I would recommend that the client not do that.
>>
>>         Others may remember it differently.
>>
>>         John B.
>>
>>         On 2013-08-01, at 11:34 AM, Torsten Lodderstedt
>>         <torsten@lodderstedt.net <mailto:torsten@lodderstedt.net>> wrote:
>>
>>         > Hi,
>>         >
>>         > while setting up our OIDC interop tests, we ran into the
>>         following problem:
>>         >
>>         > The test client sends a request to the token endpoint,
>>         which contains the client credentials in an authorization
>>         header. Additionally, it adds the client_id to the message
>>         body. Our server treats this as an invalid request and
>>         responds with HTTP status code 400.
>>         >
>>         > Now my question: The last paragraph of RFC 6749, section
>>         3.1 (http://tools.ietf.org/html/rfc6749#section-3.2.1) states
>>         >
>>         > "A client MAY use the "client_id" request parameter to
>>         identify itself
>>         >   when sending requests to the token endpoint."
>>         >
>>         > This seems to allow the client to send the client_id in
>>         addition to any other credential used to authenticate it.
>>         >
>>         > I'm not sure what the intention is/was. How is the server
>>         supposed to handle such cases? Shall it compare both ids
>>         (from the header and the body)? Must they match exactly?
>>         >
>>         > Any feedback is appreciated.
>>         >
>>         > regards,
>>         > Torsten.
>>         > _______________________________________________
>>         > OAuth mailing list
>>         > OAuth@ietf.org <mailto:OAuth@ietf.org>
>>         > https://www.ietf.org/mailman/listinfo/oauth


--------------090905080103010204080908--
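
The two server behaviours discussed in this thread, as an added example (not code from any participant or from RFC 6749): the "reject" policy answers 400 invalid_request when a body client_id accompanies an Authorization header, as Torsten's server does, and the "ignore" policy uses only the authenticated identity, as John Bradley describes. The client registry, the codes, all function names, and the restriction to HTTP Basic and the authorization_code grant are assumptions.

```python
import base64
import hmac
from urllib.parse import parse_qsl

# Constructed sample data (assumptions, not taken from the thread).
CLIENTS = {
    "conf-client": {"secret": "s3cr3t"},  # confidential client
    "pub-client": {"secret": None},       # public client, no credentials
}
CODES = {"code-conf": "conf-client", "code-pub": "pub-client"}  # code -> issued to


class TokenError(Exception):
    """Error code from RFC 6749 section 5.2 plus the HTTP status to return."""

    def __init__(self, error, status):
        super().__init__(error)
        self.error, self.status = error, status


def basic_header(client_id, secret):
    """Build an HTTP Basic Authorization header value (helper for the demo)."""
    raw = f"{client_id}:{secret}".encode()
    return "Basic " + base64.b64encode(raw).decode()


def parse_form(body):
    """Parse the request body; a repeated parameter is invalid_request."""
    params = {}
    for name, value in parse_qsl(body, keep_blank_values=True):
        if name in params:
            raise TokenError("invalid_request", 400)
        params[name] = value
    return params


def header_credentials(authorization):
    """Return (client_id, secret) from a Basic header, or None if no header."""
    if authorization is None:
        return None
    scheme, _, token = authorization.partition(" ")
    try:
        if scheme.lower() != "basic":
            raise ValueError("unsupported scheme")
        decoded = base64.b64decode(token, validate=True).decode()
    except ValueError:
        raise TokenError("invalid_client", 401) from None
    client_id, _, secret = decoded.partition(":")
    return client_id, secret


def identify_client(authorization, params, on_duplicate_id):
    """Decide which client is making the request, or raise TokenError."""
    creds = header_credentials(authorization)
    body_id = params.get("client_id")
    if creds is None:
        # No authentication: only a public client may identify itself
        # with the client_id parameter alone.
        client = CLIENTS.get(body_id)
        if client is None or client["secret"] is not None:
            raise TokenError("invalid_client", 401)
        return body_id
    if "client_secret" in params:
        # Header plus body secret is two authentication methods (section 2.3).
        raise TokenError("invalid_request", 400)
    if body_id is not None and on_duplicate_id == "reject":
        raise TokenError("invalid_request", 400)
    # Policy "ignore": the body client_id is dropped and never trusted.
    client_id, secret = creds
    expected = CLIENTS.get(client_id, {}).get("secret")
    if expected is None or not hmac.compare_digest(expected.encode(), secret.encode()):
        raise TokenError("invalid_client", 401)
    return client_id


def token_endpoint(authorization, body, on_duplicate_id="reject"):
    """Return (status, payload) for an authorization_code token request."""
    try:
        params = parse_form(body)
        client_id = identify_client(authorization, params, on_duplicate_id)
        # The code must have been issued to the client identified above.
        if CODES.get(params.get("code")) != client_id:
            raise TokenError("invalid_grant", 400)
    except TokenError as exc:
        return exc.status, {"error": exc.error}
    return 200, {"client_id": client_id}


if __name__ == "__main__":
    hdr = basic_header("conf-client", "s3cr3t")
    both = "grant_type=authorization_code&code=code-conf&client_id=conf-client"
    print(token_endpoint(hdr, both, "reject"))
    print(token_endpoint(hdr, both, "ignore"))
```

Under "ignore" a body client_id that differs from the authenticated one changes nothing, because the code is checked only against the identity taken from the Authorization header.
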

From phil.hunt@oracle.com  Thu Aug 22 12:22:44 2013
Return-Path: <phil.hunt@oracle.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6A45821F9BAD for <oauth@ietfa.amsl.com>; Thu, 22 Aug 2013 12:22:44 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.866
X-Spam-Level: 
X-Spam-Status: No, score=-5.866 tagged_above=-999 required=5 tests=[AWL=0.733,  BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ZrLf734UTIyZ for <oauth@ietfa.amsl.com>; Thu, 22 Aug 2013 12:22:38 -0700 (PDT)
Received: from userp1040.oracle.com (userp1040.oracle.com [156.151.31.81]) by ietfa.amsl.com (Postfix) with ESMTP id 71CFF21F95DC for <oauth@ietf.org>; Thu, 22 Aug 2013 12:22:37 -0700 (PDT)
Received: from acsinet21.oracle.com (acsinet21.oracle.com [141.146.126.237]) by userp1040.oracle.com (Sentrion-MTA-4.3.1/Sentrion-MTA-4.3.1) with ESMTP id r7MJMYaa010390 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK); Thu, 22 Aug 2013 19:22:35 GMT
Received: from aserz7021.oracle.com (aserz7021.oracle.com [141.146.126.230]) by acsinet21.oracle.com (8.14.4+Sun/8.14.4) with ESMTP id r7MJMYGC026985 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Thu, 22 Aug 2013 19:22:34 GMT
Received: from abhmt118.oracle.com (abhmt118.oracle.com [141.146.116.70]) by aserz7021.oracle.com (8.14.4+Sun/8.14.4) with ESMTP id r7MJMY0n026978; Thu, 22 Aug 2013 19:22:34 GMT
Received: from [192.168.1.89] (/174.7.250.104) by default (Oracle Beehive Gateway v4.0) with ESMTP ; Thu, 22 Aug 2013 12:22:33 -0700
Content-Type: multipart/mixed; boundary="Apple-Mail=_E40EC1FE-D1C0-4B13-97E5-2C6DF7CC08CF"
Mime-Version: 1.0 (Mac OS X Mail 6.5 \(1508\))
From: Phil Hunt <phil.hunt@oracle.com>
In-Reply-To: <1373E8CE237FCC43BCA36C6558612D2AA27600@USCHMBX001.nsn-intra.net>
Date: Thu, 22 Aug 2013 12:22:32 -0700
Message-Id: <D1A778A2-8A40-4F11-A196-8BDBB836DCDC@oracle.com>
References: <1373E8CE237FCC43BCA36C6558612D2AA272FE@USCHMBX001.nsn-intra.net> <1373E8CE237FCC43BCA36C6558612D2AA27600@USCHMBX001.nsn-intra.net>
To: "Tschofenig, Hannes (NSN - FI/Espoo)" <hannes.tschofenig@nsn.com>
X-Mailer: Apple Mail (2.1508)
X-Source-IP: acsinet21.oracle.com [141.146.126.237]
Cc: oauth mailing list <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Dynamic Client Registration Conference Call: Thu 22 Aug, 2pm PDT: Conference Bridge Details -- Correction!
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 22 Aug 2013 19:22:44 -0000

--Apple-Mail=_E40EC1FE-D1C0-4B13-97E5-2C6DF7CC08CF
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain;
	charset=us-ascii

I have attached a PDF including some of my thoughts, concerns, and suggestions for the upcoming meeting.

Phil

@independentid
www.independentid.com
phil.hunt@oracle.com

--Apple-Mail=_E40EC1FE-D1C0-4B13-97E5-2C6DF7CC08CF
Content-Disposition: inline;
	filename=Dyn-Reg-requirementsDiscussion-03.pdf
Content-Type: application/pdf;
	x-unix-mode=0644;
	name="Dyn-Reg-requirementsDiscussion-03.pdf"
Content-Transfer-Encoding: base64

--Apple-Mail=_E40EC1FE-D1C0-4B13-97E5-2C6DF7CC08CF
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain;
	charset=us-ascii








On 2013-08-22, at 4:06 AM, "Tschofenig, Hannes (NSN - FI/Espoo)" <hannes.tschofenig@nsn.com> wrote:

> I messed up the conference bridge time; here is the corrected version but the details are actually the same.
>
> Meeting Number: 702 442 101
> Meeting Password: oauth
>
> -------------------------------------------------------
> To join the online meeting
> -------------------------------------------------------
> 1. Go to https://nsn.webex.com/nsn/j.php?ED=268691357&UID=0&PW=NOTlkZjIwNTEy&RT=MiMyNQ%3D%3D
> 2. Enter your name and email address.
> 3. Enter the meeting password: oauth
> 4. Click "Join Now".
>
> To view in other time zones or languages, please click the link:
> https://nsn.webex.com/nsn/j.php?ED=268691357&UID=0&PW=NOTlkZjIwNTEy&ORT=MiMyNQ%3D%3D
>
> -------------------------------------------------------
> To join the Teleconference
> -------------------------------------------------------
> Global dial-in numbers: http://www.nokiasiemensnetworks.com/nvc
> Conference Code: 944 910 5485
>
> To update this meeting to your calendar program (for example Microsoft Outlook), click this link:
> https://nsn.webex.com/nsn/j.php?ED=268691357&UID=0&ICS=MRS3&LD=1&RD=2&ST=1&SHA2=KseMD/IKx0YGjSRaNyDJbqnmJ2i-xirziLGyc2bHNI8=&RT=MiMyNQ%3D%3D
>
>> -----Original Message-----
>> From: oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] On Behalf Of ext Tschofenig, Hannes (NSN - FI/Espoo)
>> Sent: Wednesday, August 21, 2013 6:35 PM
>> To: oauth mailing list
>> Subject: [OAUTH-WG] Dynamic Client Registration Conference Call: Thu 22 Aug, 2pm PDT: Conference Bridge Details
>>
>> Here is the conference bridge and Webex information.
>>
>> From an agenda point of view I guess we should start at a basic level,
>> namely with what we have already in the dynamic client registration
>> document (and folks may have actually missed it). There are two use
>> cases described in the WG document, namely
>> - Use Case #1: Open Registration (Appendix B.1)
>> - Use Case #2: Protected Registration (Appendix B.2)
>>
>> Then, we could talk about some more sophisticated use cases where
>> information for protected registration is provided by a third party.
>>
>> --------------------
>>
>> Meeting Number: 702 442 101
>> Meeting Password: oauth
>>
>> -------------------------------------------------------
>> To join the online meeting
>> -------------------------------------------------------
>> 1. Go to
>> https://nsn.webex.com/nsn/j.php?ED=268691357&UID=0&PW=NOTlkZjIwNTEy&RT=MiMzMA%3D%3D
>> 2. Enter your name and email address.
>> 3. Enter the meeting password: oauth
>> 4. Click "Join Now".
>>
>> To view in other time zones or languages, please click the link:
>> https://nsn.webex.com/nsn/j.php?ED=268691357&UID=0&PW=NOTlkZjIwNTEy&ORT=MiMzMA%3D%3D
>>
>> -------------------------------------------------------
>> To join the teleconference only
>> -------------------------------------------------------
>> Global Dial-In Numbers: http://www.nokiasiemensnetworks.com/nvc
>> Conference Code: 944 910 5485
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth


--Apple-Mail=_E40EC1FE-D1C0-4B13-97E5-2C6DF7CC08CF--

From ve7jtb@ve7jtb.com  Thu Aug 22 12:28:16 2013
Return-Path: <ve7jtb@ve7jtb.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5264421F9D95 for <oauth@ietfa.amsl.com>; Thu, 22 Aug 2013 12:28:16 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.166
X-Spam-Level: 
X-Spam-Status: No, score=-3.166 tagged_above=-999 required=5 tests=[AWL=0.432,  BAYES_00=-2.599, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id texbjkngGJAO for <oauth@ietfa.amsl.com>; Thu, 22 Aug 2013 12:28:10 -0700 (PDT)
Received: from mail-oa0-f48.google.com (mail-oa0-f48.google.com [209.85.219.48]) by ietfa.amsl.com (Postfix) with ESMTP id 5E90421F8C93 for <oauth@ietf.org>; Thu, 22 Aug 2013 12:28:09 -0700 (PDT)
Received: by mail-oa0-f48.google.com with SMTP id o17so4216662oag.7 for <oauth@ietf.org>; Thu, 22 Aug 2013 12:28:09 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=x-gm-message-state:from:content-type:subject:date:message-id:cc:to :mime-version; bh=V231o6IqjoFlWiC6jMZmm5tG/4M/IxzGRdSO5N0TvRc=; b=ANfqNDLZFOgFi4484bgIwkQJswiJIr4Z1VE1mqzl++H+guklV0vfBnwNTasWsVPRDV DUemhZ4Uq6o8Jt7Pzo5iIWWTqDiNFMhGDXzmxYCIBTPEuwdoVgpVjejVEuhwTzUYddvi I5O1kQhElEH5SA3bUlONjTLnx9FwBPUrGbHboBotxHGKC1B6LQxkeAMPgiEX7kNaCTl8 MJNHZBAQmIFt0sLyLheaNzMnvsYD4IfI8sOdfqG7+Jun2R+hKT369vdKTTBlmnDrmClZ bdA6cLzVolGoeFJBsyxayHJRuCNDHqntiXUjLgYNHZMMyhw92H/kDCanUi40gtD04Kls 8ogw==
X-Gm-Message-State: ALoCoQmWtKAn6hnTanaT/SEz8Cz7X6L+I/5LG0ASMieOKSXnusGnuqQ/9ZZYeSDKVKResWbAcPD2
X-Received: by 10.182.204.4 with SMTP id ku4mr16361132obc.21.1377199689415; Thu, 22 Aug 2013 12:28:09 -0700 (PDT)
Received: from [192.168.1.216] (190-20-47-6.baf.movistar.cl. [190.20.47.6]) by mx.google.com with ESMTPSA id jz7sm20720837obb.4.1969.12.31.16.00.00 (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Thu, 22 Aug 2013 12:28:08 -0700 (PDT)
From: John Bradley <ve7jtb@ve7jtb.com>
Content-Type: multipart/signed; boundary="Apple-Mail=_11B61431-BEF6-4408-AA08-974452CE0F70"; protocol="application/pkcs7-signature"; micalg=sha1
Date: Thu, 22 Aug 2013 15:27:26 -0400
Message-Id: <F1E037AF-1F7B-458E-B961-91851E9E07C3@ve7jtb.com>
To: "Justin P. Richer" <jricher@mitre.org>
Mime-Version: 1.0 (Mac OS X Mail 6.5 \(1508\))
X-Mailer: Apple Mail (2.1508)
Cc: "oauth@ietf.org WG" <oauth@ietf.org>
Subject: [OAUTH-WG] Text for an additional registration life cycle
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 22 Aug 2013 19:28:16 -0000

--Apple-Mail=_11B61431-BEF6-4408-AA08-974452CE0F70
Content-Type: multipart/alternative;
	boundary="Apple-Mail=_7207A857-D9A8-4E64-BD05-A9B01E42957C"


--Apple-Mail=_7207A857-D9A8-4E64-BD05-A9B01E42957C
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain;
	charset=us-ascii

An additional life cycle showing how the server can avoid storing state for the client in the current spec.

B.2. Stateless Open Registration using JWT

Open registration, with no authorization required on the client registration endpoint. The registration endpoint/Authorization server maintain no state for the client. All information is stored in the client_id that is returned to the client and passed back to the Authorization server and Token Endpoint on subsequent requests. If the client is using the implicit flow then the JWT MUST include the redirect URI and be signed by the AS for its later consumption. If the client is registering its public key for use in the self signed assertion flow, the JWT MUST include the client's public key in the signed JWT. If the client is using a symmetric client secret, the AS MUST include the secret as a claim in the JWT and encrypt or sign and encrypt the token to itself as appropriate. This method is transparent to the client and requires no additional parameters.

The flow works as follows:

a. A client needs to get OAuth 2.0 tokens from an authorization server, but the client does not have a client identifier for that authorization server.
b. The client sends an HTTP POST request to the client registration endpoint at the authorization server and includes its metadata.
c. The authorization server creates a JWE containing the required metadata such as redirect_uri and client secret for http basic authentication. (For clients using the assertion flow for authentication the registration endpoint can create a JWS containing the client's public key)
d. The authorization server issues the JWT as the client identifier and returns it to the client along with a JWT registration access token and a reference to the client's client configuration endpoint. (The client_id cannot be changed currently so updates are not possible; the registration access token would only allow for reads)
e. The client stores the returned response from the authorization server. At a minimum, it should remember the values of client_id, client_secret (if present), registration_access_token, and registration_client_uri.
f. The client uses its client_id and client_secret (if provided) to request OAuth 2.0 tokens using any valid OAuth 2.0 flow for which it is authorized.
g. If the client's client_secret expires or otherwise stops working, the client must re-register.

--Apple-Mail=_7207A857-D9A8-4E64-BD05-A9B01E42957C
Content-Type: multipart/mixed;
	boundary="Apple-Mail=_2966F511-3E23-4A83-ABA2-ACA0629D511B"


--Apple-Mail=_2966F511-3E23-4A83-ABA2-ACA0629D511B
Content-Disposition: attachment;
	filename="new use case jwt.xml"
Content-Type: application/xml;
	name="new use case jwt.xml"
Content-Transfer-Encoding: 7bit

      <section anchor="OpenRegistrationJWT"
               title="Stateless Open Registration using JWT">
        <t>Open registration, with no authorization required on the client
        registration endpoint. The registration endpoint/Authorization server
        maintain no state for the client. All information is stored in the
        client_id that is returned to the client and passed back to the
        Authorization server and Token Endpoint on subsequent requests. If the
        client is using the implicit flow then the JWT MUST include the
        redirect URI and be signed by the AS for its later consumption. If the
        client is registering its public key for use in the self signed
        assertion flow, the JWT MUST include the client's public key in the
        signed JWT. If the client is using a symmetric client secret, the AS
        MUST include the secret as a claim in the JWT and encrypt or sign and
        encrypt the token to itself as appropriate. This method is transparent
        to the client and requires no additional parameters.</t>

        <t>The flow works as follows:</t>

        <t><list style="letters">
            <t>A client needs to get OAuth 2.0 tokens from an authorization
            server, but the client does not have a client identifier for that
            authorization server.</t>

            <t>The client sends an HTTP POST request to the client
            registration endpoint at the authorization server and includes its
            metadata.</t>

            <t>The authorization server creates a JWE containing the required
            metadata such as redirect_uri and client secret for http basic
            authentication. (For clients using the assertion flow for
            authentication the registration endpoint can create a JWS
            containing the client's public key)</t>

            <t>The authorization server issues the JWT as the client
            identifier and returns it to the client along with a JWT
            registration access token and a reference to the client's client
            configuration endpoint. (The client_id cannot be changed currently
            so updates are not possible; the registration access token would
            only allow for reads)</t>

            <t>The client stores the returned response from the authorization
            server. At a minimum, it should remember the values of <spanx
            style="verb">client_id</spanx>, <spanx style="verb">client_secret</spanx>
            (if present), <spanx style="verb">registration_access_token</spanx>,
            and <spanx style="verb">registration_client_uri</spanx>.</t>

            <t>The client uses its <spanx style="verb">client_id</spanx>
            and <spanx style="verb">client_secret</spanx> (if provided) to
            request OAuth 2.0 tokens using any valid OAuth 2.0 flow for which
            it is authorized.</t>

            <t>If the client's <spanx style="verb">client_secret</spanx>
            expires or otherwise stops working, the client must
            re-register.</t>
          </list></t>
      </section>

--Apple-Mail=_2966F511-3E23-4A83-ABA2-ACA0629D511B--

--Apple-Mail=_7207A857-D9A8-4E64-BD05-A9B01E42957C--

--Apple-Mail=_11B61431-BEF6-4408-AA08-974452CE0F70
Content-Disposition: attachment;
	filename=smime.p7s
Content-Type: application/pkcs7-signature;
	name=smime.p7s
Content-Transfer-Encoding: base64


--Apple-Mail=_11B61431-BEF6-4408-AA08-974452CE0F70--
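
Added example (not part of John Bradley's message, the attached draft text, or any OAuth implementation): a Python sketch of the signed client_id case from the life cycle above, where the AS stores nothing and recovers the registered redirect URI from the JWT when it is presented again. The key, issuer URL, lifetime, the "purpose" claim and every function name are assumptions made for this sketch. The client-secret case, which the proposal says needs an encrypted JWT, and the registration access token are left out.

```python
import base64
import hashlib
import hmac
import json
import time
from urllib.parse import urlsplit

# Constructed values for this sketch; none of them come from the thread.
AS_KEY = b"constructed-demo-key-held-only-by-the-AS"
ISSUER = "https://as.example.com"   # hypothetical AS identifier
LIFETIME = 3600                     # assumed registration lifetime in seconds


class InvalidClient(Exception):
    """The presented client_id must not be trusted."""


def b64u_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64u_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mac(signing_input):
    return hmac.new(AS_KEY, signing_input.encode("ascii"), hashlib.sha256).digest()


def register_client(metadata, now=None):
    """Registration endpoint: validate metadata, mint a client_id, store nothing."""
    now = int(time.time()) if now is None else now
    uris = metadata.get("redirect_uris")
    if not isinstance(uris, list) or not uris:
        raise ValueError("redirect_uris is required for the implicit flow")
    for uri in uris:
        if not isinstance(uri, str) or not urlsplit(uri).scheme or urlsplit(uri).fragment:
            raise ValueError("redirect URI must be absolute and carry no fragment")
    claims = {"iss": ISSUER, "aud": ISSUER, "iat": now, "exp": now + LIFETIME,
              "purpose": "client_id",  # hypothetical claim: rejects other AS-signed JWTs
              "redirect_uris": uris}
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = ".".join(
        b64u_encode(json.dumps(part, separators=(",", ":")).encode("utf-8"))
        for part in (header, claims))
    return {"client_id": signing_input + "." + b64u_encode(mac(signing_input))}


def validate_authorization_request(client_id, redirect_uri, now=None):
    """Authorization endpoint: recover the registration from client_id alone."""
    now = int(time.time()) if now is None else now
    try:
        header_b64, claims_b64, sig_b64 = client_id.split(".")
        header = json.loads(b64u_decode(header_b64))
        # Pin the algorithm: the token never chooses how it is verified.
        if not isinstance(header, dict) or header.get("alg") != "HS256":
            raise InvalidClient("unexpected alg")
        expected = mac(header_b64 + "." + claims_b64)
        if not hmac.compare_digest(b64u_decode(sig_b64), expected):
            raise InvalidClient("bad signature")
        claims = json.loads(b64u_decode(claims_b64))  # parsed only after the MAC verifies
    except ValueError as exc:  # wrong part count, bad base64, JSON or encoding
        raise InvalidClient("malformed client_id") from exc
    if (claims.get("iss"), claims.get("aud"), claims.get("purpose")) != (
            ISSUER, ISSUER, "client_id"):
        raise InvalidClient("not a client_id issued by this AS")
    if now >= claims["exp"]:
        raise InvalidClient("registration expired; the client must re-register")
    if redirect_uri not in claims["redirect_uris"]:  # exact string match only
        raise InvalidClient("redirect_uri was not registered")
    return claims


def demo():
    """Run the life cycle on constructed input; returns {case: accepted}."""
    def accepted(cid, uri, now):
        try:
            validate_authorization_request(cid, uri, now=now)
            return True
        except InvalidClient:
            return False

    good, other = "https://client.example.org/cb", "https://other.example.net/cb"
    cid = register_client({"redirect_uris": [good]}, now=1000)["client_id"]
    header_b64, claims_b64, sig_b64 = cid.split(".")
    # Edited copy: original signature, but the claims now list a different URI.
    claims = dict(json.loads(b64u_decode(claims_b64)), redirect_uris=[other])
    edited = ".".join([header_b64, b64u_encode(json.dumps(claims).encode("utf-8")), sig_b64])
    unsigned = ".".join([b64u_encode(b'{"alg":"none"}'), claims_b64, ""])
    return {"registered uri": accepted(cid, good, 1001),
            "unregistered uri": accepted(cid, other, 1001),
            "edited claims": accepted(edited, other, 1001),
            "alg none": accepted(unsigned, good, 1001),
            "expired": accepted(cid, good, 1000 + LIFETIME)}


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case:18} {'accepted' if ok else 'rejected'}")
```

Because nothing is stored, an issued client_id stays valid until its exp unless the AS rotates its key, so the lifetime is the only revocation control in this sketch.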

From tonynad@microsoft.com  Thu Aug 22 12:39:46 2013
Return-Path: <tonynad@microsoft.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B5A0C21F9C91 for <oauth@ietfa.amsl.com>; Thu, 22 Aug 2013 12:39:46 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.422
X-Spam-Level: 
X-Spam-Status: No, score=-3.422 tagged_above=-999 required=5 tests=[AWL=0.177,  BAYES_00=-2.599, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id FYiCJjk2TQXS for <oauth@ietfa.amsl.com>; Thu, 22 Aug 2013 12:39:38 -0700 (PDT)
Received: from na01-bl2-obe.outbound.protection.outlook.com (mail-bl2lp0212.outbound.protection.outlook.com [207.46.163.212]) by ietfa.amsl.com (Postfix) with ESMTP id AC49A11E8203 for <oauth@ietf.org>; Thu, 22 Aug 2013 12:39:37 -0700 (PDT)
Received: from BY2PR03MB189.namprd03.prod.outlook.com (10.242.36.140) by BY2PR03MB192.namprd03.prod.outlook.com (10.242.36.144) with Microsoft SMTP Server (TLS) id 15.0.745.25; Thu, 22 Aug 2013 19:39:28 +0000
Received: from BY2PR03MB189.namprd03.prod.outlook.com ([169.254.6.82]) by BY2PR03MB189.namprd03.prod.outlook.com ([169.254.6.157]) with mapi id 15.00.0745.000; Thu, 22 Aug 2013 19:39:27 +0000
From: Anthony Nadalin <tonynad@microsoft.com>
To: Phil Hunt <phil.hunt@oracle.com>, "Tschofenig, Hannes (NSN - FI/Espoo)" <hannes.tschofenig@nsn.com>
Thread-Topic: [OAUTH-WG] Dynamic Client Registration Conference Call: Thu 22 Aug, 2pm PDT: Conference Bridge Details -- Correction!
Thread-Index: AQHOn20Ec4WLUZOMaEqCrEjEgXbKrZmhnr8w
Date: Thu, 22 Aug 2013 19:39:27 +0000
Message-ID: <06ddb438b2f04a2fbb0139ee0bc3b97b@BY2PR03MB189.namprd03.prod.outlook.com>
References: <1373E8CE237FCC43BCA36C6558612D2AA272FE@USCHMBX001.nsn-intra.net> <1373E8CE237FCC43BCA36C6558612D2AA27600@USCHMBX001.nsn-intra.net> <D1A778A2-8A40-4F11-A196-8BDBB836DCDC@oracle.com>
In-Reply-To: <D1A778A2-8A40-4F11-A196-8BDBB836DCDC@oracle.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
x-originating-ip: [2001:4898:80e8:ed31::2]
x-forefront-prvs: 0946DC87A1
x-forefront-antispam-report: SFV:NSPM; SFS:(13464003)(199002)(189002)(377454003)(30513003)(81342001)(83072001)(65816001)(19580395003)(19580405001)(83322001)(76796001)(81686001)(74316001)(80022001)(76786001)(80976001)(74366001)(74706001)(74876001)(69226001)(74662001)(47446002)(74502001)(31966008)(46102001)(51856001)(81816001)(50986001)(47976001)(56816003)(77096001)(47736001)(4396001)(79102001)(49866001)(15974865002)(63696002)(81542001)(76576001)(56776001)(59766001)(54356001)(76482001)(54316002)(53806001)(33646001)(77982001)(42262001)(3826001)(24736002); DIR:OUT; SFP:; SCL:1; SRVR:BY2PR03MB192; H:BY2PR03MB189.namprd03.prod.outlook.com; CLIP:2001:4898:80e8:ed31::2; RD:InfoNoRecords; A:1; MX:1; LANG:en; 
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-OriginatorOrg: DuplicateDomain-a84fc36a-4ed7-4e57-ab1c-3e967bcbad48.microsoft.com
X-MS-Exchange-CrossPremises-AuthAs: Internal
X-MS-Exchange-CrossPremises-AuthMechanism: 03
X-MS-Exchange-CrossPremises-AuthSource: BY2PR03MB189.namprd03.prod.outlook.com
X-MS-Exchange-CrossPremises-SCL: 1
X-MS-Exchange-CrossPremises-messagesource: StoreDriver
X-MS-Exchange-CrossPremises-BCC: 
X-MS-Exchange-CrossPremises-originalclientipaddress: 2001:4898:80e8:ed31::2
X-MS-Exchange-CrossPremises-avstamp-service: 1.0
X-MS-Exchange-CrossPremises-antispam-scancontext: DIR:Originating; SFV:NSPM; SKIP:0; 
X-MS-Exchange-CrossPremises-processed-by-journaling: Journal Agent
X-MS-Exchange-CrossPremises-ContentConversionOptions: False; 00160000; True; ; iso-8859-1
X-OrganizationHeadersPreserved: BY2PR03MB192.namprd03.prod.outlook.com
Cc: oauth mailing list <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Dynamic Client Registration Conference Call: Thu 22	Aug, 2pm PDT: Conference Bridge Details -- Correction!
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 22 Aug 2013 19:39:46 -0000

Phil, this just brings me back to the question, "why are we doing this in OAuth"? Configuration endpoint (nothing to do with OAuth), Registration Endpoint (too complicated, goes beyond the bounds of OAuth), why not just a stateless and stateful registration message and that's it?

-----Original Message-----
From: oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] On Behalf Of Phil Hunt
Sent: Thursday, August 22, 2013 12:23 PM
To: Tschofenig, Hannes (NSN - FI/Espoo)
Cc: oauth mailing list
Subject: Re: [OAUTH-WG] Dynamic Client Registration Conference Call: Thu 22 Aug, 2pm PDT: Conference Bridge Details -- Correction!

I have attached a PDF including some of my thoughts, concerns, and suggestions for the upcoming meeting.

Phil

@independentid
www.independentid.com
phil.hunt@oracle.com

From jricher@mitre.org  Thu Aug 22 12:47:33 2013
Return-Path: <jricher@mitre.org>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0279E11E8228 for <oauth@ietfa.amsl.com>; Thu, 22 Aug 2013 12:47:33 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.488
X-Spam-Level: 
X-Spam-Status: No, score=-6.488 tagged_above=-999 required=5 tests=[AWL=0.111,  BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id FM5glxUphr76 for <oauth@ietfa.amsl.com>; Thu, 22 Aug 2013 12:47:28 -0700 (PDT)
Received: from smtpksrv1.mitre.org (smtpksrv1.mitre.org [198.49.146.77]) by ietfa.amsl.com (Postfix) with ESMTP id B60DD11E822B for <oauth@ietf.org>; Thu, 22 Aug 2013 12:47:24 -0700 (PDT)
Received: from smtpksrv1.mitre.org (localhost.localdomain [127.0.0.1]) by localhost (Postfix) with SMTP id E9B202260081; Thu, 22 Aug 2013 15:47:23 -0400 (EDT)
Received: from IMCCAS04.MITRE.ORG (imccas04.mitre.org [129.83.29.81]) by smtpksrv1.mitre.org (Postfix) with ESMTP id D4138226007C; Thu, 22 Aug 2013 15:47:23 -0400 (EDT)
Received: from [10.146.15.13] (129.83.31.56) by IMCCAS04.MITRE.ORG (129.83.29.81) with Microsoft SMTP Server (TLS) id 14.2.342.3; Thu, 22 Aug 2013 15:47:23 -0400
Message-ID: <52166AC9.3030804@mitre.org>
Date: Thu, 22 Aug 2013 15:47:21 -0400
From: Justin Richer <jricher@mitre.org>
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:17.0) Gecko/20130623 Thunderbird/17.0.7
MIME-Version: 1.0
To: Anthony Nadalin <tonynad@microsoft.com>
References: <1373E8CE237FCC43BCA36C6558612D2AA272FE@USCHMBX001.nsn-intra.net> <1373E8CE237FCC43BCA36C6558612D2AA27600@USCHMBX001.nsn-intra.net> <D1A778A2-8A40-4F11-A196-8BDBB836DCDC@oracle.com> <06ddb438b2f04a2fbb0139ee0bc3b97b@BY2PR03MB189.namprd03.prod.outlook.com>
In-Reply-To: <06ddb438b2f04a2fbb0139ee0bc3b97b@BY2PR03MB189.namprd03.prod.outlook.com>
Content-Type: text/plain; charset="ISO-8859-1"; format=flowed
Content-Transfer-Encoding: 7bit
X-Originating-IP: [129.83.31.56]
Cc: oauth mailing list <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Dynamic Client Registration Conference Call: Thu 22 Aug, 2pm PDT: Conference Bridge Details -- Correction!
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 22 Aug 2013 19:47:33 -0000

Tony, I look forward to seeing the concrete specification and 
implementation of your idea.

  -- Justin

On 08/22/2013 03:39 PM, Anthony Nadalin wrote:
> Phil, this just brings me back to the question, "why are we doing this in OAuth"? Configuration endpoint (nothing to do with OAuth), Registration Endpoint (too complicated, goes beyond the bounds of OAuth), why not just a stateless and stateful registration message and that's it?
>
> -----Original Message-----
> From: oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] On Behalf Of Phil Hunt
> Sent: Thursday, August 22, 2013 12:23 PM
> To: Tschofenig, Hannes (NSN - FI/Espoo)
> Cc: oauth mailing list
> Subject: Re: [OAUTH-WG] Dynamic Client Registration Conference Call: Thu 22 Aug, 2pm PDT: Conference Bridge Details -- Correction!
>
> I have attached a PDF including some of my thoughts, concerns, and suggestions for the upcoming meeting.
>
> Phil
>
> @independentid
> www.independentid.com
> phil.hunt@oracle.com
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth


From jricher@mitre.org  Thu Aug 22 12:53:59 2013
Return-Path: <jricher@mitre.org>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9993B21F9EB5 for <oauth@ietfa.amsl.com>; Thu, 22 Aug 2013 12:53:59 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.493
X-Spam-Level: 
X-Spam-Status: No, score=-6.493 tagged_above=-999 required=5 tests=[AWL=0.105,  BAYES_00=-2.599, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Bcad5hh1BBRi for <oauth@ietfa.amsl.com>; Thu, 22 Aug 2013 12:53:49 -0700 (PDT)
Received: from smtpksrv1.mitre.org (smtpksrv1.mitre.org [198.49.146.77]) by ietfa.amsl.com (Postfix) with ESMTP id 1FE9B21F9DF0 for <oauth@ietf.org>; Thu, 22 Aug 2013 12:53:49 -0700 (PDT)
Received: from smtpksrv1.mitre.org (localhost.localdomain [127.0.0.1]) by localhost (Postfix) with SMTP id AB83B2260084; Thu, 22 Aug 2013 15:53:48 -0400 (EDT)
Received: from IMCCAS04.MITRE.ORG (imccas04.mitre.org [129.83.29.81]) by smtpksrv1.mitre.org (Postfix) with ESMTP id 9066C1F0B71; Thu, 22 Aug 2013 15:53:48 -0400 (EDT)
Received: from [10.146.15.13] (129.83.31.56) by IMCCAS04.MITRE.ORG (129.83.29.81) with Microsoft SMTP Server (TLS) id 14.2.342.3; Thu, 22 Aug 2013 15:53:48 -0400
Message-ID: <52166C4A.9060502@mitre.org>
Date: Thu, 22 Aug 2013 15:53:46 -0400
From: Justin Richer <jricher@mitre.org>
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:17.0) Gecko/20130623 Thunderbird/17.0.7
MIME-Version: 1.0
To: Phil Hunt <phil.hunt@oracle.com>
References: <1373E8CE237FCC43BCA36C6558612D2AA272FE@USCHMBX001.nsn-intra.net> <1373E8CE237FCC43BCA36C6558612D2AA27600@USCHMBX001.nsn-intra.net> <D1A778A2-8A40-4F11-A196-8BDBB836DCDC@oracle.com>
In-Reply-To: <D1A778A2-8A40-4F11-A196-8BDBB836DCDC@oracle.com>
Content-Type: multipart/alternative; boundary="------------090509000109040002070408"
X-Originating-IP: [129.83.31.56]
Cc: oauth mailing list <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Dynamic Client Registration Conference Call: Thu 22 Aug, 2pm PDT: Conference Bridge Details -- Correction!
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 22 Aug 2013 19:53:59 -0000

--------------090509000109040002070408
Content-Type: text/plain; charset="ISO-8859-1"; format=flowed
Content-Transfer-Encoding: 7bit

Phil, thanks for writing this down. I think that part of the confusion 
in this conversation may come from the nature of items such as the 
client id, client secret, and even the registration access token. In 
many instances, these are simply random values that the server generates 
and stores for later use. However, as you point out, OAuth doesn't state 
that that has to be the case any more than it states that a server must 
store access tokens. The important thing is that the auth server be able 
to recognize and verify each of these values. As such, nothing is 
stopping the server from staying stateless and sending signed values to 
the client for each or all of these fields, much in the same way that a 
server can issue signed access tokens that carry all their rights and 
state within. As long as all of these values remain opaque to the 
client, everything in OAuth still works. It also works fine within the 
current DynReg framework, as John has just pointed out under a separate 
thread.

  -- Justin

On 08/22/2013 03:22 PM, Phil Hunt wrote:
> I have attached a PDF including some of my thoughts, concerns, and 
> suggestions for the upcoming meeting.
>
> Phil
>
> @independentid
> www.independentid.com <http://www.independentid.com>
> phil.hunt@oracle.com
>
>
>
>
>
>
>
> On 2013-08-22, at 4:06 AM, "Tschofenig, Hannes (NSN - FI/Espoo)" 
> <hannes.tschofenig@nsn.com> wrote:
>
> > I messed up the conference bridge time; here is the corrected 
> version but the details are actually the same.
> >
> > Meeting Number: 702 442 101
> > Meeting Password: oauth
> >
> > -------------------------------------------------------
> > To join the online meeting
> > -------------------------------------------------------
> > 1. Go to 
> https://nsn.webex.com/nsn/j.php?ED=268691357&UID=0&PW=NOTlkZjIwNTEy&RT=MiMyNQ%3D%3D 
>
> > 2. Enter your name and email address.
> > 3. Enter the meeting password: oauth
> > 4. Click "Join Now".
> >
> > To view in other time zones or languages, please click the link:
> > 
> https://nsn.webex.com/nsn/j.php?ED=268691357&UID=0&PW=NOTlkZjIwNTEy&ORT=MiMyNQ%3D%3D 
>
> >
> > -------------------------------------------------------
> > To join the Teleconference
> > -------------------------------------------------------
> > Global dial-in numbers: http://www.nokiasiemensnetworks.com/nvc
> > Conference Code: 944 910 5485
> >
> > To update this meeting to your calendar program (for example 
> Microsoft Outlook), click this link:
> > 
> https://nsn.webex.com/nsn/j.php?ED=268691357&UID=0&ICS=MRS3&LD=1&RD=2&ST=1&SHA2=KseMD/IKx0YGjSRaNyDJbqnmJ2i-xirziLGyc2bHNI8=&RT=MiMyNQ%3D%3D
> >
> >> -----Original Message-----
> >> From: oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] On Behalf
> >> Of ext Tschofenig, Hannes (NSN - FI/Espoo)
> >> Sent: Wednesday, August 21, 2013 6:35 PM
> >> To: oauth mailing list
> >> Subject: [OAUTH-WG] Dynamic Client Registration Conference Call: Thu 22
> >> Aug, 2pm PDT: Conference Bridge Details
> >>
> >> Here is the conference bridge and Webex information.
> >>
> >> From an agenda point of view I guess we should start at a basic level,
> >> namely with what we have already in the dynamic client registration
> >> document (and folks may have actually missed it). There are two use
> >> cases described in the WG document, namely
> >> - Use Case #1: Open Registration (Appendix B.1)
> >> - Use Case #2: Protected Registration (Appendix B.2)
> >>
> >> Then, we could talk about some more sophisticated use cases where
> >> information for protected registration is provided by a third party.
> >>
> >> --------------------
> >>
> >> Meeting Number: 702 442 101
> >> Meeting Password: oauth
> >>
> >> -------------------------------------------------------
> >> To join the online meeting
> >> -------------------------------------------------------
> >> 1. Go to
> >> https://nsn.webex.com/nsn/j.php?ED=268691357&UID=0&PW=NOTlkZjIwNTEy&RT=
> >> MiMzMA%3D%3D
> >> 2. Enter your name and email address.
> >> 3. Enter the meeting password: oauth
> >> 4. Click "Join Now".
> >>
> >> To view in other time zones or languages, please click the link:
> >> https://nsn.webex.com/nsn/j.php?ED=268691357&UID=0&PW=NOTlkZjIwNTEy&ORT
> >> =MiMzMA%3D%3D
> >>
> >> -------------------------------------------------------
> >> To join the teleconference only
> >> -------------------------------------------------------
> >> Global Dial-In Numbers: http://www.nokiasiemensnetworks.com/nvc
> >> Conference Code: 944 910 5485
> >> _______________________________________________
> >> OAuth mailing list
> >> OAuth@ietf.org
> >> https://www.ietf.org/mailman/listinfo/oauth
> > _______________________________________________
> > OAuth mailing list
> > OAuth@ietf.org
> > https://www.ietf.org/mailman/listinfo/oauth
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth


--------------090509000109040002070408--
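
Added example, not code from this thread or from the DynReg draft: a sketch of the stateless approach described in the message above, in which the authorization server stores nothing and instead recognizes and verifies the client id, client secret and registration access token it issued. The function names, demo keys, lifetime and the choice of HMAC-SHA256 (a symmetric MAC standing in for "signed", since only the server verifies) are assumptions.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo keys (assumption): a real server loads these from a secrets store.
SIGNING_KEY = b"constructed-demo-signing-key"
SECRET_KEY = b"constructed-demo-secret-derivation-key"
TTL_SECONDS = 30 * 24 * 3600  # hypothetical registration lifetime


def _b64(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _mac(key, purpose, payload):
    # The purpose label keeps a client_id from being accepted as a token and vice versa.
    msg = (purpose + "." + payload).encode("utf-8")
    return _b64(hmac.new(key, msg, hashlib.sha256).digest())


def _seal(purpose, claims):
    body = json.dumps(claims, sort_keys=True, separators=(",", ":")).encode("utf-8")
    payload = _b64(body)
    return payload + "." + _mac(SIGNING_KEY, purpose, payload)


def _open(purpose, value, now):
    """Return the claims if the MAC verifies and the value is unexpired, else None."""
    payload, sep, tag = value.partition(".")
    expected = _mac(SIGNING_KEY, purpose, payload)
    if not sep or not hmac.compare_digest(tag.encode("utf-8"), expected.encode("utf-8")):
        return None
    # Decode only after the MAC check, so the JSON parser never sees unauthenticated input.
    claims = json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))
    return claims if claims["exp"] > now else None


def register(metadata, now):
    """Handle a registration request without writing anything to a database."""
    # Server-set iat/exp override anything the client put in its metadata.
    claims = dict(metadata, iat=now, exp=now + TTL_SECONDS)
    client_id = _seal("client_id", claims)
    fingerprint = hashlib.sha256(client_id.encode("utf-8")).hexdigest()
    return {
        # The client treats all three values as opaque strings.
        "client_id": client_id,
        "client_secret": _mac(SECRET_KEY, "client_secret", client_id),
        "registration_access_token": _seal(
            "registration_access_token", {"cid": fingerprint, "exp": claims["exp"]}
        ),
    }


def authenticate_client(client_id, client_secret, now):
    """Return the registered metadata carried in client_id, or None if anything fails."""
    claims = _open("client_id", client_id, now)
    if claims is None:
        return None
    expected = _mac(SECRET_KEY, "client_secret", client_id)
    if not hmac.compare_digest(client_secret.encode("utf-8"), expected.encode("utf-8")):
        return None
    return claims


def authorize_management(client_id, token, now):
    """Check that a registration access token was issued for this exact client_id."""
    claims = _open("registration_access_token", token, now)
    if claims is None or _open("client_id", client_id, now) is None:
        return False
    fingerprint = hashlib.sha256(client_id.encode("utf-8")).hexdigest()
    return hmac.compare_digest(claims["cid"], fingerprint)


if __name__ == "__main__":
    issued_at = 1377200000  # constructed timestamp
    reg = register({"client_name": "Demo", "redirect_uris": ["https://client.example/cb"]},
                   issued_at)
    print(authenticate_client(reg["client_id"], reg["client_secret"], issued_at + 60))
    print(authorize_management(reg["client_id"], reg["registration_access_token"],
                               issued_at + 60))
```

A server built this way cannot revoke one registration before it expires without keeping some state (a denylist) or rotating the keys, which invalidates every client at once.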

From phil.hunt@oracle.com  Thu Aug 22 12:55:36 2013
Return-Path: <phil.hunt@oracle.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8A85011E8119 for <oauth@ietfa.amsl.com>; Thu, 22 Aug 2013 12:55:18 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.197
X-Spam-Level: 
X-Spam-Status: No, score=-5.197 tagged_above=-999 required=5 tests=[AWL=0.006,  BAYES_00=-2.599, MIME_QP_LONG_LINE=1.396, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ArFL9U-K8k9W for <oauth@ietfa.amsl.com>; Thu, 22 Aug 2013 12:55:05 -0700 (PDT)
Received: from userp1040.oracle.com (userp1040.oracle.com [156.151.31.81]) by ietfa.amsl.com (Postfix) with ESMTP id 8665121F9EED for <oauth@ietf.org>; Thu, 22 Aug 2013 12:55:05 -0700 (PDT)
Received: from acsinet21.oracle.com (acsinet21.oracle.com [141.146.126.237]) by userp1040.oracle.com (Sentrion-MTA-4.3.1/Sentrion-MTA-4.3.1) with ESMTP id r7MJt2Xk014736 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK); Thu, 22 Aug 2013 19:55:03 GMT
Received: from aserz7022.oracle.com (aserz7022.oracle.com [141.146.126.231]) by acsinet21.oracle.com (8.14.4+Sun/8.14.4) with ESMTP id r7MJt1E8008508 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Thu, 22 Aug 2013 19:55:02 GMT
Received: from abhmt105.oracle.com (abhmt105.oracle.com [141.146.116.57]) by aserz7022.oracle.com (8.14.4+Sun/8.14.4) with ESMTP id r7MJt1g7001227; Thu, 22 Aug 2013 19:55:01 GMT
Received: from [192.168.1.125] (/174.7.250.104) by default (Oracle Beehive Gateway v4.0) with ESMTP ; Thu, 22 Aug 2013 12:55:01 -0700
References: <1373E8CE237FCC43BCA36C6558612D2AA272FE@USCHMBX001.nsn-intra.net> <1373E8CE237FCC43BCA36C6558612D2AA27600@USCHMBX001.nsn-intra.net> <D1A778A2-8A40-4F11-A196-8BDBB836DCDC@oracle.com> <06ddb438b2f04a2fbb0139ee0bc3b97b@BY2PR03MB189.namprd03.prod.outlook.com>
Mime-Version: 1.0 (1.0)
In-Reply-To: <06ddb438b2f04a2fbb0139ee0bc3b97b@BY2PR03MB189.namprd03.prod.outlook.com>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: quoted-printable
Message-Id: <C3F7A4E2-9200-460E-99FC-5BA23B0DADB6@oracle.com>
X-Mailer: iPhone Mail (10B329)
From: Phil Hunt <phil.hunt@oracle.com>
Date: Thu, 22 Aug 2013 12:54:59 -0700
To: Anthony Nadalin <tonynad@microsoft.com>
X-Source-IP: acsinet21.oracle.com [141.146.126.237]
Cc: oauth mailing list <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Dynamic Client Registration Conference Call: Thu 22 Aug, 2pm PDT: Conference Bridge Details -- Correction!
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 22 Aug 2013 19:55:36 -0000

I don't think open vs closed has a big impact on design. The issue of stateful vs stateless is foundational.

So we need to talk about when and why stateful registration is needed.

Phil

On 2013-08-22, at 12:39, Anthony Nadalin <tonynad@microsoft.com> wrote:

> Phil, this just brings me back to the question, "why are we doing this in OAuth"? Configuration endpoint (nothing to do with OAuth), Registration Endpoint (too complicated, goes beyond the bounds of OAuth), why not just a stateless and stateful registration message and that's it?
>
> -----Original Message-----
> From: oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] On Behalf Of Phil Hunt
> Sent: Thursday, August 22, 2013 12:23 PM
> To: Tschofenig, Hannes (NSN - FI/Espoo)
> Cc: oauth mailing list
> Subject: Re: [OAUTH-WG] Dynamic Client Registration Conference Call: Thu 22 Aug, 2pm PDT: Conference Bridge Details -- Correction!
>
> I have attached a PDF including some of my thoughts, concerns, and suggestions for the upcoming meeting.
>
> Phil
>
> @independentid
> www.independentid.com
> phil.hunt@oracle.com

From phil.hunt@oracle.com  Thu Aug 22 12:57:52 2013
Return-Path: <phil.hunt@oracle.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BA2CD21F9622 for <oauth@ietfa.amsl.com>; Thu, 22 Aug 2013 12:57:52 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.197
X-Spam-Level: 
X-Spam-Status: No, score=-5.197 tagged_above=-999 required=5 tests=[AWL=0.005,  BAYES_00=-2.599, HTML_MESSAGE=0.001, MIME_QP_LONG_LINE=1.396, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id uFDrFQMpqxDP for <oauth@ietfa.amsl.com>; Thu, 22 Aug 2013 12:57:48 -0700 (PDT)
Received: from userp1040.oracle.com (userp1040.oracle.com [156.151.31.81]) by ietfa.amsl.com (Postfix) with ESMTP id 91D4221F95DC for <oauth@ietf.org>; Thu, 22 Aug 2013 12:57:45 -0700 (PDT)
Received: from ucsinet21.oracle.com (ucsinet21.oracle.com [156.151.31.93]) by userp1040.oracle.com (Sentrion-MTA-4.3.1/Sentrion-MTA-4.3.1) with ESMTP id r7MJviRb017633 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK); Thu, 22 Aug 2013 19:57:45 GMT
Received: from userz7022.oracle.com (userz7022.oracle.com [156.151.31.86]) by ucsinet21.oracle.com (8.14.4+Sun/8.14.4) with ESMTP id r7MJvhTB000082 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Thu, 22 Aug 2013 19:57:44 GMT
Received: from abhmt101.oracle.com (abhmt101.oracle.com [141.146.116.53]) by userz7022.oracle.com (8.14.4+Sun/8.14.4) with ESMTP id r7MJvh1n004025; Thu, 22 Aug 2013 19:57:43 GMT
Received: from [192.168.1.125] (/174.7.250.104) by default (Oracle Beehive Gateway v4.0) with ESMTP ; Thu, 22 Aug 2013 12:57:42 -0700
References: <1373E8CE237FCC43BCA36C6558612D2AA272FE@USCHMBX001.nsn-intra.net> <1373E8CE237FCC43BCA36C6558612D2AA27600@USCHMBX001.nsn-intra.net> <D1A778A2-8A40-4F11-A196-8BDBB836DCDC@oracle.com> <52166C4A.9060502@mitre.org>
Mime-Version: 1.0 (1.0)
In-Reply-To: <52166C4A.9060502@mitre.org>
Content-Type: multipart/alternative; boundary=Apple-Mail-3B7FA5C8-46D2-4C1E-B5C5-E098162A47C4
Content-Transfer-Encoding: 7bit
Message-Id: <50F21828-5816-4A9C-88A3-13F66C77921B@oracle.com>
X-Mailer: iPhone Mail (10B329)
From: Phil Hunt <phil.hunt@oracle.com>
Date: Thu, 22 Aug 2013 12:57:40 -0700
To: Justin Richer <jricher@mitre.org>
X-Source-IP: ucsinet21.oracle.com [156.151.31.93]
Cc: oauth mailing list <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Dynamic Client Registration Conference Call: Thu 22 Aug, 2pm PDT: Conference Bridge Details -- Correction!
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 22 Aug 2013 19:57:52 -0000

--Apple-Mail-3B7FA5C8-46D2-4C1E-B5C5-E098162A47C4
Content-Type: text/plain;
	charset=us-ascii
Content-Transfer-Encoding: quoted-printable

Agreed.

The problem for dyn reg is most params are optional and passed at reg time. I think this also represents huge complexity to client app developers since each SP may be different. Moving the bulk of the info to the statement simplifies the registration and encourages uniformity.

Phil

On 2013-08-22, at 12:53, Justin Richer <jricher@mitre.org> wrote:

> Phil, thanks for writing this down. I think that part of the confusion
> in this conversation may come from the nature of items such as the
> client id, client secret, and even the registration access token. In
> many instances, these are simply random values that the server generates
> and stores for later use. However, as you point out, OAuth doesn't state
> that that has to be the case any more than it states that a server must
> store access tokens. The important thing is that the auth server be able
> to recognize and verify each of these values. As such, nothing is
> stopping the server from staying stateless and sending signed values to
> the client for each or all of these fields, much in the same way that a
> server can issue signed access tokens that carry all their rights and
> state within. As long as all of these values remain opaque to the
> client, everything in OAuth still works. It also works fine within the
> current DynReg framework, as John has just pointed out under a separate
> thread.
>
>  -- Justin
>
> On 08/22/2013 03:22 PM, Phil Hunt wrote:
>> I have attached a PDF including some of my thoughts, concerns, and
>> suggestions for the upcoming meeting.
>>
>> Phil
>>
>> @independentid
>> www.independentid.com
>> phil.hunt@oracle.com

--Apple-Mail-3B7FA5C8-46D2-4C1E-B5C5-E098162A47C4--
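
The stateless option raised in this thread (the authorization server issuing signed values for fields such as the client id instead of storing them) can be sketched as follows, together with how much longer the identifier gets. This is an added example, not code from any participant or from the draft; the HMAC construction, the key, the function names and the sample metadata values are assumptions made for illustration.

```python
import base64
import hashlib
import hmac
import json
import secrets

# Constructed demo key (assumption); a real server would load it from a secret store.
SERVER_KEY = b"constructed-demo-key-do-not-reuse"


def b64url_encode(data: bytes) -> str:
    """URL-safe base64 without padding, so the value fits in a query parameter."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    """Inverse of b64url_encode; restores the stripped padding first."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_stored_client_id(store: dict, metadata: dict) -> str:
    """Stateful server: random identifier, registration kept server-side."""
    client_id = secrets.token_urlsafe(16)
    store[client_id] = dict(metadata)
    return client_id


def issue_signed_client_id(metadata: dict, key: bytes = SERVER_KEY) -> str:
    """Stateless server: the identifier carries the registration plus a MAC."""
    payload = json.dumps(metadata, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return b64url_encode(payload) + "." + b64url_encode(tag)


def verify_signed_client_id(client_id: str, key: bytes = SERVER_KEY):
    """Return the registration metadata if the MAC verifies, otherwise None.

    The client treats the value as opaque; only the server parses it.
    Without stored state there is no per-client revocation short of
    rotating the key, which invalidates every identifier at once.
    """
    try:
        payload_part, tag_part = client_id.split(".")
        payload = b64url_decode(payload_part)
        tag = b64url_decode(tag_part)
    except ValueError:  # wrong number of parts or malformed base64
        return None
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        return None
    return json.loads(payload)


def compare_sizes(metadata: dict) -> dict:
    """Issue both kinds of identifier for the same registration and measure them."""
    store = {}
    stored_id = issue_stored_client_id(store, metadata)
    signed_id = issue_signed_client_id(metadata)
    return {
        "stored_id_chars": len(stored_id),
        "signed_id_chars": len(signed_id),
        "server_records": len(store),
    }


if __name__ == "__main__":
    # Constructed sample registration; field values are not from the thread.
    sample = {
        "client_name": "Example App",
        "redirect_uris": ["https://client.example.org/callback"],
        "token_endpoint_auth_method": "client_secret_basic",
    }
    signed = issue_signed_client_id(sample)
    print("verified metadata:", verify_signed_client_id(signed))
    print("sizes:", compare_sizes(sample))
```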

From jricher@mitre.org  Thu Aug 22 13:18:59 2013
Return-Path: <jricher@mitre.org>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 853E411E820C for <oauth@ietfa.amsl.com>; Thu, 22 Aug 2013 13:18:59 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.498
X-Spam-Level: 
X-Spam-Status: No, score=-6.498 tagged_above=-999 required=5 tests=[AWL=0.100,  BAYES_00=-2.599, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id zaLSm-gzXUMp for <oauth@ietfa.amsl.com>; Thu, 22 Aug 2013 13:18:54 -0700 (PDT)
Received: from smtpksrv1.mitre.org (smtpksrv1.mitre.org [198.49.146.77]) by ietfa.amsl.com (Postfix) with ESMTP id 9661F11E8113 for <oauth@ietf.org>; Thu, 22 Aug 2013 13:18:54 -0700 (PDT)
Received: from smtpksrv1.mitre.org (localhost.localdomain [127.0.0.1]) by localhost (Postfix) with SMTP id E44F31F0B71; Thu, 22 Aug 2013 16:18:53 -0400 (EDT)
Received: from IMCCAS03.MITRE.ORG (imccas03.mitre.org [129.83.29.80]) by smtpksrv1.mitre.org (Postfix) with ESMTP id CB9821F0B6E; Thu, 22 Aug 2013 16:18:53 -0400 (EDT)
Received: from [10.146.15.13] (129.83.31.56) by IMCCAS03.MITRE.ORG (129.83.29.80) with Microsoft SMTP Server (TLS) id 14.2.342.3; Thu, 22 Aug 2013 16:18:53 -0400
Message-ID: <5216722B.2060001@mitre.org>
Date: Thu, 22 Aug 2013 16:18:51 -0400
From: Justin Richer <jricher@mitre.org>
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:17.0) Gecko/20130623 Thunderbird/17.0.7
MIME-Version: 1.0
To: Phil Hunt <phil.hunt@oracle.com>
References: <1373E8CE237FCC43BCA36C6558612D2AA272FE@USCHMBX001.nsn-intra.net> <1373E8CE237FCC43BCA36C6558612D2AA27600@USCHMBX001.nsn-intra.net> <D1A778A2-8A40-4F11-A196-8BDBB836DCDC@oracle.com> <52166C4A.9060502@mitre.org> <50F21828-5816-4A9C-88A3-13F66C77921B@oracle.com>
In-Reply-To: <50F21828-5816-4A9C-88A3-13F66C77921B@oracle.com>
Content-Type: multipart/alternative; boundary="------------000303010808040804030804"
X-Originating-IP: [129.83.31.56]
Cc: oauth mailing list <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Dynamic Client Registration Conference Call: Thu 22 Aug, 2pm PDT: Conference Bridge Details -- Correction!
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 22 Aug 2013 20:18:59 -0000

--------------000303010808040804030804
Content-Type: text/plain; charset="UTF-8"; format=flowed
Content-Transfer-Encoding: 7bit

But it also assumes, in many cases, a pre-registration step. I think you 
might be simplifying for the case of one piece of software with the same 
parameters talking to the same server many times. In some sense, it 
doesn't matter to a client developer whether they have to send their 
display name as part of a JSON object or as part of a signed JWT (though 
the former's simpler, the results are the same), they still have to send 
it to the server. You kick the can down the road and set up something 
where there's a pre-registration step where common elements of the 
client's registration are fixed -- but then the server's going to have 
to be able to get those common elements at registration time and (later) 
at authorization time. Unless you're building inside of a single 
security domain, this becomes tricky, with all kinds of trust and policy 
issues. But it's useful and it can be done -- that's what we did with 
the "trusted registration" extension that BB+ uses, with registries and 
discovery using the initial access token. The server effectively parses 
the initial access token and looks up information about the client at 
the registry. We also toyed with the idea of packing the registration 
information into the token itself. Either way, the server has to decide 
that it trusts whoever issued that token, and it has to be able to 
verify the token's veracity. In BB+, we're using discovery to find the 
JWK that was used to sign the token and (optionally) token introspection 
to verify that the initial access token hasn't been decommissioned by the 
registry server. In this case, it's the registry that holds the fixed 
information about the client -- not the auth server -- and so the trust 
model is different.

I think we're better off starting with the fully open case, where 
neither the app nor the server really know anything about each other, 
and build from there. We know that that's a case that people want to 
solve. Note that BB+ builds directly on what's already there -- you 
don't have to burn down the house in order to hang a painting. I think 
that there are so many similarities between the two that the software 
statement work can do the same.

I'd also like to point out something about passing client information 
around: in the "fully stateless assertion" world that's being proposed 
(where there *is* no registration step), the client ends up passing its 
full registration information (as a software statement) with *every* 
call to the authorization endpoint. The fact that the registration is 
encoded in an assertion is immaterial. Having the server be truly 
stateless dramatically increases the amount of information sent over the 
wire at runtime -- that's a pretty universal tradeoff, and that's not a 
cost that everyone wants to pay.

  -- Justin

On 08/22/2013 03:57 PM, Phil Hunt wrote:
> Agreed.
>
> The problem for dyn reg is most params are optional and passed at reg 
> time. I think this also represents huge complexity to client app 
> developers since each sp may be different. Move bulk of info to 
> statement simplifies the registration and encourages uniformity.
>
> Phil
>
> On 2013-08-22, at 12:53, Justin Richer <jricher@mitre.org 
> <mailto:jricher@mitre.org>> wrote:
>
>> Phil, thanks for writing this down. I think that part of the 
>> confusion in this conversation may come from the nature of items such 
>> as the client id, client secret, and even the registration access 
>> token. In many instances, these are simply random values that the 
>> server generates and stores for later use. However, as you point out, 
>> OAuth doesn't state that that has to be the case any more than it 
>> states that a server must store access tokens. The important thing is 
>> that the auth server be able to recognize and verify each of these 
>> values. As such, nothing is stopping the server from staying 
>> stateless and sending signed values to the client for each or all of 
>> these fields, much in same way that a server can issue signed access 
>> tokens that carry all their rights and state within. As long as all 
>> of these values remain opaque to the client, everything in OAuth 
>> still works. It also works fine within the current DynReg framework, 
>> as John has just pointed out under a separate thread.
>>
>>  -- Justin
>>
>> On 08/22/2013 03:22 PM, Phil Hunt wrote:
>>> I have attached a PDF including some of my thoughts, concerns, and 
>>> suggestions for the upcoming meeting.
>>>
>>> Phil
>>>
>>> @independentid
>>> www.independentid.com <http://www.independentid.com>
>>> phil.hunt@oracle.com
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>> On 2013-08-22, at 4:06 AM, "Tschofenig, Hannes (NSN - FI/Espoo)" 
>>> <hannes.tschofenig@nsn.com> wrote:
>>>
>>> > I messed up the conference bridge time; here is the corrected 
>>> version but the details are actually the same.
>>> >
>>> > Meeting Number: 702 442 101
>>> > Meeting Password: oauth
>>> >
>>> > -------------------------------------------------------
>>> > To join the online meeting
>>> > -------------------------------------------------------
>>> > 1. Go to 
>>> https://nsn.webex.com/nsn/j.php?ED=268691357&UID=0&PW=NOTlkZjIwNTEy&RT=MiMyNQ%3D%3D 
>>>
>>> > 2. Enter your name and email address.
>>> > 3. Enter the meeting password: oauth
>>> > 4. Click "Join Now".
>>> >
>>> > To view in other time zones or languages, please click the link:
>>> > 
>>> https://nsn.webex.com/nsn/j.php?ED=268691357&UID=0&PW=NOTlkZjIwNTEy&ORT=MiMyNQ%3D%3D 
>>>
>>> >
>>> > -------------------------------------------------------
>>> > To join the Teleconference
>>> > -------------------------------------------------------
>>> > Global dial-in numbers: http://www.nokiasiemensnetworks.com/nvc
>>> > Conference Code: 944 910 5485
>>> >
>>> > To update this meeting to your calendar program (for example 
>>> Microsoft Outlook), click this link:
>>> > 
>>> https://nsn.webex.com/nsn/j.php?ED=268691357&UID=0&ICS=MRS3&LD=1&RD=2&ST=1&SHA2=KseMD/IKx0YGjSRaNyDJbqnmJ2i-xirziLGyc2bHNI8=&RT=MiMyNQ%3D%3D
>>> >
>>> >> -----Original Message-----
>>> >> From: oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] On 
>>> Behalf
>>> >> Of ext Tschofenig, Hannes (NSN - FI/Espoo)
>>> >> Sent: Wednesday, August 21, 2013 6:35 PM
>>> >> To: oauth mailing list
>>> >> Subject: [OAUTH-WG] Dynamic Client Registration Conference Call: 
>>> Thu 22
>>> >> Aug, 2pm PDT: Conference Bridge Details
>>> >>
>>> >> Here is the conference bridge and Webex information.
>>> >>
>>> >> From an agenda point of view I guess we should start at a basic 
>>> level,
>>> >> namely with what we have already in the dynamic client registration
>>> >> document (and folks may have actually missed it). There are two use
>>> >> cases described in the WG document, namely
>>> >> - Use Case #1: Open Registration (Appendix B.1)
>>> >> - Use Case #2: Protected Registration (Appendix B.2)
>>> >>
>>> >> Then, we could talk about some more sophisticated use cases where
>>> >> information for protected registration is provided by a third party.
>>> >>
>>> >> --------------------
>>> >>
>>> >> Meeting Number: 702 442 101
>>> >> Meeting Password: oauth
>>> >>
>>> >> -------------------------------------------------------
>>> >> To join the online meeting
>>> >> -------------------------------------------------------
>>> >> 1. Go to
>>> >> 
>>> https://nsn.webex.com/nsn/j.php?ED=268691357&UID=0&PW=NOTlkZjIwNTEy&RT=
>>> >> MiMzMA%3D%3D
>>> >> 2. Enter your name and email address.
>>> >> 3. Enter the meeting password: oauth
>>> >> 4. Click "Join Now".
>>> >>
>>> >> To view in other time zones or languages, please click the link:
>>> >> 
>>> https://nsn.webex.com/nsn/j.php?ED=268691357&UID=0&PW=NOTlkZjIwNTEy&ORT
>>> >> =MiMzMA%3D%3D
>>> >>
>>> >> -------------------------------------------------------
>>> >> To join the teleconference only
>>> >> -------------------------------------------------------
>>> >> Global Dial-In Numbers: http://www.nokiasiemensnetworks.com/nvc
>>> >> Conference Code: 944 910 5485
>>> >> _______________________________________________
>>> >> OAuth mailing list
>>> >> OAuth@ietf.org
>>> >> https://www.ietf.org/mailman/listinfo/oauth
>>> > _______________________________________________
>>> > OAuth mailing list
>>> > OAuth@ietf.org
>>> > https://www.ietf.org/mailman/listinfo/oauth
>>>
>>> _______________________________________________
>>> OAuth mailing list
>>> OAuth@ietf.org
>>> https://www.ietf.org/mailman/listinfo/oauth
>>


--------------000303010808040804030804
Content-Type: text/html; charset="UTF-8"
Content-Transfer-Encoding: 8bit

<html>
  <head>
    <meta content="text/html; charset=UTF-8" http-equiv="Content-Type">
  </head>
  <body bgcolor="#FFFFFF" text="#000000">
    But it also assumes, in many cases, a pre-registration step. I think
    you might be simplifying for the case of one piece of software with
    the same parameters talking to the same server many times. In some
    sense, it doesn't matter to a client developer whether they have to
    send their display name as part of a JSON object or as part of a
    signed JWT (though the former's simpler, the results are the same),
    they still have to send it to the server. You kick the can down the
    road and set up something where there's a pre-registration step
    where common elements of the client's registration are fixed -- but
    then the server's going to have to be able to get those common
    elements at registration time and (later) at authorization time.
    Unless you're building inside of a single security domain, this
    becomes tricky, with all kinds of trust and policy issues. But it's
    useful and it can be done -- that's what we did with the "trusted
    registration" extension that BB+ uses, with registries and discovery
    using the initial access token. The server effectively parses the
    initial access token and looks up information about the client at
    the registry. We also toyed with the idea of packing the
    registration information into the token itself. Either way, the
    server has to decide that it trusts whoever issued that token, and
    it has to be able to verify the token's veracity. In BB+, we're
    using discovery to find the JWK that was used to sign the token and
    (optionally) token introspection to verify that the initial access
    token hasn't been decommissioned by the registry server. In this
    case, it's the registry that holds the fixed information about the
    client -- not the auth server -- and so the trust model is
    different.<br>
    <br>
    I think we're better off starting with the fully open case, where
    neither the app nor the server really know anything about each
    other, and build from there. We know that that's a case that people
    want to solve. Note that BB+ builds directly on what's already there
    -- you don't have to burn down the house in order to hang a
    painting. I think that there are so many similarities between the
    two that the software statement work can do the same. <br>
    <br>
    I'd also like to point out something about passing client
    information around: in the "fully stateless assertion" world that's
    being proposed (where there *is* no registration step), the client
    ends up passing its full registration information (as a software
    statement) with *every* call to the authorization endpoint. The fact
    that the registration is encoded in an assertion is immaterial.
    Having the server be truly stateless dramatically increases the
    amount of information sent over the wire at runtime -- that's a
    pretty universal tradeoff, and that's not a cost that everyone wants
    to pay. <br>
    <br>
    &nbsp;-- Justin<br>
    <br>
    <div class="moz-cite-prefix">On 08/22/2013 03:57 PM, Phil Hunt
      wrote:<br>
    </div>
    <blockquote
      cite="mid:50F21828-5816-4A9C-88A3-13F66C77921B@oracle.com"
      type="cite">
      <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
      <div>Agreed.&nbsp;</div>
      <div><br>
      </div>
      <div>The problem for dyn reg is most params are optional and
        passed at reg time. I think this also represents huge complexity
        to client app developers since each sp may be different. Move
        bulk of info to statement simplifies the registration and
        encourages uniformity.&nbsp;<br>
        <br>
        Phil</div>
      <div><br>
        On 2013-08-22, at 12:53, Justin Richer &lt;<a
          moz-do-not-send="true" href="mailto:jricher@mitre.org">jricher@mitre.org</a>&gt;
        wrote:<br>
        <br>
      </div>
      <blockquote type="cite">
        <div> Phil, thanks for writing this down. I think that part of
          the confusion in this conversation may come from the nature of
          items such as the client id, client secret, and even the
          registration access token. In many instances, these are simply
          random values that the server generates and stores for later
          use. However, as you point out, OAuth doesn't state that that
          has to be the case any more than it states that a server must
          store access tokens. The important thing is that the auth
          server be able to recognize and verify each of these values.
          As such, nothing is stopping the server from staying stateless
          and sending signed values to the client for each or all of
          these fields, much in same way that a server can issue signed
          access tokens that carry all their rights and state within. As
          long as all of these values remain opaque to the client,
          everything in OAuth still works. It also works fine within the
          current DynReg framework, as John has just pointed out under a
          separate thread.<br>
          <br>
          &nbsp;-- Justin<br>
          <br>
          <div class="moz-cite-prefix">On 08/22/2013 03:22 PM, Phil Hunt
            wrote:<br>
          </div>
          <blockquote
            cite="mid:D1A778A2-8A40-4F11-A196-8BDBB836DCDC@oracle.com"
            type="cite">
            <div class="BodyFragment"><font size="2"><span
                  style="font-size:10pt;">
                  <div class="PlainText">I have attached a PDF including
                    some of my thoughts, concerns, and suggestions for
                    the upcoming meeting.<br>
                    <br>
                    Phil<br>
                    <br>
                    @independentid<br>
                    <a moz-do-not-send="true"
                      href="http://www.independentid.com">www.independentid.com</a><br>
                    <a moz-do-not-send="true"
                      class="moz-txt-link-abbreviated"
                      href="mailto:phil.hunt@oracle.com">phil.hunt@oracle.com</a><br>
                  </div>
                </span></font></div>
            <div class="BodyFragment"><font size="2"><span
                  style="font-size:10pt;">
                  <div class="PlainText"><br>
                    <br>
                    <br>
                    <br>
                    <br>
                    <br>
                    <br>
                    On 2013-08-22, at 4:06 AM, "Tschofenig, Hannes (NSN
                    - FI/Espoo)" <a moz-do-not-send="true"
                      class="moz-txt-link-rfc2396E"
                      href="mailto:hannes.tschofenig@nsn.com">&lt;hannes.tschofenig@nsn.com&gt;</a>
                    wrote:<br>
                    <br>
                    &gt; I messed up the conference bridge time; here is
                    the corrected version but the details are actually
                    the same. <br>
                    &gt; <br>
                    &gt; Meeting Number: 702 442 101 <br>
                    &gt; Meeting Password: oauth <br>
                    &gt; <br>
                    &gt;
                    -------------------------------------------------------
                    <br>
                    &gt; To join the online meeting <br>
                    &gt;
                    -------------------------------------------------------
                    <br>
                    &gt; 1. Go to <a moz-do-not-send="true"
href="https://nsn.webex.com/nsn/j.php?ED=268691357&amp;UID=0&amp;PW=NOTlkZjIwNTEy&amp;RT=MiMyNQ%3D%3D">https://nsn.webex.com/nsn/j.php?ED=268691357&amp;UID=0&amp;PW=NOTlkZjIwNTEy&amp;RT=MiMyNQ%3D%3D</a>
                    <br>
                    &gt; 2. Enter your name and email address. <br>
                    &gt; 3. Enter the meeting password: oauth <br>
                    &gt; 4. Click "Join Now". <br>
                    &gt; <br>
                    &gt; To view in other time zones or languages,
                    please click the link: <br>
                    &gt; <a moz-do-not-send="true"
href="https://nsn.webex.com/nsn/j.php?ED=268691357&amp;UID=0&amp;PW=NOTlkZjIwNTEy&amp;ORT=MiMyNQ%3D%3D">https://nsn.webex.com/nsn/j.php?ED=268691357&amp;UID=0&amp;PW=NOTlkZjIwNTEy&amp;ORT=MiMyNQ%3D%3D</a>
                    <br>
                    &gt; <br>
                    &gt;
                    -------------------------------------------------------
                    <br>
                    &gt; To join the Teleconference <br>
                    &gt;
                    -------------------------------------------------------
                    <br>
                    &gt; Global dial-in numbers: <a
                      moz-do-not-send="true"
                      href="http://www.nokiasiemensnetworks.com/nvc">http://www.nokiasiemensnetworks.com/nvc</a>
                    <br>
                    &gt; Conference Code: 944 910 5485 <br>
                    &gt; <br>
                    &gt; To update this meeting to your calendar program
                    (for example Microsoft Outlook), click this link: <br>
                    &gt; <a moz-do-not-send="true"
href="https://nsn.webex.com/nsn/j.php?ED=268691357&amp;UID=0&amp;ICS=MRS3&amp;LD=1&amp;RD=2&amp;ST=1&amp;SHA2=KseMD/IKx0YGjSRaNyDJbqnmJ2i-xirziLGyc2bHNI8=&amp;RT=MiMyNQ%3D%3D">https://nsn.webex.com/nsn/j.php?ED=268691357&amp;UID=0&amp;ICS=MRS3&amp;LD=1&amp;RD=2&amp;ST=1&amp;SHA2=KseMD/IKx0YGjSRaNyDJbqnmJ2i-xirziLGyc2bHNI8=&amp;RT=MiMyNQ%3D%3D</a><br>
                    &gt; <br>
                    &gt;&gt; -----Original Message-----<br>
                    &gt;&gt; From: <a moz-do-not-send="true"
                      class="moz-txt-link-abbreviated"
                      href="mailto:oauth-bounces@ietf.org">oauth-bounces@ietf.org</a>
                    [<a moz-do-not-send="true"
                      href="mailto:oauth-bounces@ietf.org">mailto:oauth-bounces@ietf.org</a>]
                    On Behalf<br>
                    &gt;&gt; Of ext Tschofenig, Hannes (NSN - FI/Espoo)<br>
                    &gt;&gt; Sent: Wednesday, August 21, 2013 6:35 PM<br>
                    &gt;&gt; To: oauth mailing list<br>
                    &gt;&gt; Subject: [OAUTH-WG] Dynamic Client
                    Registration Conference Call: Thu 22<br>
                    &gt;&gt; Aug, 2pm PDT: Conference Bridge Details<br>
                    &gt;&gt; <br>
                    &gt;&gt; Here is the conference bridge and Webex
                    information.<br>
                    &gt;&gt; <br>
                    &gt;&gt; From an agenda point of view I guess we
                    should start at a basic level,<br>
                    &gt;&gt; namely with what we have already in the
                    dynamic client registration<br>
                    &gt;&gt; document (and folks may have actually
                    missed it). There are two use<br>
                    &gt;&gt; cases described in the WG document, namely<br>
                    &gt;&gt; - Use Case #1: Open Registration (Appendix
                    B.1)<br>
                    &gt;&gt; - Use Case #2: Protected Registration
                    (Appendix B.2)<br>
                    &gt;&gt; <br>
                    &gt;&gt; Then, we could talk about some more
                    sophisticated use cases where<br>
                    &gt;&gt; information for protected registration is
                    provided by a third party.<br>
                    &gt;&gt; <br>
                    &gt;&gt; --------------------<br>
                    &gt;&gt; <br>
                    &gt;&gt; Meeting Number: 702 442 101<br>
                    &gt;&gt; Meeting Password: oauth<br>
                    &gt;&gt; <br>
                    &gt;&gt;
                    -------------------------------------------------------<br>
                    &gt;&gt; To join the online meeting<br>
                    &gt;&gt;
                    -------------------------------------------------------<br>
                    &gt;&gt; 1. Go to<br>
                    &gt;&gt; <a moz-do-not-send="true"
href="https://nsn.webex.com/nsn/j.php?ED=268691357&amp;UID=0&amp;PW=NOTlkZjIwNTEy&amp;RT=">https://nsn.webex.com/nsn/j.php?ED=268691357&amp;UID=0&amp;PW=NOTlkZjIwNTEy&amp;RT=</a><br>
                    &gt;&gt; MiMzMA%3D%3D<br>
                    &gt;&gt; 2. Enter your name and email address.<br>
                    &gt;&gt; 3. Enter the meeting password: oauth<br>
                    &gt;&gt; 4. Click "Join Now".<br>
                    &gt;&gt; <br>
                    &gt;&gt; To view in other time zones or languages,
                    please click the link:<br>
                    &gt;&gt; <a moz-do-not-send="true"
href="https://nsn.webex.com/nsn/j.php?ED=268691357&amp;UID=0&amp;PW=NOTlkZjIwNTEy&amp;ORT">https://nsn.webex.com/nsn/j.php?ED=268691357&amp;UID=0&amp;PW=NOTlkZjIwNTEy&amp;ORT</a><br>
                    &gt;&gt; =MiMzMA%3D%3D<br>
                    &gt;&gt; <br>
                    &gt;&gt;
                    -------------------------------------------------------<br>
                    &gt;&gt; To join the teleconference only<br>
                    &gt;&gt;
                    -------------------------------------------------------<br>
                    &gt;&gt; Global Dial-In Numbers: <a
                      moz-do-not-send="true"
                      href="http://www.nokiasiemensnetworks.com/nvc">http://www.nokiasiemensnetworks.com/nvc</a><br>
                    &gt;&gt; Conference Code: 944 910 5485<br>
                    &gt;&gt;
                    _______________________________________________<br>
                    &gt;&gt; OAuth mailing list<br>
                    &gt;&gt; <a moz-do-not-send="true"
                      class="moz-txt-link-abbreviated"
                      href="mailto:OAuth@ietf.org">OAuth@ietf.org</a><br>
                    &gt;&gt; <a moz-do-not-send="true"
                      href="https://www.ietf.org/mailman/listinfo/oauth">https://www.ietf.org/mailman/listinfo/oauth</a><br>
                    &gt; _______________________________________________<br>
                    &gt; OAuth mailing list<br>
                    &gt; <a moz-do-not-send="true"
                      class="moz-txt-link-abbreviated"
                      href="mailto:OAuth@ietf.org">OAuth@ietf.org</a><br>
                    &gt; <a moz-do-not-send="true"
                      href="https://www.ietf.org/mailman/listinfo/oauth">https://www.ietf.org/mailman/listinfo/oauth</a><br>
                    <br>
                  </div>
                </span></font></div>
            <div class="BodyFragment"><font size="2"><span
                  style="font-size:10pt;">
                  <div class="PlainText">_______________________________________________<br>
                    OAuth mailing list<br>
                    <a moz-do-not-send="true"
                      class="moz-txt-link-abbreviated"
                      href="mailto:OAuth@ietf.org">OAuth@ietf.org</a><br>
                    <a moz-do-not-send="true"
                      href="https://www.ietf.org/mailman/listinfo/oauth">https://www.ietf.org/mailman/listinfo/oauth</a><br>
                  </div>
                </span></font></div>
          </blockquote>
          <br>
        </div>
      </blockquote>
    </blockquote>
    <br>
  </body>
</html>

--------------000303010808040804030804--

From phil.hunt@oracle.com  Thu Aug 22 13:44:03 2013
Content-Type: multipart/alternative; boundary="Apple-Mail=_1F5BF2C3-799A-450D-964A-17EA8F152A6D"
Mime-Version: 1.0 (Mac OS X Mail 6.5 \(1508\))
From: Phil Hunt <phil.hunt@oracle.com>
In-Reply-To: <5216722B.2060001@mitre.org>
Date: Thu, 22 Aug 2013 13:43:55 -0700
Message-Id: <AE7720E0-5025-452E-9B14-4C9D20216A0B@oracle.com>
References: <1373E8CE237FCC43BCA36C6558612D2AA272FE@USCHMBX001.nsn-intra.net> <1373E8CE237FCC43BCA36C6558612D2AA27600@USCHMBX001.nsn-intra.net> <D1A778A2-8A40-4F11-A196-8BDBB836DCDC@oracle.com> <52166C4A.9060502@mitre.org> <50F21828-5816-4A9C-88A3-13F66C77921B@oracle.com> <5216722B.2060001@mitre.org>
To: Justin Richer <jricher@mitre.org>
X-Mailer: Apple Mail (2.1508)
X-Source-IP: acsinet21.oracle.com [141.146.126.237]
Cc: oauth mailing list <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Dynamic Client Registration Conference Call: Thu 22 Aug, 2pm PDT: Conference Bridge Details -- Correction!

--Apple-Mail=_1F5BF2C3-799A-450D-964A-17EA8F152A6D
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain;
	charset=us-ascii

TLS doesn't define how servers obtain certificates. It just assumes they are installed.  The same thing is happening here.

I'm not sure why this is objectionable. It is simply a broader model of your proprietary (meaning specific) solution for BB+.

Phil

@independentid
www.independentid.com
phil.hunt@oracle.com

On 2013-08-22, at 1:18 PM, Justin Richer <jricher@mitre.org> wrote:

> But it also assumes, in many cases, a pre-registration step. I think you might be simplifying for the case of one piece of software with the same parameters talking to the same server many times. In some sense, it doesn't matter to a client developer whether they have to send their display name as part of a JSON object or as part of a signed JWT (though the former's simpler, the results are the same), they still have to send it to the server. You kick the can down the road and set up something where there's a pre-registration step where common elements of the client's registration are fixed -- but then the server's going to have to be able to get those common elements at registration time and (later) at authorization time. Unless you're building inside of a single security domain, this becomes tricky, with all kinds of trust and policy issues. But it's useful and it can be done -- that's what we did with the "trusted registration" extension that BB+ uses, with registries and discovery using the initial access token. The server effectively parses the initial access token and looks up information about the client at the registry. We also toyed with the idea of packing the registration information into the token itself. Either way, the server has to decide that it trusts whoever issued that token, and it has to be able to verify the token's veracity. In BB+, we're using discovery to find the JWK that was used to sign the token and (optionally) token introspection to verify that the initial access token hasn't been decommissioned by the registry server. In this case, it's the registry that holds the fixed information about the client -- not the auth server -- and so the trust model is different.
>
> I think we're better off starting with the fully open case, where neither the app nor the server really know anything about each other, and build from there. We know that that's a case that people want to solve. Note that BB+ builds directly on what's already there -- you don't have to burn down the house in order to hang a painting. I think that there are so many similarities between the two that the software statement work can do the same.
>
> I'd also like to point out something about passing client information around: in the "fully stateless assertion" world that's being proposed (where there *is* no registration step), the client ends up passing its full registration information (as a software statement) with *every* call to the authorization endpoint. The fact that the registration is encoded in an assertion is immaterial. Having the server be truly stateless dramatically increases the amount of information sent over the wire at runtime -- that's a pretty universal tradeoff, and that's not a cost that everyone wants to pay.
>
>  -- Justin
>
> On 08/22/2013 03:57 PM, Phil Hunt wrote:
>> Agreed.
>>
>> The problem for dyn reg is most params are optional and passed at reg time. I think this also represents huge complexity to client app developers since each sp may be different. Move bulk of info to statement simplifies the registration and encourages uniformity.
>>
>> Phil
>>
>> On 2013-08-22, at 12:53, Justin Richer <jricher@mitre.org> wrote:
>>
>>> Phil, thanks for writing this down. I think that part of the confusion in this conversation may come from the nature of items such as the client id, client secret, and even the registration access token. In many instances, these are simply random values that the server generates and stores for later use. However, as you point out, OAuth doesn't state that that has to be the case any more than it states that a server must store access tokens. The important thing is that the auth server be able to recognize and verify each of these values. As such, nothing is stopping the server from staying stateless and sending signed values to the client for each or all of these fields, much in the same way that a server can issue signed access tokens that carry all their rights and state within. As long as all of these values remain opaque to the client, everything in OAuth still works. It also works fine within the current DynReg framework, as John has just pointed out under a separate thread.
>>>
>>>  -- Justin
>>>
>>> On 08/22/2013 03:22 PM, Phil Hunt wrote:
>>>> I have attached a PDF including some of my thoughts, concerns, and suggestions for the upcoming meeting.
>>>>
>>>> Phil
>>>>
>>>> @independentid
>>>> www.independentid.com
>>>> phil.hunt@oracle.com
>>>>
>>>> On 2013-08-22, at 4:06 AM, "Tschofenig, Hannes (NSN - FI/Espoo)" <hannes.tschofenig@nsn.com> wrote:
>>>>
>>>> > I messed up the conference bridge time; here is the corrected version but the details are actually the same.
>>>> >
>>>> > Meeting Number: 702 442 101
>>>> > Meeting Password: oauth
>>>> >
>>>> > -------------------------------------------------------
>>>> > To join the online meeting
>>>> > -------------------------------------------------------
>>>> > 1. Go to https://nsn.webex.com/nsn/j.php?ED=268691357&UID=0&PW=NOTlkZjIwNTEy&RT=MiMyNQ%3D%3D
>>>> > 2. Enter your name and email address.
>>>> > 3. Enter the meeting password: oauth
>>>> > 4. Click "Join Now".
>>>> >
>>>> > To view in other time zones or languages, please click the link:
>>>> > https://nsn.webex.com/nsn/j.php?ED=268691357&UID=0&PW=NOTlkZjIwNTEy&ORT=MiMyNQ%3D%3D
>>>> >
>>>> > -------------------------------------------------------
>>>> > To join the Teleconference
>>>> > -------------------------------------------------------
>>>> > Global dial-in numbers: http://www.nokiasiemensnetworks.com/nvc
>>>> > Conference Code: 944 910 5485
>>>> >
>>>> > To update this meeting to your calendar program (for example Microsoft Outlook), click this link:
>>>> > https://nsn.webex.com/nsn/j.php?ED=268691357&UID=0&ICS=MRS3&LD=1&RD=2&ST=1&SHA2=KseMD/IKx0YGjSRaNyDJbqnmJ2i-xirziLGyc2bHNI8=&RT=MiMyNQ%3D%3D
>>>> >
>>>> >> -----Original Message-----
>>>> >> From: oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] On Behalf
>>>> >> Of ext Tschofenig, Hannes (NSN - FI/Espoo)
>>>> >> Sent: Wednesday, August 21, 2013 6:35 PM
>>>> >> To: oauth mailing list
>>>> >> Subject: [OAUTH-WG] Dynamic Client Registration Conference Call: Thu 22
>>>> >> Aug, 2pm PDT: Conference Bridge Details
>>>> >>
>>>> >> Here is the conference bridge and Webex information.
>>>> >>
>>>> >> From an agenda point of view I guess we should start at a basic level,
>>>> >> namely with what we have already in the dynamic client registration
>>>> >> document (and folks may have actually missed it). There are two use
>>>> >> cases described in the WG document, namely
>>>> >> - Use Case #1: Open Registration (Appendix B.1)
>>>> >> - Use Case #2: Protected Registration (Appendix B.2)
>>>> >>
>>>> >> Then, we could talk about some more sophisticated use cases where
>>>> >> information for protected registration is provided by a third party.
>>>> >>
>>>> >> --------------------
>>>> >>
>>>> >> Meeting Number: 702 442 101
>>>> >> Meeting Password: oauth
>>>> >>
>>>> >> -------------------------------------------------------
>>>> >> To join the online meeting
>>>> >> -------------------------------------------------------
>>>> >> 1. Go to
>>>> >> https://nsn.webex.com/nsn/j.php?ED=268691357&UID=0&PW=NOTlkZjIwNTEy&RT=
>>>> >> MiMzMA%3D%3D
>>>> >> 2. Enter your name and email address.
>>>> >> 3. Enter the meeting password: oauth
>>>> >> 4. Click "Join Now".
>>>> >>
>>>> >> To view in other time zones or languages, please click the link:
>>>> >> https://nsn.webex.com/nsn/j.php?ED=268691357&UID=0&PW=NOTlkZjIwNTEy&ORT
>>>> >> =MiMzMA%3D%3D
>>>> >>
>>>> >> -------------------------------------------------------
>>>> >> To join the teleconference only
>>>> >> -------------------------------------------------------
>>>> >> Global Dial-In Numbers: http://www.nokiasiemensnetworks.com/nvc
>>>> >> Conference Code: 944 910 5485
>=20
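
Added example (not part of the original messages, and not code from any draft or implementation discussed in this thread): a sketch of the stateless option described in the quoted text above, where the server signs the registration into the client_id and later verifies it instead of looking it up, together with the wire-size cost that comes with it. An HMAC over JSON stands in for a signed JWT; SERVER_KEY, the function names, the lifetime and the sample metadata are assumptions.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

# Assumption: a constructed demo key; a real server loads its key from a key store.
SERVER_KEY = b"constructed-demo-key-for-illustration-only"


def b64e(data: bytes) -> str:
    """URL-safe base64 without padding, as used in compact JWT-style encodings."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64d(text: str) -> bytes:
    """Inverse of b64e; restores the stripped padding before decoding."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_client_id(metadata, key=SERVER_KEY, ttl=86400, now=None):
    """Registration: sign the metadata into the client_id; the server stores nothing."""
    now = int(time.time()) if now is None else now
    body = dict(metadata, iat=now, exp=now + ttl)
    payload = b64e(json.dumps(body, sort_keys=True, separators=(",", ":")).encode())
    tag = hmac.new(key, payload.encode("ascii"), hashlib.sha256).digest()
    return payload + "." + b64e(tag)


def verify_client_id(client_id, redirect_uri, key=SERVER_KEY, now=None):
    """Authorization: recover the registration from the client_id, or raise ValueError."""
    now = int(time.time()) if now is None else now
    try:
        payload, tag = client_id.split(".")
        supplied = b64d(tag)
        expected = hmac.new(key, payload.encode("ascii"), hashlib.sha256).digest()
    except ValueError:
        raise ValueError("malformed client_id") from None
    # Check the signature before parsing anything the caller controls.
    if not hmac.compare_digest(supplied, expected):
        raise ValueError("bad signature")
    body = json.loads(b64d(payload))
    # A stateless server cannot revoke, so the expiry is the only lifetime control.
    if now >= body["exp"]:
        raise ValueError("registration expired")
    if redirect_uri not in body.get("redirect_uris", []):
        raise ValueError("redirect_uri not registered")
    return body


def size_on_the_wire(metadata):
    """Lengths of a random, server-stored client_id and of the self-contained one."""
    return len(secrets.token_urlsafe(16)), len(issue_client_id(metadata))


if __name__ == "__main__":
    # Constructed sample registration.
    meta = {"client_name": "Example App", "redirect_uris": ["https://app.example/cb"]}
    cid = issue_client_id(meta)
    print(verify_client_id(cid, "https://app.example/cb")["client_name"])
    print("random id: %d chars, signed id: %d chars" % size_on_the_wire(meta))
```

The client treats the returned string as opaque; only the server that holds the key can interpret or validate it.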


--Apple-Mail=_1F5BF2C3-799A-450D-964A-17EA8F152A6D
Content-Transfer-Encoding: quoted-printable
Content-Type: text/html;
	charset=us-ascii

<html><head><meta http-equiv=3D"Content-Type" content=3D"text/html =
charset=3Dus-ascii"></head><body style=3D"word-wrap: break-word; =
-webkit-nbsp-mode: space; -webkit-line-break: after-white-space; =
"><div>TLS doesn't define how servers obtain certificates. It just =
assumes they are installed. &nbsp;The same thing is happening =
here.</div><div><br></div><div>I'm not sure why this is objectionable. =
It is simply a broader model of your proprietary (meaning specific) =
solution for BB+.</div><div><br></div><div><div =
apple-content-edited=3D"true">
<span class=3D"Apple-style-span" style=3D"border-collapse: separate; =
color: rgb(0, 0, 0); font-family: Helvetica; font-style: normal; =
font-variant: normal; font-weight: normal; letter-spacing: normal; =
line-height: normal; orphans: 2; text-indent: 0px; text-transform: none; =
white-space: normal; widows: 2; word-spacing: 0px; border-spacing: 0px; =
-webkit-text-decorations-in-effect: none; -webkit-text-size-adjust: =
auto; -webkit-text-stroke-width: 0px; font-size: medium; "><div =
style=3D"word-wrap: break-word; -webkit-nbsp-mode: space; =
-webkit-line-break: after-white-space; "><span class=3D"Apple-style-span" =
style=3D"border-collapse: separate; color: rgb(0, 0, 0); font-family: =
Helvetica; font-size: medium; font-style: normal; font-variant: normal; =
font-weight: normal; letter-spacing: normal; line-height: normal; =
orphans: 2; text-indent: 0px; text-transform: none; white-space: normal; =
widows: 2; word-spacing: 0px; border-spacing: 0px; =
-webkit-text-decorations-in-effect: none; -webkit-text-size-adjust: =
auto; -webkit-text-stroke-width: 0px; "><div style=3D"word-wrap: =
break-word; -webkit-nbsp-mode: space; -webkit-line-break: =
after-white-space; "><span class=3D"Apple-style-span" =
style=3D"border-collapse: separate; color: rgb(0, 0, 0); font-family: =
Helvetica; font-size: medium; font-style: normal; font-variant: normal; =
font-weight: normal; letter-spacing: normal; line-height: normal; =
orphans: 2; text-indent: 0px; text-transform: none; white-space: normal; =
widows: 2; word-spacing: 0px; border-spacing: 0px; =
-webkit-text-decorations-in-effect: none; -webkit-text-size-adjust: =
auto; -webkit-text-stroke-width: 0px; "><div style=3D"word-wrap: =
break-word; -webkit-nbsp-mode: space; -webkit-line-break: =
after-white-space; "><span class=3D"Apple-style-span" =
style=3D"border-collapse: separate; color: rgb(0, 0, 0); font-family: =
Helvetica; font-size: 12px; font-style: normal; font-variant: normal; =
font-weight: normal; letter-spacing: normal; line-height: normal; =
orphans: 2; text-indent: 0px; text-transform: none; white-space: normal; =
widows: 2; word-spacing: 0px; border-spacing: 0px; =
-webkit-text-decorations-in-effect: none; -webkit-text-size-adjust: =
auto; -webkit-text-stroke-width: 0px; "><div style=3D"word-wrap: =
break-word; -webkit-nbsp-mode: space; -webkit-line-break: =
after-white-space; =
"><div>Phil</div><div><br></div><div>@independentid</div><div><a =
href=3D"http://www.independentid.com">www.independentid.com</a></div></div=
></span><a =
href=3D"mailto:phil.hunt@oracle.com">phil.hunt@oracle.com</a></div><div =
style=3D"word-wrap: break-word; -webkit-nbsp-mode: space; =
-webkit-line-break: after-white-space; "><br><br></div></span><br =
class=3D"Apple-interchange-newline"></div></span><br =
class=3D"Apple-interchange-newline"></div></span><br =
class=3D"Apple-interchange-newline"><br =
class=3D"Apple-interchange-newline">
</div>
<br><div><div>On 2013-08-22, at 1:18 PM, Justin Richer &lt;<a =
href=3D"mailto:jricher@mitre.org">jricher@mitre.org</a>&gt; =
wrote:</div><br class=3D"Apple-interchange-newline"><blockquote =
type=3D"cite">
 =20
    <meta content=3D"text/html; charset=3DUTF-8" =
http-equiv=3D"Content-Type">
 =20
  <div bgcolor=3D"#FFFFFF" text=3D"#000000">
    But it also assumes, in many cases, a pre-registration step. I think
    you might be simplifying for the case of one piece of software with
    the same parameters talking to the same server many times. In some
    sense, it doesn't matter to a client developer whether they have to
    send their display name as part of a JSON object or as part of a
    signed JWT (though the former's simpler, the results are the same),
    they still have to send it to the server. You kick the can down the
    road and set up something where there's a pre-registration step
    where common elements of the client's registration are fixed -- but
    then the server's going to have to be able to get those common
    elements at registration time and (later) at authorization time.
    Unless you're building inside of a single security domain, this
    becomes tricky, with all kinds of trust and policy issues. But it's
    useful and it can be done -- that's what we did with the "trusted
    registration" extension that BB+ uses, with registries and discovery
    using the initial access token. The server effectively parses the
    initial access token and looks up information about the client at
    the registry. We also toyed with the idea of packing the
    registration information into the token itself. Either way, the
    server has to decide that it trusts whoever issued that token, and
    it has to be able to verify the token's veracity. In BB+, we're
    using discovery to find the JWK that was used to sign the token and
    (optionally) token introspection to verify that the initial access
    token hasn't been decommissioned by the registry server. In this
    case, it's the registry that holds the fixed information about the
    client -- not the auth server -- and so the trust model is
    different.<br>
    <br>
    I think we're better off starting with the fully open case, where
    neither the app nor the server really know anything about each
    other, and build from there. We know that that's a case that people
    want to solve. Note that BB+ builds directly on what's already there
    -- you don't have to burn down the house in order to hang a
    painting. I think that there are so many similarities between the
    two that the software statement work can do the same. <br>
    <br>
    I'd also like to point out something about passing client
    information around: in the "fully stateless assertion" world that's
    being proposed (where there *is* no registration step), the client
    ends up passing its full registration information (as a software
    statement) with *every* call to the authorization endpoint. The fact
    that the registration is encoded in an assertion is immaterial.
    Having the server be truly stateless dramatically increases the
    amount of information sent over the wire at runtime -- that's a
    pretty universal tradeoff, and that's not a cost that everyone wants
    to pay. <br>
    <br>
    &nbsp;-- Justin<br>
    <br>
    <div class=3D"moz-cite-prefix">On 08/22/2013 03:57 PM, Phil Hunt
      wrote:<br>
    </div>
    <blockquote =
cite=3D"mid:50F21828-5816-4A9C-88A3-13F66C77921B@oracle.com" =
type=3D"cite">
      <meta http-equiv=3D"Content-Type" content=3D"text/html; =
charset=3DUTF-8">
      <div>Agreed.&nbsp;</div>
      <div><br>
      </div>
      <div>The problem for dyn reg is most params are optional and
        passed at reg time. I think this also represents huge complexity
        to client app developers since each sp may be different. Move
        bulk of info to statement simplifies the registration and
        encourages uniformity.&nbsp;<br>
        <br>
        Phil</div>
      <div><br>
        On 2013-08-22, at 12:53, Justin Richer &lt;<a =
moz-do-not-send=3D"true" =
href=3D"mailto:jricher@mitre.org">jricher@mitre.org</a>&gt;
        wrote:<br>
        <br>
      </div>
      <blockquote type=3D"cite">
        <div> Phil, thanks for writing this down. I think that part of
          the confusion in this conversation may come from the nature of
          items such as the client id, client secret, and even the
          registration access token. In many instances, these are simply
          random values that the server generates and stores for later
          use. However, as you point out, OAuth doesn't state that that
          has to be the case any more than it states that a server must
          store access tokens. The important thing is that the auth
          server be able to recognize and verify each of these values.
          As such, nothing is stopping the server from staying stateless
          and sending signed values to the client for each or all of
          these fields, much in the same way that a server can issue signed
          access tokens that carry all their rights and state within. As
          long as all of these values remain opaque to the client,
          everything in OAuth still works. It also works fine within the
          current DynReg framework, as John has just pointed out under a
          separate thread.<br>
          <br>
          &nbsp;-- Justin<br>
          <br>
          <div class=3D"moz-cite-prefix">On 08/22/2013 03:22 PM, Phil =
Hunt
            wrote:<br>
          </div>
          <blockquote =
cite=3D"mid:D1A778A2-8A40-4F11-A196-8BDBB836DCDC@oracle.com" =
type=3D"cite">
            <div class=3D"BodyFragment"><font size=3D"2"><span =
style=3D"font-size:10pt;">
                  <div class=3D"PlainText">I have attached a PDF =
including
                    some of my thoughts, concerns, and suggestions for
                    the upcoming meeting.<br>
                    <br>
                    Phil<br>
                    <br>
                    @independentid<br>
                    <a moz-do-not-send=3D"true" =
href=3D"http://www.independentid.com/">www.independentid.com</a><br>
                    <a moz-do-not-send=3D"true" =
class=3D"moz-txt-link-abbreviated" =
href=3D"mailto:phil.hunt@oracle.com">phil.hunt@oracle.com</a><br>
                  </div>
                </span></font></div>
            <div class=3D"BodyFragment"><font size=3D"2"><span =
style=3D"font-size:10pt;">
                  <div class=3D"PlainText"><br>
                    <br>
                    <br>
                    <br>
                    <br>
                    <br>
                    <br>
                    On 2013-08-22, at 4:06 AM, "Tschofenig, Hannes (NSN
                    - FI/Espoo)" <a moz-do-not-send=3D"true" =
class=3D"moz-txt-link-rfc2396E" =
href=3D"mailto:hannes.tschofenig@nsn.com">&lt;hannes.tschofenig@nsn.com&gt=
;</a>
                    wrote:<br>
                    <br>
                    &gt; I messed up the conference bridge time; here is
                    the corrected version but the details are actually
                    the same. <br>
                    &gt; <br>
                    &gt; Meeting Number: 702 442 101 <br>
                    &gt; Meeting Password: oauth <br>
                    &gt; <br>
                    &gt;
                    =
-------------------------------------------------------
                    <br>
                    &gt; To join the online meeting <br>
                    &gt;
                    =
-------------------------------------------------------
                    <br>
                    &gt; 1. Go to <a moz-do-not-send=3D"true" =
href=3D"https://nsn.webex.com/nsn/j.php?ED=3D268691357&amp;UID=3D0&amp;PW=3D=
NOTlkZjIwNTEy&amp;RT=3DMiMyNQ%3D%3D">https://nsn.webex.com/nsn/j.php?ED=3D=
268691357&amp;UID=3D0&amp;PW=3DNOTlkZjIwNTEy&amp;RT=3DMiMyNQ%3D%3D</a>
                    <br>
                    &gt; 2. Enter your name and email address. <br>
                    &gt; 3. Enter the meeting password: oauth <br>
                    &gt; 4. Click "Join Now". <br>
                    &gt; <br>
                    &gt; To view in other time zones or languages,
                    please click the link: <br>
                    &gt; <a moz-do-not-send=3D"true" =
href=3D"https://nsn.webex.com/nsn/j.php?ED=3D268691357&amp;UID=3D0&amp;PW=3D=
NOTlkZjIwNTEy&amp;ORT=3DMiMyNQ%3D%3D">https://nsn.webex.com/nsn/j.php?ED=3D=
268691357&amp;UID=3D0&amp;PW=3DNOTlkZjIwNTEy&amp;ORT=3DMiMyNQ%3D%3D</a>
                    <br>
                    &gt; <br>
                    &gt;
                    =
-------------------------------------------------------
                    <br>
                    &gt; To join the Teleconference <br>
                    &gt;
                    =
-------------------------------------------------------
                    <br>
                    &gt; Global dial-in numbers: <a =
moz-do-not-send=3D"true" =
href=3D"http://www.nokiasiemensnetworks.com/nvc">http://www.nokiasiemensne=
tworks.com/nvc</a>
                    <br>
                    &gt; Conference Code: 944 910 5485 <br>
                    &gt; <br>
                    &gt; To update this meeting to your calendar program
                    (for example Microsoft Outlook), click this link: =
<br>
                    &gt; <a moz-do-not-send=3D"true" =
href=3D"https://nsn.webex.com/nsn/j.php?ED=3D268691357&amp;UID=3D0&amp;ICS=
=3DMRS3&amp;LD=3D1&amp;RD=3D2&amp;ST=3D1&amp;SHA2=3DKseMD/IKx0YGjSRaNyDJbq=
nmJ2i-xirziLGyc2bHNI8=3D&amp;RT=3DMiMyNQ%3D%3D">https://nsn.webex.com/nsn/=
j.php?ED=3D268691357&amp;UID=3D0&amp;ICS=3DMRS3&amp;LD=3D1&amp;RD=3D2&amp;=
ST=3D1&amp;SHA2=3DKseMD/IKx0YGjSRaNyDJbqnmJ2i-xirziLGyc2bHNI8=3D&amp;RT=3D=
MiMyNQ%3D%3D</a><br>
                    &gt; <br>
                    &gt;&gt; -----Original Message-----<br>
                    &gt;&gt; From: <a moz-do-not-send=3D"true" =
class=3D"moz-txt-link-abbreviated" =
href=3D"mailto:oauth-bounces@ietf.org">oauth-bounces@ietf.org</a>
                    [<a moz-do-not-send=3D"true" =
href=3D"mailto:oauth-bounces@ietf.org">mailto:oauth-bounces@ietf.org</a>]
                    On Behalf<br>
                    &gt;&gt; Of ext Tschofenig, Hannes (NSN - =
FI/Espoo)<br>
                    &gt;&gt; Sent: Wednesday, August 21, 2013 6:35 =
PM<br>
                    &gt;&gt; To: oauth mailing list<br>
                    &gt;&gt; Subject: [OAUTH-WG] Dynamic Client
                    Registration Conference Call: Thu 22<br>
                    &gt;&gt; Aug, 2pm PDT: Conference Bridge Details<br>
                    &gt;&gt; <br>
                    &gt;&gt; Here is the conference bridge and Webex
                    information.<br>
                    &gt;&gt; <br>
                    &gt;&gt; =46rom an agenda point of view I guess we
                    should start at a basic level,<br>
                    &gt;&gt; namely with what we have already in the
                    dynamic client registration<br>
                    &gt;&gt; document (and folks may have actually
                    missed it). There are two use<br>
                    &gt;&gt; cases described in the WG document, =
namely<br>
                    &gt;&gt; - Use Case #1: Open Registration (Appendix
                    B.1)<br>
                    &gt;&gt; - Use Case #2: Protected Registration
                    (Appendix B.2)<br>
                    &gt;&gt; <br>
                    &gt;&gt; Then, we could talk about some more
                    sophisticated use cases where<br>
                    &gt;&gt; information for protected registration is
                    provided by a third party.<br>
                    &gt;&gt; <br>
                    &gt;&gt; --------------------<br>
                    &gt;&gt; <br>
                    &gt;&gt; Meeting Number: 702 442 101<br>
                    &gt;&gt; Meeting Password: oauth<br>
                    &gt;&gt; <br>
                    &gt;&gt;
                    =
-------------------------------------------------------<br>
                    &gt;&gt; To join the online meeting<br>
                    &gt;&gt;
                    =
-------------------------------------------------------<br>
                    &gt;&gt; 1. Go to<br>
                    &gt;&gt; <a moz-do-not-send=3D"true" =
href=3D"https://nsn.webex.com/nsn/j.php?ED=3D268691357&amp;UID=3D0&amp;PW=3D=
NOTlkZjIwNTEy&amp;RT=3D">https://nsn.webex.com/nsn/j.php?ED=3D268691357&am=
p;UID=3D0&amp;PW=3DNOTlkZjIwNTEy&amp;RT=3D</a><br>
                    &gt;&gt; MiMzMA%3D%3D<br>
                    &gt;&gt; 2. Enter your name and email address.<br>
                    &gt;&gt; 3. Enter the meeting password: oauth<br>
                    &gt;&gt; 4. Click "Join Now".<br>
                    &gt;&gt; <br>
                    &gt;&gt; To view in other time zones or languages,
                    please click the link:<br>
                    &gt;&gt; <a moz-do-not-send=3D"true" =
href=3D"https://nsn.webex.com/nsn/j.php?ED=3D268691357&amp;UID=3D0&amp;PW=3D=
NOTlkZjIwNTEy&amp;ORT">https://nsn.webex.com/nsn/j.php?ED=3D268691357&amp;=
UID=3D0&amp;PW=3DNOTlkZjIwNTEy&amp;ORT</a><br>
                    &gt;&gt; =3DMiMzMA%3D%3D<br>
                    &gt;&gt; <br>
                    &gt;&gt;
                    =
-------------------------------------------------------<br>
                    &gt;&gt; To join the teleconference only<br>
                    &gt;&gt;
                    =
-------------------------------------------------------<br>
                    &gt;&gt; Global Dial-In Numbers: <a =
moz-do-not-send=3D"true" =
href=3D"http://www.nokiasiemensnetworks.com/nvc">http://www.nokiasiemensne=
tworks.com/nvc</a><br>
                    &gt;&gt; Conference Code: 944 910 5485<br>
                    &gt;&gt;
                    _______________________________________________<br>
                    &gt;&gt; OAuth mailing list<br>
                    &gt;&gt; <a moz-do-not-send=3D"true" =
class=3D"moz-txt-link-abbreviated" =
href=3D"mailto:OAuth@ietf.org">OAuth@ietf.org</a><br>
                    &gt;&gt; <a moz-do-not-send=3D"true" =
href=3D"https://www.ietf.org/mailman/listinfo/oauth">https://www.ietf.org/=
mailman/listinfo/oauth</a><br>
                    &gt; =
_______________________________________________<br>
                    &gt; OAuth mailing list<br>
                    &gt; <a moz-do-not-send=3D"true" =
class=3D"moz-txt-link-abbreviated" =
href=3D"mailto:OAuth@ietf.org">OAuth@ietf.org</a><br>
                    &gt; <a moz-do-not-send=3D"true" =
href=3D"https://www.ietf.org/mailman/listinfo/oauth">https://www.ietf.org/=
mailman/listinfo/oauth</a><br>
                    <br>
                  </div>
                </span></font></div>
            <div class=3D"BodyFragment"><font size=3D"2"><span =
style=3D"font-size:10pt;">
                  <div =
class=3D"PlainText">_______________________________________________<br>
                    OAuth mailing list<br>
                    <a moz-do-not-send=3D"true" =
class=3D"moz-txt-link-abbreviated" =
href=3D"mailto:OAuth@ietf.org">OAuth@ietf.org</a><br>
                    <a moz-do-not-send=3D"true" =
href=3D"https://www.ietf.org/mailman/listinfo/oauth">https://www.ietf.org/=
mailman/listinfo/oauth</a><br>
                  </div>
                </span></font></div>
          </blockquote>
          <br>
        </div>
      </blockquote>
    </blockquote>
    <br>
  </div>

</blockquote></div><br></div></body></html>=

--Apple-Mail=_1F5BF2C3-799A-450D-964A-17EA8F152A6D--

From ve7jtb@ve7jtb.com  Thu Aug 22 13:47:28 2013
Content-Type: multipart/signed; boundary="Apple-Mail=_E969D45B-54CF-4689-A345-395CEB77D1D0"; protocol="application/pkcs7-signature"; micalg=sha1
Mime-Version: 1.0 (Mac OS X Mail 6.5 \(1508\))
From: John Bradley <ve7jtb@ve7jtb.com>
In-Reply-To: <52164C9B.2010909@mitre.org>
Date: Thu, 22 Aug 2013 16:47:06 -0400
Message-Id: <228D050C-CFB9-4753-A464-AB49C4522FC9@ve7jtb.com>
References: <e1cdc1b2a4d1841d12938a900355121f@lodderstedt-online.de> <706472E2-DF7D-4963-8C07-552F3690D927@ve7jtb.com> <CA+k3eCR+0MCLC5F5ZtAt28vcn0mCfM9kHOHcc2nO4BQY3vt73A@mail.gmail.com> <520FBDAC.9080404@lodderstedt.net> <CA+k3eCQNE5ScN0ebvoiS+GSpCie8L1486P45SeUVSJbVShFd0Q@mail.gmail.com> <52164C9B.2010909@mitre.org>
To: Justin Richer <jricher@mitre.org>
X-Mailer: Apple Mail (2.1508)
Cc: oauth <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Authz Header + client_id in message body

--Apple-Mail=_E969D45B-54CF-4689-A345-395CEB77D1D0
Content-Type: multipart/alternative;
	boundary="Apple-Mail=_9F864D7C-AD82-47E6-8602-F8299C851D63"


--Apple-Mail=_9F864D7C-AD82-47E6-8602-F8299C851D63
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain;
	charset=iso-8859-1

Yes that was the intent.

On 2013-08-22, at 1:38 PM, Justin Richer <jricher@mitre.org> wrote:

> +1, I believe that was the intent of the edit.
>
>  -- Justin
>
> On 08/22/2013 01:33 PM, Brian Campbell wrote:
>> I so believe that was the intent and what it probably should have said. So maybe errata makes sense?
>> On Aug 17, 2013 12:15 PM, "Torsten Lodderstedt" <torsten@lodderstedt.net> wrote:
>> Hi all,
>>
>> would it make sense to issue an errata and add a "public" to the sentence as follows?
>>
>> "A _public_ client MAY use the "client_id" request parameter to identify itself
>>    when sending requests to the token endpoint."
>>
>> regards,
>> Torsten.
>>
>> On 01.08.2013 15:57, Brian Campbell wrote:
>>> I thought I remembered that text from RFC 6749, section 3.1 as saying that a *public* client MAY use the "client_id" request parameter to identify itself...
>>>
>>> Apparently that's not what it says. But I believe that was the intent - that a client with no means of authentication could identify itself by sending only the "client_id" request parameter to the token endpoint.
>>>
>>> Sec 2.3 (http://tools.ietf.org/html/rfc6749#section-2.3) says, "The client MUST NOT use more than one authentication method in each request."
>>>
>>> And 5.2 (http://tools.ietf.org/html/rfc6749#section-5.2) has
>>>
>>>          "invalid_request
>>>                The request is missing a required parameter, includes an
>>>                unsupported parameter value (other than grant type),
>>>                repeats a parameter, includes multiple credentials,
>>>                utilizes more than one mechanism for authenticating the
>>>                client, or is otherwise malformed."
>>>
>>> There is some room for ambiguity in all that but, based on the above, I'd say that the way your server is behaving is correct Torsten.
>>>
>>>
>>>
>>> On Thu, Aug 1, 2013 at 2:13 PM, John Bradley <ve7jtb@ve7jtb.com> wrote:
>>> Hmm allowing sending the client_id even if there is no authentication was intended to mitigate cases where the client presenting the code or refresh_token was not the one that requested it, and for logging.
>>>
>>> I don't think the intention was to allow the client_id to be sent twice.
>>>
>>> If it were my Token endpoint I would ignore the extra one and only process the one sent as part of the authentication, if there is no authentication then the value of the "client_id" parameter MUST match the client_id that was used to request the token.
>>>
>>> It is probably an open question if the request should be considered malformed if it contains both.
>>>
>>> Personally I would recommend that the client not do that.
>>>
>>> Others may remember it differently.
>>>
>>> John B.
>>>
>>> On 2013-08-01, at 11:34 AM, Torsten Lodderstedt <torsten@lodderstedt.net> wrote:
>>>
>>> > Hi,
>>> >
>>> > while setting up our OIDC interop tests, we run into the following problem:
>>> >
>>> > The test client sends a request to the token endpoint, which contains the client credentials in an authorization header. Additionally, it adds the client_id to the message body. Our server treats this as an invalid request and responds with HTTP status code 400.
>>> >
>>> > Now my question: The last paragraph of RFC 6749, section 3.1 (http://tools.ietf.org/html/rfc6749#section-3.2.1) states
>>> >
>>> > "A client MAY use the "client_id" request parameter to identify itself
>>> >   when sending requests to the token endpoint."
>>> >
>>> > This seems to allow the client to send the client_id in addition to any other credential used to authenticate it.
>>> >
>>> > I'm not sure what the intention is/was. How is the server supposed to handle such cases? Shall it compare both ids (from the header and the body)? Must they match exactly?
>>> >
>>> > Any feedback is appreciated.
>>> >
>>> > regards,
>>> > Torsten.
>>> > _______________________________________________
>>> > OAuth mailing list
>>> > OAuth@ietf.org
>>> > https://www.ietf.org/mailman/listinfo/oauth


--Apple-Mail=_9F864D7C-AD82-47E6-8602-F8299C851D63--

--Apple-Mail=_E969D45B-54CF-4689-A345-395CEB77D1D0--
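
Added example (not part of the thread and not any participant's or the RFC's code): the client-identification rules debated in the message above, written as a Python check for a token endpoint. The registry, client names, secrets and function names are constructed for illustration; `on_duplicate` selects between the two server behaviours described in the thread.

```python
import base64
import hmac
from urllib.parse import parse_qs, quote_plus, unquote_plus

# Constructed client registry (assumption): a secret of None marks a public client.
CLIENTS = {"conf-client": "constructed-secret", "public-app": None}


class TokenRequestError(Exception):
    """An RFC 6749 section 5.2 error code plus the HTTP status to return."""

    def __init__(self, error, status=400):
        super().__init__(error)
        self.error = error
        self.status = status


def basic_header(client_id, secret):
    """Build an Authorization header value (form-encode, then Base64)."""
    raw = f"{quote_plus(client_id)}:{quote_plus(secret)}".encode()
    return "Basic " + base64.b64encode(raw).decode("ascii")


def parse_basic(authorization):
    """Return (client_id, secret) from a Basic header, or None if there is none."""
    scheme, _, value = (authorization or "").partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        decoded = base64.b64decode(value.strip(), validate=True).decode("utf-8")
    except ValueError:  # malformed Base64 or invalid UTF-8
        raise TokenRequestError("invalid_request")
    user, sep, password = decoded.partition(":")
    if not sep:
        raise TokenRequestError("invalid_request")
    return unquote_plus(user), unquote_plus(password)


def identify_client(authorization, body, grant_client_id, on_duplicate="reject"):
    """Return (client_id, how) for a token request or raise TokenRequestError.

    grant_client_id: the client the code or refresh token was issued to.
    on_duplicate: "reject" answers 400 when client_id accompanies header
    credentials (the server behaviour reported in the thread); "ignore"
    uses only the authenticated identity (the alternative suggested there).
    """
    params = parse_qs(body, keep_blank_values=True)
    if any(len(values) > 1 for values in params.values()):
        raise TokenRequestError("invalid_request")  # "repeats a parameter"
    body_id = params.get("client_id", [None])[0]
    body_secret = params.get("client_secret", [None])[0]
    header = parse_basic(authorization)

    if header and body_secret is not None:
        # Two authentication mechanisms in one request (sections 2.3 and 5.2).
        raise TokenRequestError("invalid_request")

    if header or body_secret is not None:
        if header:
            if body_id is not None and on_duplicate == "reject":
                raise TokenRequestError("invalid_request")
            client_id, secret = header
        elif body_id is None:
            raise TokenRequestError("invalid_request")
        else:
            client_id, secret = body_id, body_secret
        expected = CLIENTS.get(client_id)
        if expected is None or not hmac.compare_digest(
            expected.encode(), secret.encode()
        ):
            raise TokenRequestError("invalid_client", 401)
        how = "authenticated"
    else:
        if body_id is None:
            raise TokenRequestError("invalid_request")
        # Only a registered public client may identify itself by client_id alone.
        if body_id not in CLIENTS or CLIENTS[body_id] is not None:
            raise TokenRequestError("invalid_client", 401)
        client_id, how = body_id, "identified"

    if client_id != grant_client_id:
        raise TokenRequestError("invalid_grant")  # grant was issued to another client
    return client_id, how


def outcome(*args, **kwargs):
    """Run identify_client and return its result, or the error code it raised."""
    try:
        return identify_client(*args, **kwargs)
    except TokenRequestError as exc:
        return exc.error


if __name__ == "__main__":
    creds = basic_header("conf-client", "constructed-secret")
    code = "grant_type=authorization_code&code=constructed-code"  # constructed request
    print(outcome(creds, code + "&client_id=conf-client", "conf-client"))
    print(outcome(creds, code + "&client_id=conf-client", "conf-client", on_duplicate="ignore"))
    print(outcome(None, code + "&client_id=public-app", "public-app"))
    print(outcome(None, code + "&client_id=public-app", "conf-client"))
```
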

From jricher@mitre.org  Thu Aug 22 13:49:42 2013
From: "Richer, Justin P." <jricher@mitre.org>
To: Phil Hunt <phil.hunt@oracle.com>
Date: Thu, 22 Aug 2013 20:49:26 +0000
Message-ID: <E38591F6-089D-4BCE-9602-1CEB436457BC@mitre.org>
References: <1373E8CE237FCC43BCA36C6558612D2AA272FE@USCHMBX001.nsn-intra.net> <1373E8CE237FCC43BCA36C6558612D2AA27600@USCHMBX001.nsn-intra.net> <D1A778A2-8A40-4F11-A196-8BDBB836DCDC@oracle.com> <52166C4A.9060502@mitre.org> <50F21828-5816-4A9C-88A3-13F66C77921B@oracle.com> <5216722B.2060001@mitre.org> <AE7720E0-5025-452E-9B14-4C9D20216A0B@oracle.com>
In-Reply-To: <AE7720E0-5025-452E-9B14-4C9D20216A0B@oracle.com>
Content-Type: multipart/alternative; boundary="_000_E38591F6089D4BCE96021CEB436457BCmitreorg_"
MIME-Version: 1.0
Cc: oauth mailing list <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Dynamic Client Registration Conference Call: Thu 22 Aug, 2pm PDT: Conference Bridge Details -- Correction!

--_000_E38591F6089D4BCE96021CEB436457BCmitreorg_
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable

Phil, I'm not objecting to it! I never have been! I've been saying all along it's a proper extension to the base dynamic registration spec because it defines optional functionality in addition to said base spec. Why do you object to it being an extension?

 -- Justin

On Aug 22, 2013, at 4:43 PM, Phil Hunt <phil.hunt@oracle.com> wrote:

TLS doesn't define how servers obtain certificates. It just assumes they are installed. The same thing is happening here.

I'm not sure why this is objectionable. It is simply a broader model of your proprietary (meaning specific) solution for BB+.

Phil

@independentid
www.independentid.com
phil.hunt@oracle.com

On 2013-08-22, at 1:18 PM, Justin Richer <jricher@mitre.org> wrote:

But it also assumes, in many cases, a pre-registration step. I think you might be simplifying for the case of one piece of software with the same parameters talking to the same server many times. In some sense, it doesn't matter to a client developer whether they have to send their display name as part of a JSON object or as part of a signed JWT (though the former's simpler, the results are the same), they still have to send it to the server. You kick the can down the road and set up something where there's a pre-registration step where common elements of the client's registration are fixed -- but then the server's going to have to be able to get those common elements at registration time and (later) at authorization time. Unless you're building inside of a single security domain, this becomes tricky, with all kinds of trust and policy issues. But it's useful and it can be done -- that's what we did with the "trusted registration" extension that BB+ uses, with registries and discovery using the initial access token. The server effectively parses the initial access token and looks up information about the client at the registry. We also toyed with the idea of packing the registration information into the token itself. Either way, the server has to decide that it trusts whoever issued that token, and it has to be able to verify the token's veracity. In BB+, we're using discovery to find the JWK that was used to sign the token and (optionally) token introspection to verify that the initial access token hasn't been decommissioned by the registry server. In this case, it's the registry that holds the fixed information about the client -- not the auth server -- and so the trust model is different.

I think we're better off starting with the fully open case, where neither the app nor the server really know anything about each other, and build from there. We know that that's a case that people want to solve. Note that BB+ builds directly on what's already there -- you don't have to burn down the house in order to hang a painting. I think that there are so many similarities between the two that the software statement work can do the same.

I'd also like to point out something about passing client information aroun=
d: in the "fully stateless assertion" world that's being proposed (where th=
ere *is* no registration step), the client ends up passing its full registr=
ation information (as a software statement) with *every* call to the author=
ization endpoint. The fact that the registration is encoded in an assertion=
 is immaterial. Having the server be truly stateless dramatically increases=
 the amount of information sent over the wire at runtime -- that's a pretty=
 universal tradeoff, and that's not a cost that everyone wants to pay.

 -- Justin

On 08/22/2013 03:57 PM, Phil Hunt wrote:
Agreed.

The problem for dyn reg is most params are optional and passed at reg time. I think this also represents huge complexity to client app developers since each sp may be different. Moving the bulk of info to the statement simplifies the registration and encourages uniformity.

Phil

On 2013-08-22, at 12:53, Justin Richer <jricher@mitre.org> wrote:

Phil, thanks for writing this down. I think that part of the confusion in this conversation may come from the nature of items such as the client id, client secret, and even the registration access token. In many instances, these are simply random values that the server generates and stores for later use. However, as you point out, OAuth doesn't state that that has to be the case any more than it states that a server must store access tokens. The important thing is that the auth server be able to recognize and verify each of these values. As such, nothing is stopping the server from staying stateless and sending signed values to the client for each or all of these fields, much in the same way that a server can issue signed access tokens that carry all their rights and state within. As long as all of these values remain opaque to the client, everything in OAuth still works. It also works fine within the current DynReg framework, as John has just pointed out under a separate thread.

 -- Justin

On 08/22/2013 03:22 PM, Phil Hunt wrote:
I have attached a PDF including some of my thoughts, concerns, and suggestions for the upcoming meeting.

Phil

@independentid
www.independentid.com
phil.hunt@oracle.com

On 2013-08-22, at 4:06 AM, "Tschofenig, Hannes (NSN - FI/Espoo)" <hannes.tschofenig@nsn.com> wrote:

> I messed up the conference bridge time; here is the corrected version but the details are actually the same.
>
> Meeting Number: 702 442 101
> Meeting Password: oauth
>
> -------------------------------------------------------
> To join the online meeting
> -------------------------------------------------------
> 1. Go to https://nsn.webex.com/nsn/j.php?ED=268691357&UID=0&PW=NOTlkZjIwNTEy&RT=MiMyNQ%3D%3D
> 2. Enter your name and email address.
> 3. Enter the meeting password: oauth
> 4. Click "Join Now".
>
> To view in other time zones or languages, please click the link:
> https://nsn.webex.com/nsn/j.php?ED=268691357&UID=0&PW=NOTlkZjIwNTEy&ORT=MiMyNQ%3D%3D
>
> -------------------------------------------------------
> To join the Teleconference
> -------------------------------------------------------
> Global dial-in numbers: http://www.nokiasiemensnetworks.com/nvc
> Conference Code: 944 910 5485
>
> To update this meeting to your calendar program (for example Microsoft Outlook), click this link:
> https://nsn.webex.com/nsn/j.php?ED=268691357&UID=0&ICS=MRS3&LD=1&RD=2&ST=1&SHA2=KseMD/IKx0YGjSRaNyDJbqnmJ2i-xirziLGyc2bHNI8=&RT=MiMyNQ%3D%3D
>
>> -----Original Message-----
>> From: oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] On Behalf
>> Of ext Tschofenig, Hannes (NSN - FI/Espoo)
>> Sent: Wednesday, August 21, 2013 6:35 PM
>> To: oauth mailing list
>> Subject: [OAUTH-WG] Dynamic Client Registration Conference Call: Thu 22
>> Aug, 2pm PDT: Conference Bridge Details
>>
>> Here is the conference bridge and Webex information.
>>
>> From an agenda point of view I guess we should start at a basic level,
>> namely with what we have already in the dynamic client registration
>> document (and folks may have actually missed it). There are two use
>> cases described in the WG document, namely
>> - Use Case #1: Open Registration (Appendix B.1)
>> - Use Case #2: Protected Registration (Appendix B.2)
>>
>> Then, we could talk about some more sophisticated use cases where
>> information for protected registration is provided by a third party.
>>
>> --------------------
>>
>> Meeting Number: 702 442 101
>> Meeting Password: oauth
>>
>> -------------------------------------------------------
>> To join the online meeting
>> -------------------------------------------------------
>> 1. Go to
>> https://nsn.webex.com/nsn/j.php?ED=268691357&UID=0&PW=NOTlkZjIwNTEy&RT=MiMzMA%3D%3D
>> 2. Enter your name and email address.
>> 3. Enter the meeting password: oauth
>> 4. Click "Join Now".
>>
>> To view in other time zones or languages, please click the link:
>> https://nsn.webex.com/nsn/j.php?ED=268691357&UID=0&PW=NOTlkZjIwNTEy&ORT=MiMzMA%3D%3D
>>
>> -------------------------------------------------------
>> To join the teleconference only
>> -------------------------------------------------------
>> Global Dial-In Numbers: http://www.nokiasiemensnetworks.com/nvc
>> Conference Code: 944 910 5485
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth


--_000_E38591F6089D4BCE96021CEB436457BCmitreorg_--
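
Justin's point in the quoted 12:53 message (a client id can be a signed value the server verifies instead of a random value it stores) and the wire-size tradeoff he raises in this reply, as an added example that is not code from the thread or from any OAuth draft. The HMAC-over-JSON format, the function names and the sample metadata are assumptions made for illustration.

```python
import base64
import hashlib
import hmac
import json
import secrets


class InvalidClient(Exception):
    """Raised when a presented client_id cannot be trusted."""


def b64u(data: bytes) -> str:
    """URL-safe base64 without padding."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def unb64u(text: str) -> bytes:
    """Inverse of b64u: restore the padding, then decode."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_client_id(metadata: dict, key: bytes, now: int, lifetime: int = 86400) -> str:
    """Registration step: pack the client's metadata into the client_id itself.

    The server stores nothing; the client treats the result as opaque.
    """
    body = dict(metadata, iat=now, exp=now + lifetime)
    payload = b64u(json.dumps(body, sort_keys=True, separators=(",", ":")).encode())
    tag = b64u(hmac.new(key, payload.encode("ascii"), hashlib.sha256).digest())
    return f"{payload}.{tag}"


def verify_client_id(client_id: str, key: bytes, now: int) -> dict:
    """Recover the registration from a client_id, or raise InvalidClient."""
    payload, sep, tag = client_id.partition(".")
    if not sep or "." in tag:
        raise InvalidClient("malformed client_id")
    expected = b64u(
        hmac.new(key, payload.encode("utf-8", "replace"), hashlib.sha256).digest()
    )
    # Check the MAC before parsing anything the client controls.
    if not hmac.compare_digest(expected.encode(), tag.encode("utf-8", "replace")):
        raise InvalidClient("bad signature")
    body = json.loads(unb64u(payload))
    if now >= body["exp"]:
        raise InvalidClient("registration expired")
    return body


def authorize(client_id: str, redirect_uri: str, key: bytes, now: int) -> str:
    """Authorization-time check: everything needed comes from the client_id."""
    registration = verify_client_id(client_id, key, now)
    if redirect_uri not in registration["redirect_uris"]:
        raise InvalidClient("redirect_uri not registered")
    return registration["client_name"]


def wire_sizes(metadata: dict, key: bytes, now: int) -> tuple:
    """Length of a stored-style random id versus the self-contained id."""
    return len(secrets.token_urlsafe(16)), len(issue_client_id(metadata, key, now))


# Constructed sample registration, not taken from the thread.
SAMPLE_METADATA = {
    "client_name": "Example App",
    "redirect_uris": ["https://client.example/cb"],
    "token_endpoint_auth_method": "none",
}

if __name__ == "__main__":
    demo_key = secrets.token_bytes(32)
    issued_at = 1377200000
    cid = issue_client_id(SAMPLE_METADATA, demo_key, issued_at)
    print("client_id:", cid)
    print("authorized for:", authorize(cid, "https://client.example/cb", demo_key, issued_at + 60))
    print("random id vs stateless id (bytes):", wire_sizes(SAMPLE_METADATA, demo_key, issued_at))
```

A stateless server of this kind cannot revoke a single client_id before its `exp` without reintroducing state, which is the role token introspection plays in the BB+ arrangement Justin describes.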

From ve7jtb@ve7jtb.com  Thu Aug 22 13:52:59 2013
Content-Type: multipart/signed; boundary="Apple-Mail=_0449BCEF-C050-4FB7-ADAF-425A662AD997"; protocol="application/pkcs7-signature"; micalg=sha1
Mime-Version: 1.0 (Mac OS X Mail 6.5 \(1508\))
From: John Bradley <ve7jtb@ve7jtb.com>
In-Reply-To: <AE7720E0-5025-452E-9B14-4C9D20216A0B@oracle.com>
Date: Thu, 22 Aug 2013 16:52:42 -0400
Message-Id: <7432AE37-2DF7-49CD-8F14-E80C65EB6281@ve7jtb.com>
References: <1373E8CE237FCC43BCA36C6558612D2AA272FE@USCHMBX001.nsn-intra.net> <1373E8CE237FCC43BCA36C6558612D2AA27600@USCHMBX001.nsn-intra.net> <D1A778A2-8A40-4F11-A196-8BDBB836DCDC@oracle.com> <52166C4A.9060502@mitre.org> <50F21828-5816-4A9C-88A3-13F66C77921B@oracle.com> <5216722B.2060001@mitre.org> <AE7720E0-5025-452E-9B14-4C9D20216A0B@oracle.com>
To: Phil Hunt <phil.hunt@oracle.com>
X-Mailer: Apple Mail (2.1508)
Cc: oauth mailing list <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Dynamic Client Registration Conference Call: Thu 22 Aug, 2pm PDT: Conference Bridge Details -- Correction!
X-List-Received-Date: Thu, 22 Aug 2013 20:52:59 -0000

--Apple-Mail=_0449BCEF-C050-4FB7-ADAF-425A662AD997
Content-Type: multipart/alternative;
	boundary="Apple-Mail=_30369908-D1CC-4838-A326-D094098C92C7"


--Apple-Mail=_30369908-D1CC-4838-A326-D094098C92C7
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain;
	charset=us-ascii

True however this is more like a client cert and that didn't take off because of distribution and maintenance issues.

On 2013-08-22, at 4:43 PM, Phil Hunt <phil.hunt@oracle.com> wrote:

> TLS doesn't define how servers obtain certificates. It just assumes they are installed.  The same thing is happening here.
>
> I'm not sure why this is objectionable. It is simply a broader model of your proprietary (meaning specific) solution for BB+.
>
> Phil
>
> @independentid
> www.independentid.com
> phil.hunt@oracle.com
>
> On 2013-08-22, at 1:18 PM, Justin Richer <jricher@mitre.org> wrote:
>
>> But it also assumes, in many cases, a pre-registration step. I think you might be simplifying for the case of one piece of software with the same parameters talking to the same server many times. In some sense, it doesn't matter to a client developer whether they have to send their display name as part of a JSON object or as part of a signed JWT (though the former's simpler, the results are the same), they still have to send it to the server. You kick the can down the road and set up something where there's a pre-registration step where common elements of the client's registration are fixed -- but then the server's going to have to be able to get those common elements at registration time and (later) at authorization time. Unless you're building inside of a single security domain, this becomes tricky, with all kinds of trust and policy issues. But it's useful and it can be done -- that's what we did with the "trusted registration" extension that BB+ uses, with registries and discovery using the initial access token. The server effectively parses the initial access token and looks up information about the client at the registry. We also toyed with the idea of packing the registration information into the token itself. Either way, the server has to decide that it trusts whoever issued that token, and it has to be able to verify the token's veracity. In BB+, we're using discovery to find the JWK that was used to sign the token and (optionally) token introspection to verify that the initial access token hasn't been decommissioned by the registry server. In this case, it's the registry that holds the fixed information about the client -- not the auth server -- and so the trust model is different.
>>
>> I think we're better off starting with the fully open case, where neither the app nor the server really know anything about each other, and build from there. We know that that's a case that people want to solve. Note that BB+ builds directly on what's already there -- you don't have to burn down the house in order to hang a painting. I think that there are so many similarities between the two that the software statement work can do the same.
>>
>> I'd also like to point out something about passing client information around: in the "fully stateless assertion" world that's being proposed (where there *is* no registration step), the client ends up passing its full registration information (as a software statement) with *every* call to the authorization endpoint. The fact that the registration is encoded in an assertion is immaterial. Having the server be truly stateless dramatically increases the amount of information sent over the wire at runtime -- that's a pretty universal tradeoff, and that's not a cost that everyone wants to pay.
>>
>>  -- Justin
>>
>> On 08/22/2013 03:57 PM, Phil Hunt wrote:
>>> Agreed.
>>>
>>> The problem for dyn reg is most params are optional and passed at reg time. I think this also represents huge complexity to client app developers since each sp may be different. Moving the bulk of info to the statement simplifies the registration and encourages uniformity.
>>>
>>> Phil
>>>
>>> On 2013-08-22, at 12:53, Justin Richer <jricher@mitre.org> wrote:
>>>
>>>> Phil, thanks for writing this down. I think that part of the confusion in this conversation may come from the nature of items such as the client id, client secret, and even the registration access token. In many instances, these are simply random values that the server generates and stores for later use. However, as you point out, OAuth doesn't state that that has to be the case any more than it states that a server must store access tokens. The important thing is that the auth server be able to recognize and verify each of these values. As such, nothing is stopping the server from staying stateless and sending signed values to the client for each or all of these fields, much in the same way that a server can issue signed access tokens that carry all their rights and state within. As long as all of these values remain opaque to the client, everything in OAuth still works. It also works fine within the current DynReg framework, as John has just pointed out under a separate thread.
>>>>
>>>>  -- Justin
>>>>
>>>> On 08/22/2013 03:22 PM, Phil Hunt wrote:
>>>>> I have attached a PDF including some of my thoughts, concerns, and =
suggestions for the upcoming meeting.
>>>>>
>>>>> Phil
>>>>>
>>>>> @independentid
>>>>> www.independentid.com
>>>>> phil.hunt@oracle.com
>>>>>
>>>>> On 2013-08-22, at 4:06 AM, "Tschofenig, Hannes (NSN - FI/Espoo)" <hannes.tschofenig@nsn.com> wrote:
>>>>>
>>>>> > I messed up the conference bridge time; here is the corrected version but the details are actually the same.
>>>>> >
>>>>> > Meeting Number: 702 442 101
>>>>> > Meeting Password: oauth
>>>>> >
>>>>> > -------------------------------------------------------
>>>>> > To join the online meeting
>>>>> > -------------------------------------------------------
>>>>> > 1. Go to https://nsn.webex.com/nsn/j.php?ED=268691357&UID=0&PW=NOTlkZjIwNTEy&RT=MiMyNQ%3D%3D
>>>>> > 2. Enter your name and email address.
>>>>> > 3. Enter the meeting password: oauth
>>>>> > 4. Click "Join Now".
>>>>> >
>>>>> > To view in other time zones or languages, please click the link:
>>>>> > https://nsn.webex.com/nsn/j.php?ED=268691357&UID=0&PW=NOTlkZjIwNTEy&ORT=MiMyNQ%3D%3D
>>>>> >
>>>>> > -------------------------------------------------------
>>>>> > To join the Teleconference
>>>>> > -------------------------------------------------------
>>>>> > Global dial-in numbers: http://www.nokiasiemensnetworks.com/nvc
>>>>> > Conference Code: 944 910 5485
>>>>> >
>>>>> > To update this meeting to your calendar program (for example Microsoft Outlook), click this link:
>>>>> > https://nsn.webex.com/nsn/j.php?ED=268691357&UID=0&ICS=MRS3&LD=1&RD=2&ST=1&SHA2=KseMD/IKx0YGjSRaNyDJbqnmJ2i-xirziLGyc2bHNI8=&RT=MiMyNQ%3D%3D
>>>>> >
>>>>> >> -----Original Message-----
>>>>> >> From: oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] On Behalf
>>>>> >> Of ext Tschofenig, Hannes (NSN - FI/Espoo)
>>>>> >> Sent: Wednesday, August 21, 2013 6:35 PM
>>>>> >> To: oauth mailing list
>>>>> >> Subject: [OAUTH-WG] Dynamic Client Registration Conference Call: Thu 22
>>>>> >> Aug, 2pm PDT: Conference Bridge Details
>>>>> >>
>>>>> >> Here is the conference bridge and Webex information.
>>>>> >>
>>>>> >> From an agenda point of view I guess we should start at a basic level,
>>>>> >> namely with what we have already in the dynamic client registration
>>>>> >> document (and folks may have actually missed it). There are two use
>>>>> >> cases described in the WG document, namely
>>>>> >> - Use Case #1: Open Registration (Appendix B.1)
>>>>> >> - Use Case #2: Protected Registration (Appendix B.2)
>>>>> >>
>>>>> >> Then, we could talk about some more sophisticated use cases where
>>>>> >> information for protected registration is provided by a third party.
>>>>> >>
>>>>> >> --------------------
>>>>> >>
>>>>> >> Meeting Number: 702 442 101
>>>>> >> Meeting Password: oauth
>>>>> >>
>>>>> >> -------------------------------------------------------
>>>>> >> To join the online meeting
>>>>> >> -------------------------------------------------------
>>>>> >> 1. Go to
>>>>> >> https://nsn.webex.com/nsn/j.php?ED=268691357&UID=0&PW=NOTlkZjIwNTEy&RT=
>>>>> >> MiMzMA%3D%3D
>>>>> >> 2. Enter your name and email address.
>>>>> >> 3. Enter the meeting password: oauth
>>>>> >> 4. Click "Join Now".
>>>>> >>
>>>>> >> To view in other time zones or languages, please click the link:
>>>>> >> https://nsn.webex.com/nsn/j.php?ED=268691357&UID=0&PW=NOTlkZjIwNTEy&ORT
>>>>> >> =MiMzMA%3D%3D
>>>>> >>
>>>>> >> -------------------------------------------------------
>>>>> >> To join the teleconference only
>>>>> >> -------------------------------------------------------
>>>>> >> Global Dial-In Numbers: http://www.nokiasiemensnetworks.com/nvc
>>>>> >> Conference Code: 944 910 5485
>>>>> >> _______________________________________________
>>>>> >> OAuth mailing list
>>>>> >> OAuth@ietf.org
>>>>> >> https://www.ietf.org/mailman/listinfo/oauth
>>>>> > _______________________________________________
>>>>> > OAuth mailing list
>>>>> > OAuth@ietf.org
>>>>> > https://www.ietf.org/mailman/listinfo/oauth
>>>>>
>>>>> _______________________________________________
>>>>> OAuth mailing list
>>>>> OAuth@ietf.org
>>>>> https://www.ietf.org/mailman/listinfo/oauth
>>>>
>>
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth


--Apple-Mail=_30369908-D1CC-4838-A326-D094098C92C7--

--Apple-Mail=_0449BCEF-C050-4FB7-ADAF-425A662AD997--
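
Added example, not part of the original thread or of any participant's code: the quoted point that an authorization server can stay stateless by handing out signed values for the client id, shown in Python as an HMAC-protected client_id that carries the registration, together with the wire-size cost raised in the same thread. The key, the sample metadata values and all function names are assumptions made for illustration.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

# Assumption: one server-side MAC key; constructed value for the example only.
SERVER_KEY = b"constructed-demo-key"

# Constructed sample registration using dynamic-registration field names.
SAMPLE_METADATA = {
    "client_name": "Example App",
    "redirect_uris": ["https://client.example/cb"],
    "token_endpoint_auth_method": "none",
}


def b64e(raw):
    """URL-safe base64 without padding."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64d(text):
    """Inverse of b64e; restores the stripped padding."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_client_id(metadata, key=SERVER_KEY, now=None):
    """Pack the registration into the client_id and authenticate it.

    The server stores nothing; the client treats the result as opaque.
    """
    claims = dict(metadata)
    claims["iat"] = int(time.time() if now is None else now)
    body = json.dumps(claims, sort_keys=True, separators=(",", ":"))
    payload = b64e(body.encode("utf-8"))
    tag = hmac.new(key, payload.encode("ascii"), hashlib.sha256).digest()
    return payload + "." + b64e(tag)


def verify_client_id(client_id, key=SERVER_KEY, max_age=None, now=None):
    """Return the registration dict, or None if this server did not issue it."""
    try:
        payload, tag_text = client_id.split(".")
        expected = hmac.new(key, payload.encode("ascii"), hashlib.sha256).digest()
        # Constant-time comparison; the MAC is checked before any parsing.
        if not hmac.compare_digest(b64d(tag_text), expected):
            return None
        claims = json.loads(b64d(payload))
    except (ValueError, AttributeError):
        return None
    if not isinstance(claims, dict):
        return None
    if max_age is not None:
        current = time.time() if now is None else now
        if current - claims.get("iat", 0) > max_age:
            return None
    return claims


def authorize(client_id, redirect_uri, key=SERVER_KEY):
    """Authorization-endpoint check driven only by what the client sent."""
    registration = verify_client_id(client_id, key)
    if registration is None:
        return "invalid_client"
    if redirect_uri not in registration.get("redirect_uris", []):
        return "invalid_redirect_uri"
    return "ok"


def wire_overhead(metadata, now=None):
    """Lengths of a random stored-style id and of the self-contained id."""
    stored_style = secrets.token_urlsafe(16)  # the server would keep a record
    return len(stored_style), len(issue_client_id(metadata, now=now))


if __name__ == "__main__":
    cid = issue_client_id(SAMPLE_METADATA)
    print(authorize(cid, "https://client.example/cb"))
    print(authorize(cid, "https://other.example/cb"))
    print(wire_overhead(SAMPLE_METADATA))
```

With no stored record, the server cannot withdraw a single client_id; that takes a key rotation or a denylist, which reintroduces state.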

From phil.hunt@oracle.com  Thu Aug 22 13:55:28 2013
Return-Path: <phil.hunt@oracle.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CDADE11E823C for <oauth@ietfa.amsl.com>; Thu, 22 Aug 2013 13:55:28 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.198
X-Spam-Level: 
X-Spam-Status: No, score=-5.198 tagged_above=-999 required=5 tests=[AWL=0.004,  BAYES_00=-2.599, HTML_MESSAGE=0.001, MIME_QP_LONG_LINE=1.396, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id DsXZHTGvop0Z for <oauth@ietfa.amsl.com>; Thu, 22 Aug 2013 13:55:24 -0700 (PDT)
Received: from userp1040.oracle.com (userp1040.oracle.com [156.151.31.81]) by ietfa.amsl.com (Postfix) with ESMTP id EDE6B11E821C for <oauth@ietf.org>; Thu, 22 Aug 2013 13:55:23 -0700 (PDT)
Received: from ucsinet21.oracle.com (ucsinet21.oracle.com [156.151.31.93]) by userp1040.oracle.com (Sentrion-MTA-4.3.1/Sentrion-MTA-4.3.1) with ESMTP id r7MKtM3W016534 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK); Thu, 22 Aug 2013 20:55:23 GMT
Received: from userz7021.oracle.com (userz7021.oracle.com [156.151.31.85]) by ucsinet21.oracle.com (8.14.4+Sun/8.14.4) with ESMTP id r7MKtMo7019955 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Thu, 22 Aug 2013 20:55:22 GMT
Received: from abhmt119.oracle.com (abhmt119.oracle.com [141.146.116.71]) by userz7021.oracle.com (8.14.4+Sun/8.14.4) with ESMTP id r7MKtLbg019934; Thu, 22 Aug 2013 20:55:22 GMT
Received: from [192.168.1.89] (/174.7.250.104) by default (Oracle Beehive Gateway v4.0) with ESMTP ; Thu, 22 Aug 2013 13:55:21 -0700
Content-Type: multipart/alternative; boundary="Apple-Mail=_E979599B-7B41-41C7-9E48-330937CC3817"
Mime-Version: 1.0 (Mac OS X Mail 6.5 \(1508\))
From: Phil Hunt <phil.hunt@oracle.com>
In-Reply-To: <7432AE37-2DF7-49CD-8F14-E80C65EB6281@ve7jtb.com>
Date: Thu, 22 Aug 2013 13:55:21 -0700
Message-Id: <F97695B0-A485-4B7F-8062-51ABDEB77854@oracle.com>
References: <1373E8CE237FCC43BCA36C6558612D2AA272FE@USCHMBX001.nsn-intra.net> <1373E8CE237FCC43BCA36C6558612D2AA27600@USCHMBX001.nsn-intra.net> <D1A778A2-8A40-4F11-A196-8BDBB836DCDC@oracle.com> <52166C4A.9060502@mitre.org> <50F21828-5816-4A9C-88A3-13F66C77921B@oracle.com> <5216722B.2060001@mitre.org> <AE7720E0-5025-452E-9B14-4C9D20216A0B@oracle.com> <7432AE37-2DF7-49CD-8F14-E80C65EB6281@ve7jtb.com>
To: John Bradley <ve7jtb@ve7jtb.com>
X-Mailer: Apple Mail (2.1508)
X-Source-IP: ucsinet21.oracle.com [156.151.31.93]
Cc: oauth mailing list <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Dynamic Client Registration Conference Call: Thu 22 Aug, 2pm PDT: Conference Bridge Details -- Correction!
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 22 Aug 2013 20:55:28 -0000

--Apple-Mail=_E979599B-7B41-41C7-9E48-330937CC3817
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain;
	charset=us-ascii

Specifics?

Phil

@independentid
www.independentid.com
phil.hunt@oracle.com







On 2013-08-22, at 1:52 PM, John Bradley <ve7jtb@ve7jtb.com> wrote:

> True however this is more like a client cert and that didn't take off because of distribution and maintenance issues.
>
> On 2013-08-22, at 4:43 PM, Phil Hunt <phil.hunt@oracle.com> wrote:
>
>> TLS doesn't define how servers obtain certificates. It just assumes they are installed.  The same thing is happening here.
>>
>> I'm not sure why this is objectionable. It is simply a broader model of your proprietary (meaning specific) solution for BB+.
>>
>> Phil
>>
>> @independentid
>> www.independentid.com
>> phil.hunt@oracle.com
>>
>> On 2013-08-22, at 1:18 PM, Justin Richer <jricher@mitre.org> wrote:
>>
>>> But it also assumes, in many cases, a pre-registration step. I think you might be simplifying for the case of one piece of software with the same parameters talking to the same server many times. In some sense, it doesn't matter to a client developer whether they have to send their display name as part of a JSON object or as part of a signed JWT (though the former's simpler, the results are the same), they still have to send it to the server. You kick the can down the road and set up something where there's a pre-registration step where common elements of the client's registration are fixed -- but then the server's going to have to be able to get those common elements at registration time and (later) at authorization time. Unless you're building inside of a single security domain, this becomes tricky, with all kinds of trust and policy issues. But it's useful and it can be done -- that's what we did with the "trusted registration" extension that BB+ uses, with registries and discovery using the initial access token. The server effectively parses the initial access token and looks up information about the client at the registry. We also toyed with the idea of packing the registration information into the token itself. Either way, the server has to decide that it trusts whoever issued that token, and it has to be able to verify the token's veracity. In BB+, we're using discovery to find the JWK that was used to sign the token and (optionally) token introspection to verify that the initial access token hasn't been decommissioned by the registry server. In this case, it's the registry that holds the fixed information about the client -- not the auth server -- and so the trust model is different.
>>>=20
>>> I think we're better off starting with the fully open case, where =
neither the app nor the server really know anything about each other, =
and build from there. We know that that's a case that people want to =
solve. Note that BB+ builds directly on what's already there -- you =
don't have to burn down the house in order to hang a painting. I think =
that there are so many similarities between the two that the software =
statement work can do the same.=20
>>>=20
>>> I'd also like to point out something about passing client =
information around: in the "fully stateless assertion" world that's =
being proposed (where there *is* no registration step), the client ends =
up passing its full registration information (as a software statement) =
with *every* call to the authorization endpoint. The fact that the =
registration is encoded in an assertion is immaterial. Having the server =
be truly stateless dramatically increases the amount of information sent =
over the wire at runtime -- that's a pretty universal tradeoff, and =
that's not a cost that everyone wants to pay.=20
>>>=20
>>>  -- Justin
>>>=20
>>> On 08/22/2013 03:57 PM, Phil Hunt wrote:
>>>> Agreed.
>>>>
>>>> The problem for dyn reg is most params are optional and passed at reg time. I think this also represents huge complexity to client app developers since each sp may be different. Move bulk of info to statement simplifies the registration and encourages uniformity.
>>>>
>>>> Phil
>>>>
>>>> On 2013-08-22, at 12:53, Justin Richer <jricher@mitre.org> wrote:
>>>>
>>>>> Phil, thanks for writing this down. I think that part of the confusion in this conversation may come from the nature of items such as the client id, client secret, and even the registration access token. In many instances, these are simply random values that the server generates and stores for later use. However, as you point out, OAuth doesn't state that that has to be the case any more than it states that a server must store access tokens. The important thing is that the auth server be able to recognize and verify each of these values. As such, nothing is stopping the server from staying stateless and sending signed values to the client for each or all of these fields, much in the same way that a server can issue signed access tokens that carry all their rights and state within. As long as all of these values remain opaque to the client, everything in OAuth still works. It also works fine within the current DynReg framework, as John has just pointed out under a separate thread.
>>>>>
>>>>>  -- Justin
>>>>>
>>>>> On 08/22/2013 03:22 PM, Phil Hunt wrote:
>>>>>> I have attached a PDF including some of my thoughts, concerns, and suggestions for the upcoming meeting.
>>>>>>
>>>>>> Phil
>>>>>>
>>>>>> @independentid
>>>>>> www.independentid.com
>>>>>> phil.hunt@oracle.com
>>>>>>
>>>>>> On 2013-08-22, at 4:06 AM, "Tschofenig, Hannes (NSN - FI/Espoo)" <hannes.tschofenig@nsn.com> wrote:
>>>>>>
>>>>>> > I messed up the conference bridge time; here is the corrected version but the details are actually the same.
>>>>>> >
>>>>>> > Meeting Number: 702 442 101
>>>>>> > Meeting Password: oauth
>>>>>> >
>>>>>> > -------------------------------------------------------
>>>>>> > To join the online meeting
>>>>>> > -------------------------------------------------------
>>>>>> > 1. Go to https://nsn.webex.com/nsn/j.php?ED=268691357&UID=0&PW=NOTlkZjIwNTEy&RT=MiMyNQ%3D%3D
>>>>>> > 2. Enter your name and email address.
>>>>>> > 3. Enter the meeting password: oauth
>>>>>> > 4. Click "Join Now".
>>>>>> >
>>>>>> > To view in other time zones or languages, please click the link:
>>>>>> > https://nsn.webex.com/nsn/j.php?ED=268691357&UID=0&PW=NOTlkZjIwNTEy&ORT=MiMyNQ%3D%3D
>>>>>> >
>>>>>> > -------------------------------------------------------
>>>>>> > To join the Teleconference
>>>>>> > -------------------------------------------------------
>>>>>> > Global dial-in numbers: http://www.nokiasiemensnetworks.com/nvc
>>>>>> > Conference Code: 944 910 5485
>>>>>> >
>>>>>> > To update this meeting to your calendar program (for example Microsoft Outlook), click this link:
>>>>>> > https://nsn.webex.com/nsn/j.php?ED=268691357&UID=0&ICS=MRS3&LD=1&RD=2&ST=1&SHA2=KseMD/IKx0YGjSRaNyDJbqnmJ2i-xirziLGyc2bHNI8=&RT=MiMyNQ%3D%3D
>>>>>> >
>>>>>> >> -----Original Message-----
>>>>>> >> From: oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] On Behalf
>>>>>> >> Of ext Tschofenig, Hannes (NSN - FI/Espoo)
>>>>>> >> Sent: Wednesday, August 21, 2013 6:35 PM
>>>>>> >> To: oauth mailing list
>>>>>> >> Subject: [OAUTH-WG] Dynamic Client Registration Conference Call: Thu 22
>>>>>> >> Aug, 2pm PDT: Conference Bridge Details
>>>>>> >>
>>>>>> >> Here is the conference bridge and Webex information.
>>>>>> >>
>>>>>> >> From an agenda point of view I guess we should start at a basic level,
>>>>>> >> namely with what we have already in the dynamic client registration
>>>>>> >> document (and folks may have actually missed it). There are two use
>>>>>> >> cases described in the WG document, namely
>>>>>> >> - Use Case #1: Open Registration (Appendix B.1)
>>>>>> >> - Use Case #2: Protected Registration (Appendix B.2)
>>>>>> >>
>>>>>> >> Then, we could talk about some more sophisticated use cases where
>>>>>> >> information for protected registration is provided by a third party.
>>>>>> >>
>>>>>> >> --------------------
>>>>>> >>
>>>>>> >> Meeting Number: 702 442 101
>>>>>> >> Meeting Password: oauth
>>>>>> >>
>>>>>> >> -------------------------------------------------------
>>>>>> >> To join the online meeting
>>>>>> >> -------------------------------------------------------
>>>>>> >> 1. Go to
>>>>>> >> https://nsn.webex.com/nsn/j.php?ED=268691357&UID=0&PW=NOTlkZjIwNTEy&RT=
>>>>>> >> MiMzMA%3D%3D
>>>>>> >> 2. Enter your name and email address.
>>>>>> >> 3. Enter the meeting password: oauth
>>>>>> >> 4. Click "Join Now".
>>>>>> >>
>>>>>> >> To view in other time zones or languages, please click the link:
>>>>>> >> https://nsn.webex.com/nsn/j.php?ED=268691357&UID=0&PW=NOTlkZjIwNTEy&ORT
>>>>>> >> =MiMzMA%3D%3D
>>>>>> >>
>>>>>> >> -------------------------------------------------------
>>>>>> >> To join the teleconference only
>>>>>> >> -------------------------------------------------------
>>>>>> >> Global Dial-In Numbers: http://www.nokiasiemensnetworks.com/nvc
>>>>>> >> Conference Code: 944 910 5485
>>>>>> >> _______________________________________________
>>>>>> >> OAuth mailing list
>>>>>> >> OAuth@ietf.org
>>>>>> >> https://www.ietf.org/mailman/listinfo/oauth


--Apple-Mail=_E979599B-7B41-41C7-9E48-330937CC3817--
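
Added example, not part of the thread or any participant's code: a sketch of the stateless option Justin describes above, where the client_id is itself a server-signed value carrying the registration, so the authorization server verifies it instead of looking it up, and of the on-the-wire size cost he points out. It assumes HMAC-SHA256 over a JSON payload rather than a JWT library; every function name and the sample metadata are hypothetical.

```python
import base64
import hashlib
import hmac
import json
import secrets


def b64url_encode(raw: bytes) -> str:
    """Base64url without padding, as used in compact signed tokens."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    """Inverse of b64url_encode; restores the stripped padding first."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_client_id(metadata: dict, key: bytes, now: int, ttl: int = 86400) -> str:
    """Registration step: return a client_id that carries the registration.

    The server stores nothing; the HMAC tag is what lets it recognise the
    value later. The client treats the whole string as opaque.
    """
    claims = dict(metadata, iat=now, exp=now + ttl)
    body = json.dumps(claims, sort_keys=True, separators=(",", ":")).encode("utf-8")
    payload = b64url_encode(body)
    tag = hmac.new(key, payload.encode("ascii"), hashlib.sha256).digest()
    return payload + "." + b64url_encode(tag)


def verify_client_id(client_id: str, key: bytes, now: int) -> dict:
    """Recover the registration from a client_id, or raise ValueError.

    The tag is checked before the payload is parsed, so unauthenticated
    input never reaches the JSON decoder.
    """
    payload, tag_text = client_id.split(".")  # ValueError unless exactly 2 parts
    tag = b64url_decode(tag_text)             # binascii.Error is a ValueError
    expected = hmac.new(key, payload.encode("utf-8"), hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("client_id signature does not verify")
    claims = json.loads(b64url_decode(payload))
    if now >= claims["exp"]:
        raise ValueError("client_id has expired")
    return claims


def authorize(client_id: str, redirect_uri: str, key: bytes, now: int) -> bool:
    """Authorization-endpoint check done purely from the presented client_id."""
    try:
        claims = verify_client_id(client_id, key, now)
    except ValueError:
        return False
    # Exact string match against the registered redirect URIs.
    return redirect_uri in claims.get("redirect_uris", [])


def id_sizes(metadata: dict, key: bytes, now: int) -> tuple:
    """(stateless id length, stored random id length) in characters."""
    stateless = issue_client_id(metadata, key, now)
    stored = secrets.token_urlsafe(16)  # what a stateful server would hand out
    return len(stateless), len(stored)


if __name__ == "__main__":
    # Constructed sample registration; not taken from the thread.
    server_key = secrets.token_bytes(32)
    registration = {
        "client_name": "Example App",
        "redirect_uris": ["https://app.example/cb"],
        "token_endpoint_auth_method": "none",
    }
    cid = issue_client_id(registration, server_key, now=1000, ttl=3600)
    print("accepted:", authorize(cid, "https://app.example/cb", server_key, 1001))
    print("rejected:", authorize(cid, "https://other.example/cb", server_key, 1001))
    print("sizes (stateless, stored):", id_sizes(registration, server_key, 1000))
```

With a signed, self-contained identifier there is no server-side record to delete, so withdrawing a registration before `exp` needs either a short lifetime or the kind of lookup the stateless design set out to avoid.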

From wwwrun@rfc-editor.org  Thu Aug 22 14:01:55 2013
To: ietf-announce@ietf.org, rfc-dist@rfc-editor.org
From: rfc-editor@rfc-editor.org
Message-Id: <20130822205704.C107EB1E003@rfc-editor.org>
Date: Thu, 22 Aug 2013 13:57:04 -0700 (PDT)
Cc: drafts-update-ref@iana.org, oauth@ietf.org, rfc-editor@rfc-editor.org
Subject: [OAUTH-WG] RFC 7009 on OAuth 2.0 Token Revocation

A new Request for Comments is now available in online RFC libraries.

        
        RFC 7009

        Title:      OAuth 2.0 Token Revocation 
        Author:     T. Lodderstedt, Ed.,
                    S. Dronia, M. Scurtescu
        Status:     Standards Track
        Stream:     IETF
        Date:       August 2013
        Mailbox:    torsten@lodderstedt.net, 
                    sdronia@gmx.de, 
                    mscurtescu@google.com
        Pages:      11
        Characters: 23517
        Updates/Obsoletes/SeeAlso:   None

        I-D Tag:    draft-ietf-oauth-revocation-11.txt

        URL:        http://www.rfc-editor.org/rfc/rfc7009.txt

This document proposes an additional endpoint for OAuth authorization
servers, which allows clients to notify the authorization server that
a previously obtained refresh or access token is no longer needed.
This allows the authorization server to clean up security
credentials.  A revocation request will invalidate the actual token
and, if applicable, other tokens based on the same authorization
grant.

This document is a product of the Web Authorization Protocol Working Group of the IETF.

This is now a Proposed Standard.

STANDARDS TRACK: This document specifies an Internet standards track
protocol for the Internet community, and requests discussion and suggestions
for improvements.  Please refer to the current edition of the Internet
Official Protocol Standards (STD 1) for the standardization state and
status of this protocol.  Distribution of this memo is unlimited.

This announcement is sent to the IETF-Announce and rfc-dist lists.
To subscribe or unsubscribe, see
  http://www.ietf.org/mailman/listinfo/ietf-announce
  http://mailman.rfc-editor.org/mailman/listinfo/rfc-dist

For searching the RFC series, see http://www.rfc-editor.org/search/rfc_search.php
For downloading RFCs, see http://www.rfc-editor.org/rfc.html

Requests for special distribution should be addressed to either the
author of the RFC in question, or to rfc-editor@rfc-editor.org.  Unless
specifically noted otherwise on the RFC itself, all RFCs are for
unlimited distribution.


The RFC Editor Team
Association Management Solutions, LLC
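
The behaviour summarised in the abstract above (a revocation request invalidates the token itself and, if applicable, other tokens based on the same authorization grant), as an added example that is not part of the announcement or of RFC 7009. The class names, the in-memory store and the policy of cascading only from refresh tokens are assumptions of this sketch.

```python
import secrets
from dataclasses import dataclass


@dataclass
class Token:
    kind: str        # "access_token" or "refresh_token"
    client_id: str   # client the token was issued to
    grant_id: str    # authorization grant the token is based on
    active: bool = True


class TokenStore:
    """In-memory stand-in for an authorization server's token database."""

    def __init__(self):
        self._tokens = {}

    def issue(self, kind, client_id, grant_id):
        value = secrets.token_urlsafe(16)
        self._tokens[value] = Token(kind, client_id, grant_id)
        return value

    def is_active(self, value):
        token = self._tokens.get(value)
        return token is not None and token.active

    def revoke(self, value, authenticated_client_id):
        """Process a revocation request. True = accepted, False = refused."""
        token = self._tokens.get(value)
        if token is None:
            # Unknown token: the client's goal (token unusable) is already
            # met, so the request is accepted rather than reported as an error.
            return True
        if token.client_id != authenticated_client_id:
            # A client may only revoke tokens that were issued to it.
            return False
        token.active = False
        if token.kind == "refresh_token":
            # Cascade (policy assumed here): every token based on the same
            # authorization grant is invalidated together with the refresh token.
            for other in self._tokens.values():
                if other.grant_id == token.grant_id:
                    other.active = False
        return True


if __name__ == "__main__":
    # Constructed sample data: one grant with a refresh and an access token.
    store = TokenStore()
    refresh = store.issue("refresh_token", "client-a", "grant-1")
    access = store.issue("access_token", "client-a", "grant-1")
    print("accepted:", store.revoke(refresh, "client-a"))
    print("access token still active:", store.is_active(access))
```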

From derek@ihtfp.com  Thu Aug 22 14:57:57 2013
Return-Path: <derek@ihtfp.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9187F21F9BB6 for <oauth@ietfa.amsl.com>; Thu, 22 Aug 2013 14:57:57 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.599
X-Spam-Level: 
X-Spam-Status: No, score=-102.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id f-IraI9NEbg2 for <oauth@ietfa.amsl.com>; Thu, 22 Aug 2013 14:57:56 -0700 (PDT)
Received: from mail2.ihtfp.org (mail2.ihtfp.org [IPv6:2001:4830:143:1::3a11]) by ietfa.amsl.com (Postfix) with ESMTP id BC99B21F9A44 for <oauth@ietf.org>; Thu, 22 Aug 2013 14:57:56 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by mail2.ihtfp.org (Postfix) with ESMTP id 957B12602B2; Thu, 22 Aug 2013 17:57:55 -0400 (EDT)
Received: from mail2.ihtfp.org ([127.0.0.1]) by localhost (mail2.ihtfp.org [127.0.0.1]) (amavisd-maia, port 10024) with ESMTP id 07077-03; Thu, 22 Aug 2013 17:57:54 -0400 (EDT)
Received: from mocana.ihtfp.org (unknown [IPv6:fe80::224:d7ff:fee7:8924]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client CN "cliodev.ihtfp.com", Issuer "IHTFP Consulting Certification Authority" (not verified)) by mail2.ihtfp.org (Postfix) with ESMTPS id 2961F260237; Thu, 22 Aug 2013 17:57:54 -0400 (EDT)
Received: (from warlord@localhost) by mocana.ihtfp.org (8.14.7/8.14.5/Submit) id r7MLvq9c009036; Thu, 22 Aug 2013 17:57:52 -0400
From: Derek Atkins <derek@ihtfp.com>
To: Hannes Tschofenig <hannes.tschofenig@gmx.net>
References: <20130720024322.16346.87648.idtracker@ietfa.amsl.com> <0695B0C0-3D95-4CBE-836C-2BCF4E560439@gmx.net>
Date: Thu, 22 Aug 2013 17:57:51 -0400
In-Reply-To: <0695B0C0-3D95-4CBE-836C-2BCF4E560439@gmx.net> (Hannes Tschofenig's message of "Mon, 22 Jul 2013 11:03:20 +0200")
Message-ID: <sjmk3jdpew0.fsf@mocana.ihtfp.org>
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/24.2 (gnu/linux)
MIME-Version: 1.0
Content-Type: text/plain
X-Virus-Scanned: Maia Mailguard 1.0.2a
Cc: oauth mailing list <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Protocol Action: 'OAuth 2.0 Token Revocation' to Proposed Standard	(draft-ietf-oauth-revocation-11.txt)
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 22 Aug 2013 21:57:57 -0000

... Which was just published as RFC 7009.   Great work, everyone!

-derek

Hannes Tschofenig <hannes.tschofenig@gmx.net> writes:

> A big "Thank you" goes to Torsten for working hard to get the document
> through the IETF process.
>
> On Jul 20, 2013, at 4:43 AM, The IESG wrote:
>
>> The IESG has approved the following document:
>> - 'OAuth 2.0 Token Revocation'
>>  (draft-ietf-oauth-revocation-11.txt) as Proposed Standard
>> 
>> This document is the product of the Web Authorization Protocol Working
>> Group.
>> 
>> The IESG contact persons are Stephen Farrell and Sean Turner.
>> 
>> A URL of this Internet Draft is:
>> http://datatracker.ietf.org/doc/draft-ietf-oauth-revocation/
>> 
>> 
>> 
>> 
>> Technical Summary
>> 
>>   The OAuth Token Revocation specification proposes an additional 
>>   endpoint for OAuth authorization servers, which allows clients to 
>>   notify the authorization server that a previously obtained refresh 
>>   or access token is no longer needed. This allows the authorization 
>>   server to cleanup security credentials. A revocation request will 
>>   invalidate the actual token and, if applicable, other tokens based 
>>   on the same authorization grant.
>> 
>> Working Group Summary
>> 
>>   The document experienced no particular problems in the working 
>>   group. 
>> 
>> Document Quality
>> 
>>   The document has been deployed by four companies, namely 
>>   by Salesforce, Google, Deutsche Telekom, and MITRE. The 
>>   working group reviewed and discussed the document extensively. 
>> 
>>   There was a comment from the appsdir review that was not
>>   accepted. The reviewer (mnot) suggested a discovery 
>>   mechanism was needed, but the wg are working on 
>>   generic oauth discovery and not just for revocation and
>>   so decided not to make that change.
>> 
>> Personnel
>> 
>>   Hannes Tschofenig is the document shepherd. 
>>   The responsible area director is Stephen Farrell. 
>> 
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>
>

-- 
       Derek Atkins                 617-623-3745
       derek@ihtfp.com             www.ihtfp.com
       Computer and Internet Security Consultant

From derek@ihtfp.com  Thu Aug 22 15:17:31 2013
Return-Path: <derek@ihtfp.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D346611E8203 for <oauth@ietfa.amsl.com>; Thu, 22 Aug 2013 15:17:30 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.293
X-Spam-Level: 
X-Spam-Status: No, score=-102.293 tagged_above=-999 required=5 tests=[AWL=-0.306, BAYES_00=-2.599, HELO_MISMATCH_ORG=0.611, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id zNVqAQRcFi7y for <oauth@ietfa.amsl.com>; Thu, 22 Aug 2013 15:17:25 -0700 (PDT)
Received: from mail2.ihtfp.org (MAIL2.IHTFP.ORG [204.107.200.7]) by ietfa.amsl.com (Postfix) with ESMTP id 7BBF211E8122 for <oauth@ietf.org>; Thu, 22 Aug 2013 15:17:25 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by mail2.ihtfp.org (Postfix) with ESMTP id 610662602B2; Thu, 22 Aug 2013 18:17:19 -0400 (EDT)
Received: from mail2.ihtfp.org ([127.0.0.1]) by localhost (mail2.ihtfp.org [127.0.0.1]) (amavisd-maia, port 10024) with ESMTP id 07156-03; Thu, 22 Aug 2013 18:17:17 -0400 (EDT)
Received: from mocana.ihtfp.org (unknown [IPv6:fe80::224:d7ff:fee7:8924]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client CN "cliodev.ihtfp.com", Issuer "IHTFP Consulting Certification Authority" (not verified)) by mail2.ihtfp.org (Postfix) with ESMTPS id 2D641260237; Thu, 22 Aug 2013 18:17:17 -0400 (EDT)
Received: (from warlord@localhost) by mocana.ihtfp.org (8.14.7/8.14.5/Submit) id r7MMHFSr009364; Thu, 22 Aug 2013 18:17:15 -0400
From: Derek Atkins <derek@ihtfp.com>
To: igor.faynberg@alcatel-lucent.com
References: <OFE117D818.698E0F58-ON48257BBE.0034B640-48257BBE.00353DF2@zte.com.cn> <51FFD820.2050200@alcatel-lucent.com>
Date: Thu, 22 Aug 2013 18:17:15 -0400
In-Reply-To: <51FFD820.2050200@alcatel-lucent.com> (Igor Faynberg's message of "Mon, 05 Aug 2013 12:51:44 -0400")
Message-ID: <sjmfvu1pdzo.fsf@mocana.ihtfp.org>
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/24.2 (gnu/linux)
MIME-Version: 1.0
Content-Type: text/plain
X-Virus-Scanned: Maia Mailguard 1.0.2a
Cc: "zachary.zeltsan@gmail.com" <zachary.zeltsan@gmail.com>, oauth@ietf.org
Subject: Re: [OAUTH-WG] Current Progress in use case document?
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 22 Aug 2013 22:17:31 -0000

Sorry, I meant to ping about this document but I've been inundated with
"Real Work(TM)" since Berlin.

Alas, the document expired, which means we need a new version submitted
before we can send it through the process.

Can one get submitted, please?

Thanks,

-derek

Igor Faynberg <igor.faynberg@alcatel-lucent.com> writes:

> Zhou,
>
> The correct address for Zachary is on the (corrected) CC list.
>
> My take on it is that the Use Cases document has been ready for approval for
> quite a while, and there were no concerns about misunderstandings. The cases
> are clearly delineated by their respective 1) descriptions, 2) pre-conditions,
> and 3) post-conditions.
>
> I might try to help, but I don't quite understand what "some diagram" means
> here and why it should be added.  Nor do I understand what your difficulty in
> discerning one use case from another is.   If you see something specifically
> wrong with what is there please point this out. 
>
> If you need a tutorial on Use Cases, please write to Zachary.
>
> With thanks,
>
> Igor
>
> On 8/5/2013 5:40 AM, zhou.sujing@zte.com.cn wrote:
>
>     Hi, all
>          The use case document will not be updated?
>          For a reader it is very difficult to discern a use case from another
>     one.
>          Could some diagram be added? Could some explanation be added to
>     clarify why some cases cannot be supported by oauth 2.0?
>
>     _______________________________________________
>     OAuth mailing list
>     OAuth@ietf.org
>     https://www.ietf.org/mailman/listinfo/oauth
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth

-- 
       Derek Atkins                 617-623-3745
       derek@ihtfp.com             www.ihtfp.com
       Computer and Internet Security Consultant

From hannes.tschofenig@gmx.net  Fri Aug 23 01:24:48 2013
Return-Path: <hannes.tschofenig@gmx.net>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9B0B511E82D8 for <oauth@ietfa.amsl.com>; Fri, 23 Aug 2013 01:24:48 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.699
X-Spam-Level: 
X-Spam-Status: No, score=-102.699 tagged_above=-999 required=5 tests=[AWL=-0.100, BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id EYji-Ao+yDkz for <oauth@ietfa.amsl.com>; Fri, 23 Aug 2013 01:24:43 -0700 (PDT)
Received: from mout.gmx.net (mout.gmx.net [212.227.17.20]) by ietfa.amsl.com (Postfix) with ESMTP id EC58A11E8163 for <oauth@ietf.org>; Fri, 23 Aug 2013 01:24:42 -0700 (PDT)
Received: from [172.16.254.200] ([195.149.218.67]) by mail.gmx.com (mrgmx002) with ESMTPSA (Nemesis) id 0MDhba-1VHjxs3EH0-00HB8i for <oauth@ietf.org>; Fri, 23 Aug 2013 10:24:35 +0200
Message-ID: <52171C40.4040009@gmx.net>
Date: Fri, 23 Aug 2013 10:24:32 +0200
From: Hannes Tschofenig <hannes.tschofenig@gmx.net>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:17.0) Gecko/20130804 Thunderbird/17.0.8
MIME-Version: 1.0
To: "oauth@ietf.org WG" <oauth@ietf.org>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
X-Provags-ID: V03:K0:kMqI99ld0W+KVOy65Uj5J87kzUv2BlS8GnHtf4x9KAuRbGW3rId dP2Ybk7EL5aLrCrHfSsPIS1i6Pab0uLzxnhdI6xViagPGlu1VdNibD0B5jlMxQiM6gVmAlW g4N4JpekQ4ZVox5yvy6AJKuSeuzVvTTA6eqV2q4pyfEq3uklfxX7JpVAZyghG6wrI4mTEox Lm79igyILhJpOU2Ra8UFg==
Subject: [OAUTH-WG] Dynamic Client Registration Conference Call - Meeting Minutes (22. Aug)
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 23 Aug 2013 08:24:48 -0000

Thank you all for joining yesterday's conference call. I took some notes 
during the call.

---- Meeting Minutes ----

Participants:
- William Kim
- John Bradley
- Antonio Sanso
- Mike Jones
- Phil Hunt
- Justin Richer
- Hannes Tschofenig
- Derek Atkins
- Amanda Anganes
- Morteza Ansari
- Brian Campbell
- Thomas Hardjono
- Prateek Mishra
- George Fletcher
- Tony Nadalin

Minutes

Justin started with a discussion about what is described in Section 1.3 
of the protocol specification and Appendix B describes the use cases.

Dynamic client registration is one way to introduce a client to an 
authorization server.
A client is the relationship between a client piece of software and a piece
of software on the authorization server side.
The client needs a client_id and the authorization server needs to get
various other pieces of information (such as a redirect_uri, display_name).

The group then started a discussion about what the minimal amount of
information is that the authorization server needs to have.

The discussion then shifted to use cases where trust is established
a-priori (out-of-band) and is conveyed via an assertion to the dyn-reg 
exchange (protected registration) and the case where there is no trust 
(=open registration); the latter case would push the obligation to the 
user.

There seems to be agreement (on the call) that both use cases are valid.

The following examples for protected registration have been discussed:

  * manual page where the developer obtains a developer key and registers
there; they end up with an initial access token (in the form of a
bearer token)
  * UMA case where there is someone who is introducing the two parties 
to each other. (Currently not described in the document)
  * Developer Automation: Who holds the client registration information? 
The developer makes the call and you get the client_id back. The client 
is not doing the dyn. registration. (This use case is described in 
Appendix B.3)
  * John's use case: 
http://www.ietf.org/mail-archive/web/oauth/current/msg12008.html

Phil Hunt starts with his presentation slides, which he had distributed 
to the mailing list earlier:
http://www.ietf.org/mail-archive/web/oauth/current/msg12007.html

Phil says that the client_id does not need to be provided by the AS - it 
could be provided by the client. John says that the client_id has to be 
tied to the redirect_uri since otherwise attacks are possible.

Phil says we are lacking good terminology for client, and for client 
instance.

George claims that the client instance concept came up when mobile 
clients and Web clients got mixed in deployments and people wanted to 
have a way to distinguish the two since they were different in their 
ability to keep a secret.

A discussion started about whether an evolution had happened regarding 
different types of clients. The client id is a proxy for some release of 
some software. Someone claimed that with dynamic client registration we 
have the ability to turn public clients back into confidential clients.

Phil argues that service providers want to know the class of 
applications and the instances. A problem with a client can be a 
compromise and you want to disable it. There may also be a bug in the 
software and then one may want to disable the entire class of clients.

Phil asks whether we expect that JavaScript code registers every time 
the code runs. The response was clear that this is not the expectation.

Phil then goes on to explain four levels of dynamic behavior:

  * Client developer hardcodes the address of the authorization server 
and other information.
  * Developer may hardcode some information but the client may 
dynamically interact with the authorization server to provide additional 
information (suggested by John)
  * Confirmation information in the client software can be used to
determine which server to talk to and which parameters to use
  * Client software decides at runtime who to contact and what 
information to provide

Hannes stopped the discussion because we ran out of time and started a 
discussion about where we could go next.

Justin said that he has not seen anything that is not supported yet.
Tony, Phil, and Prateek say that we are trying to find the minimum 
supported information.

It seems that different folks have different use cases in mind. Can this 
situation be solved with extensions? Phil claims that the current 
specification is overly complex.

It is clear that we cannot have one single spec that covers all the use 
cases.
Are we arguing which use cases are covered in the base specification?

Tony suggested that only client_id and redirect_uri should be
supported and everything else should be dropped.

Justin responded that the rest is optional anyway.

Discussion started about what "optional" means. Does the authorization
server have to implement even optional components?

John says that we need a new feature for adding and removing a new 
endpoint. This is a common use case and we don't want to revoke all the 
permissions when we do so.

Mike says that there is some additional material needed beyond client_id 
and redirect_uri.
John agrees.

Prateek says that we need to identify a minimal subset and have 
extensions defined.

Hannes will talk to Derek about the next steps. Expect another 
conference call soon.

Phil will update the software assertion document.
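
The two registration cases from the minutes above (protected registration with an initial access token, open registration without one) and the point that the client_id has to be tied to the redirect_uri, as an added example that is not part of the original message or of the working group draft. The class and method names are hypothetical, the metadata keys redirect_uri and display_name are the ones named in the minutes, and the https-only rule is an assumption of this sketch.

```python
import hmac
import secrets
from urllib.parse import urlsplit


class RegistrationError(Exception):
    """Raised when a registration request is rejected."""


class AuthorizationServer:
    """Toy registration endpoint plus the redirect check it enables."""

    def __init__(self, initial_access_tokens=(), allow_open_registration=False):
        self._initial_access_tokens = [t.encode() for t in initial_access_tokens]
        self._allow_open = allow_open_registration
        self._clients = {}

    def register(self, metadata, initial_access_token=None):
        """Register a client and return the client_id chosen by the server."""
        if initial_access_token is not None:
            # Protected registration: trust was established out of band and
            # is presented as a bearer token; compare in constant time.
            presented = initial_access_token.encode()
            if not any(hmac.compare_digest(presented, known)
                       for known in self._initial_access_tokens):
                raise RegistrationError("unknown initial access token")
            mode = "protected"
        elif self._allow_open:
            mode = "open"
        else:
            raise RegistrationError("open registration is disabled")

        redirect_uri = metadata.get("redirect_uri", "")
        parts = urlsplit(redirect_uri)
        # Assumed policy: absolute https URI, no fragment component.
        if parts.scheme != "https" or not parts.netloc or parts.fragment:
            raise RegistrationError("redirect_uri must be an absolute https URI")

        client_id = secrets.token_urlsafe(12)
        self._clients[client_id] = {
            "redirect_uri": redirect_uri,
            "display_name": metadata.get("display_name", ""),
            "mode": mode,
        }
        return client_id

    def registration_mode(self, client_id):
        return self._clients[client_id]["mode"]

    def redirect_allowed(self, client_id, redirect_uri):
        """Authorization-request check: exact match against the bound URI."""
        client = self._clients.get(client_id)
        return client is not None and redirect_uri == client["redirect_uri"]


if __name__ == "__main__":
    # Constructed sample values throughout.
    server = AuthorizationServer(initial_access_tokens=["dev-portal-token"])
    cid = server.register(
        {"redirect_uri": "https://client.example/cb", "display_name": "Demo"},
        initial_access_token="dev-portal-token",
    )
    print(server.registration_mode(cid))
    print(server.redirect_allowed(cid, "https://client.example/cb"))
    print(server.redirect_allowed(cid, "https://other.example/cb"))
```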



From hannes.tschofenig@gmx.net  Fri Aug 23 01:25:29 2013
Return-Path: <hannes.tschofenig@gmx.net>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A229C11E8163 for <oauth@ietfa.amsl.com>; Fri, 23 Aug 2013 01:25:27 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.69
X-Spam-Level: 
X-Spam-Status: No, score=-102.69 tagged_above=-999 required=5 tests=[AWL=-0.091, BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id VW-lEWMTGvdH for <oauth@ietfa.amsl.com>; Fri, 23 Aug 2013 01:25:21 -0700 (PDT)
Received: from mout.gmx.net (mout.gmx.net [212.227.15.15]) by ietfa.amsl.com (Postfix) with ESMTP id CC33811E82CB for <oauth@ietf.org>; Fri, 23 Aug 2013 01:25:17 -0700 (PDT)
Received: from [172.16.254.200] ([195.149.218.67]) by mail.gmx.com (mrgmx003) with ESMTPSA (Nemesis) id 0MGjfl-1VGvXf2ohF-00DYoH for <oauth@ietf.org>; Fri, 23 Aug 2013 10:25:14 +0200
Message-ID: <52171C66.60002@gmx.net>
Date: Fri, 23 Aug 2013 10:25:10 +0200
From: Hannes Tschofenig <hannes.tschofenig@gmx.net>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:17.0) Gecko/20130804 Thunderbird/17.0.8
MIME-Version: 1.0
To: "oauth@ietf.org WG" <oauth@ietf.org>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
X-Provags-ID: V03:K0:scFpPg1SXsYrlnPEnlRkQUyX+83i4blZzAowm+REkVFx5fIZHOM CNqRuvgoSFfm4IwGKyK/dwNOBSzbp14fLModEVhSvB7fNGbtTt2L9QE3r+ZxSc6Gu7infJs krwVaOpk2CPZahh1wxWrQJ9QhxaniCCgJNAmxyIDzAfxvC8jXJUrVl4GMOsbVGvrZt3wHIK IT4DSST0QbMlngwHFFguw==
Subject: [OAUTH-WG] Dynamic Client Registration Conference Call: Wed 28 Aug, 2pm PDT
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 23 Aug 2013 08:25:29 -0000

Hi all,

while we managed to make some progress during yesterday's conference 
call it was clear that we need more time.

 From the information you guys entered into the poll I selected the next 
suitable date, which is Wed 28 Aug, 2pm PDT. This call will be for 90min 
(rather than 60min).

I will distribute the conference call details in time. From an agenda 
point of view we will continue the discussions and in particular try to 
investigate whether it makes sense to move some optional functionality 
from the dynamic client registration WG document to an extension 
document. We also have to finish the slide deck distributed by Phil.

Ciao
Hannes

From asanso@adobe.com  Fri Aug 23 01:56:18 2013
Return-Path: <asanso@adobe.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D492F11E82D9 for <oauth@ietfa.amsl.com>; Fri, 23 Aug 2013 01:56:18 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.599
X-Spam-Level: 
X-Spam-Status: No, score=-6.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id x0DSROz2Pw3q for <oauth@ietfa.amsl.com>; Fri, 23 Aug 2013 01:56:13 -0700 (PDT)
Received: from exprod6og107.obsmtp.com (exprod6og107.obsmtp.com [64.18.1.208]) by ietfa.amsl.com (Postfix) with ESMTP id 9985D11E82E7 for <oauth@ietf.org>; Fri, 23 Aug 2013 01:56:05 -0700 (PDT)
Received: from outbound-smtp-2.corp.adobe.com ([193.104.215.16]) by exprod6ob107.postini.com ([64.18.5.12]) with SMTP ID DSNKUhcjoUADirVQ+Pbjf1bQkYSja7FUrHl0@postini.com; Fri, 23 Aug 2013 01:56:05 PDT
Received: from inner-relay-1.corp.adobe.com (inner-relay-1.adobe.com [153.32.1.51]) by outbound-smtp-2.corp.adobe.com (8.12.10/8.12.10) with ESMTP id r7N8tx2r013598; Fri, 23 Aug 2013 01:56:00 -0700 (PDT)
Received: from nacas02.corp.adobe.com (nacas02.corp.adobe.com [10.8.189.100]) by inner-relay-1.corp.adobe.com (8.12.10/8.12.10) with ESMTP id r7N8tw6A018241; Fri, 23 Aug 2013 01:55:58 -0700 (PDT)
Received: from SJ1GWM332.corp.adobe.com (10.5.79.97) by nacas02.corp.adobe.com (10.8.189.100) with Microsoft SMTP Server (TLS) id 8.3.298.1; Fri, 23 Aug 2013 01:55:58 -0700
Received: from eurhub01.eur.adobe.com (10.128.4.30) by SJ1GWM332.corp.adobe.com (10.5.79.97) with Microsoft SMTP Server (TLS) id 14.3.158.1; Fri, 23 Aug 2013 01:55:58 -0700
Received: from eurmbx01.eur.adobe.com ([10.128.4.32]) by eurhub01.eur.adobe.com ([10.128.4.30]) with mapi; Fri, 23 Aug 2013 09:55:56 +0100
From: Antonio Sanso <asanso@adobe.com>
To: Hannes Tschofenig <hannes.tschofenig@gmx.net>
Date: Fri, 23 Aug 2013 09:55:53 +0100
Thread-Topic: [OAUTH-WG] Dynamic Client Registration Conference Call - Meeting Minutes (22. Aug)
Thread-Index: Ac6f3pO+R33FXyrySzeryD6hD0PJUw==
Message-ID: <7E028126-AC06-45A1-A219-958D0A23BA15@adobe.com>
References: <52171C40.4040009@gmx.net>
In-Reply-To: <52171C40.4040009@gmx.net>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
acceptlanguage: en-US
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Cc: "oauth@ietf.org WG" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Dynamic Client Registration Conference Call - Meeting Minutes (22. Aug)
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 23 Aug 2013 08:56:19 -0000

Hi Hannes,

thanks a lot for your notes.

As suggested from you guys yesterday I'd like to bring on my little point :)
(that is really orthogonal to the whole discussion).

IMHO since the dynamic registration is still on a design phase it would be
really nice to include something that Google already implemented in order to
allow server-to-server communication [0].

In order to allow this, in the registration phase, there is the option to
download a private key (in order to allow the client to sign self produced
signed JWT without 'human interaction'), quoting [0]

"During the creation of a Service Account, you will be prompted to download
 a private key. Be sure to save this private key in a secure location. After
 the Service Account has been created, you will also have access to the
 client_id associated with the private key."


IMHO this is a really clever way to use OAuth and would be nice to see this
standardized and having it on the big picture. Obviously this should be just
an optional field.

Just my 0.02 $

Thanks and regards

Antonio

[0] https://developers.google.com/accounts/docs/OAuth2ServiceAccount



On Aug 23, 2013, at 10:24 AM, Hannes Tschofenig wrote:

> Thank you all for joining yesterday's conference call. I took some notes
> during the call.
>
> ---- Meeting Minutes ----
>
> Participants:
> - William Kim
> - John Bradley
> - Antonio Sanso
> - Mike Jones
> - Phil Hunt
> - Justin Richer
> - Hannes Tschofenig
> - Derek Atkins
> - Amanda Anganes
> - Morteza Ansari
> - Brian Campbell
> - Thomas Hardjono
> - Prateek Mishra
> - George Fletcher
> - Tony Nadalin
>
> Minutes
>
> Justin started with a discussion about what is described in Section 1.3
> of the protocol specification and Appendix B describes the use cases.
>
> Dynamic client registration is one way to introduce a client to an
> authorization server.
> A client is the relationship between a client piece of software and a piece
> of software on the authorization server side.
> The client needs a client_id and the authorization server needs to get
> various other pieces of information (such as a redirect_uri, display_name).
>
> The group then started a discussion about what the minimal amount of
> information is that the authorization server needs to have.
>
> The discussion then shifted to use cases where trust is established
> a-priori (out-of-band) and is conveyed via an assertion to the dyn-reg
> exchange (protected registration) and the case where there is no trust
> (=open registration); the latter case would push the obligation to the
> user.
>
> There seems to be agreement (on the call) that both use cases are valid.
>
> The following examples for protected registration have been discussed:
>
>  * manual page where the developer obtains a developer key and registers
> there; they end up with an initial access token (in the form of a
> bearer token)
>  * UMA case where there is someone who is introducing the two parties
> to each other. (Currently not described in the document)
>  * Developer Automation: Who holds the client registration information?
> The developer makes the call and you get the client_id back. The client
> is not doing the dyn. registration. (This use case is described in
> Appendix B.3)
>  * John's use case:
> http://www.ietf.org/mail-archive/web/oauth/current/msg12008.html
>
> Phil Hunt starts with his presentation slides, which he had distributed
> to the mailing list earlier:
> http://www.ietf.org/mail-archive/web/oauth/current/msg12007.html
>
> Phil says that the client_id does not need to be provided by the AS - it
> could be provided by the client. John says that the client_id has to be
> tied to the redirect_uri since otherwise attacks are possible.
>
> Phil says we are lacking good terminology for client, and for client
> instance.
>
> George claims that the client instance concept came up when mobile
> clients and Web clients got mixed in deployments and people wanted to
> have a way to distinguish the two since they were different in their
> ability to keep a secret.
>
> A discussion started about whether an evolution had happened regarding
> different types of clients. The client id is a proxy for some release of
> some software. Someone claimed that with dynamic client registration we
> have the ability to turn public clients back into confidential clients.
>
> Phil argues that service providers want to know the class of
> applications and the instances. A problem with a client can be a
> compromise and you want to disable it. There may also be a bug in the
> software and then one may want to disable the entire class of clients.
>
> Phil asks whether we expect that JavaScript code registers every time
> the code runs. The response was clear that this is not the expectation.
>
> Phil then goes on to explain four levels of dynamic behavior:
>
>  * Client developer hardcodes the address of the authorization server
> and other information.
>  * Developer may hardcode some information but the client may
> dynamically interact with the authorization server to provide additional
> information (suggested by John)
>  * Confirmation information in the client software can be used to
> determine which server to talk to and which parameters to use
>  * Client software decides at runtime who to contact and what
> information to provide
>
> Hannes stopped the discussion because we ran out of time and started a
> discussion about where we could go next.
>
> Justin said that he has not seen anything that is not supported yet.
> Tony, Phil, and Prateek say that we are trying to find the minimum
> supported information.
>
> It seems that different folks have different use cases in mind. Can this
> situation be solved with extensions? Phil claims that the current
> specification is overly complex.
>
> It is clear that we cannot have one single spec that covers all the use
> cases.
> Are we arguing which use cases are covered in the base specification?
>
> Tony suggested that only client_id and redirect_uri should be
> supported and everything else should be dropped.
>
> Justin responded that the rest is optional anyway.
>
> Discussion started about what "optional" means. Does the authorization
> server have to implement even optional components?
>
> John says that we need a new feature for adding and removing a new
> endpoint. This is a common use case and we don't want to revoke all the
> permissions when we do so.
>
> Mike says that there is some additional material needed beyond client_id
> and redirect_uri.
> John agrees.
>
> Prateek says that we need to identify a minimal subset and have
> extensions defined.
>
> Hannes will talk to Derek about the next steps. Expect another
> conference call soon.
>
> Phil will update the software assertion document.
>
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth


From aanganes@mitre.org  Fri Aug 23 05:46:31 2013
Return-Path: <aanganes@mitre.org>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9523711E8111 for <oauth@ietfa.amsl.com>; Fri, 23 Aug 2013 05:46:31 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.599
X-Spam-Level: 
X-Spam-Status: No, score=-6.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 7osAKvUhaERs for <oauth@ietfa.amsl.com>; Fri, 23 Aug 2013 05:46:26 -0700 (PDT)
Received: from smtpksrv1.mitre.org (smtpksrv1.mitre.org [198.49.146.77]) by ietfa.amsl.com (Postfix) with ESMTP id B7BA911E80F4 for <oauth@ietf.org>; Fri, 23 Aug 2013 05:46:26 -0700 (PDT)
Received: from smtpksrv1.mitre.org (localhost.localdomain [127.0.0.1]) by localhost (Postfix) with SMTP id 21CF61F0B86; Fri, 23 Aug 2013 08:46:26 -0400 (EDT)
Received: from IMCCAS04.MITRE.ORG (imccas04.mitre.org [129.83.29.81]) by smtpksrv1.mitre.org (Postfix) with ESMTP id 06C941F0B7E; Fri, 23 Aug 2013 08:46:26 -0400 (EDT)
Received: from IMCMBX04.MITRE.ORG ([169.254.4.141]) by IMCCAS04.MITRE.ORG ([129.83.29.81]) with mapi id 14.02.0342.003; Fri, 23 Aug 2013 08:46:25 -0400
From: "Anganes, Amanda L" <aanganes@mitre.org>
To: Hannes Tschofenig <hannes.tschofenig@gmx.net>, "oauth@ietf.org WG" <oauth@ietf.org>
Thread-Topic: [OAUTH-WG] Dynamic Client Registration Conference Call - Meeting Minutes (22. Aug)
Thread-Index: AQHOn9pEwIgv0K1nf0mTDxeFh93WgpmivdmA
Date: Fri, 23 Aug 2013 12:46:24 +0000
Message-ID: <CE3CD05E.C04A%aanganes@mitre.org>
In-Reply-To: <52171C40.4040009@gmx.net>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
user-agent: Microsoft-MacOutlook/14.3.5.130515
x-originating-ip: [172.31.56.117]
Content-Type: text/plain; charset="us-ascii"
Content-ID: <EC6ED8D1AA633B46AB3FA979AD71EF36@imc.mitre.org>
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Subject: Re: [OAUTH-WG] Dynamic Client Registration Conference Call - Meeting Minutes (22. Aug)
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 23 Aug 2013 12:46:31 -0000

Thanks for the notes, Hannes.

I didn't speak up on the call at all because it honestly left me a bit
confused. For the first 3/4 or so I was trying to figure out what the
problem was that everyone was fighting about. Phil, Tony, and others
seemed to be pointing out that "in all of these cases that we can tell you
about, it doesn't make sense to do DynReg". That is fine. That's not a
problem; that just reflects the fact that there are different use cases
out there that may not need this OPTIONAL part of the spec suite.

After that there seemed to be some consensus (at least among those that
were bringing up the original complaints) that folks would like to see a
smaller core document, with all of the optional parts removed to one or
more extensions. I'll grant that the DynReg draft has gotten long and
there are a lot of optional pieces. Maybe it makes sense to break it out;
at the very least I think it's worth trying. Perhaps more of the WG would
accept it if that was the case.

I believe Tony commented that "if something is optional, it means that ALL
servers everywhere have to support it". I don't understand that - the
requirement for servers to ignore (i.e., don't throw an error or fall
over) if a client sends over a parameter it doesn't understand has always
been part of the core OAuth 2.0 spec. It's not a new idea.

There was also a comment that the WG doesn't have a lot of experience with
this domain. That's true, but the experience the WG *does* have is with
the UMA and OIDC use cases, which directly fed into the current draft.
DynReg v14 is sufficient for the two major classes of *real*, deployed and
under development, non-hypothetical use cases that we know of today. We
can't lose sight of this fact.

If there is something missing from the current draft, or something present
that disallows a particular requirement, I'd ask the other WG members to
please present those requirements and problems clearly so that we can
discuss them. So far I haven't seen anything concrete in this area. I've
heard a lot of contention and fighting but I can't make out what the
actual problem statement is. Phil's software statements/assertions seem
to fit well as an extension; it's not prohibited by anything existing in
the draft.

*apologies if I misattributed comments; I can recognize most of the voices
that were on the call but not all of them.

--Amanda





On 8/23/13 4:24 AM, "Hannes Tschofenig" <hannes.tschofenig@gmx.net> wrote:

>Thank you all for joining yesterday's conference call. I took some notes
>during the call.
>
>---- Meeting Minutes ----
>
>Participants:
>- William Kim
>- John Bradley
>- Antonio Sanso
>- Mike Jones
>- Phil Hunt
>- Justin Richer
>- Hannes Tschofenig
>- Derek Atkins
>- Amanda Anganes
>- Morteza Ansari
>- Brian Campbell
>- Thomas Hardjono
>- Prateek Mishra
>- George Fletcher
>- Tony Nadalin
>
>Minutes
>
>Justin started with a discussion about what is described in Section 1.3
>of the protocol specification and Appendix B describes the use cases.
>
>Dynamic client registration is one way to introduce a client to an
>authorization server.
>A client is the relationship between a client piece software and a piece
>of software on the authorization server side.
>The client needs a client_id and the authorization server needs to get
>various other pieces of information (such as a redirect_uri, display_name).
>
>The group then started a discussion about what the minimal amount of
>information is the authorization server needs to have.
>
>The discussion then shifted to use cases where trust is established
>a-priori (out-of-band) and is conveyed via an assertion to the dyn-reg
>exchange (protected registration) and the case where there is no trust
>(=open registration); the latter case would push the obligation to the
>user.
>
>There seems to be agreement (on the call) that both use cases are valid.
>
>The following examples for protected registration have been discussed:
>
>  * manual page where the developer obtains a developer key and register
>there; they end up with an initial access token (in the form of a
>bearer token)
>  * UMA case where there is someone who is introducing the two parties
>to each other. (Currently not described in the document)
>  * Developer Automation: Who holds the client registration information?
>The developer makes the call and you get the client_id back. The client
>is not doing the dyn. registration. (This use case is described in
>Appendix B.3)
>  * John's use case:
>http://www.ietf.org/mail-archive/web/oauth/current/msg12008.html
>
>Phil Hunt starts with his presentation slides, which he had distributed
>to the mailing list earlier:
>http://www.ietf.org/mail-archive/web/oauth/current/msg12007.html
>
>Phil says that the client_id does not need to be provided by the AS - it
>could be provided by the client. John says that the client_id has to be
>tied to the redirect_uri since otherwise attacks are possible.
>
>Phil says we are lacking good terminology for client, and for client
>instance.
>
>George claims that the client instance concept came up when mobile
>clients and Web clients got mixed in deployments and people wanted to
>have a way to distinguish the two since they were different in their
>ability to keep a secret.
>
>A discussion started about whether an evolution had happened regarding
>different types of clients. The client id is a proxy for some release of
>some software. Someone claimed that with dynamic client registration we
>have the ability to turn public clients back into confidential clients.
>
>Phil argues that service providers want to know the class of
>applications and the instances. A problem with a client can be a
>compromise and you want to disable it. There may also be a bug in the
>software and then one may want to disable the entire class of clients.
>
>Phil asks whether we expect that JavaScript code registers every time
>the code runs. The response was clear that this is not the expectation.
>
>Phil then goes on to explain four levels of dynamic behavior:
>
>  * Client developer hardcodes the address of the authorization server
>and other information.
>  * Developer may hardcode some information but the client may
>dynamically interact with the authorization server to provide additional
>information (suggested by John)
>  * Confirmation information in the client software can be used to
>determine which server to talk to and which parameters to use
>  * Client software decides at runtime who to contact and what
>information to provide
>
>Hannes stopped the discussion because we ran out of time and started a
>discussion about where we could go next.
>
>Justin said that he has not seen anything that is not supported yet.
>Tony, Phil, and Prateek say that we are trying to find the minimum
>supported information.
>
>It seems that different folks have different use cases in mind. Can this
>situation be solved with extensions? Phil claims that the current
>specification is overly complex.
>
>It is clear that we cannot have one single spec that covers all the use
>cases.
>Are we arguing which use cases are covered in the base specification?
>
>Tony suggested that only client_id and redirect_uri should be the
>supported and everything else should be dropped.
>
>Justin responded that the rest is optional anyway.
>
>Discussion started about what "optional" means. Does the authorization
>server have to implement even optional components?
>
>John says that we need a new feature for adding and removing a new
>endpoint. This is a common use case and we don't want to revoke all the
>permissions when we do so.
>
>Mike says that there is some additional material needed beyond client_id
>and redirect_uri.
>John agrees.
>
>Prateek says that we need to identify a minimal subset and have
>extensions defined.
>
>Hannes will talk to Derek about the next steps. Expect another
>conference call soon.
>
>Phil will update the software assertion document.
>
>
>_______________________________________________
>OAuth mailing list
>OAuth@ietf.org
>https://www.ietf.org/mailman/listinfo/oauth


From gffletch@aol.com  Fri Aug 23 08:52:32 2013
Return-Path: <gffletch@aol.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0606E11E81B7 for <oauth@ietfa.amsl.com>; Fri, 23 Aug 2013 08:52:29 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.073
X-Spam-Level: 
X-Spam-Status: No, score=-2.073 tagged_above=-999 required=5 tests=[AWL=-0.075, BAYES_00=-2.599, HTML_MESSAGE=0.001, J_CHICKENPOX_62=0.6]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id t4WVQm8IHtHY for <oauth@ietfa.amsl.com>; Fri, 23 Aug 2013 08:52:24 -0700 (PDT)
Received: from omr-d03.mx.aol.com (omr-d03.mx.aol.com [205.188.109.200]) by ietfa.amsl.com (Postfix) with ESMTP id 3B1EB11E8170 for <oauth@ietf.org>; Fri, 23 Aug 2013 08:52:20 -0700 (PDT)
Received: from mtaout-mb03.r1000.mx.aol.com (mtaout-mb03.r1000.mx.aol.com [172.29.41.67]) by omr-d03.mx.aol.com (Outbound Mail Relay) with ESMTP id C92B1700E2856; Fri, 23 Aug 2013 11:48:06 -0400 (EDT)
Received: from ping-audit-10-181-176-212-20120320.ops.aol.com (ping-audit-10-181-176-212-20120320.ops.aol.com [10.181.176.212]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by mtaout-mb03.r1000.mx.aol.com (MUA/Third Party Client Interface) with ESMTPSA id 7C169E0000B8; Fri, 23 Aug 2013 11:48:06 -0400 (EDT)
Message-ID: <52178435.6060406@aol.com>
Date: Fri, 23 Aug 2013 11:48:05 -0400
From: George Fletcher <gffletch@aol.com>
Organization: AOL LLC
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:17.0) Gecko/20130801 Thunderbird/17.0.8
MIME-Version: 1.0
To: "oauth@ietf.org WG" <oauth@ietf.org>
References: <52171C40.4040009@gmx.net>
In-Reply-To: <52171C40.4040009@gmx.net>
Content-Type: multipart/alternative; boundary="------------010907090605070901030507"
x-aol-global-disposition: G
X-AOL-VSS-INFO: 5400.1158/93179
X-AOL-VSS-CODE: clean
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=mx.aol.com; s=20121107; t=1377272886; bh=EasPla8IjtiQAN80MWWuTAnIh6KXsI50O1bb1MgxmK4=; h=From:To:Subject:Message-ID:Date:MIME-Version:Content-Type; b=rnYWKLI9EYtxnd8pNNRR3qkTmP4zqaPmFC71lM06RV0+Uo1g2ed55RexHUYFXn/FV jLRqIJB6q7Vz6V7eHmX3z14ELgM7Pe/y/ci4zZsgfaULa5FTWpqRwmGfLzDM5zKg02 y48YvvIcw9iFy2Qw6zj8PJkNwjOqp+5NU8rsBIt0=
x-aol-sid: 3039ac1d29435217843640ae
X-AOL-IP: 10.181.176.212
Subject: Re: [OAUTH-WG] Dynamic Client Registration Conference Call - Meeting Minutes (22. Aug)
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 23 Aug 2013 15:52:32 -0000

This is a multi-part message in MIME format.
--------------010907090605070901030507
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit

Description of the run-time registration use case I was discussing on 
the phone yesterday.

Consider a protected resource that supports multiple Authorization 
Services run by different organizations (i.e. not in the same domain). 
This protected resource will honor an access_token issued by the 
different Authorization Servers.

There is a client app (possibly built by a 3rd party) using the 
protected resource APIs that wants to support the largest number of 
users possible.

Run-time flow includes...
1. determine which AS is appropriate for a given user (could leverage 
webfinger)
2. dynamically register the client with the AS (one time only but done 
on an as needed basis)
3. go through the authorization flow to obtain an access token
4. present the access token to the protected resource

This model allows the client developer (and client app) to be agnostic 
to any back channel relationships between the Authorization Servers and 
the Protected Resource. A new AS could be added to the overall 
ecosystem and the client would not need to change.

Note that we do have a partner client deployed that effectively supports 
two different Authorization Servers both authorized to issue tokens for 
a protected resource at AOL. Not all of the current implementation is 
OAuth2 compatible, but the use case described above is where I want this 
capability to evolve to.


Note that the UMA case is similar...

1. requesting client attempts to access a protected resource
2. protected resource rejects access and informs the requesting client 
they need to get authorization from a particular UMA Authorization Manager
3. requesting client discovers endpoints at the designated UMA 
Authorization manager
4. requesting client dynamically registers with the Authorization 
Manager (if it hasn't already)
5. requesting client obtains an OAuth access token representing the 
user:requesting client:AS for use in helping the user provide claims to 
satisfy the UMA authorization policy for the protected resource
6. ... [rest of UMA flow]

Thanks,
George

On 8/23/13 4:24 AM, Hannes Tschofenig wrote:
> Thank you all for joining yesterday's conference call. I took some 
> notes during the call.
>
> ---- Meeting Minutes ----
>
> Participants:
> - William Kim
> - John Bradley
> - Antonio Sanso
> - Mike Jones
> - Phil Hunt
> - Justin Richer
> - Hannes Tschofenig
> - Derek Atkins
> - Amanda Anganes
> - Morteza Ansari
> - Brian Campbell
> - Thomas Hardjono
> - Prateek Mishra
> - George Fletcher
> - Tony Nadalin
>
> Minutes
>
> Justin started with a discussion about what is described in Section 
> 1.3 of the protocol specification and Appendix B describes the use cases.
>
> Dynamic client registration is one way to introduce a client to an 
> authorization server.
> A client is the relationship between a client piece software and a 
> piece of software on the authorization server side.
> The client needs a client_id and the authorization server needs to get 
> various other pieces of information (such as a redirect_uri, 
> display_name).
>
> The group then started a discussion about what the minimal amount of 
> information is the authorization server needs to have.
>
> The discussion then shifted to use cases where trust is established 
> a-priori (out-of-band) and is conveyed via an assertion to the dyn-reg 
> exchange (protected registration) and the case where there is no trust 
> (=open registration); the latter case would push the obligation to the 
> user.
>
> There seems to be agreement (on the call) that both use cases are valid.
>
> The following examples for protected registration have been discussed:
>
>  * manual page where the developer obtains a developer key and 
> register there; they end up with an initial access token (in the form 
> of a bearer token)
>  * UMA case where there is someone who is introducing the two parties 
> to each other. (Currently not described in the document)
>  * Developer Automation: Who holds the client registration 
> information? The developer makes the call and you get the client_id 
> back. The client is not doing the dyn. registration. (This use case is 
> described in Appendix B.3)
>  * John's use case: 
> http://www.ietf.org/mail-archive/web/oauth/current/msg12008.html
>
> Phil Hunt starts with his presentation slides, which he had 
> distributed to the mailing list earlier:
> http://www.ietf.org/mail-archive/web/oauth/current/msg12007.html
>
> Phil says that the client_id does not need to be provided by the AS - 
> it could be provided by the client. John says that the client_id has 
> to be tied to the redirect_uri since otherwise attacks are possible.
>
> Phil says we are lacking good terminology for client, and for client 
> instance.
>
> George claims that the client instance concept came up when mobile 
> clients and Web clients got mixed in deployments and people wanted to 
> have a way to distinguish the two since they were different in their 
> ability to keep a secret.
>
> A discussion started about whether an evolution had happened regarding 
> different types of clients. The client id is a proxy for some release 
> of some software. Someone claimed that with dynamic client 
> registration we have the ability to turn public clients back into 
> confidential clients.
>
> Phil argues that service providers want to know the class of 
> applications and the instances. A problem with a client can be a 
> compromise and you want to disable it. There may also be a bug in the 
> software and then one may want to disable the entire class of clients.
>
> Phil asks whether we expect that JavaScript code registers every time 
> the code runs. The response was clear that this is not the expectation.
>
> Phil then goes on to explain four levels of dynamic behavior:
>
>  * Client developer hardcodes the address of the authorization server 
> and other information.
>  * Developer may hardcode some information but the client may 
> dynamically interact with the authorization server to provide 
> additional information (suggested by John)
>  * Confirmation information in the client software can be used to 
> determine which server to talk to and which parameters to use
>  * Client software decides at runtime who to contact and what 
> information to provide
>
> Hannes stopped the discussion because we ran out of time and started a 
> discussion about where we could go next.
>
> Justin said that he has not seen anything that is not supported yet.
> Tony, Phil, and Prateek say that we are trying to find the minimum 
> supported information.
>
> It seems that different folks have different use cases in mind. Can 
> this situation be solved with extensions? Phil claims that the current 
> specification is overly complex.
>
> It is clear that we cannot have one single spec that covers all the 
> use cases.
> Are we arguing which use cases are covered in the base specification?
>
> Tony suggested that only client_id and redirect_uri should be the 
> supported and everything else should be dropped.
>
> Justin responded that the rest is optional anyway.
>
> Discussion started about what "optional" means. Does the authorization 
> server have to implement even optional components?
>
> John says that we need a new feature for adding and removing a new 
> endpoint. This is a common use case and we don't want to revoke all 
> the permissions when we do so.
>
> Mike says that there is some additional material needed beyond 
> client_id and redirect_uri.
> John agrees.
>
> Prateek says that we need to identify a minimal subset and have 
> extensions defined.
>
> Hannes will talk to Derek about the next steps. Expect another 
> conference call soon.
>
> Phil will update the software assertion document.
>
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>
>

-- 
George Fletcher <http://connect.me/gffletch>
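
Added example (not part of George's message, the quoted minutes, or the DynReg draft): a toy in-memory model of the run-time flow above, showing registration done once per AS on demand, open versus protected registration, a server-minted client_id tied to the registered redirect URIs, and unknown metadata being ignored rather than rejected. The class names, the `x_example_extension` field, the hosts and the token value are constructed for illustration; the field names `redirect_uris` and `client_name` follow RFC 7591 and are an assumption here.

```python
"""Toy model of dynamic client registration (added example, not project code)."""
import secrets
from urllib.parse import urlsplit


class RegistrationError(Exception):
    """Raised when a registration request is refused."""


# Metadata this toy server understands. The names follow RFC 7591 and are an
# assumption here; the minutes only mention redirect_uri and display_name.
KNOWN_FIELDS = {"redirect_uris", "client_name"}


class AuthorizationServer:
    """Hypothetical in-memory AS with a registration endpoint."""

    def __init__(self, issuer, initial_access_tokens=None):
        self.issuer = issuer
        # None = open registration; a set of tokens = protected registration.
        self.initial_access_tokens = initial_access_tokens
        self.clients = {}  # client_id -> registered metadata

    def _token_ok(self, bearer):
        if self.initial_access_tokens is None:
            return True
        if bearer is None:
            return False
        return any(secrets.compare_digest(bearer.encode(), t.encode())
                   for t in self.initial_access_tokens)

    def register(self, metadata, bearer=None):
        if not self._token_ok(bearer):
            raise RegistrationError("initial access token required")
        uris = metadata.get("redirect_uris")
        if not isinstance(uris, list) or not uris:
            raise RegistrationError("redirect_uris must be a non-empty list")
        for uri in uris:
            parts = urlsplit(uri) if isinstance(uri, str) else None
            # RFC 6749 section 3.1.2: absolute URI, no fragment component.
            if parts is None or not parts.scheme or parts.fragment:
                raise RegistrationError("redirect URI not acceptable")
        # Fields the server does not understand are dropped, not rejected.
        record = {k: v for k, v in metadata.items() if k in KNOWN_FIELDS}
        record["redirect_uris"] = tuple(uris)
        # The AS mints the client_id and stores it with the redirect URIs,
        # so the two stay tied together for every later authorization request.
        client_id = secrets.token_urlsafe(16)
        record["client_id"] = client_id
        self.clients[client_id] = record
        return dict(record)

    def redirect_allowed(self, client_id, redirect_uri):
        """Exact-match check made when an authorization request arrives."""
        record = self.clients.get(client_id)
        return record is not None and redirect_uri in record["redirect_uris"]


class Client:
    """Client that registers with each AS once, on demand."""

    def __init__(self, name, redirect_uri):
        self.name = name
        self.redirect_uri = redirect_uri
        self.registrations = {}  # issuer -> client_id, never shared across ASes

    def client_id_for(self, server, bearer=None):
        if server.issuer not in self.registrations:
            response = server.register(
                {"redirect_uris": [self.redirect_uri],
                 "client_name": self.name,
                 "x_example_extension": "not understood by this AS"},
                bearer,
            )
            self.registrations[server.issuer] = response["client_id"]
        return self.registrations[server.issuer]


def demo():
    """Run the flow against two constructed authorization servers."""
    as_one = AuthorizationServer("https://as-one.example")
    as_two = AuthorizationServer("https://as-two.example",
                                 {"constructed-initial-token"})
    app = Client("Example App", "https://app.example/cb")
    first = app.client_id_for(as_one)
    again = app.client_id_for(as_one)
    try:
        app.client_id_for(as_two)
        refused = False
    except RegistrationError:
        refused = True
    second = app.client_id_for(as_two, bearer="constructed-initial-token")
    return {
        "registered_once": first == again and len(as_one.clients) == 1,
        "protected_refused_without_token": refused,
        "distinct_ids_per_as": first != second,
        "own_redirect_ok": as_one.redirect_allowed(first, "https://app.example/cb"),
        "other_redirect_ok": as_one.redirect_allowed(first, "https://other.example/cb"),
        "id_valid_at_other_as": as_two.redirect_allowed(first, "https://app.example/cb"),
        "extension_stored": "x_example_extension" in as_one.clients[first],
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```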

--------------010907090605070901030507
Content-Type: multipart/related;
 boundary="------------080309080808020703040009"


--------------080309080808020703040009
Content-Type: text/html; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit

<html>
  <head>
    <meta content="text/html; charset=ISO-8859-1"
      http-equiv="Content-Type">
  </head>
  <body bgcolor="#FFFFFF" text="#000000">
    <font face="Helvetica, Arial, sans-serif">Description of the run-time
      registration use case I was discussing on the phone yesterday.<br>
      <br>
      Consider a protected resource that supports multiple Authorization
      Services run by different organizations (i.e. not in the same
      domain). This protected resource will honor an access_token issued
      by the different Authorization Servers.<br>
      <br>
      There is a client app (possibly built by a 3rd party) using the
      protected resource APIs that wants to support the largest number
      of users possible.<br>
      <br>
      Run-time flow includes...<br>
      1. determine which AS is appropriate for a given user (could
      leverage webfinger)<br>
      2. dynamically register the client with the AS (one time only but
      done on an as needed basis)<br>
      3. go through the authorization flow to obtain an access token<br>
      4. present the access token to the protected resource<br>
      <br>
      This model allows the client developer (and client app) to be
      agnostic to any back channel relationships between the
      Authorization Servers and the Protected Resource. A new AS could
      be added to the overall ecosystem and the client would not need
      to change.<br>
    </font><br>
    <font face="Helvetica, Arial, sans-serif"><font face="Helvetica,
        Arial, sans-serif">Note that we do have a partner client
        deployed that effectively supports two different Authorization
        Servers both authorized to issue tokens for a protected resource
        at AOL. Not all of the current implementation is OAuth2
        compatible, but the use case described above is where I want
        this capability to evolve to.<br>
        <br>
      </font><br>
      Note that the UMA case is similar...<br>
      <br>
      1. requesting client attempts to access a protected resource<br>
      2. protected resource rejects access and informs the requesting
      client they need to get authorization from a particular UMA
      Authorization Manager<br>
      3. requesting client discovers endpoints at the designated UMA Authorization
      manager<br>
      4. requesting client dynamically registers with the Authorization
      Manager (if it hasn't already)<br>
      5. requesting client obtains an OAuth access token representing
      the user:requesting client:AS for use in helping the user provide
      claims to satisfy the UMA authorization policy for the protected
      resource<br>
      6. ... [rest of UMA flow]<br>
      <br>
      Thanks,<br>
      George<br>
      &nbsp;<br>
    </font>
    <div class="moz-cite-prefix">On 8/23/13 4:24 AM, Hannes Tschofenig
      wrote:<br>
    </div>
    <blockquote cite="mid:52171C40.4040009@gmx.net" type="cite">Thank
      you all for joining yesterday's conference call. I took some notes
      during the call.
      <br>
      <br>
      ---- Meeting Minutes ----
      <br>
      <br>
      Participants:
      <br>
      - William Kim
      <br>
      - John Bradley
      <br>
      - Antonio Sanso
      <br>
      - Mike Jones
      <br>
      - Phil Hunt
      <br>
      - Justin Richer
      <br>
      - Hannes Tschofenig
      <br>
      - Derek Atkins
      <br>
      - Amanda Anganes
      <br>
      - Morteza Ansari
      <br>
      - Brian Campbell
      <br>
      - Thomas Hardjono
      <br>
      - Prateek Mishra
      <br>
      - George Fletcher
      <br>
      - Tony Nadalin
      <br>
      <br>
      Minutes
      <br>
      <br>
      Justin started with a discussion about what is described in
      Section 1.3 of the protocol specification and Appendix B describes
      the use cases.
      <br>
      <br>
      Dynamic client registration is one way to introduce a client to an
      authorization server.
      <br>
      A client is the relationship between a client piece software and a
      piece of software on the authorization server side.
      <br>
      The client needs a client_id and the authorization server needs to
      get various other pieces of information (such as a redirect_uri,
      display_name).
      <br>
      <br>
      The group then started a discussion about what the minimal amount
      of information is the authorization server needs to have.
      <br>
      <br>
      The discussion then shifted to use cases where trust is
      established a-priori (out-of-band) and is conveyed via an
      assertion to the dyn-reg exchange (protected registration) and the
      case where there is no trust (=open registration); the latter case
      would push the obligation to the user.
      <br>
      <br>
      There seems to be agreement (on the call) that both use cases are
      valid.
      <br>
      <br>
      The following examples for protected registration have been
      discussed:
      <br>
      <br>
      &nbsp;* manual page where the developer obtains a developer key and
      register there; they end up with an initial access token (in the
      form of a bearer token)
      <br>
      &nbsp;* UMA case where there is someone who is introducing the two
      parties to each other. (Currently not described in the document)
      <br>
      &nbsp;* Developer Automation: Who holds the client registration
      information? The developer makes the call and you get the
      client_id back. The client is not doing the dyn. registration.
      (This use case is described in Appendix B.3)
      <br>
      &nbsp;* John's use case:
      <a class="moz-txt-link-freetext" href="http://www.ietf.org/mail-archive/web/oauth/current/msg12008.html">http://www.ietf.org/mail-archive/web/oauth/current/msg12008.html</a>
      <br>
      <br>
      Phil Hunt starts with his presentation slides, which he had
      distributed to the mailing list earlier:
      <br>
      <a class="moz-txt-link-freetext" href="http://www.ietf.org/mail-archive/web/oauth/current/msg12007.html">http://www.ietf.org/mail-archive/web/oauth/current/msg12007.html</a>
      <br>
      <br>
      Phil says that the client_id does not need to be provided by the
      AS - it could be provided by the client. John says that the
      client_id has to be tied to the redirect_uri since otherwise
      attacks are possible.
      <br>
      <br>
      Phil says we are lacking good terminology for client, and for
      client instance.
      <br>
      <br>
      George claims that the client instance concept came up when mobile
      clients and Web clients got mixed in deployments and people wanted
      to have a way to distinguish the two since they were different in
      their ability to keep a secret.
      <br>
      <br>
      A discussion started about whether an evolution had happened
      regarding different types of clients. The client id is a proxy for
      some release of some software. Someone claimed that with dynamic
      client registration we have the ability to turn public clients
      back into confidential clients.
      <br>
      <br>
      Phil argues that service providers want to know the class of
      applications and the instances. A problem with a client can be a
      compromise and you want to disable it. There may also be a bug in
      the software and then one may want to disable the entire class of
      clients.
      <br>
      <br>
      Phil asks whether we expect that JavaScript code registers every
      time the code runs. The response was clear that this is not the
      expectation.
      <br>
      <br>
      Phil then goes on to explain four levels of dynamic behavior:
      <br>
      <br>
      &nbsp;* Client developer hardcodes the address of the authorization
      server and other information.
      <br>
      &nbsp;* Developer may hardcode some information but the client may
      dynamically interact with the authorization server to provide
      additional information (suggested by John)
      <br>
      &nbsp;* Confirmation information in the client software can be used to
      determine which server to talk to and which parameters to use
      <br>
      &nbsp;* Client software decides at runtime who to contact and what
      information to provide
      <br>
      <br>
      Hannes stopped the discussion because we ran out of time and
      started a discussion about where we could go next.
      <br>
      <br>
      Justin said that he has not seen anything that is not supported
      yet.
      <br>
      Tony, Phil, and Prateek say that we are trying to find the minimum
      supported information.
      <br>
      <br>
      It seems that different folks have different use cases in mind.
      Can this situation be solved with extensions? Phil claims that the
      current specification is overly complex.
      <br>
      <br>
      It is clear that we cannot have one single spec that covers all
      the use cases.
      <br>
      Are we arguing which use cases are covered in the base
      specification?
      <br>
      <br>
      Tony suggested that only client_id and redirect_uri should be the
      supported and everything else should be dropped.
      <br>
      <br>
      Justin responded that the rest is optional anyway.
      <br>
      <br>
      Discussion started about what "optional" means. Does the
      authorization server have to implement even optional
      components?
      <br>
      <br>
      John says that we need a new feature for adding and removing a new
      endpoint. This is a common use case and we don't want to revoke
      all the permissions when we do so.
      <br>
      <br>
      Mike says that there is some additional material needed beyond
      client_id and redirect_uri.
      <br>
      John agrees.
      <br>
      <br>
      Prateek says that we need to identify a minimal subset and have
      extensions defined.
      <br>
      <br>
      Hannes will talk to Derek about the next steps. Expect another
      conference call soon.
      <br>
      <br>
      Phil will update the software assertion document.
      <br>
      <br>
      <br>
    </blockquote>
    <br>
    <div class="moz-signature">-- <br>
      <a href="http://connect.me/gffletch" title="View full card on
        Connect.Me"><img src="cid:part1.08020208.03070609@aol.com"
          alt="George Fletcher" height="113" width="359"></a></div>
  </body>
</html>

--------------080309080808020703040009--

--------------010907090605070901030507--
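
Added example, not part of the minutes or of any draft discussed on the list: a sketch of the authorization-server side of three points from the call, namely that each client_id is bound to its registered redirect_uri values, that an endpoint can be added or removed without discarding existing grants, and that one instance or a whole class of clients can be disabled. The class and method names, the software_id label for a client class, the AS-minted client_id and the https-only URI policy are assumptions made for the illustration.

```python
# Added illustration; every name below is hypothetical, not taken from a draft.
import secrets
from dataclasses import dataclass, field
from urllib.parse import urlsplit


@dataclass
class ClientRecord:
    client_id: str
    software_id: str            # assumed label for the "class" of client
    redirect_uris: set          # exact URIs this client_id is bound to
    enabled: bool = True
    grants: set = field(default_factory=set)   # users who approved this instance


def acceptable_redirect_uri(uri):
    """Assumed policy: absolute https URI with a host and no fragment."""
    try:
        parts = urlsplit(uri)
    except ValueError:
        return False
    return parts.scheme == "https" and bool(parts.hostname) and not parts.fragment


class ClientRegistry:
    def __init__(self):
        self._clients = {}
        self._disabled_software = set()

    def register(self, software_id, redirect_uris):
        """Open registration: mint a client_id and bind it to the given URIs."""
        uris = set(redirect_uris)
        if not uris or not all(acceptable_redirect_uri(u) for u in uris):
            raise ValueError("registration needs at least one valid redirect_uri")
        client_id = secrets.token_urlsafe(16)   # assumption: minted by the AS
        self._clients[client_id] = ClientRecord(client_id, software_id, uris)
        return client_id

    def check_authorization_request(self, client_id, redirect_uri):
        """True only if the URI is one registered for this enabled client."""
        rec = self._clients.get(client_id)
        if rec is None or not rec.enabled:
            return False
        if rec.software_id in self._disabled_software:
            return False
        # Exact string match: no prefix, host-only or pattern comparison.
        return redirect_uri in rec.redirect_uris

    def record_grant(self, client_id, user):
        self._clients[client_id].grants.add(user)

    def grants(self, client_id):
        return frozenset(self._clients[client_id].grants)

    def update_redirect_uris(self, client_id, add=(), remove=()):
        """Add or remove endpoints; client_id and existing grants are kept."""
        rec = self._clients[client_id]
        new_uris = (rec.redirect_uris | set(add)) - set(remove)
        if not new_uris or not all(acceptable_redirect_uri(u) for u in new_uris):
            raise ValueError("update would leave no valid redirect_uri")
        rec.redirect_uris = new_uris

    def disable_instance(self, client_id):
        """Turn off one compromised instance."""
        self._clients[client_id].enabled = False

    def disable_software(self, software_id):
        """Turn off every instance of a faulty software release."""
        self._disabled_software.add(software_id)


if __name__ == "__main__":
    # Constructed sample values.
    reg = ClientRegistry()
    cid = reg.register("photo-app/1.2", ["https://app.example/cb"])
    print(reg.check_authorization_request(cid, "https://app.example/cb"))
    print(reg.check_authorization_request(cid, "https://other.example/cb"))
```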

From ve7jtb@ve7jtb.com  Fri Aug 23 09:16:22 2013
Content-Type: multipart/signed; boundary="Apple-Mail=_C5EB1806-C813-42A4-97C1-9B15A2DFDFB6"; protocol="application/pkcs7-signature"; micalg=sha1
Mime-Version: 1.0 (Mac OS X Mail 6.5 \(1508\))
From: John Bradley <ve7jtb@ve7jtb.com>
In-Reply-To: <7E028126-AC06-45A1-A219-958D0A23BA15@adobe.com>
Date: Fri, 23 Aug 2013 12:16:09 -0400
Message-Id: <28CD6095-33F7-476F-A199-D57C78C9E5C6@ve7jtb.com>
References: <52171C40.4040009@gmx.net> <7E028126-AC06-45A1-A219-958D0A23BA15@adobe.com>
To: Antonio Sanso <asanso@adobe.com>
X-Mailer: Apple Mail (2.1508)
Cc: "oauth@ietf.org WG" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Dynamic Client Registration Conference Call - Meeting Minutes (22. Aug)

--Apple-Mail=_C5EB1806-C813-42A4-97C1-9B15A2DFDFB6
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain;
	charset=us-ascii

We have that in the OIDC version where the client publishes its public
key.  That is in general better from a security point of view if you
believe clients can securely generate key pairs.

It is not in the IETF version because we were asked not to include
authentication methods not defined in the core spec, as they were
thought best to be extensions.

It currently looks like the pressure is on to remove configuration
options rather than add them.

I agree that client registration is a reasonable place to exchange keys
and avoid having symmetric secrets, that is the preferred OIDC
implementation for clients that can support it.

John B.


On 2013-08-23, at 4:55 AM, Antonio Sanso <asanso@adobe.com> wrote:

> Hi Hannes,
>
> thanks a lot for your notes.
>
> As suggested from you guys yesterday I'd like to bring on my little
> point :) (that is really orthogonal to the whole discussion).
>
> IMHO since the dynamic registration is still on a design phase it
> would be really nice to include something that Google already
> implemented in order to allow server-to-server communication [0].
>
> In order to allow this, in the registration phase, there is the option
> to download a private key (in order to allow the client to sign self
> produced signed JWT without 'human interaction'), quoting [0]
>
> "During the creation of a Service Account, you will be prompted to
> download a private key. Be sure to save this private key in a secure
> location. After the Service Account has been created, you will also have
> access to the client_id associated with the private key."
>
> IMHO this is a really clever way to use OAuth and would be nice to see
> this standardized and having it on the big picture. Obviously this
> should be just an optional field.
>
> Just my 0.02 $
>
> Thanks and regards
>
> Antonio
>
> [0] https://developers.google.com/accounts/docs/OAuth2ServiceAccount
>
> On Aug 23, 2013, at 10:24 AM, Hannes Tschofenig wrote:
>
>> Thank you all for joining yesterday's conference call. I took some notes
>> during the call.
>>
>> ---- Meeting Minutes ----
>>
>> Participants:
>> - William Kim
>> - John Bradley
>> - Antonio Sanso
>> - Mike Jones
>> - Phil Hunt
>> - Justin Richer
>> - Hannes Tschofenig
>> - Derek Atkins
>> - Amanda Anganes
>> - Morteza Ansari
>> - Brian Campbell
>> - Thomas Hardjono
>> - Prateek Mishra
>> - George Fletcher
>> - Tony Nadalin
>>
>> Minutes
>>
>> Justin started with a discussion about what is described in Section 1.3
>> of the protocol specification and Appendix B describes the use cases.
>>
>> Dynamic client registration is one way to introduce a client to an
>> authorization server.
>> A client is the relationship between a client piece of software and a piece
>> of software on the authorization server side.
>> The client needs a client_id and the authorization server needs to get
>> various other pieces of information (such as a redirect_uri, display_name).
>>
>> The group then started a discussion about what the minimal amount of
>> information is the authorization server needs to have.
>>
>> The discussion then shifted to use cases where trust is established
>> a-priori (out-of-band) and is conveyed via an assertion to the dyn-reg
>> exchange (protected registration) and the case where there is no trust
>> (=open registration); the latter case would push the obligation to the
>> user.
>>
>> There seems to be agreement (on the call) that both use cases are valid.
>>
>> The following examples for protected registration have been discussed:
>>
>> * manual page where the developer obtains a developer key and registers
>> there; they end up with an initial access token (in the form of a
>> bearer token)
>> * UMA case where there is someone who is introducing the two parties
>> to each other. (Currently not described in the document)
>> * Developer Automation: Who holds the client registration information?
>> The developer makes the call and you get the client_id back. The client
>> is not doing the dyn. registration. (This use case is described in
>> Appendix B.3)
>> * John's use case:
>> http://www.ietf.org/mail-archive/web/oauth/current/msg12008.html
>>
>> Phil Hunt starts with his presentation slides, which he had distributed
>> to the mailing list earlier:
>> http://www.ietf.org/mail-archive/web/oauth/current/msg12007.html
>>
>> Phil says that the client_id does not need to be provided by the AS - it
>> could be provided by the client. John says that the client_id has to be
>> tied to the redirect_uri since otherwise attacks are possible.
>>
>> Phil says we are lacking good terminology for client, and for client
>> instance.
>>
>> George claims that the client instance concept came up when mobile
>> clients and Web clients got mixed in deployments and people wanted to
>> have a way to distinguish the two since they were different in their
>> ability to keep a secret.
>>
>> A discussion started about whether an evolution had happened regarding
>> different types of clients. The client id is a proxy for some release of
>> some software. Someone claimed that with dynamic client registration we
>> have the ability to turn public clients back into confidential clients.
>>
>> Phil argues that service providers want to know the class of
>> applications and the instances. A problem with a client can be a
>> compromise and you want to disable it. There may also be a bug in the
>> software and then one may want to disable the entire class of clients.
>>
>> Phil asks whether we expect that JavaScript code registers every time
>> the code runs. The response was clear that this is not the expectation.
>>
>> Phil then goes on to explain four levels of dynamic behavior:
>>
>> * Client developer hardcodes the address of the authorization server
>> and other information.
>> * Developer may hardcode some information but the client may
>> dynamically interact with the authorization server to provide additional
>> information (suggested by John)
>> * Confirmation information in the client software can be used to
>> determine which server to talk to and which parameters to use
>> * Client software decides at runtime who to contact and what
>> information to provide
>>
>> Hannes stopped the discussion because we ran out of time and started a
>> discussion about where we could go next.
>>
>> Justin said that he has not seen anything that is not supported yet.
>> Tony, Phil, and Prateek say that we are trying to find the minimum
>> supported information.
>>
>> It seems that different folks have different use cases in mind. Can this
>> situation be solved with extensions? Phil claims that the current
>> specification is overly complex.
>>
>> It is clear that we cannot have one single spec that covers all the use
>> cases.
>> Are we arguing which use cases are covered in the base specification?
>>
>> Tony suggested that only client_id and redirect_uri should be the
>> supported and everything else should be dropped.
>>
>> Justin responded that the rest is optional anyway.
>>
>> Discussion started about what "optional" means. Does the authorization
>> server have to implement even optional components?
>>
>> John says that we need a new feature for adding and removing a new
>> endpoint. This is a common use case and we don't want to revoke all the
>> permissions when we do so.
>>
>> Mike says that there is some additional material needed beyond client_id
>> and redirect_uri.
>> John agrees.
>>
>> Prateek says that we need to identify a minimal subset and have
>> extensions defined.
>>
>> Hannes will talk to Derek about the next steps. Expect another
>> conference call soon.
>>
>> Phil will update the software assertion document.


--Apple-Mail=_C5EB1806-C813-42A4-97C1-9B15A2DFDFB6--

From phil.hunt@oracle.com  Fri Aug 23 09:40:07 2013
References: <52171C40.4040009@gmx.net> <7E028126-AC06-45A1-A219-958D0A23BA15@adobe.com> <28CD6095-33F7-476F-A199-D57C78C9E5C6@ve7jtb.com>
Mime-Version: 1.0 (1.0)
In-Reply-To: <28CD6095-33F7-476F-A199-D57C78C9E5C6@ve7jtb.com>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: quoted-printable
Message-Id: <4E93DDF0-1A7C-469F-8E07-64D9FB5C8DD3@oracle.com>
X-Mailer: iPhone Mail (10B329)
From: Phil Hunt <phil.hunt@oracle.com>
Date: Fri, 23 Aug 2013 09:39:51 -0700
To: John Bradley <ve7jtb@ve7jtb.com>
X-Source-IP: acsinet22.oracle.com [141.146.126.238]
Cc: "oauth@ietf.org WG" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Dynamic Client Registration Conference Call - Meeting Minutes (22. Aug)

Hmmm. We are defining token drafts that discuss key distribution. Part of my
objection is that doing a different method in reg not only overloads reg but
complicates key mgmt.

Phil

On 2013-08-23, at 9:16, John Bradley <ve7jtb@ve7jtb.com> wrote:

> We have that in the OIDC version where the client publishes its public
> key.  That is in general better from a security point of view if you
> believe clients can securely generate key pairs.
>
> It is not in the IETF version because we were asked not to include
> authentication methods not defined in the core spec, as they were
> thought best to be extensions.
>
> It currently looks like the pressure is on to remove configuration
> options rather than add them.
>
> I agree that client registration is a reasonable place to exchange keys
> and avoid having symmetric secrets, that is the preferred OIDC
> implementation for clients that can support it.
>
> John B.

From asanso@adobe.com  Fri Aug 23 09:45:40 2013
From: Antonio Sanso <asanso@adobe.com>
To: John Bradley <ve7jtb@ve7jtb.com>
Date: Fri, 23 Aug 2013 17:42:18 +0100
Thread-Topic: [OAUTH-WG] Dynamic Client Registration Conference Call - Meeting Minutes (22. Aug)
Thread-Index: Ac6gHBwiR7aXvJcZQ3K6tHxUJJelLwAA58FG
Message-ID: <A801C24769E413478CBDD0D99D1ACB7C0278041059C5@eurmbx01.eur.adobe.com>
References: <52171C40.4040009@gmx.net> <7E028126-AC06-45A1-A219-958D0A23BA15@adobe.com>, <28CD6095-33F7-476F-A199-D57C78C9E5C6@ve7jtb.com>
In-Reply-To: <28CD6095-33F7-476F-A199-D57C78C9E5C6@ve7jtb.com>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Cc: "oauth@ietf.org WG" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Dynamic Client Registration Conference Call - Meeting Minutes (22. Aug)

Thanks a lot John for your answer.

How about the server to server flow per se as in [0].

Is it standardized anywhere (OAuth/OIDC)? Or is it just custom at Google?

I think this is kind of clever and really suits cases where there is no
"human interaction"

regards

Antonio

________________________________________
From: John Bradley [ve7jtb@ve7jtb.com]
Sent: 23 August 2013 18:16
To: Antonio Sanso
Cc: Hannes Tschofenig; oauth@ietf.org WG
Subject: Re: [OAUTH-WG] Dynamic Client Registration Conference Call - Meeting Minutes (22. Aug)

We have that in the OIDC version where the client publishes its public
key.  That is in general better from a security point of view if you
believe clients can securely generate key pairs.

It is not in the IETF version because we were asked not to include
authentication methods not defined in the core spec, as they were
thought best to be extensions.

It currently looks like the pressure is on to remove configuration
options rather than add them.

I agree that client registration is a reasonable place to exchange keys
and avoid having symmetric secrets, that is the preferred OIDC
implementation for clients that can support it.

John B.

On 2013-08-23, at 4:55 AM, Antonio Sanso <asanso@adobe.com> wrote:

> Hi Hannes,
>
> thanks a lot for your notes.
>
> As suggested from you guys yesterday I'd like to bring on my little
> point :) (that is really orthogonal to the whole discussion).
>
> IMHO since the dynamic registration is still on a design phase it
> would be really nice to include something that Google already
> implemented in order to allow server-to-server communication [0].
>
> In order to allow this, in the registration phase, there is the option
> to download a private key (in order to allow the client to sign self
> produced signed JWT without 'human interaction'), quoting [0]
>
> "During the creation of a Service Account, you will be prompted to
> download a private key. Be sure to save this private key in a secure
> location. After the Service Account has been created, you will also have
> access to the client_id associated with the private key."
>
>
> IMHO this is a really clever way to use OAuth and would be nice to see
> this standardized and having it on the big picture. Obviously this
> should be just an optional field.
>
> Just my 0.02 $
>
> Thanks and regards
>
> Antonio
>
> [0] https://developers.google.com/accounts/docs/OAuth2ServiceAccount
>
>
>
> On Aug 23, 2013, at 10:24 AM, Hannes Tschofenig wrote:
>
>> Thank you all for joining yesterday's conference call. I took some notes
>> during the call.
>>
>> ---- Meeting Minutes ----
>>
>> Participants:
>> - William Kim
>> - John Bradley
>> - Antonio Sanso
>> - Mike Jones
>> - Phil Hunt
>> - Justin Richer
>> - Hannes Tschofenig
>> - Derek Atkins
>> - Amanda Anganes
>> - Morteza Ansari
>> - Brian Campbell
>> - Thomas Hardjono
>> - Prateek Mishra
>> - George Fletcher
>> - Tony Nadalin
>>
>> Minutes
>>
>> Justin started with a discussion about what is described in Section 1.3
>> of the protocol specification and Appendix B describes the use cases.
>>
>> Dynamic client registration is one way to introduce a client to an
>> authorization server.
>> A client is the relationship between a client piece of software and a piece
>> of software on the authorization server side.
>> The client needs a client_id and the authorization server needs to get
>> various other pieces of information (such as a redirect_uri, display_name).
>>
>> The group then started a discussion about what the minimal amount of
>> information is the authorization server needs to have.
>>
>> The discussion then shifted to use cases where trust is established
>> a-priori (out-of-band) and is conveyed via an assertion to the dyn-reg
>> exchange (protected registration) and the case where there is no trust
>> (=open registration); the latter case would push the obligation to the
>> user.
>>
>> There seems to be agreement (on the call) that both use cases are valid.
>>
>> The following examples for protected registration have been discussed:
>>
>> * manual page where the developer obtains a developer key and registers
>> there; they end up with an initial access token (in the form of a
>> bearer token)
>> * UMA case where there is someone who is introducing the two parties
>> to each other. (Currently not described in the document)
>> * Developer Automation: Who holds the client registration information?
>> The developer makes the call and you get the client_id back. The client
>> is not doing the dyn. registration. (This use case is described in
>> Appendix B.3)
>> * John's use case:
>> http://www.ietf.org/mail-archive/web/oauth/current/msg12008.html
>>
>> Phil Hunt starts with his presentation slides, which he had distributed
>> to the mailing list earlier:
>> http://www.ietf.org/mail-archive/web/oauth/current/msg12007.html
>>
>> Phil says that the client_id does not need to be provided by the AS - it
>> could be provided by the client. John says that the client_id has to be
>> tied to the redirect_uri since otherwise attacks are possible.
>>
>> Phil says we are lacking good terminology for client, and for client
>> instance.
>>
>> George claims that the client instance concept came up when mobile
>> clients and Web clients got mixed in deployments and people wanted to
>> have a way to distinguish the two since they were different in their
>> ability to keep a secret.
>>
>> A discussion started about whether an evolution had happened regarding
>> different types of clients. The client id is a proxy for some release of
>> some software. Someone claimed that with dynamic client registration we
>> have the ability to turn public clients back into confidential clients.
>>
>> Phil argues that service providers want to know the class of
>> applications and the instances. A problem with a client can be a
>> compromise and you want to disable it. There may also be a bug in the
>> software and then one may want to disable the entire class of clients.
>>
>> Phil asks whether we expect that JavaScript code registers every time
>> the code runs. The response was clear that this is not the expectation.
>>
>> Phil then goes on to explain four levels of dynamic behavior:
>>
>> * Client developer hardcodes the address of the authorization server
>> and other information.
>> * Developer may hardcode some information but the client may
>> dynamically interact with the authorization server to provide additional
>> information (suggested by John)
>> * Confirmation information in the client software can be used to
>> determine which server to talk to and which parameters to use
>> * Client software decides at runtime who to contact and what
>> information to provide
>>
>> Hannes stopped the discussion because we ran out of time and started a
>> discussion about where we could go next.
>>
>> Justin said that he has not seen anything that is not supported yet.
>> Tony, Phil, and Prateek say that we are trying to find the minimum
>> supported information.
>>
>> It seems that different folks have different use cases in mind. Can this
>> situation be solved with extensions? Phil claims that the current
>> specification is overly complex.
>>
>> It is clear that we cannot have one single spec that covers all the use
>> cases.
>> Are we arguing which use cases are covered in the base specification?
>>
>> Tony suggested that only client_id and redirect_uri should be
>> supported and everything else should be dropped.
>>
>> Justin responded that the rest is optional anyway.
>>
>> Discussion started about what "optional" means. Does the authorization
>> server have to implement even optional components?
>>
>> John says that we need a new feature for adding and removing a new
>> endpoint. This is a common use case and we don't want to revoke all the
>> permissions when we do so.
>>
>> Mike says that there is some additional material needed beyond client_id
>> and redirect_uri.
>> John agrees.
>>
>> Prateek says that we need to identify a minimal subset and have
>> extensions defined.
>>
>> Hannes will talk to Derek about the next steps. Expect another
>> conference call soon.
>>
>> Phil will update the software assertion document.
>>
>>
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth


From tonynad@microsoft.com  Fri Aug 23 10:08:44 2013
Return-Path: <tonynad@microsoft.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9A78E11E81CB for <oauth@ietfa.amsl.com>; Fri, 23 Aug 2013 10:08:44 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.434
X-Spam-Level: 
X-Spam-Status: No, score=-3.434 tagged_above=-999 required=5 tests=[AWL=0.165,  BAYES_00=-2.599, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id gQgxpHhvuJuP for <oauth@ietfa.amsl.com>; Fri, 23 Aug 2013 10:08:40 -0700 (PDT)
Received: from na01-by2-obe.outbound.protection.outlook.com (mail-by2lp0240.outbound.protection.outlook.com [207.46.163.240]) by ietfa.amsl.com (Postfix) with ESMTP id DF5B511E830F for <oauth@ietf.org>; Fri, 23 Aug 2013 10:08:38 -0700 (PDT)
Received: from BY2PR03MB191.namprd03.prod.outlook.com (10.242.36.143) by BY2PR03MB314.namprd03.prod.outlook.com (10.141.139.19) with Microsoft SMTP Server (TLS) id 15.0.745.25; Fri, 23 Aug 2013 16:23:09 +0000
Received: from BY2PR03MB189.namprd03.prod.outlook.com (10.242.36.140) by BY2PR03MB191.namprd03.prod.outlook.com (10.242.36.143) with Microsoft SMTP Server (TLS) id 15.0.745.25; Fri, 23 Aug 2013 16:23:07 +0000
Received: from BY2PR03MB189.namprd03.prod.outlook.com ([169.254.6.82]) by BY2PR03MB189.namprd03.prod.outlook.com ([169.254.6.157]) with mapi id 15.00.0745.000; Fri, 23 Aug 2013 16:23:07 +0000
From: Anthony Nadalin <tonynad@microsoft.com>
To: "Anganes, Amanda L" <aanganes@mitre.org>, Hannes Tschofenig <hannes.tschofenig@gmx.net>, "oauth@ietf.org WG" <oauth@ietf.org>
Thread-Topic: [OAUTH-WG] Dynamic Client Registration Conference Call - Meeting Minutes (22. Aug)
Thread-Index: AQHOn9pIFFzF9Eizx0KvarIkYTq9LZmivdgAgAA5yrA=
Date: Fri, 23 Aug 2013 16:23:06 +0000
Message-ID: <98cb53b828f0475cb1a49581af4ff8fb@BY2PR03MB189.namprd03.prod.outlook.com>
References: <52171C40.4040009@gmx.net> <CE3CD05E.C04A%aanganes@mitre.org>
In-Reply-To: <CE3CD05E.C04A%aanganes@mitre.org>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
x-originating-ip: [2001:4898:80e8:ed31::2]
x-forefront-prvs: 094700CA91
x-forefront-antispam-report: SFV:NSPM; SFS:(50854003)(377454003)(51914003)(479174003)(24454002)(13464003)(199002)(189002)(51704005)(30513003)(19580395003)(79102001)(19580405001)(83322001)(54356001)(74366001)(56776001)(15975445006)(54316002)(53806001)(561944002)(74316001)(76482001)(80976001)(63696002)(76786001)(46102001)(69226001)(74876001)(80022001)(77096001)(56816003)(65816001)(81542001)(74662001)(83072001)(4396001)(47446002)(76796001)(50986001)(81686001)(77982001)(76576001)(47736001)(59766001)(81342001)(31966008)(47976001)(33646001)(49866001)(51856001)(74706001)(74502001)(81816001)(42262001)(3826001)(24736002); DIR:OUT; SFP:; SCL:1; SRVR:BY2PR03MB191; H:BY2PR03MB189.namprd03.prod.outlook.com; CLIP:2001:4898:80e8:ed31::2; RD:InfoNoRecords; A:1; MX:1; LANG:en; 
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-OriginatorOrg: DuplicateDomain-a84fc36a-4ed7-4e57-ab1c-3e967bcbad48.microsoft.com
Subject: Re: [OAUTH-WG] Dynamic Client Registration Conference Call - Meeting Minutes (22. Aug)
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 23 Aug 2013 17:08:44 -0000

>I believe Tony commented that "if something is optional, it means that ALL servers everywhere have to support it". I don't understand that - the requirement for servers to ignore (i.e., don't throw an error or fall over) if a client sends over a parameter it doesn't understand has always been part of the core OAuth 2.0 spec. It's not a new idea.

So servers have to code to prevent unwanted behavior from happening, so the more that is in the spec that is optional that the server does not want to support the more the server side has to deal with failing, ignoring, etc. It makes more sense to chunk this up into a basic registration message and response and then extensions for all the stuff that goes beyond the simple registration process. OIDC can't just pick this up and use it as is, there are still specific requirements that OIDC needs beyond this and different from this proposal, so I believe that we could get agreement on the basic registration messages and let the other groups do the specific extensions they need.

As I have stated most of the dynamic registration draft goes beyond the scope of this WG dealing with client configuration and management. We have stayed well away from client authentication methods and we should stay well away from client configuration and management.

-----Original Message-----
From: oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] On Behalf Of Anganes, Amanda L
Sent: Friday, August 23, 2013 5:46 AM
To: Hannes Tschofenig; oauth@ietf.org WG
Subject: Re: [OAUTH-WG] Dynamic Client Registration Conference Call - Meeting Minutes (22. Aug)

Thanks for the notes, Hannes.

I didn't speak up on the call at all because it honestly left me a bit confused. For the first 3/4 or so I was trying to figure out what the problem was that everyone was fighting about. Phil, Tony, and others seemed to be pointing out that "in all of these cases that we can tell you about, it doesn't make sense to do DynReg". That is fine. That's not a problem; that just reflects the fact that there are different use cases out there that may not need this OPTIONAL part of the spec suite.

After that there seemed to be some consensus (at least among those that were bringing up the original complaints) that folks would like to see a smaller core document, with all of the optional parts removed to one or more extensions. I'll grant that the DynReg draft has gotten long and there are a lot of optional pieces. Maybe it makes sense to break it out; at the very least I think it's worth trying. Perhaps more of the WG would accept it if that was the case.

I believe Tony commented that "if something is optional, it means that ALL servers everywhere have to support it". I don't understand that - the requirement for servers to ignore (i.e., don't throw an error or fall over) if a client sends over a parameter it doesn't understand has always been part of the core OAuth 2.0 spec. It's not a new idea.

There was also a comment that the WG doesn't have a lot of experience with this domain. That's true, but the experience the WG *does* have is with the UMA and OIDC use cases, which directly fed into the current draft. DynReg v14 is sufficient for the two major classes of *real*, deployed and under development, non-hypothetical use cases that we know of today. We can't lose sight of this fact.

If there is something missing from the current draft, or something present that disallows a particular requirement, I'd ask the other WG members to please present those requirements and problems clearly so that we can discuss them. So far I haven't seen anything concrete in this area. I've heard a lot of contention and fighting but I can't make out what the actual problem statement is. Phil's software statements/assertions seems to fit well as an extension; it's not prohibited by anything existing in the draft.

*apologies if I misattributed comments; I can recognize most of the voices that were on the call but not all of them.

--Amanda






From phil.hunt@oracle.com  Fri Aug 23 10:14:32 2013
Return-Path: <phil.hunt@oracle.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 940FF11E8302 for <oauth@ietfa.amsl.com>; Fri, 23 Aug 2013 10:14:32 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.855
X-Spam-Level: 
X-Spam-Status: No, score=-5.855 tagged_above=-999 required=5 tests=[AWL=0.744,  BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id sYCN-zlx0Giy for <oauth@ietfa.amsl.com>; Fri, 23 Aug 2013 10:14:27 -0700 (PDT)
Received: from aserp1040.oracle.com (aserp1040.oracle.com [141.146.126.69]) by ietfa.amsl.com (Postfix) with ESMTP id 49C1111E81CB for <oauth@ietf.org>; Fri, 23 Aug 2013 10:14:27 -0700 (PDT)
Received: from acsinet21.oracle.com (acsinet21.oracle.com [141.146.126.237]) by aserp1040.oracle.com (Sentrion-MTA-4.3.1/Sentrion-MTA-4.3.1) with ESMTP id r7NHENpG026131 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK); Fri, 23 Aug 2013 17:14:24 GMT
Received: from userz7021.oracle.com (userz7021.oracle.com [156.151.31.85]) by acsinet21.oracle.com (8.14.4+Sun/8.14.4) with ESMTP id r7NHEM7C019624 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Fri, 23 Aug 2013 17:14:23 GMT
Received: from abhmt104.oracle.com (abhmt104.oracle.com [141.146.116.56]) by userz7021.oracle.com (8.14.4+Sun/8.14.4) with ESMTP id r7NHEMaS018488; Fri, 23 Aug 2013 17:14:22 GMT
Received: from [192.168.1.89] (/174.7.250.104) by default (Oracle Beehive Gateway v4.0) with ESMTP ; Fri, 23 Aug 2013 10:14:22 -0700
Content-Type: text/plain; charset=us-ascii
Mime-Version: 1.0 (Mac OS X Mail 6.5 \(1508\))
From: Phil Hunt <phil.hunt@oracle.com>
In-Reply-To: <52171C40.4040009@gmx.net>
Date: Fri, 23 Aug 2013 10:14:31 -0700
Content-Transfer-Encoding: quoted-printable
Message-Id: <2CFB523D-C706-41C6-8DD0-51168BD9B45A@oracle.com>
References: <52171C40.4040009@gmx.net>
To: Hannes Tschofenig <hannes.tschofenig@gmx.net>
X-Mailer: Apple Mail (2.1508)
X-Source-IP: acsinet21.oracle.com [141.146.126.237]
Cc: "oauth@ietf.org WG" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Dynamic Client Registration Conference Call - Meeting Minutes (22. Aug)
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 23 Aug 2013 17:14:32 -0000

Two ways to handle complexity here.

Reading over the minutes, I'm not sure it was clear the main point of observation I am trying to make to the group.

The current design assumes that every client is somehow completely different as the majority standing. This has led to a design where all protocol related values and informational values must be provided at "association" time.   We've tried to apply this specification with this model against a number of use cases, and my chief problem is three-fold:
1.  Amount of data that must be retained per client (with no way to tell for how long)
2.  On a per client basis, it is unclear what each client must do to successfully register.  The spec presumes a lot of prior knowledge as to what is required and what isn't.
3. Instead of just issuing one credential (client cred), the spec issues 2 and defines another.  Three special case security credentials each with special handling.

I have no doubt that many have successfully implemented this. But the concern is that the number of APIs tested and in production is extremely low.

I am proposing 2 observations that MAY make the eventual solution much much much easier to implement and operate.
a.  In most cases, client software is not custom. Custom software is an edge case (that must be supported).  Most client software can be grouped together as software distributions (software downloaded from a common site as a common distribution).  If we call this a software 'class', then we can observe that for a particular software class, there MAY be one or more instances of a class associating with any particular AS.  For any particular AS, the only thing that might change about the client is the redirect_url -- and this is likely only for web apps, not native apps.

b. If you look at the categories I presented yesterday, and in particular the last slide. You can notice that the solution for each category is relatively trivial and clearly defined. Categorization of clients seems like complexity at first. But once you look at it, you see that the decision path for developers is very clear.  Once a developer decides what type they are, the methodology is clear.

Finally, I believe that re-framing into "classes" and "categories" will also handle, in a better way, the cases for UMA and OIDC which are also at one end of a spectrum of associations (static vs. dynamic). At one end, static clients are hard-coded to a particular AS, next clients that associate upon installation, to OIDC clients that associate on an ongoing configuration basis (like imap clients), to UMA which may associate on a per-event basis.

To avoid more discussion continuing to go in circles, it seems time I put forward a draft for the group to consider. While this may present changes to the method of registration, I hope you will agree that it is much simpler.

Thanks in advance for your patience, thoughts, and ideas.

Phil

@independentid
www.independentid.com
phil.hunt@oracle.com







On 2013-08-23, at 1:24 AM, Hannes Tschofenig <hannes.tschofenig@gmx.net> =
wrote:

> Thank you all for joining yesterday's conference call. I took some =
notes during the call.
>=20
> ---- Meeting Minutes ----
>=20
> Participants:
> - William Kim
> - John Bradley
> - Antonio Sanso
> - Mike Jones
> - Phil Hunt
> - Justin Richer
> - Hannes Tschofenig
> - Derek Atkins
> - Amanda Anganes
> - Morteza Ansari
> - Brian Campbell
> - Thomas Hardjono
> - Prateek Mishra
> - George Fletcher
> - Tony Nadalin
>=20
> Minutes
>=20
> Justin started with a discussion about what is described in Section =
1.3 of the protocol specification and Appendix B describes the use =
cases.
>=20
> Dynamic client registration is one way to introduce a client to an =
authorization server.
> A client is the relationship between a client piece software and a =
piece of software on the authorization server side.
> The client needs a client_id and the authorization server needs to get =
various other piece of information (such as a redirect_uri, =
display_name).
>=20
> The group then started a discussion about what the minimal amount of =
information is the authorization server needs to have.
>=20
> The discussion then shifted to uses cases where trust is established =
a-priori (out-of-band) and is conveyed via an assertion to the dyn-reg =
exchange (protected registration) and the case where there is no trust =
(=3Dopen registration); the latter case would push the obligation to the =
user.
>=20
> There seems to be agreement (on the call) that both use cases are =
valid.
>=20
> The following examples for protected registration have been discussed:
>=20
> * manual page where the developer obtains a developer key and register =
there; they end up with an initial access token (in the form of an =
bearer token)
> * UMA case where there is someone who is introducing the two parties =
to each other. (Currently not described in the document)
> * Developer Automation: Who holds the client registration information? =
The developer makes the call and you get the client_id back. The client =
is not doing the dyn. registration. (This use case is described in =
Appendix B.3)
> * John's use case: =
http://www.ietf.org/mail-archive/web/oauth/current/msg12008.html
>=20
> Phil Hunt starts with his presentation slides, which he had =
distributed to the mailing list earlier:
> http://www.ietf.org/mail-archive/web/oauth/current/msg12007.html
>=20
> Phil says that the client_id does not need to be provided by the AS - =
it could be provided by the client. John says that the client_id has to =
be tied to the redirect_uri since otherwise attacks are possible.
>=20
> Phil says we are lacking good terminology for client, and for client =
instance.
>=20
> George claims that the client instance concept came up when mobile =
clients and Web clients got mixed in deployments and people wanted to =
have a way to distinguish the two since they were different in their =
ability to keep a secret.
>=20
> A discussion started about whether an evolution had happened regarding
> different types of clients. The client id is a proxy for some release of
> some software. Someone claimed that with dynamic client registration we
> have the ability to turn public clients back into confidential clients.
>
> Phil argues that service providers want to know the class of
> applications and the instances. A problem with a client can be a
> compromise and you want to disable it. There may also be a bug in the
> software and then one may want to disable the entire class of clients.
>
> Phil asks whether we expect that JavaScript code registers every time
> the code runs. The response was clear that this is not the expectation.
>
> Phil then goes on to explain four levels of dynamic behavior:
>
> * Client developer hardcodes the address of the authorization server
> and other information.
> * Developer may hardcode some information but the client may
> dynamically interact with the authorization server to provide additional
> information (suggested by John)
> * Confirmation information in the client software can be used to
> determine which server to talk to and which parameters to use
> * Client software decides at runtime who to contact and what
> information to provide
>
> Hannes stopped the discussion because we ran out of time and started a
> discussion about where we could go next.
>
> Justin said that he has not seen anything that is not supported yet.
> Tony, Phil, and Prateek say that we are trying to find the minimum
> supported information.
>
> It seems that different folks have different use cases in mind. Can this
> situation be solved with extensions? Phil claims that the current
> specification is overly complex.
>
> It is clear that we cannot have one single spec that covers all the use
> cases.
> Are we arguing which use cases are covered in the base specification?
>
> Tony suggested that only client_id and redirect_uri should be the
> supported and everything else should be dropped.
>
> Justin responded that the rest is optional anyway.
>
> Discussion started about what "optional" means. Does the authorization
> server have to implement even optional components?
>
> John says that we need a new feature for adding and removing a new
> endpoint. This is a common use case and we don't want to revoke all the
> permissions when we do so.
>
> Mike says that there is some additional material needed beyond client_id
> and redirect_uri.
> John agrees.
>
> Prateek says that we need to identify a minimal subset and have
> extensions defined.
>
> Hannes will talk to Derek about the next steps. Expect another
> conference call soon.
>
> Phil will update the software assertion document.


From sberyozkin@gmail.com  Tue Aug 27 03:54:30 2013
Message-ID: <521C8561.6020604@gmail.com>
Date: Tue, 27 Aug 2013 11:54:25 +0100
From: Sergey Beryozkin <sberyozkin@gmail.com>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:17.0) Gecko/20130623 Thunderbird/17.0.7
MIME-Version: 1.0
To: "<oauth@ietf.org>" <oauth@ietf.org>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Subject: [OAUTH-WG] Can public clients using code flow have redirect URIs ?

Hi

I am a bit confused on whether public clients such as smart phones, etc 
which work with the authorization code flow can have redirect URIs 
supported or not.

My understanding so far has been that public clients won't have redirect 
uris (except for them working with Implicit code flows), the code would 
be entered into the device by a user or perhaps returned directly from 
AS via some back channel. The reason I ask is the text at [1] says in 
its Introduction:

"... This is especially true on some smartphone platform in which the 
'code' is returned to a redirect URI ... "

I can imagine that in this case a smartphone has an application actually 
running a web server so it can accept redirect requests,
is it when public clients can have redirect URIs and texts such as [1] 
can be of help ?

Thanks. Sergey

[1] http://tools.ietf.org/html/draft-sakimura-oauth-tcse-01

From ve7jtb@ve7jtb.com  Tue Aug 27 05:01:09 2013
Content-Type: multipart/signed; boundary="Apple-Mail=_AEE454AB-0923-495E-8DDF-57DCFAC81182"; protocol="application/pkcs7-signature"; micalg=sha1
Mime-Version: 1.0 (Mac OS X Mail 6.5 \(1508\))
From: John Bradley <ve7jtb@ve7jtb.com>
In-Reply-To: <521C8561.6020604@gmail.com>
Date: Tue, 27 Aug 2013 08:00:56 -0400
Message-Id: <0A85510B-ABBC-4B67-B889-73D2F9B6F050@ve7jtb.com>
References: <521C8561.6020604@gmail.com>
To: Sergey Beryozkin <sberyozkin@gmail.com>
X-Mailer: Apple Mail (2.1508)
Cc: "<oauth@ietf.org>" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Can public clients using code flow have redirect URIs ?

--Apple-Mail=_AEE454AB-0923-495E-8DDF-57DCFAC81182
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain;
	charset=us-ascii

Typically native apps on smart phones use the code flow and a redirect_uri
with a custom scheme to redirect the browser back to the app with the query
encoded code.

The native app is a public client as it cannot keep a secret, unless it is
using dynamic registration.

The ID Nat and I put together is a proposed way that a proof of possession
for the code can be used as an alternative to registering every instance of
a native app.

On iOS and Android multiple apps can register the same custom scheme and may
try to intercept the code which can be used if the client_id and secret are
known.

John B.

On 2013-08-27, at 6:54 AM, Sergey Beryozkin <sberyozkin@gmail.com> wrote:

> Hi
>
> I am a bit confused on whether public clients such as smart phones, etc
> which work with the authorization code flow can have redirect URIs
> supported or not.
>
> My understanding so far has been that public clients won't have redirect
> uris (except for them working with Implicit code flows), the code would
> be entered into the device by a user or perhaps returned directly from
> AS via some back channel. The reason I ask is the text at [1] says in
> its Introduction:
>
> "... This is especially true on some smartphone platform in which the
> 'code' is returned to a redirect URI ... "
>
> I can imagine that in this case a smartphone has an application actually
> running a web server so it can accept redirect requests,
> is it when public clients can have redirect URIs and texts such as [1]
> can be of help ?
>
> Thanks. Sergey
>
> [1] http://tools.ietf.org/html/draft-sakimura-oauth-tcse-01


--Apple-Mail=_AEE454AB-0923-495E-8DDF-57DCFAC81182--
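
[Added example, not part of the thread and not code from the draft or any project.] The proof of possession for the code described in the reply above, seen from the authorization server: the code is bound to a challenge at issue time and is refused at the token endpoint without the matching verifier. It assumes the S256 verifier/challenge transform later standardized in RFC 7636, since the thread does not give the draft's parameters; the client_id, redirect URI and function names are constructed.

```python
import base64
import hashlib
import hmac
import secrets
import time

# Constructed registration data: a public native client (no client_secret)
# whose custom-scheme redirect URI is tied to its client_id.
REGISTERED_REDIRECTS = {"native-app-example": {"com.example.app:/oauth/callback"}}
CODE_LIFETIME_SECONDS = 60
_issued_codes = {}  # authorization code -> binding record held by the AS


def make_verifier():
    """Client: fresh high-entropy secret for one authorization request."""
    return secrets.token_urlsafe(32)


def challenge_for(verifier):
    """S256 transform of RFC 7636: BASE64URL(SHA-256(verifier)), no padding."""
    digest = hashlib.sha256(verifier.encode("utf-8")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def authorize(client_id, redirect_uri, code_challenge):
    """AS authorization endpoint: bind the code to client, URI and challenge."""
    if redirect_uri not in REGISTERED_REDIRECTS.get(client_id, set()):
        raise ValueError("redirect_uri is not registered for this client_id")
    if not isinstance(code_challenge, str) or len(code_challenge) != 43:
        raise ValueError("code_challenge must be a 43-character S256 value")
    code = secrets.token_urlsafe(16)
    _issued_codes[code] = {
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "challenge": code_challenge,
        "expires": time.time() + CODE_LIFETIME_SECONDS,
    }
    return code


def redeem(code, client_id, redirect_uri, code_verifier):
    """AS token endpoint: the code is only worth something with its verifier."""
    record = _issued_codes.pop(code, None)  # single use, consumed on any attempt
    if record is None or time.time() > record["expires"]:
        return {"error": "invalid_grant"}
    if (client_id, redirect_uri) != (record["client_id"], record["redirect_uri"]):
        return {"error": "invalid_grant"}
    presented = challenge_for(code_verifier or "").encode("ascii")
    if not hmac.compare_digest(presented, record["challenge"].encode("utf-8")):
        return {"error": "invalid_grant"}
    return {"access_token": secrets.token_urlsafe(24), "token_type": "Bearer"}


def demo():
    """Two flows: a code seen by another app, then a normal redemption."""
    client_id = "native-app-example"
    redirect_uri = "com.example.app:/oauth/callback"

    # Flow 1: a second app registered for the same scheme receives the code.
    # It knows client_id and redirect_uri but never saw the verifier.
    verifier = make_verifier()
    code = authorize(client_id, redirect_uri, challenge_for(verifier))
    intercepted = redeem(code, client_id, redirect_uri, make_verifier())

    # Flow 2: the app that started the request redeems its own code,
    # and a later replay of the same code is refused.
    verifier = make_verifier()
    code = authorize(client_id, redirect_uri, challenge_for(verifier))
    legitimate = redeem(code, client_id, redirect_uri, verifier)
    replay = redeem(code, client_id, redirect_uri, verifier)
    return {"intercepted": intercepted, "legitimate": legitimate, "replay": replay}


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, "->", result.get("error", "token issued"))
```

Because the verifier never travels through the redirect, no per-instance client secret is needed for the binding to hold.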

From asanso@adobe.com  Tue Aug 27 05:51:32 2013
From: Antonio Sanso <asanso@adobe.com>
To: "oauth@ietf.org WG" <oauth@ietf.org>
Date: Tue, 27 Aug 2013 13:51:12 +0100
Message-ID: <A59AAA2B-6C1B-4330-97FD-150EC506B108@adobe.com>
References: <A801C24769E413478CBDD0D99D1ACB7C0278041059C5@eurmbx01.eur.adobe.com>
Content-Type: multipart/alternative; boundary="_000_A59AAA2B6C1B433097FD150EC506B108adobecom_"
MIME-Version: 1.0
Subject: [OAUTH-WG] Oauth Server to Server was: Dynamic Client Registration Conference Call - Meeting Minutes (22. Aug)

--_000_A59AAA2B6C1B433097FD150EC506B108adobecom_
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable

anyone :) ?

Begin forwarded message:

From: Antonio Sanso <asanso@adobe.com>
Date: August 23, 2013 6:42:18 PM GMT+02:00
To: John Bradley <ve7jtb@ve7jtb.com>
Cc: Hannes Tschofenig <hannes.tschofenig@gmx.net>, "oauth@ietf.org WG" <oauth@ietf.org>
Subject: RE: [OAUTH-WG] Dynamic Client Registration Conference Call - Meeting Minutes (22. Aug)

Thanks a lot John for your answer.

How about the server to server flow per se as in [0].

Is it standardized anywhere (OAuth/OIDC)? Or is just custom at Google?

I think this is kind of clever and really suits case where there is not
"human interaction"

regards

Antonio

________________________________________
From: John Bradley [ve7jtb@ve7jtb.com]
Sent: 23 August 2013 18:16
To: Antonio Sanso
Cc: Hannes Tschofenig; oauth@ietf.org WG
Subject: Re: [OAUTH-WG] Dynamic Client Registration Conference Call - Meeting Minutes (22. Aug)

We have that in the OIDC version where the client publishes its public key.
That is in general better from a security point of view if you believe
clients can securely generate key pairs.

It is not in the IETF version because we were asked not to include
authentication methods not defined in the core spec, as they were thought
best to be extensions.

It currently looks like the pressure is on to remove configuration options
rather than add them.

I agree that client registration is a reasonable place to exchange keys and
avoid having symmetric secrets, that is the preferred OIDC implementation
for clients that can support it.

John B.


On 2013-08-23, at 4:55 AM, Antonio Sanso <asanso@adobe.com> wrote:

Hi Hannes,

thanks a lot for your notes.

As suggested from you guys yesterday I'd like to bring on my little point :)
(that is really orthogonal to the whole discussion).

IMHO since the dynamic registration is still on a design phase it would be
really nice to include something that Google already implemented in order to
allow server-to-server communication [0].

In order to allow this, in the registration phase, there is the option to
download a private key (in order to allow the client to sign self produced
signed JWT without 'human interaction'), quoting [0]

"During the creation of a Service Account, you will be prompted to download
a private key. Be sure to save this private key in a secure location. After
the Service Account has been created, you will also have access to the
client_id associated with the private key."


IMHO this is a really clever way to use OAuth and would be nice to see this
standardized and having it on the big picture. Obviously this should be just
an optional field.

Just my 0.02 $

Thanks and regards

Antonio

[0] https://developers.google.com/accounts/docs/OAuth2ServiceAccount



On Aug 23, 2013, at 10:24 AM, Hannes Tschofenig wrote:

Thank you all for joining yesterday's conference call. I took some notes
during the call.

---- Meeting Minutes ----

Participants:
- William Kim
- John Bradley
- Antonio Sanso
- Mike Jones
- Phil Hunt
- Justin Richer
- Hannes Tschofenig
- Derek Atkins
- Amanda Anganes
- Morteza Ansari
- Brian Campbell
- Thomas Hardjono
- Prateek Mishra
- George Fletcher
- Tony Nadalin

Minutes

Justin started with a discussion about what is described in Section 1.3
of the protocol specification and Appendix B describes the use cases.

Dynamic client registration is one way to introduce a client to an
authorization server.
A client is the relationship between a client piece of software and a piece
of software on the authorization server side.
The client needs a client_id and the authorization server needs to get
various other pieces of information (such as a redirect_uri, display_name).

The group then started a discussion about what the minimal amount of
information is the authorization server needs to have.

The discussion then shifted to use cases where trust is established
a-priori (out-of-band) and is conveyed via an assertion to the dyn-reg
exchange (protected registration) and the case where there is no trust
(=open registration); the latter case would push the obligation to the
user.

There seems to be agreement (on the call) that both use cases are valid.

The following examples for protected registration have been discussed:

* manual page where the developer obtains a developer key and register
there; they end up with an initial access token (in the form of a
bearer token)
* UMA case where there is someone who is introducing the two parties
to each other. (Currently not described in the document)
* Developer Automation: Who holds the client registration information?
The developer makes the call and you get the client_id back. The client
is not doing the dyn. registration. (This use case is described in
Appendix B.3)
* John's use case:
http://www.ietf.org/mail-archive/web/oauth/current/msg12008.html

Phil Hunt starts with his presentation slides, which he had distributed
to the mailing list earlier:
http://www.ietf.org/mail-archive/web/oauth/current/msg12007.html

Phil says that the client_id does not need to be provided by the AS - it
could be provided by the client. John says that the client_id has to be
tied to the redirect_uri since otherwise attacks are possible.

Phil says we are lacking good terminology for client, and for client
instance.

George claims that the client instance concept came up when mobile
clients and Web clients got mixed in deployments and people wanted to
have a way to distinguish the two since they were different in their
ability to keep a secret.

A discussion started about whether an evolution had happened regarding
different types of clients. The client id is a proxy for some release of
some software. Someone claimed that with dynamic client registration we
have the ability to turn public clients back into confidential clients.

Phil argues that service providers want to know the class of
applications and the instances. A problem with a client can be a
compromise and you want to disable it. There may also be a bug in the
software and then one may want to disable the entire class of clients.

Phil asks whether we expect that JavaScript code registers every time
the code runs. The response was clear that this is not the expectation.

Phil then goes on to explain four levels of dynamic behavior:

* Client developer hardcodes the address of the authorization server
and other information.
* Developer may hardcode some information but the client may
dynamically interact with the authorization server to provide additional
information (suggested by John)
* Confirmation information in the client software can be used to
determine which server to talk to and which parameters to use
* Client software decides at runtime who to contact and what
information to provide

Hannes stopped the discussion because we ran out of time and started a
discussion about where we could go next.

Justin said that he has not seen anything that is not supported yet.
Tony, Phil, and Prateek say that we are trying to find the minimum
supported information.

It seems that different folks have different use cases in mind. Can this
situation be solved with extensions? Phil claims that the current
specification is overly complex.

It is clear that we cannot have one single spec that covers all the use
cases.
Are we arguing which use cases are covered in the base specification?

Tony suggested that only client_id and redirect_uri should be the
supported and everything else should be dropped.

Justin responded that the rest is optional anyway.

Discussion started about what "optional" means. Does the authorization
server have to implement even optional components?

John says that we need a new feature for adding and removing a new
endpoint. This is a common use case and we don't want to revoke all the
permissions when we do so.

Mike says that there is some additional material needed beyond client_id
and redirect_uri.
John agrees.

Prateek says that we need to identify a minimal subset and have
extensions defined.

Hannes will talk to Derek about the next steps. Expect another
conference call soon.

Phil will update the software assertion document.


_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth



--_000_A59AAA2B6C1B433097FD150EC506B108adobecom_
Content-Type: text/html; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable

<html><head></head><body style=3D"word-wrap: break-word; -webkit-nbsp-mode:=
 space; -webkit-line-break: after-white-space; ">anyone :) ?<br><div><br><d=
iv>Begin forwarded message:</div><br class=3D"Apple-interchange-newline"><b=
lockquote type=3D"cite"><div style=3D"margin-top: 0px; margin-right: 0px; m=
argin-bottom: 0px; margin-left: 0px;"><span style=3D"font-family:'Helvetica=
'; font-size:medium; color:rgba(0, 0, 0, 1);"><b>From: </b></span><span sty=
le=3D"font-family:'Helvetica'; font-size:medium;">Antonio Sanso &lt;<a href=
=3D"mailto:asanso@adobe.com">asanso@adobe.com</a>&gt;<br></span></div><div =
style=3D"margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-lef=
t: 0px;"><span style=3D"font-family:'Helvetica'; font-size:medium; color:rg=
ba(0, 0, 0, 1);"><b>Date: </b></span><span style=3D"font-family:'Helvetica'=
; font-size:medium;">August 23, 2013 6:42:18 PM GMT+02:00<br></span></div><=
div style=3D"margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin=
-left: 0px;"><span style=3D"font-family:'Helvetica'; font-size:medium; colo=
r:rgba(0, 0, 0, 1);"><b>To: </b></span><span style=3D"font-family:'Helvetic=
a'; font-size:medium;">John Bradley &lt;<a href=3D"mailto:ve7jtb@ve7jtb.com=
">ve7jtb@ve7jtb.com</a>&gt;<br></span></div><div style=3D"margin-top: 0px; =
margin-right: 0px; margin-bottom: 0px; margin-left: 0px;"><span style=3D"fo=
nt-family:'Helvetica'; font-size:medium; color:rgba(0, 0, 0, 1);"><b>Cc: </=
b></span><span style=3D"font-family:'Helvetica'; font-size:medium;">Hannes =
Tschofenig &lt;<a href=3D"mailto:hannes.tschofenig@gmx.net">hannes.tschofen=
ig@gmx.net</a>&gt;, "<a href=3D"mailto:oauth@ietf.org">oauth@ietf.org</a> W=
G" &lt;<a href=3D"mailto:oauth@ietf.org">oauth@ietf.org</a>&gt;<br></span><=
/div><div style=3D"margin-top: 0px; margin-right: 0px; margin-bottom: 0px; =
margin-left: 0px;"><span style=3D"font-family:'Helvetica'; font-size:medium=
; color:rgba(0, 0, 0, 1);"><b>Subject: </b></span><span style=3D"font-famil=
y:'Helvetica'; font-size:medium;"><b>RE: [OAUTH-WG] Dynamic Client Registra=
tion Conference Call - Meeting Minutes (22. Aug)</b><br></span></div><br><d=
iv>Thanks a lot John for your answer. <br><br>How about the server to serve=
r flow per se as in [0].<br><br>Is it standardized anywhere (OAuth/OIDC)? O=
r is just custom at Google?<br><br>I think this is kind of clever and reall=
y suites case where there is not "human interaction"<br><br>regards<br><br>=
Antonio<br><br>________________________________________<br>From: John Bradl=
ey [ve7jtb@ve7jtb.com]<br>Sent: 23 August 2013 18:16<br>To: Antonio Sanso<b=
r>Cc: Hannes Tschofenig; <a href=3D"mailto:oauth@ietf.org">oauth@ietf.org</=
a> WG<br>Subject: Re: [OAUTH-WG] Dynamic Client Registration Conference Cal=
l - Meeting Minutes (22. Aug)<br><br>We have that in the OIDC version where=
 the client publishes it's public key. &nbsp;That is in general better from=
 a security point of view if you believe clients can securely generate key =
pairs.<br><br>It is not in the IETF version because we were asked not to in=
clude authentication methods not defined in the core spec, as they were tho=
ught best to be extensions.<br><br>It currently looks like the pressure is =
on to remove confuguration options rather than add them.<br><br>I agree tha=
t client registration is a reasonable place to exchange keys and avoid havi=
ng symmetric secrets, &nbsp;that is the preferred OIDC implementation for c=
lients that can support it.<br><br>John B.<br><br><br>On 2013-08-23, at 4:5=
5 AM, Antonio Sanso &lt;<a href=3D"mailto:asanso@adobe.com">asanso@adobe.co=
m</a>&gt; wrote:<br><br><blockquote type=3D"cite">Hi Hannes,<br></blockquot=
e><blockquote type=3D"cite"><br></blockquote><blockquote type=3D"cite">than=
ks a lot for your notes.<br></blockquote><blockquote type=3D"cite"><br></bl=
ockquote><blockquote type=3D"cite">As suggested from you guys yesterday I'd=
 like to bring on my little point :) (that is really orthogonal to the whol=
e discussion).<br></blockquote><blockquote type=3D"cite"><br></blockquote><=
blockquote type=3D"cite">IMHO since the dynamic registration is still on a =
design phase it would be really nice to include something that Google alrea=
dy implemented in order to allow server-to-server communication [0].<br></b=
lockquote><blockquote type=3D"cite"><br></blockquote><blockquote type=3D"ci=
te">In order to allow this, in the registration phase, there is the option =
to download a private key (in order to allow the client to sign self produc=
ed signed JWT without 'human interaction'), quoting [0]<br></blockquote><bl=
ockquote type=3D"cite"><br></blockquote><blockquote type=3D"cite">"During t=
he creation of a Service Account, you will be prompted to download a privat=
e key. Be sure to save this private key in a secure location. After the Ser=
vice Account has been created, you will also have access to the client_id a=
ssociated with the private key."<br></blockquote><blockquote type=3D"cite">=
<br></blockquote><blockquote type=3D"cite"><br></blockquote><blockquote typ=
e=3D"cite">IMHO this is a really clever way to use OAuth and would be nice =
to see this standardized and having it on the big picture. Obviously this s=
hould be just an optional field.<br></blockquote><blockquote type=3D"cite">=
<br></blockquote><blockquote type=3D"cite">Just my 0.02 $<br></blockquote><=
blockquote type=3D"cite"><br></blockquote><blockquote type=3D"cite">Thanks =
and regards<br></blockquote><blockquote type=3D"cite"><br></blockquote><blo=
ckquote type=3D"cite">Antonio<br></blockquote><blockquote type=3D"cite"><br=
></blockquote><blockquote type=3D"cite">[0] <a href=3D"https://developers.g=
oogle.com/accounts/docs/OAuth2ServiceAccount">https://developers.google.com=
/accounts/docs/OAuth2ServiceAccount</a><br></blockquote><blockquote type=3D=
"cite"><br></blockquote><blockquote type=3D"cite"><br></blockquote><blockqu=
ote type=3D"cite"><br></blockquote><blockquote type=3D"cite">On Aug 23, 201=
3, at 10:24 AM, Hannes Tschofenig wrote:<br></blockquote><blockquote type=
=3D"cite"><br></blockquote><blockquote type=3D"cite"><blockquote type=3D"ci=
te">Thank you all for joining yesterday's conference call. I took some note=
s<br></blockquote></blockquote><blockquote type=3D"cite"><blockquote type=
=3D"cite">during the call.<br></blockquote></blockquote><blockquote type=3D=
"cite"><blockquote type=3D"cite"><br></blockquote></blockquote><blockquote =
type=3D"cite"><blockquote type=3D"cite">---- Meeting Minutes ----<br></bloc=
kquote></blockquote><blockquote type=3D"cite"><blockquote type=3D"cite"><br=
></blockquote></blockquote><blockquote type=3D"cite"><blockquote type=3D"ci=
te">Participants:<br></blockquote></blockquote><blockquote type=3D"cite"><b=
lockquote type=3D"cite">- William Kim<br></blockquote></blockquote><blockqu=
ote type=3D"cite"><blockquote type=3D"cite">- John Bradley<br></blockquote>=
</blockquote><blockquote type=3D"cite"><blockquote type=3D"cite">- Antonio =
Sanso<br></blockquote></blockquote><blockquote type=3D"cite"><blockquote ty=
pe=3D"cite">- Mike Jones<br></blockquote></blockquote><blockquote type=3D"c=
ite"><blockquote type=3D"cite">- Phil Hunt<br></blockquote></blockquote><bl=
ockquote type=3D"cite"><blockquote type=3D"cite">- Justin Richer<br></block=
quote></blockquote><blockquote type=3D"cite"><blockquote type=3D"cite">- Ha=
nnes Tschofenig<br></blockquote></blockquote><blockquote type=3D"cite"><blo=
ckquote type=3D"cite">- Derek Atkins<br></blockquote></blockquote><blockquo=
te type=3D"cite"><blockquote type=3D"cite">- Amanda Anganes<br></blockquote=
></blockquote><blockquote type=3D"cite"><blockquote type=3D"cite">- Morteza=
 Ansari<br></blockquote></blockquote><blockquote type=3D"cite"><blockquote =
type=3D"cite">- Brian Campbell<br></blockquote></blockquote><blockquote typ=
e=3D"cite"><blockquote type=3D"cite">- Thomas Hardjono<br></blockquote></bl=
ockquote><blockquote type=3D"cite"><blockquote type=3D"cite">- Prateek Mish=
ra<br></blockquote></blockquote><blockquote type=3D"cite"><blockquote type=
=3D"cite">- George Fletcher<br></blockquote></blockquote><blockquote type=
=3D"cite"><blockquote type=3D"cite">- Tony Nadalin<br></blockquote></blockq=
uote><blockquote type=3D"cite"><blockquote type=3D"cite"><br></blockquote><=
/blockquote><blockquote type=3D"cite"><blockquote type=3D"cite">Minutes<br>=
</blockquote></blockquote><blockquote type=3D"cite"><blockquote type=3D"cit=
e"><br></blockquote></blockquote><blockquote type=3D"cite"><blockquote type=
=3D"cite">Justin started with a discussion about what is described in Secti=
on 1.3<br></blockquote></blockquote><blockquote type=3D"cite"><blockquote t=
ype=3D"cite">of the protocol specification and Appendix B describes the use=
 cases.<br></blockquote></blockquote><blockquote type=3D"cite"><blockquote =
type=3D"cite"><br></blockquote></blockquote><blockquote type=3D"cite"><bloc=
kquote type=3D"cite">Dynamic client registration is one way to introduce a =
client to an<br></blockquote></blockquote><blockquote type=3D"cite"><blockq=
uote type=3D"cite">authorization server.<br></blockquote></blockquote><bloc=
kquote type=3D"cite"><blockquote type=3D"cite">A client is the relationship=
 between a client piece software and a piece<br></blockquote></blockquote><=
blockquote type=3D"cite"><blockquote type=3D"cite">of software on the autho=
rization server side.<br></blockquote></blockquote><blockquote type=3D"cite=
"><blockquote type=3D"cite">The client needs a client_id and the authorizat=
ion server needs to get<br></blockquote></blockquote><blockquote type=3D"ci=
te"><blockquote type=3D"cite">various other piece of information (such as a=
 redirect_uri, display_name).<br></blockquote></blockquote><blockquote type=
=3D"cite"><blockquote type=3D"cite"><br></blockquote></blockquote><blockquo=
te type=3D"cite"><blockquote type=3D"cite">The group then started a discuss=
ion about what the minimal amount of<br></blockquote></blockquote><blockquo=
te type=3D"cite"><blockquote type=3D"cite">information is the authorization=
 server needs to have.<br></blockquote></blockquote><blockquote type=3D"cit=
e"><blockquote type=3D"cite"><br></blockquote></blockquote><blockquote type=
=3D"cite"><blockquote type=3D"cite">The discussion then shifted to use cas=
es where trust is established<br></blockquote></blockquote><blockquote type=
=3D"cite"><blockquote type=3D"cite">a-priori (out-of-band) and is conveyed =
via an assertion to the dyn-reg<br></blockquote></blockquote><blockquote ty=
pe=3D"cite"><blockquote type=3D"cite">exchange (protected registration) and=
 the case where there is no trust<br></blockquote></blockquote><blockquote =
type=3D"cite"><blockquote type=3D"cite">(=3Dopen registration); the latter =
case would push the obligation to the<br></blockquote></blockquote><blockqu=
ote type=3D"cite"><blockquote type=3D"cite">user.<br></blockquote></blockqu=
ote><blockquote type=3D"cite"><blockquote type=3D"cite"><br></blockquote></=
blockquote><blockquote type=3D"cite"><blockquote type=3D"cite">There seems =
to be agreement (on the call) that both use cases are valid.<br></blockquot=
e></blockquote><blockquote type=3D"cite"><blockquote type=3D"cite"><br></bl=
ockquote></blockquote><blockquote type=3D"cite"><blockquote type=3D"cite">T=
he following examples for protected registration have been discussed:<br></=
blockquote></blockquote><blockquote type=3D"cite"><blockquote type=3D"cite"=
><br></blockquote></blockquote><blockquote type=3D"cite"><blockquote type=
=3D"cite">* manual page where the developer obtains a developer key and reg=
ister<br></blockquote></blockquote><blockquote type=3D"cite"><blockquote ty=
pe=3D"cite">there; they end up with an initial access token (in the form of=
 an<br></blockquote></blockquote><blockquote type=3D"cite"><blockquote type=
=3D"cite">bearer token)<br></blockquote></blockquote><blockquote type=3D"ci=
te"><blockquote type=3D"cite">* UMA case where there is someone who is intr=
oducing the two parties<br></blockquote></blockquote><blockquote type=3D"ci=
te"><blockquote type=3D"cite">to each other. (Currently not described in th=
e document)<br></blockquote></blockquote><blockquote type=3D"cite"><blockqu=
ote type=3D"cite">* Developer Automation: Who holds the client registration=
 information?<br></blockquote></blockquote><blockquote type=3D"cite"><block=
quote type=3D"cite">The developer makes the call and you get the client_id =
back. The client<br></blockquote></blockquote><blockquote type=3D"cite"><bl=
ockquote type=3D"cite">is not doing the dyn. registration. (This use case i=
s described in<br></blockquote></blockquote><blockquote type=3D"cite"><bloc=
kquote type=3D"cite">Appendix B.3)<br></blockquote></blockquote><blockquote=
 type=3D"cite"><blockquote type=3D"cite">* John's use case:<br></blockquote=
></blockquote><blockquote type=3D"cite"><blockquote type=3D"cite"><a href=
=3D"http://www.ietf.org/mail-archive/web/oauth/current/msg12008.html">http:=
//www.ietf.org/mail-archive/web/oauth/current/msg12008.html</a><br></blockq=
uote></blockquote><blockquote type=3D"cite"><blockquote type=3D"cite"><br><=
/blockquote></blockquote><blockquote type=3D"cite"><blockquote type=3D"cite=
">Phil Hunt starts with his presentation slides, which he had distributed<b=
r></blockquote></blockquote><blockquote type=3D"cite"><blockquote type=3D"c=
ite">to the mailing list earlier:<br></blockquote></blockquote><blockquote =
type=3D"cite"><blockquote type=3D"cite"><a href=3D"http://www.ietf.org/mail=
-archive/web/oauth/current/msg12007.html">http://www.ietf.org/mail-archive/=
web/oauth/current/msg12007.html</a><br></blockquote></blockquote><blockquot=
e type=3D"cite"><blockquote type=3D"cite"><br></blockquote></blockquote><bl=
ockquote type=3D"cite"><blockquote type=3D"cite">Phil says that the client_=
id does not need to be provided by the AS - it<br></blockquote></blockquote=
><blockquote type=3D"cite"><blockquote type=3D"cite">could be provided by t=
he client. John says that the client_id has to be<br></blockquote></blockqu=
ote><blockquote type=3D"cite"><blockquote type=3D"cite">tied to the redirec=
t_uri since otherwise attacks are possible.<br></blockquote></blockquote><b=
lockquote type=3D"cite"><blockquote type=3D"cite"><br></blockquote></blockq=
uote><blockquote type=3D"cite"><blockquote type=3D"cite">Phil says we are l=
acking good terminology for client, and for client<br></blockquote></blockq=
uote><blockquote type=3D"cite"><blockquote type=3D"cite">instance.<br></blo=
ckquote></blockquote><blockquote type=3D"cite"><blockquote type=3D"cite"><b=
r></blockquote></blockquote><blockquote type=3D"cite"><blockquote type=3D"c=
ite">George claims that the client instance concept came up when mobile<br>=
</blockquote></blockquote><blockquote type=3D"cite"><blockquote type=3D"cit=
e">clients and Web clients got mixed in deployments and people wanted to<br=
></blockquote></blockquote><blockquote type=3D"cite"><blockquote type=3D"ci=
te">have a way to distinguish the two since they were different in their<br=
></blockquote></blockquote><blockquote type=3D"cite"><blockquote type=3D"ci=
te">ability to keep a secret.<br></blockquote></blockquote><blockquote type=
=3D"cite"><blockquote type=3D"cite"><br></blockquote></blockquote><blockquo=
te type=3D"cite"><blockquote type=3D"cite">A discussion started about wheth=
er an evolution had happened regarding<br></blockquote></blockquote><blockq=
uote type=3D"cite"><blockquote type=3D"cite">different types of clients. Th=
e client id is a proxy for some release of<br></blockquote></blockquote><bl=
ockquote type=3D"cite"><blockquote type=3D"cite">some software. Someone cla=
imed that with dynamic client registration we<br></blockquote></blockquote>=
<blockquote type=3D"cite"><blockquote type=3D"cite">have the ability to tur=
n public clients back into confidential clients.<br></blockquote></blockquo=
te><blockquote type=3D"cite"><blockquote type=3D"cite"><br></blockquote></b=
lockquote><blockquote type=3D"cite"><blockquote type=3D"cite">Phil argues t=
hat service providers want to know the class of<br></blockquote></blockquot=
e><blockquote type=3D"cite"><blockquote type=3D"cite">applications and the =
instances. A problem with a client can be a<br></blockquote></blockquote><b=
lockquote type=3D"cite"><blockquote type=3D"cite">compromise and you want t=
o disable it. There may also be a bug in the<br></blockquote></blockquote><=
blockquote type=3D"cite"><blockquote type=3D"cite">software and then one ma=
y want to disable the entire class of clients.<br></blockquote></blockquote=
><blockquote type=3D"cite"><blockquote type=3D"cite"><br></blockquote></blo=
ckquote><blockquote type=3D"cite"><blockquote type=3D"cite">Phil asks wheth=
er we expect that JavaScript code registers every time<br></blockquote></bl=
ockquote><blockquote type=3D"cite"><blockquote type=3D"cite">the code runs.=
 The response was clear that this is not the expectation.<br></blockquote><=
/blockquote><blockquote type=3D"cite"><blockquote type=3D"cite"><br></block=
quote></blockquote><blockquote type=3D"cite"><blockquote type=3D"cite">Phil=
 then goes on to explain four levels of dynamic behavior:<br></blockquote><=
/blockquote><blockquote type=3D"cite"><blockquote type=3D"cite"><br></block=
quote></blockquote><blockquote type=3D"cite"><blockquote type=3D"cite">* Cl=
ient developer hardcodes the address of the authorization server<br></block=
quote></blockquote><blockquote type=3D"cite"><blockquote type=3D"cite">and =
other information.<br></blockquote></blockquote><blockquote type=3D"cite"><=
blockquote type=3D"cite">* Developer may hardcode some information but the =
client may<br></blockquote></blockquote><blockquote type=3D"cite"><blockquo=
te type=3D"cite">dynamically interact with the authorization server to prov=
ide additional<br></blockquote></blockquote><blockquote type=3D"cite"><bloc=
kquote type=3D"cite">information (suggested by John)<br></blockquote></bloc=
kquote><blockquote type=3D"cite"><blockquote type=3D"cite">* Confirmation i=
nformation in the client software can be used to<br></blockquote></blockquo=
te><blockquote type=3D"cite"><blockquote type=3D"cite">determine which ser=
ver to talk to and which parameters to use<br></blockquote></blockquote><bl=
ockquote type=3D"cite"><blockquote type=3D"cite">* Client software decides =
at runtime who to contact and what<br></blockquote></blockquote><blockquote=
 type=3D"cite"><blockquote type=3D"cite">information to provide<br></blockq=
uote></blockquote><blockquote type=3D"cite"><blockquote type=3D"cite"><br><=
/blockquote></blockquote><blockquote type=3D"cite"><blockquote type=3D"cite=
">Hannes stopped the discussion because we ran out of time and started a<br=
></blockquote></blockquote><blockquote type=3D"cite"><blockquote type=3D"ci=
te">discussion about where we could go next.<br></blockquote></blockquote><=
blockquote type=3D"cite"><blockquote type=3D"cite"><br></blockquote></block=
quote><blockquote type=3D"cite"><blockquote type=3D"cite">Justin said that =
he has not seen anything that is not supported yet.<br></blockquote></block=
quote><blockquote type=3D"cite"><blockquote type=3D"cite">Tony, Phil, and P=
rateek say that we are trying to find the minimum<br></blockquote></blockqu=
ote><blockquote type=3D"cite"><blockquote type=3D"cite">supported informati=
on.<br></blockquote></blockquote><blockquote type=3D"cite"><blockquote type=
=3D"cite"><br></blockquote></blockquote><blockquote type=3D"cite"><blockquo=
te type=3D"cite">It seems that different folks have different use cases in =
mind. Can this<br></blockquote></blockquote><blockquote type=3D"cite"><bloc=
kquote type=3D"cite">situation be solved with extensions? Phil claims that =
the current<br></blockquote></blockquote><blockquote type=3D"cite"><blockqu=
ote type=3D"cite">specification is overly complex.<br></blockquote></blockq=
uote><blockquote type=3D"cite"><blockquote type=3D"cite"><br></blockquote><=
/blockquote><blockquote type=3D"cite"><blockquote type=3D"cite">It is clear=
 that we cannot have one single spec that covers all the use<br></blockquot=
e></blockquote><blockquote type=3D"cite"><blockquote type=3D"cite">cases.<b=
r></blockquote></blockquote><blockquote type=3D"cite"><blockquote type=3D"c=
ite">Are we arguing which use cases are covered in the base specification?<=
br></blockquote></blockquote><blockquote type=3D"cite"><blockquote type=3D"=
cite"><br></blockquote></blockquote><blockquote type=3D"cite"><blockquote t=
ype=3D"cite">Tony suggested that only client_id and redirect_uri should be =
the<br></blockquote></blockquote><blockquote type=3D"cite"><blockquote type=
=3D"cite">supported and everything else should be dropped.<br></blockquote>=
</blockquote><blockquote type=3D"cite"><blockquote type=3D"cite"><br></bloc=
kquote></blockquote><blockquote type=3D"cite"><blockquote type=3D"cite">Jus=
tin responded that the rest is optional anyway.<br></blockquote></blockquot=
e><blockquote type=3D"cite"><blockquote type=3D"cite"><br></blockquote></bl=
ockquote><blockquote type=3D"cite"><blockquote type=3D"cite">Discussion sta=
rted about what "optional" means. Does the authorization<br></blockquote></=
blockquote><blockquote type=3D"cite"><blockquote type=3D"cite">server have =
to implement even optional components?<br></blockquote></block=
quote><blockquote type=3D"cite"><blockquote type=3D"cite"><br></blockquote>=
</blockquote><blockquote type=3D"cite"><blockquote type=3D"cite">John says =
that we need a new feature for adding and removing a new<br></blockquote></=
blockquote><blockquote type=3D"cite"><blockquote type=3D"cite">endpoint. Th=
is is a common use case and we don't want to revoke all the<br></blockquote=
></blockquote><blockquote type=3D"cite"><blockquote type=3D"cite">permissio=
ns when we do so.<br></blockquote></blockquote><blockquote type=3D"cite"><b=
lockquote type=3D"cite"><br></blockquote></blockquote><blockquote type=3D"c=
ite"><blockquote type=3D"cite">Mike says that there is some additional mate=
rial needed beyond client_id<br></blockquote></blockquote><blockquote type=
=3D"cite"><blockquote type=3D"cite">and redirect_uri.<br></blockquote></blo=
ckquote><blockquote type=3D"cite"><blockquote type=3D"cite">John agrees.<br=
></blockquote></blockquote><blockquote type=3D"cite"><blockquote type=3D"ci=
te"><br></blockquote></blockquote><blockquote type=3D"cite"><blockquote typ=
e=3D"cite">Prateek says that we need to identify a minimal subset and have<=
br></blockquote></blockquote><blockquote type=3D"cite"><blockquote type=3D"=
cite">extensions defined.<br></blockquote></blockquote><blockquote type=3D"=
cite"><blockquote type=3D"cite"><br></blockquote></blockquote><blockquote t=
ype=3D"cite"><blockquote type=3D"cite">Hannes will talk to Derek about the =
next steps. Expect another<br></blockquote></blockquote><blockquote type=3D=
"cite"><blockquote type=3D"cite">conference call soon.<br></blockquote></bl=
ockquote><blockquote type=3D"cite"><blockquote type=3D"cite"><br></blockquo=
te></blockquote><blockquote type=3D"cite"><blockquote type=3D"cite">Phil wi=
ll update the software assertion document.<br></blockquote></blockquote><bl=
ockquote type=3D"cite"><blockquote type=3D"cite"><br></blockquote></blockqu=
ote><blockquote type=3D"cite"><blockquote type=3D"cite"><br></blockquote></=
blockquote><blockquote type=3D"cite"><blockquote type=3D"cite">____________=
___________________________________<br></blockquote></blockquote><blockquot=
e type=3D"cite"><blockquote type=3D"cite">OAuth mailing list<br></blockquot=
e></blockquote><blockquote type=3D"cite"><blockquote type=3D"cite"><a href=
=3D"mailto:OAuth@ietf.org">OAuth@ietf.org</a><br></blockquote></blockquote>=
<blockquote type=3D"cite"><blockquote type=3D"cite"><a href=3D"https://www.=
ietf.org/mailman/listinfo/oauth">https://www.ietf.org/mailman/listinfo/oaut=
h</a><br></blockquote></blockquote><blockquote type=3D"cite"><br></blockquo=
te><blockquote type=3D"cite">______________________________________________=
_<br></blockquote><blockquote type=3D"cite">OAuth mailing list<br></blockqu=
ote><blockquote type=3D"cite"><a href=3D"mailto:OAuth@ietf.org">OAuth@ietf.=
org</a><br></blockquote><blockquote type=3D"cite"><a href=3D"https://www.ie=
tf.org/mailman/listinfo/oauth">https://www.ietf.org/mailman/listinfo/oauth<=
/a><br></blockquote><br></div></blockquote></div><br></body></html>=

--_000_A59AAA2B6C1B433097FD150EC506B108adobecom_--
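
The minutes quoted in the message above record that the client_id has to be tied to the redirect_uri, and they distinguish open registration from protected registration (an initial access token presented as a bearer token). The sketch below is an added example, not code from the drafts or from any list participant; the class and method names, the in-memory store and the token and URI values are assumptions constructed for illustration.

```python
import hmac
import secrets
from urllib.parse import urlsplit


class RegistrationError(Exception):
    """A registration or authorization request was rejected."""


class AuthorizationServer:
    """In-memory sketch of an AS; every name here is hypothetical."""

    def __init__(self, initial_access_tokens=(), allow_open=False):
        # Initial access tokens are handed to developers out-of-band.
        self._initial_tokens = [t.encode() for t in initial_access_tokens]
        self._allow_open = allow_open
        self._clients = {}  # client_id -> registration record

    def register(self, redirect_uris, bearer_token=None):
        """Registration endpoint: returns a client_id issued by this AS."""
        if bearer_token is not None:
            presented = bearer_token.encode()
            # Compare in constant time against every known token.
            matches = [hmac.compare_digest(presented, t)
                       for t in self._initial_tokens]
            if not any(matches):
                raise RegistrationError("invalid initial access token")
            mode = "protected"
        elif self._allow_open:
            mode = "open"  # no prior trust; the user has to judge the client
        else:
            raise RegistrationError("open registration is disabled")

        uris = frozenset(self._check_redirect_uri(u) for u in redirect_uris)
        if not uris:
            raise RegistrationError("at least one redirect_uri is required")

        client_id = secrets.token_urlsafe(16)
        self._clients[client_id] = {"redirect_uris": uris, "mode": mode}
        return client_id

    @staticmethod
    def _check_redirect_uri(uri):
        # RFC 6749 section 3.1.2: absolute URI, no fragment component.
        if not urlsplit(uri).scheme or "#" in uri:
            raise RegistrationError("redirect_uri must be absolute, no fragment")
        return uri

    def registration_mode(self, client_id):
        """Tell whether a client came in through open or protected registration."""
        return self._clients[client_id]["mode"]

    def check_authorization_request(self, client_id, redirect_uri):
        """Authorization endpoint check that binds client_id to redirect_uri."""
        client = self._clients.get(client_id)
        if client is None:
            raise RegistrationError("unknown client_id")
        # Exact string comparison: no prefix, wildcard or host-only matching.
        if redirect_uri not in client["redirect_uris"]:
            raise RegistrationError("redirect_uri not registered for client_id")
        return redirect_uri


def demo():
    """Run a constructed scenario and return the outcome of each request."""
    server = AuthorizationServer(
        initial_access_tokens=["constructed-developer-token"])
    cid = server.register(["https://client.example/cb"],
                          bearer_token="constructed-developer-token")
    outcomes = {}
    for label, uri in [("registered", "https://client.example/cb"),
                       ("other_host", "https://other.example/cb"),
                       ("path_suffix", "https://client.example/cb/extra")]:
        try:
            server.check_authorization_request(cid, uri)
            outcomes[label] = "accepted"
        except RegistrationError as exc:
            outcomes[label] = f"rejected: {exc}"
    return outcomes


if __name__ == "__main__":
    for label, outcome in demo().items():
        print(f"{label}: {outcome}")
```
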

From jricher@mitre.org  Tue Aug 27 07:06:44 2013
Return-Path: <jricher@mitre.org>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B114D21E80D8 for <oauth@ietfa.amsl.com>; Tue, 27 Aug 2013 07:06:44 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.511
X-Spam-Level: 
X-Spam-Status: No, score=-6.511 tagged_above=-999 required=5 tests=[AWL=0.088,  BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id U8vxDpknP4RV for <oauth@ietfa.amsl.com>; Tue, 27 Aug 2013 07:06:31 -0700 (PDT)
Received: from smtpksrv1.mitre.org (smtpksrv1.mitre.org [198.49.146.77]) by ietfa.amsl.com (Postfix) with ESMTP id 0807F21E80C2 for <oauth@ietf.org>; Tue, 27 Aug 2013 07:06:16 -0700 (PDT)
Received: from smtpksrv1.mitre.org (localhost.localdomain [127.0.0.1]) by localhost (Postfix) with SMTP id 48D741F08E8 for <oauth@ietf.org>; Tue, 27 Aug 2013 10:06:15 -0400 (EDT)
Received: from IMCCAS02.MITRE.ORG (imccas02.mitre.org [129.83.29.79]) by smtpksrv1.mitre.org (Postfix) with ESMTP id 3D9581F08D0 for <oauth@ietf.org>; Tue, 27 Aug 2013 10:06:15 -0400 (EDT)
Received: from IMCMBX01.MITRE.ORG ([169.254.1.104]) by IMCCAS02.MITRE.ORG ([129.83.29.69]) with mapi id 14.02.0342.003; Tue, 27 Aug 2013 10:06:15 -0400
From: "Richer, Justin P." <jricher@mitre.org>
To: oauth mailing list <oauth@ietf.org>
Thread-Topic: Refactoring Dynamic Registration
Thread-Index: AQHOoy6Xe84MPWeQ0USE/EN9KkVWYQ==
Date: Tue, 27 Aug 2013 14:06:14 +0000
Message-ID: <D4C71EFB-AE88-4E42-AED2-D9202247A3DB@mitre.org>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
x-originating-ip: [10.146.15.49]
Content-Type: text/plain; charset="us-ascii"
Content-ID: <B248C105EF7A164D94DAEA6EC0043863@imc.mitre.org>
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Subject: [OAUTH-WG] Refactoring Dynamic Registration
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 27 Aug 2013 14:06:44 -0000

After last week's design team call, at Derek's suggestion, I took time
today to refactor the Dynamic Registration draft into two pieces: "core"
and "management". The former contains the definition of the Registration
Endpoint and the semantics surrounding that, the latter contains the
Client Configuration Endpoint as well as the "non-essential" client
metadata parameters.

I did this refactoring with an axe, so there are almost certainly bits
and pieces that are in the wrong document. In particular, I've kept the
use cases in the "core" document even though they reference concepts and
constructs defined in the "management" spec. This way people that don't
want to deal with a configuration management API can implement just the
"core" registration spec and call it a day, while people who want to have
full lifecycle control can do the "management" spec on top of it. This
does increase the optionality by making the client configuration endpoint
parameters optional, but that's the tradeoff for having things cut this
way.

You can read both the specs here:

http://tools.ietf.org/html/draft-richer-oauth-dyn-reg-core-00

http://tools.ietf.org/html/draft-richer-oauth-dyn-reg-management-00

I've uploaded these as individual submissions for now. If the working
group decides to move forward with this refactoring, I expect both
documents to move in tandem through the RFC approval process.

 -- Justin

From phil.hunt@oracle.com  Tue Aug 27 09:52:32 2013
Return-Path: <phil.hunt@oracle.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id AC36C11E8261 for <oauth@ietfa.amsl.com>; Tue, 27 Aug 2013 09:52:32 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.879
X-Spam-Level: 
X-Spam-Status: No, score=-5.879 tagged_above=-999 required=5 tests=[AWL=0.719,  BAYES_00=-2.599, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 2-1ICtyLZ726 for <oauth@ietfa.amsl.com>; Tue, 27 Aug 2013 09:52:27 -0700 (PDT)
Received: from userp1040.oracle.com (userp1040.oracle.com [156.151.31.81]) by ietfa.amsl.com (Postfix) with ESMTP id 6A14D11E8243 for <oauth@ietf.org>; Tue, 27 Aug 2013 09:52:27 -0700 (PDT)
Received: from ucsinet21.oracle.com (ucsinet21.oracle.com [156.151.31.93]) by userp1040.oracle.com (Sentrion-MTA-4.3.1/Sentrion-MTA-4.3.1) with ESMTP id r7RGqQOu004634 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK) for <oauth@ietf.org>; Tue, 27 Aug 2013 16:52:26 GMT
Received: from aserz7021.oracle.com (aserz7021.oracle.com [141.146.126.230]) by ucsinet21.oracle.com (8.14.4+Sun/8.14.4) with ESMTP id r7RGqPum005632 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO) for <oauth@ietf.org>; Tue, 27 Aug 2013 16:52:26 GMT
Received: from abhmt102.oracle.com (abhmt102.oracle.com [141.146.116.54]) by aserz7021.oracle.com (8.14.4+Sun/8.14.4) with ESMTP id r7RGqPSd017106 for <oauth@ietf.org>; Tue, 27 Aug 2013 16:52:25 GMT
Received: from [192.168.1.89] (/24.86.29.34) by default (Oracle Beehive Gateway v4.0) with ESMTP ; Tue, 27 Aug 2013 09:52:25 -0700
From: Phil Hunt <phil.hunt@oracle.com>
Content-Type: multipart/alternative; boundary="Apple-Mail=_BCDCAE75-1265-4CC4-AB73-4A0F576BA0F6"
Date: Tue, 27 Aug 2013 09:52:24 -0700
References: <20130827155645.1310.29989.idtracker@ietfa.amsl.com>
To: "oauth@ietf.org WG" <oauth@ietf.org>
Message-Id: <805A22A4-E086-435E-BBA2-E0A04241A334@oracle.com>
Mime-Version: 1.0 (Mac OS X Mail 6.5 \(1508\))
X-Mailer: Apple Mail (2.1508)
X-Source-IP: ucsinet21.oracle.com [156.151.31.93]
Subject: [OAUTH-WG] Fwd: New Version Notification for draft-hunt-oauth-v2-user-a4c-01.txt
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 27 Aug 2013 16:52:32 -0000

--Apple-Mail=_BCDCAE75-1265-4CC4-AB73-4A0F576BA0F6
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain;
	charset=us-ascii

FYI.  Based on feedback from Berlin, Tony and I have revised the draft to include:

* Alignment with OpenID Connect (using id_token)
* Always returns a JWT
* Minimum assertion level on request
* Return information about the type of authentication performed

Thanks for your input.

Phil

@independentid
www.independentid.com
phil.hunt@oracle.com


Begin forwarded message:

> From: internet-drafts@ietf.org
> Subject: New Version Notification for draft-hunt-oauth-v2-user-a4c-01.txt
> Date: 27 August, 2013 8:56:45 AM PDT
> To: Phil Hunt <phil.hunt@yahoo.com>, Anthony Nadalin <tonynad@microsoft.com>, Tony Nadalin <tonynad@microsoft.com>
>
> A new version of I-D, draft-hunt-oauth-v2-user-a4c-01.txt
> has been successfully submitted by Phil Hunt and posted to the
> IETF repository.
>
> Filename:        draft-hunt-oauth-v2-user-a4c
> Revision:        01
> Title:           OAuth 2.0 User Authentication and Consent For Clients
> Creation date:   2013-08-27
> Group:           Individual Submission
> Number of pages: 10
> URL:             http://www.ietf.org/internet-drafts/draft-hunt-oauth-v2-user-a4c-01.txt
> Status:          http://datatracker.ietf.org/doc/draft-hunt-oauth-v2-user-a4c
> Htmlized:        http://tools.ietf.org/html/draft-hunt-oauth-v2-user-a4c-01
> Diff:            http://www.ietf.org/rfcdiff?url2=draft-hunt-oauth-v2-user-a4c-01
>
> Abstract:
>   This specification defines a new OAuth2 endpoint that enables user
>   authentication session and consent information to be shared with
>   client applications.
>
> Please note that it may take a couple of minutes from the time of submission
> until the htmlized version and diff are available at tools.ietf.org.
>
> The IETF Secretariat



--Apple-Mail=_BCDCAE75-1265-4CC4-AB73-4A0F576BA0F6--

From tonynad@microsoft.com  Tue Aug 27 10:20:33 2013
Return-Path: <tonynad@microsoft.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5AABC21E8085 for <oauth@ietfa.amsl.com>; Tue, 27 Aug 2013 10:20:33 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.445
X-Spam-Level: 
X-Spam-Status: No, score=-3.445 tagged_above=-999 required=5 tests=[AWL=0.154,  BAYES_00=-2.599, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id B4Nv5v6DRN-x for <oauth@ietfa.amsl.com>; Tue, 27 Aug 2013 10:20:28 -0700 (PDT)
Received: from na01-bn1-obe.outbound.protection.outlook.com (mail-bn1lp0151.outbound.protection.outlook.com [207.46.163.151]) by ietfa.amsl.com (Postfix) with ESMTP id 76EEE21E809A for <oauth@ietf.org>; Tue, 27 Aug 2013 10:20:28 -0700 (PDT)
Received: from BY2PR03MB189.namprd03.prod.outlook.com (10.242.36.140) by BY2PR03MB189.namprd03.prod.outlook.com (10.242.36.140) with Microsoft SMTP Server (TLS) id 15.0.745.25; Tue, 27 Aug 2013 17:20:25 +0000
Received: from BY2PR03MB189.namprd03.prod.outlook.com ([169.254.6.221]) by BY2PR03MB189.namprd03.prod.outlook.com ([169.254.6.221]) with mapi id 15.00.0745.000; Tue, 27 Aug 2013 17:20:25 +0000
From: Anthony Nadalin <tonynad@microsoft.com>
To: "Richer, Justin P." <jricher@mitre.org>, oauth mailing list <oauth@ietf.org>
Thread-Topic: Refactoring Dynamic Registration
Thread-Index: AQHOoy6Xe84MPWeQ0USE/EN9KkVWYZmpSJuA
Date: Tue, 27 Aug 2013 17:20:25 +0000
Message-ID: <052002acf28f44d185131db50ab9fbb1@BY2PR03MB189.namprd03.prod.outlook.com>
References: <D4C71EFB-AE88-4E42-AED2-D9202247A3DB@mitre.org>
In-Reply-To: <D4C71EFB-AE88-4E42-AED2-D9202247A3DB@mitre.org>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
x-originating-ip: [2001:4898:80e0:ed43::3]
x-forefront-prvs: 0951AB0A30
x-forefront-antispam-report: SFV:NSPM; SFS:(13464003)(189002)(199002)(52604005)(377454003)(80976001)(65816001)(31966008)(47446002)(74662001)(74502001)(74706001)(80022001)(83072001)(56776001)(54316002)(59766001)(79102001)(76482001)(54356001)(15202345003)(53806001)(77982001)(81816001)(74366001)(69226001)(77096001)(83322001)(19580405001)(63696002)(51856001)(76796001)(74316001)(81542001)(49866001)(81342001)(47736001)(47976001)(50986001)(56816003)(4396001)(76786001)(76576001)(81686001)(74876001)(19580395003)(15975445006)(46102001)(33646001)(42262001)(24736002)(3826001); DIR:OUT; SFP:; SCL:1; SRVR:BY2PR03MB189; H:BY2PR03MB189.namprd03.prod.outlook.com; CLIP:2001:4898:80e0:ed43::3; RD:InfoNoRecords; MX:1; A:1; LANG:en; 
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-OriginatorOrg: DuplicateDomain-a84fc36a-4ed7-4e57-ab1c-3e967bcbad48.microsoft.com
Subject: Re: [OAUTH-WG] Refactoring Dynamic Registration
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 27 Aug 2013 17:20:33 -0000

Thanks for splitting this and making it simple.

It's unclear if the server must send the metadata back in same form/order/
as sent, that is, does client expect to get back only what was sent with
what server values will be or can client deal with defaults that the server
sets

-----Original Message-----
From: oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] On Behalf Of Richer, Justin P.
Sent: Tuesday, August 27, 2013 7:06 AM
To: oauth mailing list
Subject: [OAUTH-WG] Refactoring Dynamic Registration

After last week's design team call, at Derek's suggestion, I took time
today to refactor the Dynamic Registration draft into two pieces: "core"
and "management". The former contains the definition of the Registration
Endpoint and the semantics surrounding that, the latter contains the
Client Configuration Endpoint as well as the "non-essential" client
metadata parameters.

I did this refactoring with an axe, so there are almost certainly bits and
pieces that are in the wrong document. In particular, I've kept the use
cases in the "core" document even though they reference concepts and
constructs defined in the "management" spec. This way people that don't
want to deal with a configuration management API can implement just the
"core" registration spec and call it a day, while people who want to have
full lifecycle control can do the "management" spec on top of it. This
does increase the optionality by making the client configuration endpoint
parameters optional, but that's the tradeoff for having things cut this
way.

You can read both the specs here:

http://tools.ietf.org/html/draft-richer-oauth-dyn-reg-core-00

http://tools.ietf.org/html/draft-richer-oauth-dyn-reg-management-00

I've uploaded these as individual submissions for now. If the working
group decides to move forward with this refactoring, I expect both
documents to move in tandem through the RFC approval process.

 -- Justin
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth

From jricher@mitre.org  Tue Aug 27 11:12:07 2013
Return-Path: <jricher@mitre.org>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4431021E80A8 for <oauth@ietfa.amsl.com>; Tue, 27 Aug 2013 11:12:07 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.515
X-Spam-Level: 
X-Spam-Status: No, score=-6.515 tagged_above=-999 required=5 tests=[AWL=0.084,  BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id JHKXHUgKH+fz for <oauth@ietfa.amsl.com>; Tue, 27 Aug 2013 11:12:02 -0700 (PDT)
Received: from smtpksrv1.mitre.org (smtpksrv1.mitre.org [198.49.146.77]) by ietfa.amsl.com (Postfix) with ESMTP id 1880121E8084 for <oauth@ietf.org>; Tue, 27 Aug 2013 11:11:59 -0700 (PDT)
Received: from smtpksrv1.mitre.org (localhost.localdomain [127.0.0.1]) by localhost (Postfix) with SMTP id 3B14A1F0A85; Tue, 27 Aug 2013 14:11:59 -0400 (EDT)
Received: from IMCCAS04.MITRE.ORG (imccas04.mitre.org [129.83.29.81]) by smtpksrv1.mitre.org (Postfix) with ESMTP id 1D2E11F0A6C; Tue, 27 Aug 2013 14:11:59 -0400 (EDT)
Received: from [10.146.15.13] (129.83.31.56) by IMCCAS04.MITRE.ORG (129.83.29.81) with Microsoft SMTP Server (TLS) id 14.2.342.3; Tue, 27 Aug 2013 14:11:58 -0400
Message-ID: <521CEBE5.8010006@mitre.org>
Date: Tue, 27 Aug 2013 14:11:49 -0400
From: Justin Richer <jricher@mitre.org>
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:17.0) Gecko/20130623 Thunderbird/17.0.7
MIME-Version: 1.0
To: Anthony Nadalin <tonynad@microsoft.com>
References: <D4C71EFB-AE88-4E42-AED2-D9202247A3DB@mitre.org> <052002acf28f44d185131db50ab9fbb1@BY2PR03MB189.namprd03.prod.outlook.com>
In-Reply-To: <052002acf28f44d185131db50ab9fbb1@BY2PR03MB189.namprd03.prod.outlook.com>
Content-Type: text/plain; charset="ISO-8859-1"; format=flowed
Content-Transfer-Encoding: 7bit
X-Originating-IP: [129.83.31.56]
Cc: oauth mailing list <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Refactoring Dynamic Registration
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 27 Aug 2013 18:12:07 -0000

A JSON object is not order dependent by definition, so order of elements 
doesn't matter.

In the section on client metadata and the client information response, 
it's stated that the server can:

1) Override a client's requested values and replace with its own
2) Insert a new field/value that the client didn't supply (effectively a 
server default)
3) Restrict the value of a given field

Therefore, clients MUST deal with whatever kinds of extra JSON a server 
might respond (so long as it's a valid JSON object). Thankfully, since 
this is JSON and not a schema-based XML format, this is trivial to 
implement for the client.

If you have suggestions about how to word this better, please submit text.

  -- Justin

On 08/27/2013 01:20 PM, Anthony Nadalin wrote:
> Thanks for splitting this and making it simple.
>
> It's unclear if the server must send the metadata back in same form/order/ as sent, that is, does client expect to get back only what was sent with what server values will be or can client deal with defaults that the server sets
>
> -----Original Message-----
> From: oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] On Behalf Of Richer, Justin P.
> Sent: Tuesday, August 27, 2013 7:06 AM
> To: oauth mailing list
> Subject: [OAUTH-WG] Refactoring Dynamic Registration
>
> After last week's design team call, at Derek's suggestion, I took time today to refactor the Dynamic Registration draft into two pieces: "core" and "management". The former contains the definition of the Registration Endpoint and the semantics surrounding that, the latter contains the Client Configuration Endpoint as well as the "non-essential" client metadata parameters.
>
> I did this refactoring with an axe, so there are almost certainly bits and pieces that are in the wrong document. In particular, I've kept the use cases in the "core" document even though they reference concepts and constructs defined in the "management" spec. This way people that don't want to deal with a configuration management API can implement just the "core" registration spec and call it a day, while people who want to have full lifecycle control can do the "management" spec on top of it. This does increase the optionality by making the client configuration endpoint parameters optional, but that's the tradeoff for having things cut this way.
>
> You can read both the specs here:
>
> http://tools.ietf.org/html/draft-richer-oauth-dyn-reg-core-00
>
> http://tools.ietf.org/html/draft-richer-oauth-dyn-reg-management-00
>
> I've uploaded these as individual submissions for now. If the working group decides to move forward with this refactoring, I expect both documents to move in tandem through the RFC approval process.
>
>   -- Justin
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth


From tonynad@microsoft.com  Tue Aug 27 11:22:44 2013
Return-Path: <tonynad@microsoft.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 39C1521F9E37 for <oauth@ietfa.amsl.com>; Tue, 27 Aug 2013 11:22:44 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.463
X-Spam-Level: 
X-Spam-Status: No, score=-3.463 tagged_above=-999 required=5 tests=[AWL=0.136,  BAYES_00=-2.599, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ExzUwke7dnfB for <oauth@ietfa.amsl.com>; Tue, 27 Aug 2013 11:22:34 -0700 (PDT)
Received: from na01-by2-obe.outbound.protection.outlook.com (mail-by2lp0241.outbound.protection.outlook.com [207.46.163.241]) by ietfa.amsl.com (Postfix) with ESMTP id 61B8A21F9E1D for <oauth@ietf.org>; Tue, 27 Aug 2013 11:22:34 -0700 (PDT)
Received: from BY2PR03MB189.namprd03.prod.outlook.com (10.242.36.140) by BY2PR03MB192.namprd03.prod.outlook.com (10.242.36.144) with Microsoft SMTP Server (TLS) id 15.0.745.25; Tue, 27 Aug 2013 18:22:32 +0000
Received: from BY2PR03MB189.namprd03.prod.outlook.com ([169.254.6.221]) by BY2PR03MB189.namprd03.prod.outlook.com ([169.254.6.221]) with mapi id 15.00.0745.000; Tue, 27 Aug 2013 18:22:31 +0000
From: Anthony Nadalin <tonynad@microsoft.com>
To: Justin Richer <jricher@mitre.org>
Thread-Topic: Refactoring Dynamic Registration
Thread-Index: AQHOoy6Xe84MPWeQ0USE/EN9KkVWYZmpSJuAgAAS04CAAAI8kA==
Date: Tue, 27 Aug 2013 18:22:31 +0000
Message-ID: <8a5b8df1c31d4a58bc341fe1587664ec@BY2PR03MB189.namprd03.prod.outlook.com>
References: <D4C71EFB-AE88-4E42-AED2-D9202247A3DB@mitre.org> <052002acf28f44d185131db50ab9fbb1@BY2PR03MB189.namprd03.prod.outlook.com> <521CEBE5.8010006@mitre.org>
In-Reply-To: <521CEBE5.8010006@mitre.org>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
x-originating-ip: [2001:4898:80e0:ed43::3]
x-forefront-prvs: 0951AB0A30
x-forefront-antispam-report: SFV:NSPM; SFS:(189002)(199002)(24454002)(13464003)(51704005)(52604005)(377454003)(479174003)(79102001)(54316002)(56776001)(59766001)(77982001)(49866001)(47736001)(47976001)(50986001)(4396001)(63696002)(51856001)(31966008)(81816001)(74502001)(47446002)(74662001)(81686001)(80976001)(53806001)(76482001)(46102001)(54356001)(15975445006)(33646001)(19580405001)(83322001)(19580395003)(56816003)(15202345003)(77096001)(76576001)(76786001)(76796001)(74876001)(65816001)(80022001)(74316001)(74366001)(83072001)(74706001)(81342001)(81542001)(69226001)(42262001)(24736002)(3826001); DIR:OUT; SFP:; SCL:1; SRVR:BY2PR03MB192; H:BY2PR03MB189.namprd03.prod.outlook.com; CLIP:2001:4898:80e0:ed43::3; RD:InfoNoRecords; MX:1; A:1; LANG:en; 
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-OriginatorOrg: DuplicateDomain-a84fc36a-4ed7-4e57-ab1c-3e967bcbad48.microsoft.com
Cc: oauth mailing list <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Refactoring Dynamic Registration
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 27 Aug 2013 18:22:44 -0000

Understand all that but does not say what the response will be on an
additional parameter that the server does not understand, does the
parameter come back with a null, or is the parameter omitted on response?

-----Original Message-----
From: Justin Richer [mailto:jricher@mitre.org]
Sent: Tuesday, August 27, 2013 11:12 AM
To: Anthony Nadalin
Cc: oauth mailing list
Subject: Re: Refactoring Dynamic Registration

A JSON object is not order dependent by definition, so order of elements
doesn't matter.

In the section on client metadata and the client information response,
it's stated that the server can:

1) Override a client's requested values and replace with its own
2) Insert a new field/value that the client didn't supply (effectively a
server default)
3) Restrict the value of a given field

Therefore, clients MUST deal with whatever kinds of extra JSON a server
might respond (so long as it's a valid JSON object). Thankfully, since
this is JSON and not a schema-based XML format, this is trivial to
implement for the client.

If you have suggestions about how to word this better, please submit text.

  -- Justin

On 08/27/2013 01:20 PM, Anthony Nadalin wrote:
> Thanks for splitting this and making it simple.
>
> It's unclear if the server must send the metadata back in same
> form/order/ as sent, that is, does client expect to get back only what
> was sent with what server values will be or can client deal with
> defaults that the server sets
>
> -----Original Message-----
> From: oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] On Behalf Of Richer, Justin P.
> Sent: Tuesday, August 27, 2013 7:06 AM
> To: oauth mailing list
> Subject: [OAUTH-WG] Refactoring Dynamic Registration
>
> After last week's design team call, at Derek's suggestion, I took time
> today to refactor the Dynamic Registration draft into two pieces: "core"
> and "management". The former contains the definition of the Registration
> Endpoint and the semantics surrounding that, the latter contains the
> Client Configuration Endpoint as well as the "non-essential" client
> metadata parameters.
>
> I did this refactoring with an axe, so there are almost certainly bits
> and pieces that are in the wrong document. In particular, I've kept the
> use cases in the "core" document even though they reference concepts and
> constructs defined in the "management" spec. This way people that don't
> want to deal with a configuration management API can implement just the
> "core" registration spec and call it a day, while people who want to have
> full lifecycle control can do the "management" spec on top of it. This
> does increase the optionality by making the client configuration endpoint
> parameters optional, but that's the tradeoff for having things cut this
> way.
>
> You can read both the specs here:
>
> http://tools.ietf.org/html/draft-richer-oauth-dyn-reg-core-00
>
> http://tools.ietf.org/html/draft-richer-oauth-dyn-reg-management-00
>
> I've uploaded these as individual submissions for now. If the working
> group decides to move forward with this refactoring, I expect both
> documents to move in tandem through the RFC approval process.
>
>   -- Justin
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth


From jricher@mitre.org  Tue Aug 27 11:34:05 2013
Return-Path: <jricher@mitre.org>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3D17921F9DB0 for <oauth@ietfa.amsl.com>; Tue, 27 Aug 2013 11:34:05 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.518
X-Spam-Level: 
X-Spam-Status: No, score=-6.518 tagged_above=-999 required=5 tests=[AWL=0.081,  BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id HZXT9C4c2fPX for <oauth@ietfa.amsl.com>; Tue, 27 Aug 2013 11:34:00 -0700 (PDT)
Received: from smtpksrv1.mitre.org (smtpksrv1.mitre.org [198.49.146.77]) by ietfa.amsl.com (Postfix) with ESMTP id 0448721F9B7F for <oauth@ietf.org>; Tue, 27 Aug 2013 11:33:59 -0700 (PDT)
Received: from smtpksrv1.mitre.org (localhost.localdomain [127.0.0.1]) by localhost (Postfix) with SMTP id 6465F1F0AB2; Tue, 27 Aug 2013 14:33:59 -0400 (EDT)
Received: from IMCCAS02.MITRE.ORG (imccas02.mitre.org [129.83.29.79]) by smtpksrv1.mitre.org (Postfix) with ESMTP id 3C95A1F0AA8; Tue, 27 Aug 2013 14:33:59 -0400 (EDT)
Received: from [10.146.15.13] (129.83.31.56) by IMCCAS02.MITRE.ORG (129.83.29.79) with Microsoft SMTP Server (TLS) id 14.2.342.3; Tue, 27 Aug 2013 14:33:58 -0400
Message-ID: <521CF10E.1090801@mitre.org>
Date: Tue, 27 Aug 2013 14:33:50 -0400
From: Justin Richer <jricher@mitre.org>
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:17.0) Gecko/20130623 Thunderbird/17.0.7
MIME-Version: 1.0
To: Anthony Nadalin <tonynad@microsoft.com>
References: <D4C71EFB-AE88-4E42-AED2-D9202247A3DB@mitre.org> <052002acf28f44d185131db50ab9fbb1@BY2PR03MB189.namprd03.prod.outlook.com> <521CEBE5.8010006@mitre.org> <8a5b8df1c31d4a58bc341fe1587664ec@BY2PR03MB189.namprd03.prod.outlook.com>
In-Reply-To: <8a5b8df1c31d4a58bc341fe1587664ec@BY2PR03MB189.namprd03.prod.outlook.com>
Content-Type: text/plain; charset="ISO-8859-1"; format=flowed
Content-Transfer-Encoding: 7bit
X-Originating-IP: [129.83.31.56]
Cc: oauth mailing list <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Refactoring Dynamic Registration
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 27 Aug 2013 18:34:05 -0000

If the server does not understand a parameter (and by this, remember, we 
mean a field in the JSON object, not a query parameter), it can accept 
it, ignore it, replace it with a default value, or return an error.

Think of it in terms of the data model: The client has some model of 
what information it knows about, and the server's got some internal 
model of what a "registered client" is, and the client information 
response reflects the *server's* model of a client. Ultimately, the 
client is making a registration request, the server is returning the 
reality of what was actually registered. The client MUST defer to the 
server's values in these cases. If the server returns a value that the 
client doesn't know about (and doesn't know what to do with), the client 
will ignore that.

If the server's ignoring the parameter completely (which I think will be 
the common implementation), the server will just leave it out of the 
returned object entirely. That's what our server does if you send it 
some parameter that it doesn't know or care about -- it will safely 
ignore the field when it saves the object and echoes the configuration 
back. I'll here note that we didn't do anything special to make that 
happen, that's pretty much out of the box JSON library behavior in my 
experience.

The server could return a null value, or replace it with some default 
value that the server likes better. If the server's data model is 
somehow normalized and wants to take and remember *whatever* the client 
sends, it can echo back what the client sent. I don't think that's going 
to be very common in practice though, and clients need to be prepared to 
take back whatever the server dictates. Since the server is the final 
authority of what's attached to a given client ID, this is the 
appropriate model.

  -- Justin

On 08/27/2013 02:22 PM, Anthony Nadalin wrote:
> Understand all that  but does not say what the response will be on an additional parameter that the server does not understand,  does the parameter come back with a null, or is the parameter omitted on response ?
>
> -----Original Message-----
> From: Justin Richer [mailto:jricher@mitre.org]
> Sent: Tuesday, August 27, 2013 11:12 AM
> To: Anthony Nadalin
> Cc: oauth mailing list
> Subject: Re: Refactoring Dynamic Registration
>
> A JSON object is not order dependent by definition, so order of elements doesn't matter.
>
> In the section on client metadata and the client information response, it's stated that the server can:
>
> 1) Override a client's requested values and replace with its own
> 2) Insert a new field/value that the client didn't supply (effectively a server default)
> 3) Restrict the value of a given field
>
> Therefore, clients MUST deal with whatever kinds of extra JSON a server might respond (so long as it's a valid JSON object). Thankfully, since this is JSON and not a schema-based XML format, this is trivial to implement for the client.
>
> If you have suggestions about how to word this better, please submit text.
>
>    -- Justin
>
> On 08/27/2013 01:20 PM, Anthony Nadalin wrote:
>> Thanks for splitting this and making it simple.
>>
>> It's unclear if the server must send the metadata back in same
>> form/order/ as sent, that is, does client expect to get back only what
>> was sent with what server values will be or can client deal with
>> defaults that the server sets
>>
>> -----Original Message-----
>> From: oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] On Behalf Of Richer, Justin P.
>> Sent: Tuesday, August 27, 2013 7:06 AM
>> To: oauth mailing list
>> Subject: [OAUTH-WG] Refactoring Dynamic Registration
>>
>> After last week's design team call, at Derek's suggestion, I took time today to refactor the Dynamic Registration draft into two pieces: "core" and "management". The former contains the definition of the Registration Endpoint and the semantics surrounding that, the latter contains the Client Configuration Endpoint as well as the "non-essential" client metadata parameters.
>>
>> I did this refactoring with an axe, so there are almost certainly bits and pieces that are in the wrong document. In particular, I've kept the use cases in the "core" document even though they reference concepts and constructs defined in the "management" spec. This way people that don't want to deal with a configuration management API can implement just the "core" registration spec and call it a day, while people who want to have full lifecycle control can do the "management" spec on top of it. This does increase the optionality by making the client configuration endpoint parameters optional, but that's the tradeoff for having things cut this way.
>>
>> You can read both the specs here:
>>
>> http://tools.ietf.org/html/draft-richer-oauth-dyn-reg-core-00
>>
>> http://tools.ietf.org/html/draft-richer-oauth-dyn-reg-management-00
>>
>> I've uploaded these as individual submissions for now. If the working group decides to move forward with this refactoring, I expect both documents to move in tandem through the RFC approval process.
>>
>>    -- Justin
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth
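
The client-side handling described in the message above (defer to the server's values, ignore fields the client does not know, expect unknown fields to be omitted, nulled or echoed), as an added example that is not part of the thread or of any participant's implementation. The set of fields the client models, the treatment of null as "not registered", and all sample values are assumptions constructed for illustration; only the successful client information response is covered.

```python
import json
from dataclasses import dataclass, field

# Fields this hypothetical client models. The names follow the dynamic
# registration drafts; which ones a client cares about is an assumption.
KNOWN_FIELDS = {
    "client_id", "client_secret", "client_name", "redirect_uris",
    "grant_types", "token_endpoint_auth_method", "scope",
}


@dataclass
class Reconciliation:
    effective: dict = field(default_factory=dict)   # server's view; what the client must use
    accepted: list = field(default_factory=list)    # returned exactly as requested
    overridden: list = field(default_factory=list)  # server replaced or restricted the value
    defaulted: list = field(default_factory=list)   # server inserted; client never sent it
    dropped: list = field(default_factory=list)     # sent, but omitted from the response
    nulled: list = field(default_factory=list)      # sent, but returned as null
    ignored: list = field(default_factory=list)     # returned, but unknown to this client


def _same(a, b):
    # Member order inside JSON objects is irrelevant, so compare canonical
    # encodings. Array order is preserved and therefore significant.
    return json.dumps(a, sort_keys=True) == json.dumps(b, sort_keys=True)


def reconcile(request_body: str, response_body: str) -> Reconciliation:
    """Classify every field of a client information response against the
    registration request, and build the configuration the client must use."""
    requested = json.loads(request_body)
    registered = json.loads(response_body)
    if not isinstance(requested, dict) or not isinstance(registered, dict):
        raise ValueError("request and response must both be JSON objects")

    result = Reconciliation()
    for name in sorted(registered):
        value = registered[name]
        if name not in KNOWN_FIELDS:
            # A value the client does not know what to do with is ignored.
            result.ignored.append(name)
            continue
        if value is None:
            # Assumption of this example: null means "nothing registered".
            if name in requested:
                result.nulled.append(name)
            continue
        result.effective[name] = value  # the server is the final authority
        if name not in requested:
            result.defaulted.append(name)
        elif _same(requested[name], value):
            result.accepted.append(name)
        else:
            result.overridden.append(name)

    # Anything the client sent that is absent from the response was not
    # registered, whatever the server's reason for leaving it out.
    result.dropped = sorted(n for n in requested if n not in registered)
    return result


# Constructed sample request: includes one field no server is expected to know.
SAMPLE_REQUEST = json.dumps({
    "client_name": "Example App",
    "redirect_uris": ["https://client.example.org/cb",
                      "https://client.example.org/cb2"],
    "token_endpoint_auth_method": "client_secret_basic",
    "scope": "read write",
    "x_vendor_hint": "blue",
})

# Constructed sample response: different member order, one restricted value,
# server defaults, a null, an omitted field and a server-specific extra.
SAMPLE_RESPONSE = json.dumps({
    "token_endpoint_auth_method": "client_secret_basic",
    "client_id": "constructed-client-id",
    "client_secret": "constructed-client-secret",
    "redirect_uris": ["https://client.example.org/cb"],
    "grant_types": ["authorization_code"],
    "scope": None,
    "client_name": "Example App",
    "server_policy_tier": 2,
})

if __name__ == "__main__":
    outcome = reconcile(SAMPLE_REQUEST, SAMPLE_RESPONSE)
    for bucket in ("accepted", "overridden", "defaulted",
                   "dropped", "nulled", "ignored"):
        print(f"{bucket:>10}: {getattr(outcome, bucket)}")
```

A client that logs the `overridden`, `dropped` and `nulled` buckets at registration time can tell immediately when a server has narrowed its redirect URIs or discarded a setting, instead of discovering it later as a failed authorization request.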


From tonynad@microsoft.com  Tue Aug 27 11:38:23 2013
Return-Path: <tonynad@microsoft.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4980921E8084 for <oauth@ietfa.amsl.com>; Tue, 27 Aug 2013 11:38:23 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.471
X-Spam-Level: 
X-Spam-Status: No, score=-3.471 tagged_above=-999 required=5 tests=[AWL=0.128,  BAYES_00=-2.599, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id WvxTRDqdmPzc for <oauth@ietfa.amsl.com>; Tue, 27 Aug 2013 11:38:19 -0700 (PDT)
Received: from na01-by2-obe.outbound.protection.outlook.com (mail-by2lp0240.outbound.protection.outlook.com [207.46.163.240]) by ietfa.amsl.com (Postfix) with ESMTP id 0D57721E80FA for <oauth@ietf.org>; Tue, 27 Aug 2013 11:38:18 -0700 (PDT)
Received: from BY2PR03MB191.namprd03.prod.outlook.com (10.242.36.143) by BY2PR03MB092.namprd03.prod.outlook.com (10.255.241.160) with Microsoft SMTP Server (TLS) id 15.0.745.25; Tue, 27 Aug 2013 18:38:17 +0000
Received: from BY2PR03MB189.namprd03.prod.outlook.com (10.242.36.140) by BY2PR03MB191.namprd03.prod.outlook.com (10.242.36.143) with Microsoft SMTP Server (TLS) id 15.0.745.25; Tue, 27 Aug 2013 18:38:16 +0000
Received: from BY2PR03MB189.namprd03.prod.outlook.com ([169.254.6.221]) by BY2PR03MB189.namprd03.prod.outlook.com ([169.254.6.221]) with mapi id 15.00.0745.000; Tue, 27 Aug 2013 18:38:15 +0000
From: Anthony Nadalin <tonynad@microsoft.com>
To: Justin Richer <jricher@mitre.org>
Thread-Topic: Refactoring Dynamic Registration
Thread-Index: AQHOoy6Xe84MPWeQ0USE/EN9KkVWYZmpSJuAgAAS04CAAAI8kIAAA+sAgAAAXMA=
Date: Tue, 27 Aug 2013 18:38:15 +0000
Message-ID: <a9f69dce67494fbebea818cdb51494b4@BY2PR03MB189.namprd03.prod.outlook.com>
References: <D4C71EFB-AE88-4E42-AED2-D9202247A3DB@mitre.org> <052002acf28f44d185131db50ab9fbb1@BY2PR03MB189.namprd03.prod.outlook.com> <521CEBE5.8010006@mitre.org> <8a5b8df1c31d4a58bc341fe1587664ec@BY2PR03MB189.namprd03.prod.outlook.com> <521CF10E.1090801@mitre.org>
In-Reply-To: <521CF10E.1090801@mitre.org>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
x-originating-ip: [2001:4898:80e0:ed43::3]
x-forefront-prvs: 0951AB0A30
x-forefront-antispam-report: SFV:NSPM; SFS:(13464003)(24454002)(189002)(199002)(52604005)(51704005)(377454003)(479174003)(80976001)(65816001)(31966008)(74502001)(47446002)(74662001)(74706001)(80022001)(83072001)(56776001)(54316002)(59766001)(79102001)(76482001)(54356001)(15202345003)(53806001)(77982001)(81816001)(74366001)(69226001)(77096001)(83322001)(19580405001)(63696002)(51856001)(76796001)(74316001)(81542001)(49866001)(81342001)(47736001)(47976001)(50986001)(56816003)(4396001)(76786001)(76576001)(81686001)(74876001)(19580395003)(15975445006)(46102001)(33646001)(42262001)(3826001)(24736002); DIR:OUT; SFP:; SCL:1; SRVR:BY2PR03MB191; H:BY2PR03MB189.namprd03.prod.outlook.com; CLIP:2001:4898:80e0:ed43::3; RD:InfoNoRecords; MX:1; A:1; LANG:en; 
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-OriginatorOrg: DuplicateDomain-a84fc36a-4ed7-4e57-ab1c-3e967bcbad48.microsoft.com
Cc: oauth mailing list <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Refactoring Dynamic Registration
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 27 Aug 2013 18:38:23 -0000

This is a better explanation than what is in the current document, as this
will become an interop problem that the clients need to deal with and not
sure how the client is going to know how to deal with all these
permutations, there should be a recommended action.

-----Original Message-----
From: Justin Richer [mailto:jricher@mitre.org]
Sent: Tuesday, August 27, 2013 11:34 AM
To: Anthony Nadalin
Cc: oauth mailing list
Subject: Re: Refactoring Dynamic Registration

If the server does not understand a parameter (and by this, remember, we
mean a field in the JSON object, not a query parameter), it can accept
it, ignore it, replace it with a default value, or return an error.

Think of it in terms of the data model: The client has some model of
what information it knows about, and the server's got some internal
model of what a "registered client" is, and the client information
response reflects the *server's* model of a client. Ultimately, the
client is making a registration request, the server is returning the
reality of what was actually registered. The client MUST defer to the
server's values in these cases. If the server returns a value that the
client doesn't know about (and doesn't know what to do with), the client
will ignore that.

If the server's ignoring the parameter completely (which I think will be
the common implementation), the server will just leave it out of the
returned object entirely. That's what our server does if you send it
some parameter that it doesn't know or care about -- it will safely
ignore the field when it saves the object and echoes the configuration
back. I'll here note that we didn't do anything special to make that
happen, that's pretty much out of the box JSON library behavior in my
experience.

The server could return a null value, or replace it with some default
value that the server likes better. If the server's data model is
somehow normalized and wants to take and remember *whatever* the client
sends, it can echo back what the client sent. I don't think that's going
to be very common in practice though, and clients need to be prepared to
take back whatever the server dictates. Since the server is the final
authority of what's attached to a given client ID, this is the
appropriate model.

  -- Justin

On 08/27/2013 02:22 PM, Anthony Nadalin wrote:
> Understand all that but does not say what the response will be on an
> additional parameter that the server does not understand, does the
> parameter come back with a null, or is the parameter omitted on response?
>
> -----Original Message-----
> From: Justin Richer [mailto:jricher@mitre.org]
> Sent: Tuesday, August 27, 2013 11:12 AM
> To: Anthony Nadalin
> Cc: oauth mailing list
> Subject: Re: Refactoring Dynamic Registration
>
> A JSON object is not order dependent by definition, so order of elements
> doesn't matter.
>
> In the section on client metadata and the client information response,
> it's stated that the server can:
>
> 1) Override a client's requested values and replace with its own
> 2) Insert a new field/value that the client didn't supply (effectively
> a server default)
> 3) Restrict the value of a given field
>
> Therefore, clients MUST deal with whatever kinds of extra JSON a server
> might respond (so long as it's a valid JSON object). Thankfully, since
> this is JSON and not a schema-based XML format, this is trivial to
> implement for the client.
>
> If you have suggestions about how to word this better, please submit text.
>
>    -- Justin
>
> On 08/27/2013 01:20 PM, Anthony Nadalin wrote:
>> Thanks for splitting this and making it simple.
>>
>> It's unclear if the server must send the metadata back in same form/order/ as sent, that is, does client expect to get back only what was sent with what server values will be or can client deal with defaults that the server sets
>>
>> -----Original Message-----
>> From: oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] On Behalf Of Richer, Justin P.
>> Sent: Tuesday, August 27, 2013 7:06 AM
>> To: oauth mailing list
>> Subject: [OAUTH-WG] Refactoring Dynamic Registration
>>
>> After last week's design team call, at Derek's suggestion, I took time today to refactor the Dynamic Registration draft into two pieces: "core" and "management". The former contains the definition of the Registration Endpoint and the semantics surrounding that, the latter contains the Client Configuration Endpoint as well as the "non-essential" client metadata parameters.
>>
>> I did this refactoring with an axe, so there are almost certainly bits and pieces that are in the wrong document. In particular, I've kept the use cases in the "core" document even though they reference concepts and constructs defined in the "management" spec. This way people that don't want to deal with a configuration management API can implement just the "core" registration spec and call it a day, while people who want to have full lifecycle control can do the "management" spec on top of it. This does increase the optionality by making the client configuration endpoint parameters optional, but that's the tradeoff for having things cut this way.
>>
>> You can read both the specs here:
>>
>> http://tools.ietf.org/html/draft-richer-oauth-dyn-reg-core-00
>>
>> http://tools.ietf.org/html/draft-richer-oauth-dyn-reg-management-00
>>
>> I've uploaded these as individual submissions for now. If the working group decides to move forward with this refactoring, I expect both documents to move in tandem through the RFC approval process.
>>
>>    -- Justin
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth
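
Added example, not part of the original message or of the draft text: one way a client could reconcile what it requested with the client information response discussed in this thread (fields omitted, returned as null, replaced, echoed, or added by the server), taking the server's values as authoritative and ignoring fields it does not understand. All sample values, the `x_*` extension fields, `server_policy_version` and the function names are constructed for illustration.

```python
import json

# Fields this hypothetical client understands; anything else in the
# response is ignored rather than treated as an error.
KNOWN_FIELDS = {
    "client_id", "client_secret", "client_name", "redirect_uris",
    "token_endpoint_auth_method", "x_ignored", "x_nulled", "x_echoed",
}

# Constructed registration request (the JSON object the client sends).
REQUEST = {
    "client_name": "Example Client",
    "redirect_uris": ["https://client.example.org/callback"],
    "token_endpoint_auth_method": "client_secret_basic",
    "x_ignored": "a",   # the sample server drops this field
    "x_nulled": "b",    # the sample server returns null for it
    "x_echoed": "c",    # the sample server stores it and echoes it back
}

# Constructed client information response (the server's model of the client).
RESPONSE_BODY = """
{
  "client_id": "constructed-client-id",
  "client_secret": "constructed-secret",
  "client_name": "Example Client",
  "redirect_uris": ["https://client.example.org/callback"],
  "token_endpoint_auth_method": "client_secret_post",
  "x_nulled": null,
  "x_echoed": "c",
  "server_policy_version": 3
}
"""


def parse_response(body):
    """Return the response as a dict; anything but a JSON object is an error."""
    try:
        parsed = json.loads(body)
    except json.JSONDecodeError as exc:
        raise ValueError("registration response is not valid JSON") from exc
    if not isinstance(parsed, dict):
        raise ValueError("registration response must be a JSON object")
    return parsed


def reconcile(requested, response):
    """Classify every field by what the server did with it."""
    report = {"accepted": [], "overridden": [], "omitted": [],
              "nulled": [], "server_added": []}
    for key, asked in requested.items():
        if key not in response:
            report["omitted"].append(key)       # server ignored the field
        elif response[key] is None:
            report["nulled"].append(key)        # server returned null
        elif response[key] == asked:
            report["accepted"].append(key)      # stored as requested
        else:
            report["overridden"].append(key)    # server substituted a value
    # Fields the client never sent: server defaults and issued credentials.
    report["server_added"] = [k for k in response if k not in requested]
    return {name: sorted(keys) for name, keys in report.items()}


def effective_config(response, known=KNOWN_FIELDS):
    """Keep the server's values, but only for fields the client understands."""
    return {k: v for k, v in response.items() if k in known}


def register_result(requested, body):
    """Parse the response, then return (difference report, effective config)."""
    response = parse_response(body)
    return reconcile(requested, response), effective_config(response)


if __name__ == "__main__":
    report, config = register_result(REQUEST, RESPONSE_BODY)
    print(json.dumps(report, indent=2))
    print(json.dumps(config, indent=2))
```

The report makes a server-side override such as the changed `token_endpoint_auth_method` visible to the client at registration time rather than at the first failed token request.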


From tonynad@microsoft.com  Tue Aug 27 11:41:23 2013
From: Anthony Nadalin <tonynad@microsoft.com>
To: "Richer, Justin P." <jricher@mitre.org>, oauth mailing list <oauth@ietf.org>
Thread-Topic: Refactoring Dynamic Registration
Thread-Index: AQHOoy6Xe84MPWeQ0USE/EN9KkVWYZmpY1lA
Date: Tue, 27 Aug 2013 18:41:14 +0000
Message-ID: <57d0cc93671e43c09d04fb7f46528b90@BY2PR03MB189.namprd03.prod.outlook.com>
References: <D4C71EFB-AE88-4E42-AED2-D9202247A3DB@mitre.org>
In-Reply-To: <D4C71EFB-AE88-4E42-AED2-D9202247A3DB@mitre.org>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-OriginatorOrg: DuplicateDomain-a84fc36a-4ed7-4e57-ab1c-3e967bcbad48.microsoft.com
Subject: Re: [OAUTH-WG] Refactoring Dynamic Registration

I believe the http://tools.ietf.org/html/draft-richer-oauth-dyn-reg-management-00 is out of scope for this WG and needs to go to the APPS area since we don't deal with other OAuth management issues

-----Original Message-----
From: oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] On Behalf Of Richer, Justin P.
Sent: Tuesday, August 27, 2013 7:06 AM
To: oauth mailing list
Subject: [OAUTH-WG] Refactoring Dynamic Registration

After last week's design team call, at Derek's suggestion, I took time today to refactor the Dynamic Registration draft into two pieces: "core" and "management". The former contains the definition of the Registration Endpoint and the semantics surrounding that, the latter contains the Client Configuration Endpoint as well as the "non-essential" client metadata parameters.

I did this refactoring with an axe, so there are almost certainly bits and pieces that are in the wrong document. In particular, I've kept the use cases in the "core" document even though they reference concepts and constructs defined in the "management" spec. This way people that don't want to deal with a configuration management API can implement just the "core" registration spec and call it a day, while people who want to have full lifecycle control can do the "management" spec on top of it. This does increase the optionality by making the client configuration endpoint parameters optional, but that's the tradeoff for having things cut this way.

You can read both the specs here:

http://tools.ietf.org/html/draft-richer-oauth-dyn-reg-core-00

http://tools.ietf.org/html/draft-richer-oauth-dyn-reg-management-00

I've uploaded these as individual submissions for now. If the working group decides to move forward with this refactoring, I expect both documents to move in tandem through the RFC approval process.

 -- Justin
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth

From jricher@mitre.org  Tue Aug 27 11:41:57 2013
Message-ID: <521CF2E6.8040709@mitre.org>
Date: Tue, 27 Aug 2013 14:41:42 -0400
From: Justin Richer <jricher@mitre.org>
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:17.0) Gecko/20130623 Thunderbird/17.0.7
MIME-Version: 1.0
To: Anthony Nadalin <tonynad@microsoft.com>
References: <D4C71EFB-AE88-4E42-AED2-D9202247A3DB@mitre.org> <052002acf28f44d185131db50ab9fbb1@BY2PR03MB189.namprd03.prod.outlook.com> <521CEBE5.8010006@mitre.org> <8a5b8df1c31d4a58bc341fe1587664ec@BY2PR03MB189.namprd03.prod.outlook.com> <521CF10E.1090801@mitre.org> <a9f69dce67494fbebea818cdb51494b4@BY2PR03MB189.namprd03.prod.outlook.com>
In-Reply-To: <a9f69dce67494fbebea818cdb51494b4@BY2PR03MB189.namprd03.prod.outlook.com>
Content-Type: text/plain; charset="ISO-8859-1"; format=flowed
Content-Transfer-Encoding: 7bit
X-Originating-IP: [129.83.31.56]
Cc: oauth mailing list <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Refactoring Dynamic Registration

OK, please submit text.

  -- Justin


On 08/27/2013 02:38 PM, Anthony Nadalin wrote:
> This is a better explanation than what is in the current document, as this will become an interop problem that the clients need to deal with and not sure how the client is going to know how to deal with all these permutations, there should be a recommended action.
>
> -----Original Message-----
> From: Justin Richer [mailto:jricher@mitre.org]
> Sent: Tuesday, August 27, 2013 11:34 AM
> To: Anthony Nadalin
> Cc: oauth mailing list
> Subject: Re: Refactoring Dynamic Registration
>
> If the server does not understand a parameter (and by this, remember, we mean a field in the JSON object, not a query parameter), it can accept it, ignore it, replace it with a default value, or return an error.
>
> Think of it in terms of the data model: The client has some model of what information it knows about, and the server's got some internal model of what a "registered client" is, and the client information response reflects the *server's* model of a client. Ultimately, the client is making a registration request, the server is returning the reality of what was actually registered. The client MUST defer to the server's values in these cases. If the server returns a value that the client doesn't know about (and doesn't know what to do with), the client will ignore that.
>
> If the server's ignoring the parameter completely (which I think will be the common implementation), the server will just leave it out of the returned object entirely. That's what our server does if you send it some parameter that it doesn't know or care about -- it will safely ignore the field when it saves the object and echoes the configuration back. I'll here note that we didn't do anything special to make that happen, that's pretty much out of the box JSON library behavior in my experience.
>
> The server could return a null value, or replace it with some default value that the server likes better. If the server's data model is somehow normalized and wants to take and remember *whatever* the client sends, it can echo back what the client sent. I don't think that's going to be very common in practice though, and clients need to be prepared to take back whatever the server dictates. Since the server is the final authority of what's attached to a given client ID, this is the appropriate model.
>
>    -- Justin
>
> On 08/27/2013 02:22 PM, Anthony Nadalin wrote:
>> Understand all that  but does not say what the response will be on an additional parameter that the server does not understand,  does the parameter come back with a null, or is the parameter omitted on response ?
>>
>> -----Original Message-----
>> From: Justin Richer [mailto:jricher@mitre.org]
>> Sent: Tuesday, August 27, 2013 11:12 AM
>> To: Anthony Nadalin
>> Cc: oauth mailing list
>> Subject: Re: Refactoring Dynamic Registration
>>
>> A JSON object is not order dependent by definition, so order of elements doesn't matter.
>>
>> In the section on client metadata and the client information response, it's stated that the server can:
>>
>> 1) Override a client's requested values and replace with its own
>> 2) Insert a new field/value that the client didn't supply (effectively
>> a server default)
>> 3) Restrict the value of a given field
>>
>> Therefore, clients MUST deal with whatever kinds of extra JSON a server might respond (so long as it's a valid JSON object). Thankfully, since this is JSON and not a schema-based XML format, this is trivial to implement for the client.
>>
>> If you have suggestions about how to word this better, please submit text.
>>
>>     -- Justin
>>
>> On 08/27/2013 01:20 PM, Anthony Nadalin wrote:
>>> Thanks for splitting this and making it simple.
>>>
>>> It's unclear if the server must send the metadata back in same
>>> form/order/ as sent, that is, does client expect to get back only
>>> what was sent with what server values will be or can client deal with
>>> defaults that the server sets
>>>
>>> -----Original Message-----
>>> From: oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] On Behalf Of Richer, Justin P.
>>> Sent: Tuesday, August 27, 2013 7:06 AM
>>> To: oauth mailing list
>>> Subject: [OAUTH-WG] Refactoring Dynamic Registration
>>>
>>> After last week's design team call, at Derek's suggestion, I took time today to refactor the Dynamic Registration draft into two pieces: "core" and "management". The former contains the definition of the Registration Endpoint and the semantics surrounding that, the latter contains the Client Configuration Endpoint as well as the "non-essential" client metadata parameters.
>>>
>>> I did this refactoring with an axe, so there are almost certainly bits and pieces that are in the wrong document. In particular, I've kept the use cases in the "core" document even though they reference concepts and constructs defined in the "management" spec. This way people that don't want to deal with a configuration management API can implement just the "core" registration spec and call it a day, while people who want to have full lifecycle control can do the "management" spec on top of it. This does increase the optionality by making the client configuration endpoint parameters optional, but that's the tradeoff for having things cut this way.
>>>
>>> You can read both the specs here:
>>>
>>> http://tools.ietf.org/html/draft-richer-oauth-dyn-reg-core-00
>>>
>>> http://tools.ietf.org/html/draft-richer-oauth-dyn-reg-management-00
>>>
>>> I've uploaded these as individual submissions for now. If the working group decides to move forward with this refactoring, I expect both documents to move in tandem through the RFC approval process.
>>>
>>>     -- Justin
>>> _______________________________________________
>>> OAuth mailing list
>>> OAuth@ietf.org
>>> https://www.ietf.org/mailman/listinfo/oauth


From jricher@mitre.org  Tue Aug 27 11:42:51 2013
Message-ID: <521CF31D.7080108@mitre.org>
Date: Tue, 27 Aug 2013 14:42:37 -0400
From: Justin Richer <jricher@mitre.org>
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:17.0) Gecko/20130623 Thunderbird/17.0.7
MIME-Version: 1.0
To: Anthony Nadalin <tonynad@microsoft.com>
References: <D4C71EFB-AE88-4E42-AED2-D9202247A3DB@mitre.org> <57d0cc93671e43c09d04fb7f46528b90@BY2PR03MB189.namprd03.prod.outlook.com>
In-Reply-To: <57d0cc93671e43c09d04fb7f46528b90@BY2PR03MB189.namprd03.prod.outlook.com>
Content-Type: text/plain; charset="ISO-8859-1"; format=flowed
Content-Transfer-Encoding: 7bit
X-Originating-IP: [129.83.31.56]
Cc: oauth mailing list <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Refactoring Dynamic Registration

-1, I believe that the management spec is vital for interoperability and 
well within the scope of this working group, and that the management 
spec needs to move forward in tandem with the core spec.

  -- Justin

On 08/27/2013 02:41 PM, Anthony Nadalin wrote:
> I believe the http://tools.ietf.org/html/draft-richer-oauth-dyn-reg-management-00 is out of scope for this WG and needs to go to the APPS area since we don't deal with other OAuth management issues
>
> -----Original Message-----
> From: oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] On Behalf Of Richer, Justin P.
> Sent: Tuesday, August 27, 2013 7:06 AM
> To: oauth mailing list
> Subject: [OAUTH-WG] Refactoring Dynamic Registration
>
> After last week's design team call, at Derek's suggestion, I took time today to refactor the Dynamic Registration draft into two pieces: "core" and "management". The former contains the definition of the Registration Endpoint and the semantics surrounding that, the latter contains the Client Configuration Endpoint as well as the "non-essential" client metadata parameters.
>
> I did this refactoring with an axe, so there are almost certainly bits and pieces that are in the wrong document. In particular, I've kept the use cases in the "core" document even though they reference concepts and constructs defined in the "management" spec. This way people that don't want to deal with a configuration management API can implement just the "core" registration spec and call it a day, while people who want to have full lifecycle control can do the "management" spec on top of it. This does increase the optionality by making the client configuration endpoint parameters optional, but that's the tradeoff for having things cut this way.
>
> You can read both the specs here:
>
> http://tools.ietf.org/html/draft-richer-oauth-dyn-reg-core-00
>
> http://tools.ietf.org/html/draft-richer-oauth-dyn-reg-management-00
>
> I've uploaded these as individual submissions for now. If the working group decides to move forward with this refactoring, I expect both documents to move in tandem through the RFC approval process.
>
>   -- Justin
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth


From ve7jtb@ve7jtb.com  Tue Aug 27 11:52:17 2013
Content-Type: multipart/signed; boundary="Apple-Mail=_94E87713-0972-46CB-BCD0-0C0B1236A4F2"; protocol="application/pkcs7-signature"; micalg=sha1
Mime-Version: 1.0 (Mac OS X Mail 6.5 \(1508\))
From: John Bradley <ve7jtb@ve7jtb.com>
In-Reply-To: <57d0cc93671e43c09d04fb7f46528b90@BY2PR03MB189.namprd03.prod.outlook.com>
Date: Tue, 27 Aug 2013 14:52:07 -0400
Message-Id: <0FD93772-1AEC-4400-8A7D-C9F6D44E2E5E@ve7jtb.com>
References: <D4C71EFB-AE88-4E42-AED2-D9202247A3DB@mitre.org> <57d0cc93671e43c09d04fb7f46528b90@BY2PR03MB189.namprd03.prod.outlook.com>
To: Anthony Nadalin <tonynad@microsoft.com>
X-Mailer: Apple Mail (2.1508)
Cc: oauth mailing list <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Refactoring Dynamic Registration

--Apple-Mail=_94E87713-0972-46CB-BCD0-0C0B1236A4F2
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain;
	charset=us-ascii

I appreciate that is your opinion. Let's finish splitting the document and agree on what we agree on, then the chairs and others can render an opinion on if http://tools.ietf.org/html/draft-richer-oauth-dyn-reg-management-00 is in scope for this WG. I happen to think it is in scope, and I suspect I am not alone in that.

Right now let's focus on the core of the spec we agree on and leave the scope issue to a later knife fight.

John B.

On 2013-08-27, at 2:41 PM, Anthony Nadalin <tonynad@microsoft.com> wrote:

> I believe the http://tools.ietf.org/html/draft-richer-oauth-dyn-reg-management-00 is out of scope for this WG and needs to go to the APPS area since we don't deal with other OAuth management issues
>
> -----Original Message-----
> From: oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] On Behalf Of Richer, Justin P.
> Sent: Tuesday, August 27, 2013 7:06 AM
> To: oauth mailing list
> Subject: [OAUTH-WG] Refactoring Dynamic Registration
>
> After last week's design team call, at Derek's suggestion, I took time today to refactor the Dynamic Registration draft into two pieces: "core" and "management". The former contains the definition of the Registration Endpoint and the semantics surrounding that, the latter contains the Client Configuration Endpoint as well as the "non-essential" client metadata parameters.
>
> I did this refactoring with an axe, so there are almost certainly bits and pieces that are in the wrong document. In particular, I've kept the use cases in the "core" document even though they reference concepts and constructs defined in the "management" spec. This way people that don't want to deal with a configuration management API can implement just the "core" registration spec and call it a day, while people who want to have full lifecycle control can do the "management" spec on top of it. This does increase the optionality by making the client configuration endpoint parameters optional, but that's the tradeoff for having things cut this way.
>
> You can read both the specs here:
>
> http://tools.ietf.org/html/draft-richer-oauth-dyn-reg-core-00
>
> http://tools.ietf.org/html/draft-richer-oauth-dyn-reg-management-00
>
> I've uploaded these as individual submissions for now. If the working group decides to move forward with this refactoring, I expect both documents to move in tandem through the RFC approval process.
>
> -- Justin
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth


--Apple-Mail=_94E87713-0972-46CB-BCD0-0C0B1236A4F2--

From eve@xmlgrrl.com  Tue Aug 27 14:13:10 2013
Mime-Version: 1.0 (Mac OS X Mail 6.5 \(1508\))
Content-Type: text/plain; charset=us-ascii
From: Eve Maler <eve@xmlgrrl.com>
In-Reply-To: <0FD93772-1AEC-4400-8A7D-C9F6D44E2E5E@ve7jtb.com>
Date: Tue, 27 Aug 2013 14:12:56 -0700
Content-Transfer-Encoding: quoted-printable
Message-Id: <4B81034F-7B26-488A-B7FA-E4DBFEB2256C@xmlgrrl.com>
References: <D4C71EFB-AE88-4E42-AED2-D9202247A3DB@mitre.org> <57d0cc93671e43c09d04fb7f46528b90@BY2PR03MB189.namprd03.prod.outlook.com> <0FD93772-1AEC-4400-8A7D-C9F6D44E2E5E@ve7jtb.com>
To: John Bradley <ve7jtb@ve7jtb.com>
X-Mailer: Apple Mail (2.1508)
Cc: oauth mailing list <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Refactoring Dynamic Registration

Unfortunately I haven't been able to attend the design meetings, but I've continued to follow along here with interest.

I confess that the core/management split seems a little artificial to me. I can imagine a potential use case for splitting things this way -- even a client that was *statically* provisioned its credentials might still want to manage its representation at the authorization server over time. But even so, I would normally expect to see all of this considered part of the "management" bucket, with the first step allowed to happen either on-stage or off-stage. In any case, if the split satisfies some other need I'm missing, I don't want to stand in the way.

Also, I'm still a little stumped at the reluctance to allow a full set of management operations. Is this still a concern over similarity to SCIM, which also has a full set of CRUD-type operations? If so, perhaps it's worth pointing out that many (millions?) of APIs leverage the HTTP verbs in nearly identical ways to "provision" web resources. In fact, my SCIM-related slideware even says "If you've seen one RESTful CRUD API, you've seen 'em all" :), and points out that its unique value is in the *nature* of the resources being provisioned (scoped to user identity data, as noted in the SCIM API spec itself). Similarity like this is a feature of REST, not a bug.

As an aside, I'm surprised the core spec has a SHOULD around open registration. Different APIs have different business models, and the range of possibilities legitimately includes APIs that require approval workflows etc. for onboarding devs and their client apps. In fact, that's one of the exciting things about defining dynamic (machine-to-machine) client registration that can nonetheless put gates in front of client provisioning: it makes OAuth protection more easily achievable even in "circle of trust" scenarios.

Net on the important bits:
- I'm weakly in favor of a recombined core+management spec but I'm fine with the split if others find it valuable.
- I'm in favor of keeping the management functions in scope.

	Eve

On 27 Aug 2013, at 11:52 AM, John Bradley <ve7jtb@ve7jtb.com> wrote:

> I appreciate that is your opinion. Let's finish splitting the document and agree on what we agree on, then the chairs and others can render an opinion on if http://tools.ietf.org/html/draft-richer-oauth-dyn-reg-management-00 is in scope for this WG. I happen to think it is in scope, and I suspect I am not alone in that.
>
> Right now let's focus on the core of the spec we agree on and leave the scope issue to a later knife fight.
>
> John B.
>
> On 2013-08-27, at 2:41 PM, Anthony Nadalin <tonynad@microsoft.com> wrote:
>
>> I believe the http://tools.ietf.org/html/draft-richer-oauth-dyn-reg-management-00 is out of scope for this WG and needs to go to the APPS area since we don't deal with other OAuth management issues
>>
>> -----Original Message-----
>> From: oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] On Behalf Of Richer, Justin P.
>> Sent: Tuesday, August 27, 2013 7:06 AM
>> To: oauth mailing list
>> Subject: [OAUTH-WG] Refactoring Dynamic Registration
>>
>> After last week's design team call, at Derek's suggestion, I took time today to refactor the Dynamic Registration draft into two pieces: "core" and "management". The former contains the definition of the Registration Endpoint and the semantics surrounding that, the latter contains the Client Configuration Endpoint as well as the "non-essential" client metadata parameters.
>>
>> I did this refactoring with an axe, so there are almost certainly bits and pieces that are in the wrong document. In particular, I've kept the use cases in the "core" document even though they reference concepts and constructs defined in the "management" spec. This way people that don't want to deal with a configuration management API can implement just the "core" registration spec and call it a day, while people who want to have full lifecycle control can do the "management" spec on top of it. This does increase the optionality by making the client configuration endpoint parameters optional, but that's the tradeoff for having things cut this way.
>>
>> You can read both the specs here:
>>
>> http://tools.ietf.org/html/draft-richer-oauth-dyn-reg-core-00
>>
>> http://tools.ietf.org/html/draft-richer-oauth-dyn-reg-management-00
>>
>> I've uploaded these as individual submissions for now. If the working group decides to move forward with this refactoring, I expect both documents to move in tandem through the RFC approval process.
>>
>> -- Justin


Eve Maler                                  http://www.xmlgrrl.com/blog
+1 425 345 6756                         http://www.twitter.com/xmlgrrl


From tonynad@microsoft.com  Tue Aug 27 14:28:00 2013
From: Anthony Nadalin <tonynad@microsoft.com>
To: Justin Richer <jricher@mitre.org>
Date: Tue, 27 Aug 2013 21:27:46 +0000
Message-ID: <db3e030fa7f34cb8ac64e330b149e2fa@BY2PR03MB189.namprd03.prod.outlook.com>
References: <D4C71EFB-AE88-4E42-AED2-D9202247A3DB@mitre.org> <052002acf28f44d185131db50ab9fbb1@BY2PR03MB189.namprd03.prod.outlook.com> <521CEBE5.8010006@mitre.org> <8a5b8df1c31d4a58bc341fe1587664ec@BY2PR03MB189.namprd03.prod.outlook.com> <521CF10E.1090801@mitre.org> <a9f69dce67494fbebea818cdb51494b4@BY2PR03MB189.namprd03.prod.outlook.com> <521CF2E6.8040709@mitre.org>
In-Reply-To: <521CF2E6.8040709@mitre.org>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Cc: oauth mailing list <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Refactoring Dynamic Registration

Well, that is just one minor nit and not sure that this is the proper base to start with for the core, I was only trying to understand the intent of the specification.  There is the fundamental issue of relationship (endpoint/ API publisher and with whom the client is trying to register with and how the registration data is organized /represented as each server has to deal with all sorts of clients.

-----Original Message-----
From: Justin Richer [mailto:jricher@mitre.org]
Sent: Tuesday, August 27, 2013 11:42 AM
To: Anthony Nadalin
Cc: oauth mailing list
Subject: Re: Refactoring Dynamic Registration

OK, please submit text.

  -- Justin


On 08/27/2013 02:38 PM, Anthony Nadalin wrote:
> This is a better explanation than what is in the current document, as this will become an interop problem that the clients need to deal with and not sure how the client is going to know how to deal with all these permutations, there should be a recommended action.
>
> -----Original Message-----
> From: Justin Richer [mailto:jricher@mitre.org]
> Sent: Tuesday, August 27, 2013 11:34 AM
> To: Anthony Nadalin
> Cc: oauth mailing list
> Subject: Re: Refactoring Dynamic Registration
>
> If the server does not understand a parameter (and by this, remember, we mean a field in the JSON object, not a query parameter), it can accept it, ignore it, replace it with a default value, or return an error.
>
> Think of it in terms of the data model: The client has some model of what information it knows about, and the server's got some internal model of what a "registered client" is, and the client information response reflects the *server's* model of a client. Ultimately, the client is making a registration request, the server is returning the reality of what was actually registered. The client MUST defer to the server's values in these cases. If the server returns a value that the client doesn't know about (and doesn't know what to do with), the client will ignore that.
>
> If the server's ignoring the parameter completely (which I think will be the common implementation), the server will just leave it out of the returned object entirely. That's what our server does if you send it some parameter that it doesn't know or care about -- it will safely ignore the field when it saves the object and echoes the configuration back. I'll here note that we didn't do anything special to make that happen, that's pretty much out of the box JSON library behavior in my experience.
>
> The server could return a null value, or replace it with some default value that the server likes better. If the server's data model is somehow normalized and wants to take and remember *whatever* the client sends, it can echo back what the client sent. I don't think that's going to be very common in practice though, and clients need to be prepared to take back whatever the server dictates. Since the server is the final authority of what's attached to a given client ID, this is the appropriate model.
>
>    -- Justin
>
> On 08/27/2013 02:22 PM, Anthony Nadalin wrote:
>> Understand all that but does not say what the response will be on an additional parameter that the server does not understand, does the parameter come back with a null, or is the parameter omitted on response?
>>
>> -----Original Message-----
>> From: Justin Richer [mailto:jricher@mitre.org]
>> Sent: Tuesday, August 27, 2013 11:12 AM
>> To: Anthony Nadalin
>> Cc: oauth mailing list
>> Subject: Re: Refactoring Dynamic Registration
>>
>> A JSON object is not order dependent by definition, so order of elements doesn't matter.
>>
>> In the section on client metadata and the client information response, it's stated that the server can:
>>
>> 1) Override a client's requested values and replace with its own
>> 2) Insert a new field/value that the client didn't supply (effectively a server default)
>> 3) Restrict the value of a given field
>>
>> Therefore, clients MUST deal with whatever kinds of extra JSON a server might respond (so long as it's a valid JSON object). Thankfully, since this is JSON and not a schema-based XML format, this is trivial to implement for the client.
>>
>> If you have suggestions about how to word this better, please submit text.
>>
>>     -- Justin
>>
>> On 08/27/2013 01:20 PM, Anthony Nadalin wrote:
>>> Thanks for splitting this and making it simple.
>>>
>>> It's unclear if the server must send the metadata back in same form/order/ as sent, that is, does client expect to get back only what was sent with what server values will be or can client deal with defaults that the server sets
>>>
>>> -----Original Message-----
>>> From: oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] On Behalf Of Richer, Justin P.
>>> Sent: Tuesday, August 27, 2013 7:06 AM
>>> To: oauth mailing list
>>> Subject: [OAUTH-WG] Refactoring Dynamic Registration
>>>
>>> After last week's design team call, at Derek's suggestion, I took time today to refactor the Dynamic Registration draft into two pieces: "core" and "management". The former contains the definition of the Registration Endpoint and the semantics surrounding that, the latter contains the Client Configuration Endpoint as well as the "non-essential" client metadata parameters.
>>>
>>> I did this refactoring with an axe, so there are almost certainly bits and pieces that are in the wrong document. In particular, I've kept the use cases in the "core" document even though they reference concepts and constructs defined in the "management" spec. This way people that don't want to deal with a configuration management API can implement just the "core" registration spec and call it a day, while people who want to have full lifecycle control can do the "management" spec on top of it. This does increase the optionality by making the client configuration endpoint parameters optional, but that's the tradeoff for having things cut this way.
>>>
>>> You can read both the specs here:
>>>
>>> http://tools.ietf.org/html/draft-richer-oauth-dyn-reg-core-00
>>>
>>> http://tools.ietf.org/html/draft-richer-oauth-dyn-reg-management-00
>>>
>>> I've uploaded these as individual submissions for now. If the working group decides to move forward with this refactoring, I expect both documents to move in tandem through the RFC approval process.
>>>
>>>     -- Justin
>>> _______________________________________________
>>> OAuth mailing list
>>> OAuth@ietf.org
>>> https://www.ietf.org/mailman/listinfo/oauth
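
Added example, not part of the thread and not code from the drafts or their authors: a client reconciling its registration request against the client information response, following the rule quoted above that the client MUST defer to the server's values whether a field comes back changed, null, omitted or newly added. The function name, report categories, sample metadata values and the two stop conditions at the end are assumptions of this example.

```python
import json

# Constructed sample: metadata the client sends to the Registration Endpoint.
REQUESTED = {
    "client_name": "Example Photo Printer",
    "redirect_uris": ["https://client.example.org/cb",
                      "http://client.example.org/cb"],
    "token_endpoint_auth_method": "none",
    "scope": "read write admin",
    "logo_uri": "https://client.example.org/logo.png",
    "x_vendor_hint": "beta",   # a field this server has never heard of
}

# Constructed sample: the client information response. Key order differs from
# the request on purpose; a JSON object carries no ordering.
RESPONSE_BODY = json.dumps({
    "scope": "read",                                     # restricted
    "client_id": "s6BhdRkqt3",                           # issued by the server
    "redirect_uris": ["https://client.example.org/cb"],  # overridden
    "client_name": "Example Photo Printer",              # accepted as sent
    "token_endpoint_auth_method": "none",                # accepted as sent
    "grant_types": ["authorization_code"],               # server default
    "logo_uri": None,                                    # returned as null
})

# Assumption of this example: the only auth method this client implements.
SUPPORTED_AUTH_METHODS = {"none"}


class RegistrationMismatch(Exception):
    """The server registered something this client cannot operate with."""


def reconcile(requested, response_body):
    """Return (effective_config, report) for a client information response.

    effective_config holds the server's values only; the request is used
    solely to report how the server's model differs from what was asked.
    """
    registered = json.loads(response_body)
    if not isinstance(registered, dict):
        raise RegistrationMismatch("response is not a JSON object")

    report = {"accepted": [], "overridden": [], "dropped": [], "server_added": []}
    for field, wanted in requested.items():
        if registered.get(field) is None:
            # Omitted and null are both ways a server can ignore a field.
            report["dropped"].append(field)
        elif registered[field] == wanted:
            report["accepted"].append(field)
        else:
            report["overridden"].append(field)
    report["server_added"] = [f for f in registered if f not in requested]
    for names in report.values():
        names.sort()

    # Defer to the server: nothing from the request leaks into the result.
    effective = {f: v for f, v in registered.items() if v is not None}

    # Example policy (an assumption, not from the thread): stop when a field
    # the client does understand comes back with a value it cannot act on.
    method = effective.get("token_endpoint_auth_method")
    if method is not None and method not in SUPPORTED_AUTH_METHODS:
        raise RegistrationMismatch(f"server registered auth method {method!r}")
    if "redirect_uris" in requested and not effective.get("redirect_uris"):
        raise RegistrationMismatch("server registered no redirect URI")
    return effective, report


if __name__ == "__main__":
    config, report = reconcile(REQUESTED, RESPONSE_BODY)
    print(json.dumps(report, indent=2))
    print("redirect URIs to use:", config["redirect_uris"])
```

The report is for logging and operator review only; every later protocol step reads from the effective configuration.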


From ve7jtb@ve7jtb.com  Tue Aug 27 16:28:06 2013
Content-Type: multipart/signed; boundary="Apple-Mail=_99564A94-C521-4B20-BFD3-71CA652FE4E2"; protocol="application/pkcs7-signature"; micalg=sha1
Mime-Version: 1.0 (Mac OS X Mail 6.5 \(1508\))
From: John Bradley <ve7jtb@ve7jtb.com>
In-Reply-To: <805A22A4-E086-435E-BBA2-E0A04241A334@oracle.com>
Date: Tue, 27 Aug 2013 19:27:52 -0400
Message-Id: <1426A97F-8A71-4297-9F46-C824121D36BB@ve7jtb.com>
References: <20130827155645.1310.29989.idtracker@ietfa.amsl.com> <805A22A4-E086-435E-BBA2-E0A04241A334@oracle.com>
To: Phil Hunt <phil.hunt@oracle.com>
Cc: "oauth@ietf.org WG" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Fwd: New Version Notification for draft-hunt-oauth-v2-user-a4c-01.txt

--Apple-Mail=_99564A94-C521-4B20-BFD3-71CA652FE4E2
Content-Type: multipart/alternative;
	boundary="Apple-Mail=_C8383AA9-C4AA-43FE-9D9F-ADEA2905667D"


--Apple-Mail=_C8383AA9-C4AA-43FE-9D9F-ADEA2905667D
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain;
	charset=us-ascii

It is better.  We need to talk about what you have done with "min_alv" vs "acr" from connect which is extensible via an IANA registry of Authentication contexts.

If it came down to reserving the strings 1 2 3 4 for the ISO29115 reference that could probably be arranged.

I don't know that throwing an error if the min can't be supported is the correct thing.  We had a lot of debate about that and decided that returning the actual acr and letting the client decide was better than an error.

Also remember that the request is not signed so someone could modify it to remove min_alv and spoof a RP that expects all positive results to meet what it asked for.

More discussion on min_alv is required.

John B.

On 2013-08-27, at 12:52 PM, Phil Hunt <phil.hunt@oracle.com> wrote:

> FYI.  Based on feedback from Berlin, Tony and I have revised the draft to include:
>
> * Alignment with OpenID Connect (using id_token)
> * Always returns a JWT
> * Minimum assertion level on request
> * Return information about the type of authentication performed
>
> Thanks for your input.
>
> Phil
>
> @independentid
> www.independentid.com
> phil.hunt@oracle.com
>
>
> Begin forwarded message:
>
>> From: internet-drafts@ietf.org
>> Subject: New Version Notification for draft-hunt-oauth-v2-user-a4c-01.txt
>> Date: 27 August, 2013 8:56:45 AM PDT
>> To: Phil Hunt <phil.hunt@yahoo.com>, Anthony Nadalin <tonynad@microsoft.com>, Tony Nadalin <tonynad@microsoft.com>
>>
>>
>> A new version of I-D, draft-hunt-oauth-v2-user-a4c-01.txt
>> has been successfully submitted by Phil Hunt and posted to the
>> IETF repository.
>>
>> Filename:	 draft-hunt-oauth-v2-user-a4c
>> Revision:	 01
>> Title:		 OAuth 2.0 User Authentication and Consent For Clients
>> Creation date:	 2013-08-27
>> Group:		 Individual Submission
>> Number of pages: 10
>> URL:             http://www.ietf.org/internet-drafts/draft-hunt-oauth-v2-user-a4c-01.txt
>> Status:          http://datatracker.ietf.org/doc/draft-hunt-oauth-v2-user-a4c
>> Htmlized:        http://tools.ietf.org/html/draft-hunt-oauth-v2-user-a4c-01
>> Diff:            http://www.ietf.org/rfcdiff?url2=draft-hunt-oauth-v2-user-a4c-01
>>
>> Abstract:
>>   This specification defines a new OAuth2 endpoint that enables user
>>   authentication session and consent information to be shared with
>>   client applications.
>>
>>
>>
>>
>> Please note that it may take a couple of minutes from the time of submission
>> until the htmlized version and diff are available at tools.ietf.org.
>>
>> The IETF Secretariat
>>
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth


--Apple-Mail=_C8383AA9-C4AA-43FE-9D9F-ADEA2905667D--

--Apple-Mail=_99564A94-C521-4B20-BFD3-71CA652FE4E2--
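
Added example, not part of the thread and not code from draft-hunt-oauth-v2-user-a4c or OpenID Connect: the two points in the message above (the server returns the actual acr and the client decides; the unsigned request can lose min_alv in transit) both put enforcement on the RP, which compares the acr in the verified response with a minimum held in its own configuration. Assumptions: HS256 with a shared key stands in for the deployment's real signature scheme, acr carries the strings "1" to "4" as in the ISO29115 suggestion, and iss/aud/exp checks are left out to keep the focus on acr.

```python
import base64
import hashlib
import hmac
import json

# Assumption: acr carries the ISO 29115 levels as the strings "1".."4".
ACR_LEVEL = {"1": 1, "2": 2, "3": 3, "4": 4}


class AssuranceError(Exception):
    """The response cannot be accepted for this login."""


def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def sign(signing_input, key):
    return hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()


def make_token(claims, key):
    """Build a constructed HS256 JWT, standing in for the server's id_token."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}.{b64url_encode(sign(header + '.' + payload, key))}"


def verified_claims(token, key):
    """Return the claims only if the signature over header.payload checks out."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(header_b64))
        signature = b64url_decode(sig_b64)
        if not isinstance(header, dict) or header.get("alg") != "HS256":
            raise AssuranceError("unexpected alg")
        if not hmac.compare_digest(signature, sign(header_b64 + "." + payload_b64, key)):
            raise AssuranceError("bad signature")
        claims = json.loads(b64url_decode(payload_b64))
    except ValueError as exc:
        raise AssuranceError("malformed token") from exc
    if not isinstance(claims, dict):
        raise AssuranceError("claims are not a JSON object")
    return claims


def accept_login(token, key, required_acr):
    """Enforce the RP's own minimum on what the server says it actually did.

    required_acr comes from RP configuration, never from the request or from
    anything echoed back, because the request is unsigned.
    """
    if required_acr not in ACR_LEVEL:
        raise ValueError("required_acr must be one of " + ", ".join(ACR_LEVEL))
    claims = verified_claims(token, key)
    achieved = claims.get("acr")
    if not isinstance(achieved, str) or achieved not in ACR_LEVEL:
        raise AssuranceError("acr missing or not a known level")
    if ACR_LEVEL[achieved] < ACR_LEVEL[required_acr]:
        raise AssuranceError(f"acr {achieved} is below required {required_acr}")
    return claims


def run_demo():
    """Run four constructed responses through an RP that requires level 2."""
    key = b"constructed-demo-key"
    samples = {
        "meets_minimum": make_token({"sub": "alice", "acr": "3"}, key),
        # What a positive result looks like if min_alv never reached the server.
        "below_minimum": make_token({"sub": "alice", "acr": "1"}, key),
        "no_acr": make_token({"sub": "alice"}, key),
    }
    # Payload swapped after signing: claims level 4 under the level-1 signature.
    head, _, sig = samples["below_minimum"].split(".")
    swapped = b64url_encode(json.dumps({"sub": "alice", "acr": "4"}).encode())
    samples["swapped_payload"] = f"{head}.{swapped}.{sig}"

    outcomes = {}
    for name, token in samples.items():
        try:
            accept_login(token, key, required_acr="2")
            outcomes[name] = "accepted"
        except AssuranceError as exc:
            outcomes[name] = f"rejected: {exc}"
    return outcomes


if __name__ == "__main__":
    for name, outcome in run_demo().items():
        print(f"{name}: {outcome}")
```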

From phil.hunt@oracle.com  Tue Aug 27 16:37:26 2013
Content-Type: multipart/alternative; boundary="Apple-Mail=_70310B1F-1A8C-4D5C-8D12-DD4C99D760C1"
Mime-Version: 1.0 (Mac OS X Mail 6.5 \(1508\))
From: Phil Hunt <phil.hunt@oracle.com>
In-Reply-To: <1426A97F-8A71-4297-9F46-C824121D36BB@ve7jtb.com>
Date: Tue, 27 Aug 2013 16:37:18 -0700
Message-Id: <B762489A-FFAC-4BB3-822C-15DA085CB6FC@oracle.com>
References: <20130827155645.1310.29989.idtracker@ietfa.amsl.com> <805A22A4-E086-435E-BBA2-E0A04241A334@oracle.com> <1426A97F-8A71-4297-9F46-C824121D36BB@ve7jtb.com>
To: John Bradley <ve7jtb@ve7jtb.com>
X-Mailer: Apple Mail (2.1508)
X-Source-IP: ucsinet21.oracle.com [156.151.31.93]
Cc: "oauth@ietf.org WG" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Fwd: New Version Notification for draft-hunt-oauth-v2-user-a4c-01.txt
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 27 Aug 2013 23:37:26 -0000

--Apple-Mail=_70310B1F-1A8C-4D5C-8D12-DD4C99D760C1
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain;
	charset=us-ascii

See below.
Phil

@independentid
www.independentid.com
phil.hunt@oracle.com







On 2013-08-27, at 4:27 PM, John Bradley <ve7jtb@ve7jtb.com> wrote:

> It is better.  We need to talk about what you have done with "min_alv" vs "acr" from connect which is extensible via an IANA registry of Authentication contexts.
>
> If it came down to reserving the strings 1 2 3 4 for the ISO29115 reference that could probably be arranged.
>
> I don't know that throwing an error if the min can't be supported is the correct thing.  We had a lot of debate about that and decided that returning the actual acr and letting the client decide was better than an error.
[PH] I agree.
>
> Also remember that the request is not signed so someone could modify it to remove min_alv and spoof an RP that expects all positive results to meet what it asked for.
>
> More discussion on min_alv is required.
[PH] Yes. Returning what actually was done without an error is a better approach.

Also, just noticed that the "hint" parameter should be "login_hint".

I think we also need to discuss how the client detects the profile API type and whether the AS can return multiple endpoints (and is that even a good thing).  A structured attribute giving endpoint type and URL might be the way to go.

>
> John B.
>
> On 2013-08-27, at 12:52 PM, Phil Hunt <phil.hunt@oracle.com> wrote:
>
>> FYI.  Based on feedback from Berlin, Tony and I have revised the draft to include:
>>
>> * Alignment with OpenID Connect (using id_token)
>> * Always returns a JWT
>> * Minimum assertion level on request
>> * Return information about the type of authentication performed
>>
>> Thanks for your input.
>>
>> Phil
>>
>> @independentid
>> www.independentid.com
>> phil.hunt@oracle.com
>>
>>
>> Begin forwarded message:
>>
>>> From: internet-drafts@ietf.org
>>> Subject: New Version Notification for draft-hunt-oauth-v2-user-a4c-01.txt
>>> Date: 27 August, 2013 8:56:45 AM PDT
>>> To: Phil Hunt <phil.hunt@yahoo.com>, Anthony Nadalin <tonynad@microsoft.com>, Tony Nadalin <tonynad@microsoft.com>
>>>
>>>
>>> A new version of I-D, draft-hunt-oauth-v2-user-a4c-01.txt
>>> has been successfully submitted by Phil Hunt and posted to the
>>> IETF repository.
>>>
>>> Filename:        draft-hunt-oauth-v2-user-a4c
>>> Revision:        01
>>> Title:           OAuth 2.0 User Authentication and Consent For Clients
>>> Creation date:   2013-08-27
>>> Group:           Individual Submission
>>> Number of pages: 10
>>> URL:             http://www.ietf.org/internet-drafts/draft-hunt-oauth-v2-user-a4c-01.txt
>>> Status:          http://datatracker.ietf.org/doc/draft-hunt-oauth-v2-user-a4c
>>> Htmlized:        http://tools.ietf.org/html/draft-hunt-oauth-v2-user-a4c-01
>>> Diff:            http://www.ietf.org/rfcdiff?url2=draft-hunt-oauth-v2-user-a4c-01
>>>
>>> Abstract:
>>>   This specification defines a new OAuth2 endpoint that enables user
>>>   authentication session and consent information to be shared with
>>>   client applications.
>>>
>>> Please note that it may take a couple of minutes from the time of submission
>>> until the htmlized version and diff are available at tools.ietf.org.
>>>
>>> The IETF Secretariat
>>>
>>
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth
>


--Apple-Mail=_70310B1F-1A8C-4D5C-8D12-DD4C99D760C1--
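
The point raised in the message above (the request is unsigned, so min_alv can be stripped in transit, and the AS returns the actual acr instead of an error) means the RP has to compare the signed acr against its own minimum. The following is an added example, not code from the draft or from either author; the HS256 shared key, the acr values "1" to "4", and the names authorization_server and require_acr are assumptions made for illustration.

```python
import base64
import hashlib
import hmac
import json

# Assumption: acr values are the strings "1".."4", ordered by assurance level,
# as floated in the thread for the ISO 29115 reference.
ACR_RANK = {"1": 1, "2": 2, "3": 3, "4": 4}


class AuthLevelError(Exception):
    """The ID token is invalid or does not meet the RP's own minimum."""


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_id_token(claims: dict, key: bytes) -> str:
    """Constructed issuer side: build an HS256-signed JWT."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    mac = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256)
    return f"{header}.{payload}.{b64url_encode(mac.digest())}"


def authorization_server(request_params: dict, key: bytes) -> str:
    """Hypothetical AS: honours min_alv if present, otherwise does level 1.

    It never returns an error; it reports what was performed in "acr".
    """
    performed = request_params.get("min_alv", "1")
    claims = {"iss": "https://as.example", "sub": "user-123", "acr": performed}
    return sign_id_token(claims, key)


def verified_claims(token: str, key: bytes) -> dict:
    """Return the claims only if the token parses and its signature verifies."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(header_b64))
        claims = json.loads(b64url_decode(payload_b64))
        signature = b64url_decode(sig_b64)
    except ValueError as exc:
        raise AuthLevelError("malformed token") from exc
    # Pin the algorithm instead of trusting whatever the header announces.
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise AuthLevelError("unexpected alg")
    signing_input = f"{header_b64}.{payload_b64}".encode()
    expected = hmac.new(key, signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(signature, expected):
        raise AuthLevelError("bad signature")
    if not isinstance(claims, dict):
        raise AuthLevelError("claims are not a JSON object")
    return claims


def require_acr(token: str, key: bytes, required_acr: str) -> dict:
    """RP-side check: the signed acr must meet the RP's own minimum.

    The minimum comes from RP configuration, never from the request echo,
    because the unsigned request may have been altered on the way to the AS.
    """
    if required_acr not in ACR_RANK:
        raise ValueError("unknown required level")
    claims = verified_claims(token, key)
    acr = claims.get("acr")
    if not isinstance(acr, str) or acr not in ACR_RANK:
        raise AuthLevelError("acr missing or not a known level")
    if ACR_RANK[acr] < ACR_RANK[required_acr]:
        raise AuthLevelError(f"acr {acr} is below required {required_acr}")
    return claims


def rp_accepts(token: str, key: bytes, required_acr: str) -> bool:
    try:
        require_acr(token, key, required_acr)
        return True
    except AuthLevelError:
        return False


if __name__ == "__main__":
    key = b"constructed-demo-key"  # constructed sample key
    intended = {"client_id": "rp-1", "min_alv": "3"}  # constructed request
    # Same request after min_alv was removed in transit.
    stripped = {k: v for k, v in intended.items() if k != "min_alv"}
    for label, params in (("intact", intended), ("stripped", stripped)):
        token = authorization_server(params, key)
        print(label, "accepted by RP requiring 3:", rp_accepts(token, key, "3"))
```
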

From ve7jtb@ve7jtb.com  Tue Aug 27 16:51:56 2013
Return-Path: <ve7jtb@ve7jtb.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 06C5A21E80B9 for <oauth@ietfa.amsl.com>; Tue, 27 Aug 2013 16:51:56 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.275
X-Spam-Level: 
X-Spam-Status: No, score=-3.275 tagged_above=-999 required=5 tests=[AWL=0.323,  BAYES_00=-2.599, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id l7aLm1Aj8Put for <oauth@ietfa.amsl.com>; Tue, 27 Aug 2013 16:51:51 -0700 (PDT)
Received: from mail-qe0-f48.google.com (mail-qe0-f48.google.com [209.85.128.48]) by ietfa.amsl.com (Postfix) with ESMTP id 34FF621E80A3 for <oauth@ietf.org>; Tue, 27 Aug 2013 16:51:49 -0700 (PDT)
Received: by mail-qe0-f48.google.com with SMTP id 1so3002058qec.21 for <oauth@ietf.org>; Tue, 27 Aug 2013 16:51:48 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=x-gm-message-state:content-type:mime-version:subject:from :in-reply-to:date:cc:message-id:references:to; bh=uO6MjJvie24sP2dLOxEZ7cur5u6GEG+VnMwNvzW+Gsw=; b=I7KjSL5ngHw1qbd9Oq9NerCPJqUSvvM6+Ok0wv7ZV318azbANov3iHUjtmZ5NRGZO4 Z4fIdvd5ucxK5X//PDKA3kBH/kHkbMnvYl1GNwxwG3cUShRUMtPeoXGNgc7HITQ0k/A+ HS7MjCJiKX3bcICv+iDmLMf19jvIJCPajeM2fgCJvS0S2B5nyBtGxK372Y/F8MsqPfpE ohJKWSibnaafu1d9+gaAE2C2enhk2uCGPOincg4C7hYXHJylV5jZ7JvTePgrEziLWwbq ldjat5bQkXPLek/bdOAkVhWPnxgORbplu59bU47t/VVpDduJnzPMje+voeaElWNFLE2x YXSA==
X-Gm-Message-State: ALoCoQnJ5P0ZbQwfhkrgNLtEK7x8A3KH9ldc3xBDUvYP/QToTSImpF0D/Yhv0QZnIs32KE+rWyOm
X-Received: by 10.224.129.65 with SMTP id n1mr26112503qas.29.1377647508647; Tue, 27 Aug 2013 16:51:48 -0700 (PDT)
Received: from [192.168.1.216] (190-20-36-119.baf.movistar.cl. [190.20.36.119]) by mx.google.com with ESMTPSA id w8sm31313238qej.3.1969.12.31.16.00.00 (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Tue, 27 Aug 2013 16:51:47 -0700 (PDT)
Content-Type: multipart/signed; boundary="Apple-Mail=_A888CBDF-4800-4D10-A009-EC421C86D26E"; protocol="application/pkcs7-signature"; micalg=sha1
Mime-Version: 1.0 (Mac OS X Mail 6.5 \(1508\))
From: John Bradley <ve7jtb@ve7jtb.com>
In-Reply-To: <B762489A-FFAC-4BB3-822C-15DA085CB6FC@oracle.com>
Date: Tue, 27 Aug 2013 19:51:42 -0400
Message-Id: <4D2572FD-2B04-40DA-965F-C5C82B9EE813@ve7jtb.com>
References: <20130827155645.1310.29989.idtracker@ietfa.amsl.com> <805A22A4-E086-435E-BBA2-E0A04241A334@oracle.com> <1426A97F-8A71-4297-9F46-C824121D36BB@ve7jtb.com> <B762489A-FFAC-4BB3-822C-15DA085CB6FC@oracle.com>
To: Phil Hunt <phil.hunt@oracle.com>
X-Mailer: Apple Mail (2.1508)
Cc: "oauth@ietf.org WG" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Fwd: New Version Notification for draft-hunt-oauth-v2-user-a4c-01.txt
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 27 Aug 2013 23:51:56 -0000

--Apple-Mail=_A888CBDF-4800-4D10-A009-EC421C86D26E
Content-Type: multipart/alternative;
	boundary="Apple-Mail=_67D763BE-59FF-4119-A284-A935D4774421"


--Apple-Mail=_67D763BE-59FF-4119-A284-A935D4774421
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain;
	charset=us-ascii

I thought you wanted to keep the profile endpoint (user_info) out of this.
Once you have a user-info type endpoint you get into defining scopes for claims and I thought Tony wanted to avoid this and have it be only session authentication.

Connect publishes its idp config in the .well-known directory of "iss" that allows all the endpoints to be discovered.

Over time the Authorization endpoint URI will change and will contain query parameters etc.  Tying iss to a logical name like a SAML entityID that could provide the other endpoint information was a more familiar pattern to people.

In some ways Connect duplicates one of the entity-id to meta-data discovery methods in SAML meta-data that never got traction (other than perhaps in ADFS).

John B.

On 2013-08-27, at 7:37 PM, Phil Hunt <phil.hunt@oracle.com> wrote:

> See below.
> Phil
>
> @independentid
> www.independentid.com
> phil.hunt@oracle.com
>
>
>
> On 2013-08-27, at 4:27 PM, John Bradley <ve7jtb@ve7jtb.com> wrote:
>
>> It is better.  We need to talk about what you have done with "min_alv" vs "acr" from connect which is extensible via an IANA registry of Authentication contexts.
>>
>> If it came down to reserving the strings 1 2 3 4 for the ISO29115 reference that could probably be arranged.
>>
>> I don't know that throwing an error if the min can't be supported is the correct thing.  We had a lot of debate about that and decided that returning the actual acr and letting the client decide was better than an error.
> [PH] I agree.
>>
>> Also remember that the request is not signed so someone could modify it to remove min_alv and spoof an RP that expects all positive results to meet what it asked for.
>>
>> More discussion on min_alv is required.
> [PH] Yes. Returning what actually was done without an error is a better approach.
>
> Also, just noticed that the "hint" parameter should be "login_hint".
>
> I think we also need to discuss how the client detects the profile API type and whether the AS can return multiple endpoints (and is that even a good thing).  A structured attribute giving endpoint type and URL might be the way to go.
>
>>
>> John B.
>>
>> On 2013-08-27, at 12:52 PM, Phil Hunt <phil.hunt@oracle.com> wrote:
>>
>>> FYI.  Based on feedback from Berlin, Tony and I have revised the draft to include:
>>>
>>> * Alignment with OpenID Connect (using id_token)
>>> * Always returns a JWT
>>> * Minimum assertion level on request
>>> * Return information about the type of authentication performed
>>>
>>> Thanks for your input.
>>>
>>> Phil
>>>
>>> @independentid
>>> www.independentid.com
>>> phil.hunt@oracle.com
>>>
>>>
>>> Begin forwarded message:
>>>
>>>> From: internet-drafts@ietf.org
>>>> Subject: New Version Notification for draft-hunt-oauth-v2-user-a4c-01.txt
>>>> Date: 27 August, 2013 8:56:45 AM PDT
>>>> To: Phil Hunt <phil.hunt@yahoo.com>, Anthony Nadalin <tonynad@microsoft.com>, Tony Nadalin <tonynad@microsoft.com>
>>>>
>>>>
>>>> A new version of I-D, draft-hunt-oauth-v2-user-a4c-01.txt
>>>> has been successfully submitted by Phil Hunt and posted to the
>>>> IETF repository.
>>>>
>>>> Filename:        draft-hunt-oauth-v2-user-a4c
>>>> Revision:        01
>>>> Title:           OAuth 2.0 User Authentication and Consent For Clients
>>>> Creation date:   2013-08-27
>>>> Group:           Individual Submission
>>>> Number of pages: 10
>>>> URL:             http://www.ietf.org/internet-drafts/draft-hunt-oauth-v2-user-a4c-01.txt
>>>> Status:          http://datatracker.ietf.org/doc/draft-hunt-oauth-v2-user-a4c
>>>> Htmlized:        http://tools.ietf.org/html/draft-hunt-oauth-v2-user-a4c-01
>>>> Diff:            http://www.ietf.org/rfcdiff?url2=draft-hunt-oauth-v2-user-a4c-01
>>>>
>>>> Abstract:
>>>>   This specification defines a new OAuth2 endpoint that enables user
>>>>   authentication session and consent information to be shared with
>>>>   client applications.
>>>>
>>>> Please note that it may take a couple of minutes from the time of submission
>>>> until the htmlized version and diff are available at tools.ietf.org.
>>>>
>>>> The IETF Secretariat
>>>>
>>>
>>> _______________________________________________
>>> OAuth mailing list
>>> OAuth@ietf.org
>>> https://www.ietf.org/mailman/listinfo/oauth
>>
>


--Apple-Mail=_67D763BE-59FF-4119-A284-A935D4774421
Content-Transfer-Encoding: quoted-printable
Content-Type: text/html;
	charset=us-ascii

<html><head><meta http-equiv=3D"Content-Type" content=3D"text/html =
charset=3Dus-ascii"></head><body style=3D"word-wrap: break-word; =
-webkit-nbsp-mode: space; -webkit-line-break: after-white-space; ">I =
thought you wanted to keep the profile endpoint (user_info) out of this. =
&nbsp; &nbsp;<div>Once you have a user-info type endpoint you get into =
defining scopes for claims and I thought Tony wanted to avoid this and =
have it be only session authentication.<div><br></div><div>Connect =
publishes its idp config in the .well-known directory of "iss" =
&nbsp;that allows all the endpoints to be =
discovered.<div><br></div><div>Over time the Authorization endpoint URI =
will change and will contain query parameters etc. &nbsp;tying iss to a =
logical name like a SAML entityID that could provide the other endpoint =
information was a more familiar pattern to people. =
&nbsp;&nbsp;</div><div><br></div><div>In some ways Connect duplicates =
one of the entity-id to meta-data discovery methods in SAML meta-data =
that never got traction (other than perhaps in =
ADFS).</div><div><br></div><div>John =
B.</div><div><br></div><div><div><div>On 2013-08-27, at 7:37 PM, Phil =
Hunt &lt;<a =
href=3D"mailto:phil.hunt@oracle.com">phil.hunt@oracle.com</a>&gt; =
wrote:</div><br class=3D"Apple-interchange-newline"><blockquote =
type=3D"cite"><meta http-equiv=3D"Content-Type" content=3D"text/html =
charset=3Dus-ascii"><div style=3D"word-wrap: break-word; =
-webkit-nbsp-mode: space; -webkit-line-break: after-white-space; ">See =
below.<br><div apple-content-edited=3D"true">
<span class=3D"Apple-style-span" style=3D"border-collapse: separate; =
font-family: Helvetica; font-style: normal; font-variant: normal; =
font-weight: normal; letter-spacing: normal; line-height: normal; =
orphans: 2; text-indent: 0px; text-transform: none; white-space: normal; =
widows: 2; word-spacing: 0px; border-spacing: 0px; =
-webkit-text-decorations-in-effect: none; -webkit-text-size-adjust: =
auto; -webkit-text-stroke-width: 0px; font-size: medium; "><div =
style=3D"word-wrap: break-word; -webkit-nbsp-mode: space; =
-webkit-line-break: after-white-space; "><span class=3D"Apple-style-span" =
style=3D"border-collapse: separate; font-family: Helvetica; font-size: =
medium; font-style: normal; font-variant: normal; font-weight: normal; =
letter-spacing: normal; line-height: normal; orphans: 2; text-indent: =
0px; text-transform: none; white-space: normal; widows: 2; word-spacing: =
0px; border-spacing: 0px; -webkit-text-decorations-in-effect: none; =
-webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; "><div =
style=3D"word-wrap: break-word; -webkit-nbsp-mode: space; =
-webkit-line-break: after-white-space; "><span class=3D"Apple-style-span" =
style=3D"border-collapse: separate; font-family: Helvetica; font-size: =
medium; font-style: normal; font-variant: normal; font-weight: normal; =
letter-spacing: normal; line-height: normal; orphans: 2; text-indent: =
0px; text-transform: none; white-space: normal; widows: 2; word-spacing: =
0px; border-spacing: 0px; -webkit-text-decorations-in-effect: none; =
-webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; "><div =
style=3D"word-wrap: break-word; -webkit-nbsp-mode: space; =
-webkit-line-break: after-white-space; "><span class=3D"Apple-style-span" =
style=3D"border-collapse: separate; font-family: Helvetica; font-size: =
12px; font-style: normal; font-variant: normal; font-weight: normal; =
letter-spacing: normal; line-height: normal; orphans: 2; text-indent: =
0px; text-transform: none; white-space: normal; widows: 2; word-spacing: =
0px; border-spacing: 0px; -webkit-text-decorations-in-effect: none; =
-webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; "><div =
style=3D"word-wrap: break-word; -webkit-nbsp-mode: space; =
-webkit-line-break: after-white-space; =
"><div>Phil</div><div><br></div><div>@independentid</div><div><a =
href=3D"http://www.independentid.com/">www.independentid.com</a></div></di=
v></span><a =
href=3D"mailto:phil.hunt@oracle.com">phil.hunt@oracle.com</a></div><div =
style=3D"word-wrap: break-word; -webkit-nbsp-mode: space; =
-webkit-line-break: after-white-space; =
"><br></div></span></div></span></div></span><br =
class=3D"Apple-interchange-newline">
</div>
<br><div><div>On 2013-08-27, at 4:27 PM, John Bradley &lt;<a =
href=3D"mailto:ve7jtb@ve7jtb.com">ve7jtb@ve7jtb.com</a>&gt; =
wrote:</div><br class=3D"Apple-interchange-newline"><blockquote =
type=3D"cite"><meta http-equiv=3D"Content-Type" content=3D"text/html =
charset=3Dus-ascii"><div style=3D"word-wrap: break-word; =
-webkit-nbsp-mode: space; -webkit-line-break: after-white-space; ">It is =
better. &nbsp;We need to talk about what you have done with "min_alv" vs =
"acr" from &nbsp;connect which is extensible via a IANA registry of =
Authentication contexts.<div><br></div><div>If it came down to reserving =
the strings 1 2 3 4 for the ISO29115 reference that could probably be =
arranged.</div><div><br></div><div>I don't know that throwing an error =
if the min can't be supported is the correct thing. &nbsp;We had a lot =
of debate about that and decided that returning the actual acr and =
letting the client decide was better than an =
error.</div></div></blockquote>[PH[ I agree.<br><blockquote =
type=3D"cite"><div style=3D"word-wrap: break-word; -webkit-nbsp-mode: =
space; -webkit-line-break: after-white-space; "><div><br></div><div>Also =
remember that the request is not signed so someone could modify it to =
remove min_alv and spoof a RP that expects all positive results to meet =
what it asked for.</div><div><br></div><div>More discussion on min_alv =
is required.</div></div></blockquote>[PH] Yes. Returning what actually =
was done without an error is a better =
approach.</div><div><br></div><div>Also, just noticed that the "hint" =
parameter should be "login_hint".&nbsp;</div><div><br></div><div>I think =
we also need to discuss how the client detects the profile API type and =
whether the AS can return multiple endpoints (and is that even a good =
thing). &nbsp;A structured attribute giving endpoint type and URL might =
be the way to go.</div><div><br><blockquote type=3D"cite"><div =
style=3D"word-wrap: break-word; -webkit-nbsp-mode: space; =
-webkit-line-break: after-white-space; "><div><br></div><div>John =
B.</div><div><br><div><div>On 2013-08-27, at 12:52 PM, Phil Hunt &lt;<a =
href=3D"mailto:phil.hunt@oracle.com">phil.hunt@oracle.com</a>&gt; =
wrote:</div><br class=3D"Apple-interchange-newline"><blockquote =
type=3D"cite"><meta http-equiv=3D"Content-Type" content=3D"text/html =
charset=3Dus-ascii"><div style=3D"word-wrap: break-word; =
-webkit-nbsp-mode: space; -webkit-line-break: after-white-space; ">FYI. =
&nbsp;Based on feedback from Berlin, Tony and I have revised the draft =
to include:<div><br></div><div>* Alignment with OpenID Connect (using =
id_token)</div><div>* Always returns a JWT</div><div>* Minimum assertion =
level on request</div><div>* Return information about the type of =
authentication performed</div><div><br></div><div>Thanks for your =
input.</div><div><br><div apple-content-edited=3D"true">
<span class=3D"Apple-style-span" style=3D"border-collapse: separate; =
font-family: Helvetica; font-style: normal; font-variant: normal; =
font-weight: normal; letter-spacing: normal; line-height: normal; =
orphans: 2; text-indent: 0px; text-transform: none; white-space: normal; =
widows: 2; word-spacing: 0px; border-spacing: 0px; =
-webkit-text-decorations-in-effect: none; -webkit-text-size-adjust: =
auto; -webkit-text-stroke-width: 0px; font-size: medium; "><div =
style=3D"word-wrap: break-word; -webkit-nbsp-mode: space; =
-webkit-line-break: after-white-space; "><span class=3D"Apple-style-span" =
style=3D"border-collapse: separate; font-family: Helvetica; font-size: =
medium; font-style: normal; font-variant: normal; font-weight: normal; =
letter-spacing: normal; line-height: normal; orphans: 2; text-indent: =
0px; text-transform: none; white-space: normal; widows: 2; word-spacing: =
0px; border-spacing: 0px; -webkit-text-decorations-in-effect: none; =
-webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; "><div =
style=3D"word-wrap: break-word; -webkit-nbsp-mode: space; =
-webkit-line-break: after-white-space; "><span class=3D"Apple-style-span" =
style=3D"border-collapse: separate; font-family: Helvetica; font-size: =
medium; font-style: normal; font-variant: normal; font-weight: normal; =
letter-spacing: normal; line-height: normal; orphans: 2; text-indent: =
0px; text-transform: none; white-space: normal; widows: 2; word-spacing: =
0px; border-spacing: 0px; -webkit-text-decorations-in-effect: none; =
-webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; "><div =
style=3D"word-wrap: break-word; -webkit-nbsp-mode: space; =
-webkit-line-break: after-white-space; "><span class=3D"Apple-style-span" =
style=3D"border-collapse: separate; font-family: Helvetica; font-size: =
12px; font-style: normal; font-variant: normal; font-weight: normal; =
letter-spacing: normal; line-height: normal; orphans: 2; text-indent: =
0px; text-transform: none; white-space: normal; widows: 2; word-spacing: =
0px; border-spacing: 0px; -webkit-text-decorations-in-effect: none; =
-webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; "><div =
style=3D"word-wrap: break-word; -webkit-nbsp-mode: space; =
-webkit-line-break: after-white-space; =
"><div>Phil</div><div><br></div><div>@independentid</div><div><a =
href=3D"http://www.independentid.com/">www.independentid.com</a></div></di=
v></span><a =
href=3D"mailto:phil.hunt@oracle.com">phil.hunt@oracle.com</a></div></span>=
</div></span></div></span><br class=3D"Apple-interchange-newline">
</div>

<div><br><div>Begin forwarded message:</div><br =
class=3D"Apple-interchange-newline"><blockquote type=3D"cite"><div =
style=3D"margin-top: 0px; margin-right: 0px; margin-bottom: 0px; =
margin-left: 0px;"><span style=3D"font-family: Helvetica; font-size: =
medium; "><b>From: </b></span><span style=3D"font-family:'Helvetica'; =
font-size:medium;"><a =
href=3D"mailto:internet-drafts@ietf.org">internet-drafts@ietf.org</a><br><=
/span></div><div style=3D"margin-top: 0px; margin-right: 0px; =
margin-bottom: 0px; margin-left: 0px;"><span style=3D"font-family: =
Helvetica; font-size: medium; "><b>Subject: </b></span><span =
style=3D"font-family:'Helvetica'; font-size:medium;"><b>New Version =
Notification for =
draft-hunt-oauth-v2-user-a4c-01.txt</b><br></span></div><div =
style=3D"margin-top: 0px; margin-right: 0px; margin-bottom: 0px; =
margin-left: 0px;"><span style=3D"font-family: Helvetica; font-size: =
medium; "><b>Date: </b></span><span style=3D"font-family:'Helvetica'; =
font-size:medium;">27 August, 2013 8:56:45 AM PDT<br></span></div><div =
style=3D"margin-top: 0px; margin-right: 0px; margin-bottom: 0px; =
margin-left: 0px;"><span style=3D"font-family: Helvetica; font-size: =
medium; "><b>To: </b></span><span style=3D"font-family:'Helvetica'; =
font-size:medium;">Phil Hunt &lt;<a =
href=3D"mailto:phil.hunt@yahoo.com">phil.hunt@yahoo.com</a>&gt;, Anthony =
Nadalin &lt;<a =
href=3D"mailto:tonynad@microsoft.com">tonynad@microsoft.com</a>&gt;, =
Tony Nadalin &lt;<a =
href=3D"mailto:tonynad@microsoft.com">tonynad@microsoft.com</a>&gt;<br></s=
pan></div><br><div><br>A new version of I-D, =
draft-hunt-oauth-v2-user-a4c-01.txt<br>has been successfully submitted =
by Phil Hunt and posted to the<br>IETF repository.<br><br>Filename:<span =
class=3D"Apple-tab-span" style=3D"white-space:pre">	</span> =
draft-hunt-oauth-v2-user-a4c<br>Revision:<span class=3D"Apple-tab-span" =
style=3D"white-space:pre">	</span> 01<br>Title:<span =
class=3D"Apple-tab-span" style=3D"white-space:pre">	</span><span =
class=3D"Apple-tab-span" style=3D"white-space:pre">	</span> OAuth =
2.0 User Authentication and Consent For Clients<br>Creation date:<span =
class=3D"Apple-tab-span" style=3D"white-space:pre">	</span> =
2013-08-27<br>Group:<span class=3D"Apple-tab-span" =
style=3D"white-space:pre">	</span><span class=3D"Apple-tab-span" =
style=3D"white-space:pre">	</span> Individual Submission<br>Number =
of pages: 10<br>URL: =
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<a=
 =
href=3D"http://www.ietf.org/internet-drafts/draft-hunt-oauth-v2-user-a4c-0=
1.txt">http://www.ietf.org/internet-drafts/draft-hunt-oauth-v2-user-a4c-01=
.txt</a><br>Status: =
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<a =
href=3D"http://datatracker.ietf.org/doc/draft-hunt-oauth-v2-user-a4c">http=
://datatracker.ietf.org/doc/draft-hunt-oauth-v2-user-a4c</a><br>Htmlized: =
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<a =
href=3D"http://tools.ietf.org/html/draft-hunt-oauth-v2-user-a4c-01">http:/=
/tools.ietf.org/html/draft-hunt-oauth-v2-user-a4c-01</a><br>Diff: =
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<a =
href=3D"http://www.ietf.org/rfcdiff?url2=3Ddraft-hunt-oauth-v2-user-a4c-01=
">http://www.ietf.org/rfcdiff?url2=3Ddraft-hunt-oauth-v2-user-a4c-01</a><b=
r><br>Abstract:<br> &nbsp;&nbsp;This specification defines a new OAuth2 =
endpoint that enables user<br> &nbsp;&nbsp;authentication session and =
consent information to be shared with<br> &nbsp;&nbsp;client =
applications.<br><br><br><br><br>Please note that it may take a couple =
of minutes from the time of submission<br>until the htmlized version and =
diff are available at <a =
href=3D"http://tools.ietf.org/">tools.ietf.org</a>.<br><br>The IETF =
Secretariat<br><br></div></blockquote></div><br></div></div>______________=
_________________________________<br>OAuth mailing list<br><a =
href=3D"mailto:OAuth@ietf.org">OAuth@ietf.org</a><br><a =
href=3D"https://www.ietf.org/mailman/listinfo/oauth">https://www.ietf.org/=
mailman/listinfo/oauth</a><br></blockquote></div><br></div></div></blockqu=
ote></div><br></div></blockquote></div><br></div></div></div></body></html=
>=

--Apple-Mail=_67D763BE-59FF-4119-A284-A935D4774421--

--Apple-Mail=_A888CBDF-4800-4D10-A009-EC421C86D26E
Content-Disposition: attachment;
	filename=smime.p7s
Content-Type: application/pkcs7-signature;
	name=smime.p7s
Content-Transfer-Encoding: base64


--Apple-Mail=_A888CBDF-4800-4D10-A009-EC421C86D26E--
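
The point raised in the message above, that an unsigned request can lose its min_alv in transit so the RP has to judge the level actually reported, as an added example (not code from the draft or from any poster). It assumes an HS256-signed id_token, the reported level carried in an "acr" claim using the strings "1" to "4" discussed in the thread, and a constructed key; issuer, audience and expiry checks are left out.

```python
import base64
import hashlib
import hmac
import json

# Everything below is constructed for illustration.
CLIENT_SECRET = b"constructed-demo-secret"   # hypothetical key shared by AS and RP
LEVELS = {"1": 1, "2": 2, "3": 3, "4": 4}    # assumption: the "1".."4" strings from the thread


def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_id_token(claims, key):
    """Stand-in for the AS: build an HS256-signed JWT from a claims dict."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    signing_input = f"{header}.{payload}".encode("ascii")
    sig = hmac.new(key, signing_input, hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"


def verified_claims(token, key):
    """Return the claims only if the HS256 signature checks out."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(header_b64))
        signature = b64url_decode(sig_b64)
    except ValueError as exc:
        raise ValueError("malformed token") from exc
    # Pin the algorithm the RP expects instead of trusting the header.
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    signing_input = f"{header_b64}.{payload_b64}".encode("ascii")
    expected = hmac.new(key, signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(payload_b64))
    if not isinstance(claims, dict):
        raise ValueError("claims are not a JSON object")
    return claims


def naive_accept(token, key):
    """RP that treats any validly signed response as meeting what it asked for."""
    try:
        verified_claims(token, key)
        return True
    except ValueError:
        return False


def checked_accept(token, key, required_level, claim="acr"):
    """RP that enforces its own minimum against the level the AS reports."""
    try:
        claims = verified_claims(token, key)
    except ValueError:
        return False
    value = claims.get(claim)
    # A missing, non-string or unregistered value never satisfies the minimum.
    level = LEVELS.get(value) if isinstance(value, str) else None
    return level is not None and level >= required_level


if __name__ == "__main__":
    # The RP wanted level 3, but the AS never saw min_alv and reports level 1.
    low = make_id_token({"sub": "alice", "acr": "1"}, CLIENT_SECRET)
    print("naive RP accepts:  ", naive_accept(low, CLIENT_SECRET))
    print("checked RP accepts:", checked_accept(low, CLIENT_SECRET, 3))
```

The required level lives in the RP's own policy, so dropping the parameter on the wire changes what the AS does but not what the RP accepts.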

From Michael.Jones@microsoft.com  Tue Aug 27 17:09:26 2013
Return-Path: <Michael.Jones@microsoft.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8CA2F11E8105 for <oauth@ietfa.amsl.com>; Tue, 27 Aug 2013 17:09:26 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.429
X-Spam-Level: 
X-Spam-Status: No, score=-3.429 tagged_above=-999 required=5 tests=[AWL=0.169,  BAYES_00=-2.599, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id VlnyYmbBrlD3 for <oauth@ietfa.amsl.com>; Tue, 27 Aug 2013 17:09:21 -0700 (PDT)
Received: from na01-by2-obe.outbound.protection.outlook.com (mail-by2lp0235.outbound.protection.outlook.com [207.46.163.235]) by ietfa.amsl.com (Postfix) with ESMTP id 67B2D11E8241 for <oauth@ietf.org>; Tue, 27 Aug 2013 17:09:21 -0700 (PDT)
Received: from DM2PR03CA010.namprd03.prod.outlook.com (10.141.52.158) by BLUPR03MB035.namprd03.prod.outlook.com (10.255.209.147) with Microsoft SMTP Server (TLS) id 15.0.745.25; Wed, 28 Aug 2013 00:09:13 +0000
Received: from BN1AFFO11FD035.protection.gbl (2a01:111:f400:7c10::25) by DM2PR03CA010.outlook.office365.com (2a01:111:e400:2414::30) with Microsoft SMTP Server (TLS) id 15.0.731.16 via Frontend Transport; Wed, 28 Aug 2013 00:09:13 +0000
Received: from mail.microsoft.com (131.107.125.37) by BN1AFFO11FD035.mail.protection.outlook.com (10.58.52.159) with Microsoft SMTP Server (TLS) id 15.0.745.15 via Frontend Transport; Wed, 28 Aug 2013 00:09:13 +0000
Received: from TK5EX14MBXC283.redmond.corp.microsoft.com ([169.254.2.178]) by TK5EX14MLTC103.redmond.corp.microsoft.com ([157.54.79.174]) with mapi id 14.03.0136.001; Wed, 28 Aug 2013 00:08:36 +0000
From: Mike Jones <Michael.Jones@microsoft.com>
To: Phil Hunt <phil.hunt@oracle.com>, John Bradley <ve7jtb@ve7jtb.com>
Thread-Topic: [OAUTH-WG] Fwd: New Version Notification for draft-hunt-oauth-v2-user-a4c-01.txt
Thread-Index: AQHOo0Xx/shr9E0dO0CyW4vMFChZdpmps40AgAACowCAAAYZgA==
Date: Wed, 28 Aug 2013 00:08:36 +0000
Message-ID: <4E1F6AAD24975D4BA5B16804296739436B7E0239@TK5EX14MBXC283.redmond.corp.microsoft.com>
References: <20130827155645.1310.29989.idtracker@ietfa.amsl.com> <805A22A4-E086-435E-BBA2-E0A04241A334@oracle.com> <1426A97F-8A71-4297-9F46-C824121D36BB@ve7jtb.com> <B762489A-FFAC-4BB3-822C-15DA085CB6FC@oracle.com>
In-Reply-To: <B762489A-FFAC-4BB3-822C-15DA085CB6FC@oracle.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
x-originating-ip: [157.54.51.78]
Content-Type: multipart/alternative; boundary="_000_4E1F6AAD24975D4BA5B16804296739436B7E0239TK5EX14MBXC283r_"
MIME-Version: 1.0
X-Forefront-Antispam-Report: CIP:131.107.125.37; CTRY:US; IPV:CAL; IPV:NLI; EFV:NLI; SFV:NSPM; SFS:(24454002)(69234005)(377424004)(377454003)(189002)(199002)(2473001)(81542001)(46102001)(512954002)(31966008)(74662001)(19580395003)(50986001)(47976001)(19580405001)(83322001)(81342001)(47446002)(74502001)(80976001)(81686001)(56816003)(77096001)(74706001)(74366001)(51856001)(71186001)(6806004)(54356001)(16601075003)(15202345003)(44976005)(53806001)(15975445006)(47736001)(33656001)(4396001)(49866001)(16236675002)(15974865002)(14971765001)(19300405004)(20776003)(81816001)(69226001)(63696002)(66066001)(80022001)(65816001)(56776001)(76482001)(54316002)(55846006)(83072001)(59766001)(77982001)(74876001)(79102001)(76786001)(76796001); DIR:OUT; SFP:; SCL:1; SRVR:BLUPR03MB035; H:mail.microsoft.com; CLIP:131.107.125.37; RD:InfoDomainNonexistent; MX:1; A:1; LANG:en; 
X-O365ENT-EOP-Header: Message processed by -  O365_ENT: Allow from ranges (Engineering ONLY)
X-Forefront-PRVS: 09525C61DB
X-OriginatorOrg: DuplicateDomain-a84fc36a-4ed7-4e57-ab1c-3e967bcbad48.microsoft.com
Cc: "oauth@ietf.org WG" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Fwd: New Version Notification for	draft-hunt-oauth-v2-user-a4c-01.txt
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 28 Aug 2013 00:09:26 -0000

--_000_4E1F6AAD24975D4BA5B16804296739436B7E0239TK5EX14MBXC283r_
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable

I'm concerned that the current "alv" and "min_alv" text wouldn't survive IESG review since depending upon NIST SP-800-63-2 is US-centric. The point of OpenID Connect "acr" (authentication context class reference) claim using RFC6711 is that the authentication context values used are internationalized.

I agree that using the strings "1", "2", "3", and "4" to refer to the ISO 29115 authentication level values would be preferable to the current "alv" text, since that approach is much more likely to survive IESG review and result in an approved RFC. I'd therefore suggest making this change sooner rather than later.

                                                                -- Mike

From: oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] On Behalf Of Phil Hunt
Sent: Tuesday, August 27, 2013 4:37 PM
To: John Bradley
Cc: oauth@ietf.org WG
Subject: Re: [OAUTH-WG] Fwd: New Version Notification for draft-hunt-oauth-v2-user-a4c-01.txt

See below.
Phil

@independentid
www.independentid.com<http://www.independentid.com>
phil.hunt@oracle.com<mailto:phil.hunt@oracle.com>





On 2013-08-27, at 4:27 PM, John Bradley <ve7jtb@ve7jtb.com<mailto:ve7jtb@ve7jtb.com>> wrote:


It is better.  We need to talk about what you have done with "min_alv" vs "acr" from connect which is extensible via an IANA registry of Authentication contexts.

If it came down to reserving the strings 1 2 3 4 for the ISO29115 reference that could probably be arranged.

I don't know that throwing an error if the min can't be supported is the correct thing.  We had a lot of debate about that and decided that returning the actual acr and letting the client decide was better than an error.
[PH] I agree.


Also remember that the request is not signed so someone could modify it to remove min_alv and spoof an RP that expects all positive results to meet what it asked for.

More discussion on min_alv is required.
[PH] Yes. Returning what actually was done without an error is a better approach.

Also, just noticed that the "hint" parameter should be "login_hint".

I think we also need to discuss how the client detects the profile API type and whether the AS can return multiple endpoints (and is that even a good thing).  A structured attribute giving endpoint type and URL might be the way to go.



John B.

On 2013-08-27, at 12:52 PM, Phil Hunt <phil.hunt@oracle.com<mailto:phil.hunt@oracle.com>> wrote:


FYI.  Based on feedback from Berlin, Tony and I have revised the draft to include:

* Alignment with OpenID Connect (using id_token)
* Always returns a JWT
* Minimum assertion level on request
* Return information about the type of authentication performed

Thanks for your input.

Phil

@independentid
www.independentid.com<http://www.independentid.com/>
phil.hunt@oracle.com<mailto:phil.hunt@oracle.com>


Begin forwarded message:


From: internet-drafts@ietf.org<mailto:internet-drafts@ietf.org>
Subject: New Version Notification for draft-hunt-oauth-v2-user-a4c-01.txt
Date: 27 August, 2013 8:56:45 AM PDT
To: Phil Hunt <phil.hunt@yahoo.com<mailto:phil.hunt@yahoo.com>>, Anthony Nadalin <tonynad@microsoft.com<mailto:tonynad@microsoft.com>>, Tony Nadalin <tonynad@microsoft.com<mailto:tonynad@microsoft.com>>


A new version of I-D, draft-hunt-oauth-v2-user-a4c-01.txt
has been successfully submitted by Phil Hunt and posted to the
IETF repository.

Filename:         draft-hunt-oauth-v2-user-a4c
Revision:         01
Title:                OAuth 2.0 User Authentication and Consent For Clients
Creation date: 2013-08-27
Group:             Individual Submission
Number of pages: 10
URL:             http://www.ietf.org/internet-drafts/draft-hunt-oauth-v2-user-a4c-01.txt
Status:          http://datatracker.ietf.org/doc/draft-hunt-oauth-v2-user-a4c
Htmlized:        http://tools.ietf.org/html/draft-hunt-oauth-v2-user-a4c-01
Diff:            http://www.ietf.org/rfcdiff?url2=draft-hunt-oauth-v2-user-a4c-01

Abstract:
  This specification defines a new OAuth2 endpoint that enables user
  authentication session and consent information to be shared with
  client applications.




Please note that it may take a couple of minutes from the time of submission
until the htmlized version and diff are available at tools.ietf.org<http://tools.ietf.org/>.

The IETF Secretariat

_______________________________________________
OAuth mailing list
OAuth@ietf.org<mailto:OAuth@ietf.org>
https://www.ietf.org/mailman/listinfo/oauth



--_000_4E1F6AAD24975D4BA5B16804296739436B7E0239TK5EX14MBXC283r_
Content-Type: text/html; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable

<html xmlns:v=3D"urn:schemas-microsoft-com:vml" xmlns:o=3D"urn:schemas-micr=
osoft-com:office:office" xmlns:w=3D"urn:schemas-microsoft-com:office:word" =
xmlns:m=3D"http://schemas.microsoft.com/office/2004/12/omml" xmlns=3D"http:=
//www.w3.org/TR/REC-html40">
<head>
<meta http-equiv=3D"Content-Type" content=3D"text/html; charset=3Dus-ascii"=
>
<meta name=3D"Generator" content=3D"Microsoft Word 14 (filtered medium)">
<style><!--
/* Font Definitions */
@font-face
	{font-family:Helvetica;
	panose-1:2 11 6 4 2 2 2 2 2 4;}
@font-face
	{font-family:Helvetica;
	panose-1:2 11 6 4 2 2 2 2 2 4;}
@font-face
	{font-family:Calibri;
	panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
	{font-family:Tahoma;
	panose-1:2 11 6 4 3 5 4 4 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
	{margin:0in;
	margin-bottom:.0001pt;
	font-size:12.0pt;
	font-family:"Times New Roman","serif";}
a:link, span.MsoHyperlink
	{mso-style-priority:99;
	color:blue;
	text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
	{mso-style-priority:99;
	color:purple;
	text-decoration:underline;}
p.MsoAcetate, li.MsoAcetate, div.MsoAcetate
	{mso-style-priority:99;
	mso-style-link:"Balloon Text Char";
	margin:0in;
	margin-bottom:.0001pt;
	font-size:8.0pt;
	font-family:"Tahoma","sans-serif";}
span.apple-style-span
	{mso-style-name:apple-style-span;}
span.apple-tab-span
	{mso-style-name:apple-tab-span;}
span.EmailStyle19
	{mso-style-type:personal-reply;
	font-family:"Calibri","sans-serif";
	color:#1F497D;}
span.BalloonTextChar
	{mso-style-name:"Balloon Text Char";
	mso-style-priority:99;
	mso-style-link:"Balloon Text";
	font-family:"Tahoma","sans-serif";}
.MsoChpDefault
	{mso-style-type:export-only;
	font-size:10.0pt;}
@page WordSection1
	{size:8.5in 11.0in;
	margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
	{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext=3D"edit" spidmax=3D"1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext=3D"edit">
<o:idmap v:ext=3D"edit" data=3D"1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang=3D"EN-US" link=3D"blue" vlink=3D"purple">
<div class=3D"WordSection1">
<p class=3D"MsoNormal"><span style=3D"font-size:11.0pt;font-family:&quot;Ca=
libri&quot;,&quot;sans-serif&quot;;color:#1F497D">I&#8217;m concerned that =
the current &#8220;alv&#8221; and &#8220;min_alv&#8221; text wouldn&#8217;t=
 survive IESG review since depending upon NIST SP-800-63-2 is US-centric.&nbs=
p; The point of OpenID
 Connect &#8220;acr&#8221; (authentication context class reference) claim u=
sing RFC6711 is that the authentication context values used are internation=
alized.<o:p></o:p></span></p>
<p class=3D"MsoNormal"><span style=3D"font-size:11.0pt;font-family:&quot;Ca=
libri&quot;,&quot;sans-serif&quot;;color:#1F497D"><o:p>&nbsp;</o:p></span><=
/p>
<p class=3D"MsoNormal"><span style=3D"font-size:11.0pt;font-family:&quot;Ca=
libri&quot;,&quot;sans-serif&quot;;color:#1F497D">I agree that using the st=
rings &#8220;1&#8221;, &#8220;2&#8221;, &#8220;3&#8221;, and &#8220;4&#8221=
; to refer to the ISO 29115 authentication level values would be preferable=
 to the current &#8220;alv&#8221; text, since
 that approach is much more likely to survive IESG review and result in an =
approved RFC.&nbsp; I&#8217;d therefore suggest making this change sooner r=
ather than later.<o:p></o:p></span></p>
<p class=3D"MsoNormal"><span style=3D"font-size:11.0pt;font-family:&quot;Ca=
libri&quot;,&quot;sans-serif&quot;;color:#1F497D"><o:p>&nbsp;</o:p></span><=
/p>
<p class=3D"MsoNormal"><span style=3D"font-size:11.0pt;font-family:&quot;Ca=
libri&quot;,&quot;sans-serif&quot;;color:#1F497D">&nbsp;&nbsp;&nbsp;&nbsp;&=
nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbs=
p;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&=
nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbs=
p;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&=
nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; -- Mike<o:p></o:p></s=
pan></p>
<p class=3D"MsoNormal"><span style=3D"font-size:11.0pt;font-family:&quot;Ca=
libri&quot;,&quot;sans-serif&quot;;color:#1F497D"><o:p>&nbsp;</o:p></span><=
/p>
<div>
<div style=3D"border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in =
0in 0in">
<p class=3D"MsoNormal"><b><span style=3D"font-size:10.0pt;font-family:&quot=
;Tahoma&quot;,&quot;sans-serif&quot;">From:</span></b><span style=3D"font-s=
ize:10.0pt;font-family:&quot;Tahoma&quot;,&quot;sans-serif&quot;"> oauth-bo=
unces@ietf.org [mailto:oauth-bounces@ietf.org]
<b>On Behalf Of </b>Phil Hunt<br>
<b>Sent:</b> Tuesday, August 27, 2013 4:37 PM<br>
<b>To:</b> John Bradley<br>
<b>Cc:</b> oauth@ietf.org WG<br>
<b>Subject:</b> Re: [OAUTH-WG] Fwd: New Version Notification for draft-hunt=
-oauth-v2-user-a4c-01.txt<o:p></o:p></span></p>
</div>
</div>
<p class=3D"MsoNormal"><o:p>&nbsp;</o:p></p>
<p class=3D"MsoNormal">See below.<o:p></o:p></p>
<div>
<div>
<div>
<div>
<div>
<div>
<p class=3D"MsoNormal"><span style=3D"font-size:9.0pt;font-family:&quot;Hel=
vetica&quot;,&quot;sans-serif&quot;;color:black">Phil<o:p></o:p></span></p>
</div>
<div>
<p class=3D"MsoNormal"><span style=3D"font-size:9.0pt;font-family:&quot;Hel=
vetica&quot;,&quot;sans-serif&quot;;color:black"><o:p>&nbsp;</o:p></span></=
p>
</div>
<div>
<p class=3D"MsoNormal"><span style=3D"font-size:9.0pt;font-family:&quot;Hel=
vetica&quot;,&quot;sans-serif&quot;;color:black">@independentid<o:p></o:p><=
/span></p>
</div>
<div>
<p class=3D"MsoNormal"><span style=3D"font-size:9.0pt;font-family:&quot;Hel=
vetica&quot;,&quot;sans-serif&quot;;color:black"><a href=3D"http://www.inde=
pendentid.com">www.independentid.com</a><o:p></o:p></span></p>
</div>
</div>
<p class=3D"MsoNormal"><span style=3D"font-size:13.5pt;font-family:&quot;He=
lvetica&quot;,&quot;sans-serif&quot;;color:black"><a href=3D"mailto:phil.hu=
nt@oracle.com">phil.hunt@oracle.com</a><o:p></o:p></span></p>
</div>
<div>
<p class=3D"MsoNormal" style=3D"margin-bottom:13.5pt"><span style=3D"font-s=
ize:13.5pt;font-family:&quot;Helvetica&quot;,&quot;sans-serif&quot;;color:b=
lack"><o:p>&nbsp;</o:p></span></p>
</div>
<p class=3D"MsoNormal"><span style=3D"font-size:13.5pt;font-family:&quot;He=
lvetica&quot;,&quot;sans-serif&quot;;color:black"><o:p>&nbsp;</o:p></span><=
/p>
</div>
<p class=3D"MsoNormal"><span style=3D"font-size:13.5pt;font-family:&quot;He=
lvetica&quot;,&quot;sans-serif&quot;;color:black"><o:p>&nbsp;</o:p></span><=
/p>
</div>
<p class=3D"MsoNormal" style=3D"margin-bottom:12.0pt"><o:p>&nbsp;</o:p></p>
</div>
<p class=3D"MsoNormal"><o:p>&nbsp;</o:p></p>
<div>
<div>
<p class=3D"MsoNormal">On 2013-08-27, at 4:27 PM, John Bradley &lt;<a href=
=3D"mailto:ve7jtb@ve7jtb.com">ve7jtb@ve7jtb.com</a>&gt; wrote:<o:p></o:p></=
p>
</div>
<p class=3D"MsoNormal"><br>
<br>
<o:p></o:p></p>
<div>
<p class=3D"MsoNormal">It is better. &nbsp;We need to talk about what you h=
ave done with &quot;min_alv&quot; vs &quot;acr&quot; from &nbsp;connect whi=
ch is extensible via an IANA registry of Authentication contexts.<o:p></o:p>=
</p>
<div>
<p class=3D"MsoNormal"><o:p>&nbsp;</o:p></p>
</div>
<div>
<p class=3D"MsoNormal">If it came down to reserving the strings 1 2 3 4 for=
 the ISO29115 reference that could probably be arranged.<o:p></o:p></p>
</div>
<div>
<p class=3D"MsoNormal"><o:p>&nbsp;</o:p></p>
</div>
<div>
<p class=3D"MsoNormal">I don't know that throwing an error if the min can't=
 be supported is the correct thing. &nbsp;We had a lot of debate about that=
 and decided that returning the actual acr and letting the client decide wa=
s better than an error.<o:p></o:p></p>
</div>
</div>
<p class=3D"MsoNormal">[PH] I agree.<br>
<br>
<o:p></o:p></p>
<div>
<div>
<p class=3D"MsoNormal"><o:p>&nbsp;</o:p></p>
</div>
<div>
<p class=3D"MsoNormal">Also remember that the request is not signed so some=
one could modify it to remove min_alv and spoof an RP that expects all posit=
ive results to meet what it asked for.<o:p></o:p></p>
</div>
<div>
<p class=3D"MsoNormal"><o:p>&nbsp;</o:p></p>
</div>
<div>
<p class=3D"MsoNormal">More discussion on min_alv is required.<o:p></o:p></=
p>
</div>
</div>
<p class=3D"MsoNormal">[PH] Yes. Returning what actually was done without a=
n error is a better approach.<o:p></o:p></p>
</div>
<div>
<p class=3D"MsoNormal"><o:p>&nbsp;</o:p></p>
</div>
<div>
<p class=3D"MsoNormal">Also, just noticed that the &quot;hint&quot; paramet=
er should be &quot;login_hint&quot;.&nbsp;<o:p></o:p></p>
</div>
<div>
<p class=3D"MsoNormal"><o:p>&nbsp;</o:p></p>
</div>
<div>
<p class=3D"MsoNormal">I think we also need to discuss how the client detec=
ts the profile API type and whether the AS can return multiple endpoints (a=
nd is that even a good thing). &nbsp;A structured attribute giving endpoint=
 type and URL might be the way to go.<o:p></o:p></p>
</div>
<div>
<p class=3D"MsoNormal"><br>
<br>
<o:p></o:p></p>
<div>
<div>
<p class=3D"MsoNormal"><o:p>&nbsp;</o:p></p>
</div>
<div>
<p class=3D"MsoNormal">John B.<o:p></o:p></p>
</div>
<div>
<p class=3D"MsoNormal"><o:p>&nbsp;</o:p></p>
<div>
<div>
<p class=3D"MsoNormal">On 2013-08-27, at 12:52 PM, Phil Hunt &lt;<a href=3D=
"mailto:phil.hunt@oracle.com">phil.hunt@oracle.com</a>&gt; wrote:<o:p></o:p=
></p>
</div>
<p class=3D"MsoNormal"><br>
<br>
<o:p></o:p></p>
<div>
<p class=3D"MsoNormal">FYI. &nbsp;Based on feedback from Berlin, Tony and I=
 have revised the draft to include:<o:p></o:p></p>
<div>
<p class=3D"MsoNormal"><o:p>&nbsp;</o:p></p>
</div>
<div>
<p class=3D"MsoNormal">* Alignment with OpenID Connect (using id_token)<o:p=
></o:p></p>
</div>
<div>
<p class=3D"MsoNormal">* Always returns a JWT<o:p></o:p></p>
</div>
<div>
<p class=3D"MsoNormal">* Minimum assertion level on request<o:p></o:p></p>
</div>
<div>
<p class=3D"MsoNormal">* Return information about the type of authenticatio=
n performed<o:p></o:p></p>
</div>
<div>
<p class=3D"MsoNormal"><o:p>&nbsp;</o:p></p>
</div>
<div>
<p class=3D"MsoNormal">Thanks for your input.<o:p></o:p></p>
</div>
<div>
<p class=3D"MsoNormal"><o:p>&nbsp;</o:p></p>
<div>
<div>
<div>
<div>
<div>
<div>
<p class=3D"MsoNormal"><span style=3D"font-size:9.0pt;font-family:&quot;Hel=
vetica&quot;,&quot;sans-serif&quot;">Phil<o:p></o:p></span></p>
</div>
<div>
<p class=3D"MsoNormal"><span style=3D"font-size:9.0pt;font-family:&quot;Hel=
vetica&quot;,&quot;sans-serif&quot;"><o:p>&nbsp;</o:p></span></p>
</div>
<div>
<p class=3D"MsoNormal"><span style=3D"font-size:9.0pt;font-family:&quot;Hel=
vetica&quot;,&quot;sans-serif&quot;">@independentid<o:p></o:p></span></p>
</div>
<div>
<p class=3D"MsoNormal"><span style=3D"font-size:9.0pt;font-family:&quot;Hel=
vetica&quot;,&quot;sans-serif&quot;"><a href=3D"http://www.independentid.co=
m/">www.independentid.com</a><o:p></o:p></span></p>
</div>
</div>
<p class=3D"MsoNormal"><span style=3D"font-size:13.5pt;font-family:&quot;He=
lvetica&quot;,&quot;sans-serif&quot;"><a href=3D"mailto:phil.hunt@oracle.co=
m">phil.hunt@oracle.com</a><o:p></o:p></span></p>
</div>
</div>
</div>
<p class=3D"MsoNormal"><o:p>&nbsp;</o:p></p>
</div>
<div>
<p class=3D"MsoNormal"><o:p>&nbsp;</o:p></p>
<div>
<p class=3D"MsoNormal">Begin forwarded message:<o:p></o:p></p>
</div>
<p class=3D"MsoNormal"><br>
<br>
<o:p></o:p></p>
<div>
<p class=3D"MsoNormal"><b><span style=3D"font-size:13.5pt;font-family:&quot=
;Helvetica&quot;,&quot;sans-serif&quot;">From:
</span></b><span style=3D"font-size:13.5pt;font-family:&quot;Helvetica&quot=
;,&quot;sans-serif&quot;"><a href=3D"mailto:internet-drafts@ietf.org">inter=
net-drafts@ietf.org</a></span><o:p></o:p></p>
</div>
<div>
<p class=3D"MsoNormal"><b><span style=3D"font-size:13.5pt;font-family:&quot=
;Helvetica&quot;,&quot;sans-serif&quot;">Subject: New Version Notification =
for draft-hunt-oauth-v2-user-a4c-01.txt</span></b><o:p></o:p></p>
</div>
<div>
<p class=3D"MsoNormal"><b><span style=3D"font-size:13.5pt;font-family:&quot=
;Helvetica&quot;,&quot;sans-serif&quot;">Date:
</span></b><span style=3D"font-size:13.5pt;font-family:&quot;Helvetica&quot=
;,&quot;sans-serif&quot;">27 August, 2013 8:56:45 AM PDT</span><o:p></o:p><=
/p>
</div>
<div>
<p class=3D"MsoNormal"><b><span style=3D"font-size:13.5pt;font-family:&quot=
;Helvetica&quot;,&quot;sans-serif&quot;">To:
</span></b><span style=3D"font-size:13.5pt;font-family:&quot;Helvetica&quot=
;,&quot;sans-serif&quot;">Phil Hunt &lt;<a href=3D"mailto:phil.hunt@yahoo.c=
om">phil.hunt@yahoo.com</a>&gt;, Anthony Nadalin &lt;<a href=3D"mailto:tony=
nad@microsoft.com">tonynad@microsoft.com</a>&gt;, Tony Nadalin &lt;<a href=
=3D"mailto:tonynad@microsoft.com">tonynad@microsoft.com</a>&gt;</span><o:p>=
</o:p></p>
</div>
<p class=3D"MsoNormal"><o:p>&nbsp;</o:p></p>
<div>
<p class=3D"MsoNormal" style=3D"margin-bottom:12.0pt"><br>
A new version of I-D, draft-hunt-oauth-v2-user-a4c-01.txt<br>
has been successfully submitted by Phil Hunt and posted to the<br>
IETF repository.<br>
<br>
Filename:<span class=3D"apple-tab-span">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp=
;&nbsp;&nbsp; </span>draft-hunt-oauth-v2-user-a4c<br>
Revision:<span class=3D"apple-tab-span">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp=
;&nbsp;&nbsp; </span>01<br>
Title:<span class=3D"apple-tab-span">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&n=
bsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </span>OAuth 2.0 User =
Authentication and Consent For Clients<br>
Creation date:<span class=3D"apple-tab-span"> </span>2013-08-27<br>
Group:<span class=3D"apple-tab-span">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&n=
bsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </span>Individual Submission<br>
Number of pages: 10<br>
URL: &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbs=
p;<a href=3D"http://www.ietf.org/internet-drafts/draft-hunt-oauth-v2-user-a=
4c-01.txt">http://www.ietf.org/internet-drafts/draft-hunt-oauth-v2-user-a4c=
-01.txt</a><br>
Status: &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<a href=3D"ht=
tp://datatracker.ietf.org/doc/draft-hunt-oauth-v2-user-a4c">http://datatrac=
ker.ietf.org/doc/draft-hunt-oauth-v2-user-a4c</a><br>
Htmlized: &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<a href=3D"http://tools=
.ietf.org/html/draft-hunt-oauth-v2-user-a4c-01">http://tools.ietf.org/html/=
draft-hunt-oauth-v2-user-a4c-01</a><br>
Diff: &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<a =
href=3D"http://www.ietf.org/rfcdiff?url2=3Ddraft-hunt-oauth-v2-user-a4c-01"=
>http://www.ietf.org/rfcdiff?url2=3Ddraft-hunt-oauth-v2-user-a4c-01</a><br>
<br>
Abstract:<br>
&nbsp;&nbsp;This specification defines a new OAuth2 endpoint that enables u=
ser<br>
&nbsp;&nbsp;authentication session and consent information to be shared wit=
h<br>
&nbsp;&nbsp;client applications.<br>
<br>
<br>
<br>
<br>
Please note that it may take a couple of minutes from the time of submissio=
n<br>
until the htmlized version and diff are available at <a href=3D"http://tool=
s.ietf.org/">
tools.ietf.org</a>.<br>
<br>
The IETF Secretariat<o:p></o:p></p>
</div>
</div>
<p class=3D"MsoNormal"><o:p>&nbsp;</o:p></p>
</div>
</div>
<p class=3D"MsoNormal">_______________________________________________<br>
OAuth mailing list<br>
<a href=3D"mailto:OAuth@ietf.org">OAuth@ietf.org</a><br>
<a href=3D"https://www.ietf.org/mailman/listinfo/oauth">https://www.ietf.or=
g/mailman/listinfo/oauth</a><o:p></o:p></p>
</div>
<p class=3D"MsoNormal"><o:p>&nbsp;</o:p></p>
</div>
</div>
</div>
<p class=3D"MsoNormal"><o:p>&nbsp;</o:p></p>
</div>
</body>
</html>

--_000_4E1F6AAD24975D4BA5B16804296739436B7E0239TK5EX14MBXC283r_--

From phil.hunt@oracle.com  Tue Aug 27 17:28:26 2013
Return-Path: <phil.hunt@oracle.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E01C011E826A for <oauth@ietfa.amsl.com>; Tue, 27 Aug 2013 17:28:26 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.923
X-Spam-Level: 
X-Spam-Status: No, score=-5.923 tagged_above=-999 required=5 tests=[AWL=0.675,  BAYES_00=-2.599, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id JfulIF3nnCI3 for <oauth@ietfa.amsl.com>; Tue, 27 Aug 2013 17:28:22 -0700 (PDT)
Received: from aserp1040.oracle.com (aserp1040.oracle.com [141.146.126.69]) by ietfa.amsl.com (Postfix) with ESMTP id CF04A11E8251 for <oauth@ietf.org>; Tue, 27 Aug 2013 17:28:21 -0700 (PDT)
Received: from acsinet21.oracle.com (acsinet21.oracle.com [141.146.126.237]) by aserp1040.oracle.com (Sentrion-MTA-4.3.1/Sentrion-MTA-4.3.1) with ESMTP id r7S0SKPl029142 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK); Wed, 28 Aug 2013 00:28:20 GMT
Received: from userz7022.oracle.com (userz7022.oracle.com [156.151.31.86]) by acsinet21.oracle.com (8.14.4+Sun/8.14.4) with ESMTP id r7S0SINF025628 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Wed, 28 Aug 2013 00:28:18 GMT
Received: from abhmt102.oracle.com (abhmt102.oracle.com [141.146.116.54]) by userz7022.oracle.com (8.14.4+Sun/8.14.4) with ESMTP id r7S0SHMu003375; Wed, 28 Aug 2013 00:28:17 GMT
Received: from [192.168.1.89] (/24.86.29.34) by default (Oracle Beehive Gateway v4.0) with ESMTP ; Tue, 27 Aug 2013 17:28:17 -0700
Content-Type: multipart/alternative; boundary="Apple-Mail=_CD173472-46D3-46B0-B3E5-26EC8F5B4C85"
Mime-Version: 1.0 (Mac OS X Mail 6.5 \(1508\))
From: Phil Hunt <phil.hunt@oracle.com>
In-Reply-To: <4D2572FD-2B04-40DA-965F-C5C82B9EE813@ve7jtb.com>
Date: Tue, 27 Aug 2013 17:28:19 -0700
Message-Id: <B5AA5EB0-A873-4A68-A4ED-3FBAE91F68DB@oracle.com>
References: <20130827155645.1310.29989.idtracker@ietfa.amsl.com> <805A22A4-E086-435E-BBA2-E0A04241A334@oracle.com> <1426A97F-8A71-4297-9F46-C824121D36BB@ve7jtb.com> <B762489A-FFAC-4BB3-822C-15DA085CB6FC@oracle.com> <4D2572FD-2B04-40DA-965F-C5C82B9EE813@ve7jtb.com>
To: John Bradley <ve7jtb@ve7jtb.com>
X-Mailer: Apple Mail (2.1508)
X-Source-IP: acsinet21.oracle.com [141.146.126.237]
Cc: "oauth@ietf.org WG" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Fwd: New Version Notification for draft-hunt-oauth-v2-user-a4c-01.txt
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 28 Aug 2013 00:28:27 -0000

--Apple-Mail=_CD173472-46D3-46B0-B3E5-26EC8F5B4C85
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain;
	charset=us-ascii

John,

I do not want to do anything to specify the profile endpoint.  The big
problem is there are already many APIs -- user_info is but one.

The problem in the IETF OAuth space is that the URL the client
"thinks" is the authenticated user is not guaranteed to be the user.
For example, the clients assume "facebook.com/me" is the authenticated
user -- and in that case it is.  But for other APIs there are no
aliases.  For example, my client could be requesting information about
your Facebook endpoint and because I am a friend, the client thinks it
just authenticated you.  The point of returning the profile URL is to
ensure that the client knows what the authenticated user's profile URL
is.

I raised the question of whether returning multiple URLs is useful since
many cloud providers are actually offering multiple APIs for the same
user information. My feeling is that that client already knows what it
wants and is merely checking that the value matches its expectations.

I think the .well-known might be useful, but since this may change on a
user-by-user basis, it is problematic.  For example, the authenticated
user may be federated. What then?

Phil

@independentid
www.independentid.com
phil.hunt@oracle.com







On 2013-08-27, at 4:51 PM, John Bradley <ve7jtb@ve7jtb.com> wrote:

> I thought you wanted to keep the profile endpoint (user_info) out of
> this.
> Once you have a user-info type endpoint you get into defining scopes
> for claims and I thought Tony wanted to avoid this and have it be only
> session authentication.
>
> Connect publishes its idp config in the .well-known directory of "iss"
> that allows all the endpoints to be discovered.
>
> Over time the Authorization endpoint URI will change and will contain
> query parameters etc.  tying iss to a logical name like a SAML entityID
> that could provide the other endpoint information was a more familiar
> pattern to people.
>
> In some ways Connect duplicates one of the entity-id to meta-data
> discovery methods in SAML meta-data that never got traction (other than
> perhaps in ADFS).
>
> John B.
>
> On 2013-08-27, at 7:37 PM, Phil Hunt <phil.hunt@oracle.com> wrote:
>
>> See below.
>> Phil
>>
>> @independentid
>> www.independentid.com
>> phil.hunt@oracle.com
>>
>> On 2013-08-27, at 4:27 PM, John Bradley <ve7jtb@ve7jtb.com> wrote:
>>
>>> It is better.  We need to talk about what you have done with
>>> "min_alv" vs "acr" from connect which is extensible via an IANA
>>> registry of Authentication contexts.
>>>
>>> If it came down to reserving the strings 1 2 3 4 for the ISO29115
>>> reference that could probably be arranged.
>>>
>>> I don't know that throwing an error if the min can't be supported is
>>> the correct thing.  We had a lot of debate about that and decided
>>> that returning the actual acr and letting the client decide was
>>> better than an error.
>> [PH] I agree.
>>>
>>> Also remember that the request is not signed so someone could modify
>>> it to remove min_alv and spoof a RP that expects all positive results
>>> to meet what it asked for.
>>>
>>> More discussion on min_alv is required.
>> [PH] Yes. Returning what actually was done without an error is a
>> better approach.
>>
>> Also, just noticed that the "hint" parameter should be "login_hint".
>>
>> I think we also need to discuss how the client detects the profile
>> API type and whether the AS can return multiple endpoints (and is that
>> even a good thing).  A structured attribute giving endpoint type and
>> URL might be the way to go.
>>
>>>
>>> John B.
>>>
>>> On 2013-08-27, at 12:52 PM, Phil Hunt <phil.hunt@oracle.com> wrote:
>>>
>>>> FYI.  Based on feedback from Berlin, Tony and I have revised the
>>>> draft to include:
>>>>
>>>> * Alignment with OpenID Connect (using id_token)
>>>> * Always returns a JWT
>>>> * Minimum assertion level on request
>>>> * Return information about the type of authentication performed
>>>>
>>>> Thanks for your input.
>>>>
>>>> Phil
>>>>
>>>> @independentid
>>>> www.independentid.com
>>>> phil.hunt@oracle.com
>>>>
>>>>
>>>> Begin forwarded message:
>>>>
>>>>> From: internet-drafts@ietf.org
>>>>> Subject: New Version Notification for
>>>>> draft-hunt-oauth-v2-user-a4c-01.txt
>>>>> Date: 27 August, 2013 8:56:45 AM PDT
>>>>> To: Phil Hunt <phil.hunt@yahoo.com>, Anthony Nadalin
>>>>> <tonynad@microsoft.com>, Tony Nadalin <tonynad@microsoft.com>
>>>>>
>>>>>
>>>>> A new version of I-D, draft-hunt-oauth-v2-user-a4c-01.txt
>>>>> has been successfully submitted by Phil Hunt and posted to the
>>>>> IETF repository.
>>>>>
>>>>> Filename:	 draft-hunt-oauth-v2-user-a4c
>>>>> Revision:	 01
>>>>> Title:		 OAuth 2.0 User Authentication and Consent For Clients
>>>>> Creation date:	 2013-08-27
>>>>> Group:		 Individual Submission
>>>>> Number of pages: 10
>>>>> URL:             http://www.ietf.org/internet-drafts/draft-hunt-oauth-v2-user-a4c-01.txt
>>>>> Status:          http://datatracker.ietf.org/doc/draft-hunt-oauth-v2-user-a4c
>>>>> Htmlized:        http://tools.ietf.org/html/draft-hunt-oauth-v2-user-a4c-01
>>>>> Diff:            http://www.ietf.org/rfcdiff?url2=draft-hunt-oauth-v2-user-a4c-01
>>>>>
>>>>> Abstract:
>>>>>   This specification defines a new OAuth2 endpoint that enables user
>>>>>   authentication session and consent information to be shared with
>>>>>   client applications.
>>>>>
>>>>>
>>>>>
>>>>>
>>>>> Please note that it may take a couple of minutes from the time of
>>>>> submission until the htmlized version and diff are available at
>>>>> tools.ietf.org.
>>>>>
>>>>> The IETF Secretariat
>>>>>
>>>>
>>>> _______________________________________________
>>>> OAuth mailing list
>>>> OAuth@ietf.org
>>>> https://www.ietf.org/mailman/listinfo/oauth
>>>
>>
>
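
The point quoted in this thread, that the request is unsigned so min_alv can be stripped in transit while the AS returns the acr it actually performed, means the RP must compare the returned acr with a minimum it stored itself. The sketch below is an added example, not code from the draft or from anyone on the list. It assumes HS256-signed id_tokens with a shared secret (to stay stdlib-only), the level strings "1" to "4" mentioned above, and hypothetical names (RelyingParty, toy_as_authenticate, the issuer and client id).

```python
import base64
import hashlib
import hmac
import json
import time

# Assumptions (not from the thread): HS256 with a shared secret, constructed
# issuer/client values, and acr carried as one of the strings "1".."4".
SECRET = b"constructed-demo-secret"
ISSUER = "https://as.example"
CLIENT_ID = "rp-client-1"
LEVELS = ("1", "2", "3", "4")


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_jwt(claims: dict) -> str:
    header = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64(json.dumps(claims).encode())
    sig = hmac.new(SECRET, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64(sig)}"


def verify_jwt(token: str) -> dict:
    """Check the signature and return the claims; raise ValueError otherwise."""
    try:
        header_b64, body_b64, sig_b64 = token.split(".")
        header = json.loads(_unb64(header_b64))
        signature = _unb64(sig_b64)
    except ValueError as exc:
        raise ValueError("malformed token") from exc
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(SECRET, f"{header_b64}.{body_b64}".encode(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        raise ValueError("bad signature")
    return json.loads(_unb64(body_b64))


def toy_as_authenticate(request_params: dict) -> str:
    """Constructed stand-in for the AS: it honours min_alv when it sees one,
    falls back to level 1 otherwise, and always reports the acr it performed."""
    now = int(time.time())
    return sign_jwt({
        "iss": ISSUER, "aud": request_params["client_id"], "sub": "user-123",
        "acr": request_params.get("min_alv", "1"),
        "iat": now, "exp": now + 300,
    })


class RelyingParty:
    """Keeps the required level server-side, keyed by state, so the decision
    never depends on what survived in the unsigned request."""

    def __init__(self):
        self.pending = {}

    def start_login(self, state: str, min_level: str) -> dict:
        self.pending[state] = min_level
        return {"client_id": CLIENT_ID, "state": state, "min_alv": min_level}

    def finish_login(self, state: str, id_token: str) -> dict:
        required = self.pending.pop(state, None)
        if required is None:
            raise ValueError("unknown or replayed state")
        claims = verify_jwt(id_token)
        if claims.get("iss") != ISSUER or claims.get("aud") != CLIENT_ID:
            raise ValueError("token not issued for this RP")
        if claims.get("exp", 0) <= time.time():
            raise ValueError("token expired")
        achieved = claims.get("acr")
        if achieved not in LEVELS:
            raise ValueError("acr missing or not a recognised level")
        if LEVELS.index(achieved) < LEVELS.index(required):
            raise PermissionError(f"acr {achieved} is below required {required}")
        return claims


def demo() -> dict:
    rp = RelyingParty()
    results = {}
    # Request arrives intact: the AS authenticates at level 3.
    request = rp.start_login("s1", "3")
    results["untampered"] = rp.finish_login("s1", toy_as_authenticate(request))["acr"]
    # Request modified in transit: min_alv removed before it reaches the AS.
    request = rp.start_login("s2", "3")
    stripped = {k: v for k, v in request.items() if k != "min_alv"}
    try:
        rp.finish_login("s2", toy_as_authenticate(stripped))
        results["tampered"] = "accepted"
    except PermissionError as exc:
        results["tampered"] = f"rejected: {exc}"
    return results


if __name__ == "__main__":
    print(demo())
```
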


--Apple-Mail=_CD173472-46D3-46B0-B3E5-26EC8F5B4C85
Content-Transfer-Encoding: quoted-printable
Content-Type: text/html;
	charset=us-ascii

<html><head><meta http-equiv=3D"Content-Type" content=3D"text/html =
charset=3Dus-ascii"></head><body style=3D"word-wrap: break-word; =
-webkit-nbsp-mode: space; -webkit-line-break: after-white-space; =
">John,<div><br></div><div>I do not want to do anything to specify the =
profile endpoint. &nbsp;The big problem is there are already many APIs =
-- user_info is but one.</div><div><br></div><div>The problem in the =
IETF OAuth space is that the URL the client "thinks" is the =
authenticated user is not guaranteed to be the user. &nbsp;For example, =
the clients assume "<a =
href=3D"http://facebook.com/me">facebook.com/me</a>" is the =
authenticated user -- and in that case it is. &nbsp;But for other APIs =
there are no aliases. &nbsp;For example, my client could be requesting =
information about your Facebook endpoint and because I am a friend, the =
client thinks it just authenticated you. &nbsp;The point of returning =
the profile url is to ensure that the client knows what the =
authenticated user's profile URL is.</div><div><br></div><div>I raised =
the question of whether returning multiple URLs is useful since many =
cloud providers are actually offering multiple APIs for the same user =
information. My feeling is that that client already knows what it wants =
and is merely checking that the value matches its =
expectations.</div><div><br></div><div>I think the .well-known might be =
useful, but since this may change on a user-by-user basis, it is =
problematic. &nbsp;For example, the authenticated user may be federated. =
What then?</div><div><br><div apple-content-edited=3D"true">
<span class=3D"Apple-style-span" style=3D"border-collapse: separate; =
color: rgb(0, 0, 0); font-family: Helvetica; font-style: normal; =
font-variant: normal; font-weight: normal; letter-spacing: normal; =
line-height: normal; orphans: 2; text-indent: 0px; text-transform: none; =
white-space: normal; widows: 2; word-spacing: 0px; border-spacing: 0px; =
-webkit-text-decorations-in-effect: none; -webkit-text-size-adjust: =
auto; -webkit-text-stroke-width: 0px; font-size: medium; "><div =
style=3D"word-wrap: break-word; -webkit-nbsp-mode: space; =
-webkit-line-break: after-white-space; "><span class=3D"Apple-style-span" =
style=3D"border-collapse: separate; color: rgb(0, 0, 0); font-family: =
Helvetica; font-size: medium; font-style: normal; font-variant: normal; =
font-weight: normal; letter-spacing: normal; line-height: normal; =
orphans: 2; text-indent: 0px; text-transform: none; white-space: normal; =
widows: 2; word-spacing: 0px; border-spacing: 0px; =
-webkit-text-decorations-in-effect: none; -webkit-text-size-adjust: =
auto; -webkit-text-stroke-width: 0px; "><div style=3D"word-wrap: =
break-word; -webkit-nbsp-mode: space; -webkit-line-break: =
after-white-space; "><span class=3D"Apple-style-span" =
style=3D"border-collapse: separate; color: rgb(0, 0, 0); font-family: =
Helvetica; font-size: medium; font-style: normal; font-variant: normal; =
font-weight: normal; letter-spacing: normal; line-height: normal; =
orphans: 2; text-indent: 0px; text-transform: none; white-space: normal; =
widows: 2; word-spacing: 0px; border-spacing: 0px; =
-webkit-text-decorations-in-effect: none; -webkit-text-size-adjust: =
auto; -webkit-text-stroke-width: 0px; "><div style=3D"word-wrap: =
break-word; -webkit-nbsp-mode: space; -webkit-line-break: =
after-white-space; "><span class=3D"Apple-style-span" =
style=3D"border-collapse: separate; color: rgb(0, 0, 0); font-family: =
Helvetica; font-size: 12px; font-style: normal; font-variant: normal; =
font-weight: normal; letter-spacing: normal; line-height: normal; =
orphans: 2; text-indent: 0px; text-transform: none; white-space: normal; =
widows: 2; word-spacing: 0px; border-spacing: 0px; =
-webkit-text-decorations-in-effect: none; -webkit-text-size-adjust: =
auto; -webkit-text-stroke-width: 0px; "><div style=3D"word-wrap: =
break-word; -webkit-nbsp-mode: space; -webkit-line-break: =
after-white-space; =
"><div>Phil</div><div><br></div><div>@independentid</div><div><a =
href=3D"http://www.independentid.com">www.independentid.com</a></div></div=
></span><a =
href=3D"mailto:phil.hunt@oracle.com">phil.hunt@oracle.com</a></div><div =
style=3D"word-wrap: break-word; -webkit-nbsp-mode: space; =
-webkit-line-break: after-white-space; "><br><br></div></span><br =
class=3D"Apple-interchange-newline"></div></span><br =
class=3D"Apple-interchange-newline"></div></span><br =
class=3D"Apple-interchange-newline"><br =
class=3D"Apple-interchange-newline">
</div>
<br><div><div>On 2013-08-27, at 4:51 PM, John Bradley &lt;<a =
href=3D"mailto:ve7jtb@ve7jtb.com">ve7jtb@ve7jtb.com</a>&gt; =
wrote:</div><br class=3D"Apple-interchange-newline"><blockquote =
type=3D"cite"><meta http-equiv=3D"Content-Type" content=3D"text/html =
charset=3Dus-ascii"><div style=3D"word-wrap: break-word; =
-webkit-nbsp-mode: space; -webkit-line-break: after-white-space; ">I =
thought you wanted to keep the profile endpoint (user_info) out of this. =
&nbsp; &nbsp;<div>Once you have a user-info type endpoint you get into =
defining scopes for claims and I thought Tony wanted to avoid this and =
have it be only session authentication.<div><br></div><div>Connect =
publishes its idp config in the .well-known directory of "iss" =
&nbsp;that allows all the endpoints to be =
discovered.<div><br></div><div>Over time the Authorization endpoint URI =
will change and will contain query parameters etc. &nbsp;tying iss to a =
logical name like a SAML entityID that could provide the other endpoint =
information was a more familiar pattern to people. =
&nbsp;&nbsp;</div><div><br></div><div>In some ways Connect duplicates =
one of the entity-id to meta-data discovery methods in SAML meta-data =
that never got traction (other than perhaps in =
ADFS).</div><div><br></div><div>John =
B.</div><div><br></div><div><div><div>On 2013-08-27, at 7:37 PM, Phil =
Hunt &lt;<a =
href=3D"mailto:phil.hunt@oracle.com">phil.hunt@oracle.com</a>&gt; =
wrote:</div><br class=3D"Apple-interchange-newline"><blockquote =
type=3D"cite"><meta http-equiv=3D"Content-Type" content=3D"text/html =
charset=3Dus-ascii"><div style=3D"word-wrap: break-word; =
-webkit-nbsp-mode: space; -webkit-line-break: after-white-space; ">See =
below.<br><div apple-content-edited=3D"true">
<span class=3D"Apple-style-span" style=3D"border-collapse: separate; =
font-family: Helvetica; font-style: normal; font-variant: normal; =
font-weight: normal; letter-spacing: normal; line-height: normal; =
orphans: 2; text-indent: 0px; text-transform: none; white-space: normal; =
widows: 2; word-spacing: 0px; border-spacing: 0px; =
-webkit-text-decorations-in-effect: none; -webkit-text-size-adjust: =
auto; -webkit-text-stroke-width: 0px; font-size: medium; "><div =
style=3D"word-wrap: break-word; -webkit-nbsp-mode: space; =
-webkit-line-break: after-white-space; "><span class=3D"Apple-style-span" =
style=3D"border-collapse: separate; font-family: Helvetica; font-size: =
medium; font-style: normal; font-variant: normal; font-weight: normal; =
letter-spacing: normal; line-height: normal; orphans: 2; text-indent: =
0px; text-transform: none; white-space: normal; widows: 2; word-spacing: =
0px; border-spacing: 0px; -webkit-text-decorations-in-effect: none; =
-webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; "><div =
style=3D"word-wrap: break-word; -webkit-nbsp-mode: space; =
-webkit-line-break: after-white-space; "><span class=3D"Apple-style-span" =
style=3D"border-collapse: separate; font-family: Helvetica; font-size: =
medium; font-style: normal; font-variant: normal; font-weight: normal; =
letter-spacing: normal; line-height: normal; orphans: 2; text-indent: =
0px; text-transform: none; white-space: normal; widows: 2; word-spacing: =
0px; border-spacing: 0px; -webkit-text-decorations-in-effect: none; =
-webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; "><div =
style=3D"word-wrap: break-word; -webkit-nbsp-mode: space; =
-webkit-line-break: after-white-space; "><span class=3D"Apple-style-span" =
style=3D"border-collapse: separate; font-family: Helvetica; font-size: =
12px; font-style: normal; font-variant: normal; font-weight: normal; =
letter-spacing: normal; line-height: normal; orphans: 2; text-indent: =
0px; text-transform: none; white-space: normal; widows: 2; word-spacing: =
0px; border-spacing: 0px; -webkit-text-decorations-in-effect: none; =
-webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; "><div =
style=3D"word-wrap: break-word; -webkit-nbsp-mode: space; =
-webkit-line-break: after-white-space; =
"><div>Phil</div><div><br></div><div>@independentid</div><div><a =
href=3D"http://www.independentid.com/">www.independentid.com</a></div></di=
v></span><a =
href=3D"mailto:phil.hunt@oracle.com">phil.hunt@oracle.com</a></div><div =
style=3D"word-wrap: break-word; -webkit-nbsp-mode: space; =
-webkit-line-break: after-white-space; =
"><br></div></span></div></span></div></span><br =
class=3D"Apple-interchange-newline">
</div>
<br><div><div>On 2013-08-27, at 4:27 PM, John Bradley &lt;<a =
href=3D"mailto:ve7jtb@ve7jtb.com">ve7jtb@ve7jtb.com</a>&gt; =
wrote:</div><br class=3D"Apple-interchange-newline"><blockquote =
type=3D"cite"><meta http-equiv=3D"Content-Type" content=3D"text/html =
charset=3Dus-ascii"><div style=3D"word-wrap: break-word; =
-webkit-nbsp-mode: space; -webkit-line-break: after-white-space; ">It is =
better. &nbsp;We need to talk about what you have done with "min_alv" vs =
"acr" from &nbsp;connect which is extensible via an IANA registry of =
Authentication contexts.<div><br></div><div>If it came down to reserving =
the strings 1 2 3 4 for the ISO29115 reference that could probably be =
arranged.</div><div><br></div><div>I don't know that throwing an error =
if the min can't be supported is the correct thing. &nbsp;We had a lot =
of debate about that and decided that returning the actual acr and =
letting the client decide was better than an =
error.</div></div></blockquote>[PH] I agree.<br><blockquote =
type=3D"cite"><div style=3D"word-wrap: break-word; -webkit-nbsp-mode: =
space; -webkit-line-break: after-white-space; "><div><br></div><div>Also =
remember that the request is not signed so someone could modify it to =
remove min_alv and spoof a RP that expects all positive results to meet =
what it asked for.</div><div><br></div><div>More discussion on min_alv =
is required.</div></div></blockquote>[PH] Yes. Returning what actually =
was done without an error is a better =
approach.</div><div><br></div><div>Also, just noticed that the "hint" =
parameter should be "login_hint".&nbsp;</div><div><br></div><div>I think =
we also need to discuss how the client detects the profile API type and =
whether the AS can return multiple endpoints (and is that even a good =
thing). &nbsp;A structured attribute giving endpoint type and URL might =
be the way to go.</div><div><br><blockquote type=3D"cite"><div =
style=3D"word-wrap: break-word; -webkit-nbsp-mode: space; =
-webkit-line-break: after-white-space; "><div><br></div><div>John =
B.</div><div><br><div><div>On 2013-08-27, at 12:52 PM, Phil Hunt &lt;<a =
href=3D"mailto:phil.hunt@oracle.com">phil.hunt@oracle.com</a>&gt; =
wrote:</div><br class=3D"Apple-interchange-newline"><blockquote =
type=3D"cite"><meta http-equiv=3D"Content-Type" content=3D"text/html =
charset=3Dus-ascii"><div style=3D"word-wrap: break-word; =
-webkit-nbsp-mode: space; -webkit-line-break: after-white-space; ">FYI. =
&nbsp;Based on feedback from Berlin, Tony and I have revised the draft =
to include:<div><br></div><div>* Alignment with OpenID Connect (using =
id_token)</div><div>* Always returns a JWT</div><div>* Minimum assertion =
level on request</div><div>* Return information about the type of =
authentication performed</div><div><br></div><div>Thanks for your =
input.</div><div><br><div apple-content-edited=3D"true">
<span class=3D"Apple-style-span" style=3D"border-collapse: separate; =
font-family: Helvetica; font-style: normal; font-variant: normal; =
font-weight: normal; letter-spacing: normal; line-height: normal; =
orphans: 2; text-indent: 0px; text-transform: none; white-space: normal; =
widows: 2; word-spacing: 0px; border-spacing: 0px; =
-webkit-text-decorations-in-effect: none; -webkit-text-size-adjust: =
auto; -webkit-text-stroke-width: 0px; font-size: medium; "><div =
style=3D"word-wrap: break-word; -webkit-nbsp-mode: space; =
-webkit-line-break: after-white-space; "><span class=3D"Apple-style-span" =
style=3D"border-collapse: separate; font-family: Helvetica; font-size: =
medium; font-style: normal; font-variant: normal; font-weight: normal; =
letter-spacing: normal; line-height: normal; orphans: 2; text-indent: =
0px; text-transform: none; white-space: normal; widows: 2; word-spacing: =
0px; border-spacing: 0px; -webkit-text-decorations-in-effect: none; =
-webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; "><div =
style=3D"word-wrap: break-word; -webkit-nbsp-mode: space; =
-webkit-line-break: after-white-space; "><span class=3D"Apple-style-span" =
style=3D"border-collapse: separate; font-family: Helvetica; font-size: =
medium; font-style: normal; font-variant: normal; font-weight: normal; =
letter-spacing: normal; line-height: normal; orphans: 2; text-indent: =
0px; text-transform: none; white-space: normal; widows: 2; word-spacing: =
0px; border-spacing: 0px; -webkit-text-decorations-in-effect: none; =
-webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; "><div =
style=3D"word-wrap: break-word; -webkit-nbsp-mode: space; =
-webkit-line-break: after-white-space; "><span class=3D"Apple-style-span" =
style=3D"border-collapse: separate; font-family: Helvetica; font-size: =
12px; font-style: normal; font-variant: normal; font-weight: normal; =
letter-spacing: normal; line-height: normal; orphans: 2; text-indent: =
0px; text-transform: none; white-space: normal; widows: 2; word-spacing: =
0px; border-spacing: 0px; -webkit-text-decorations-in-effect: none; =
-webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; "><div =
style=3D"word-wrap: break-word; -webkit-nbsp-mode: space; =
-webkit-line-break: after-white-space; =
"><div>Phil</div><div><br></div><div>@independentid</div><div><a =
href=3D"http://www.independentid.com/">www.independentid.com</a></div></di=
v></span><a =
href=3D"mailto:phil.hunt@oracle.com">phil.hunt@oracle.com</a></div></span>=
</div></span></div></span><br class=3D"Apple-interchange-newline">
</div>

<div><br><div>Begin forwarded message:</div><br =
class=3D"Apple-interchange-newline"><blockquote type=3D"cite"><div =
style=3D"margin-top: 0px; margin-right: 0px; margin-bottom: 0px; =
margin-left: 0px;"><span style=3D"font-family: Helvetica; font-size: =
medium; "><b>From: </b></span><span style=3D"font-family:'Helvetica'; =
font-size:medium;"><a =
href=3D"mailto:internet-drafts@ietf.org">internet-drafts@ietf.org</a><br><=
/span></div><div style=3D"margin-top: 0px; margin-right: 0px; =
margin-bottom: 0px; margin-left: 0px;"><span style=3D"font-family: =
Helvetica; font-size: medium; "><b>Subject: </b></span><span =
style=3D"font-family:'Helvetica'; font-size:medium;"><b>New Version =
Notification for =
draft-hunt-oauth-v2-user-a4c-01.txt</b><br></span></div><div =
style=3D"margin-top: 0px; margin-right: 0px; margin-bottom: 0px; =
margin-left: 0px;"><span style=3D"font-family: Helvetica; font-size: =
medium; "><b>Date: </b></span><span style=3D"font-family:'Helvetica'; =
font-size:medium;">27 August, 2013 8:56:45 AM PDT<br></span></div><div =
style=3D"margin-top: 0px; margin-right: 0px; margin-bottom: 0px; =
margin-left: 0px;"><span style=3D"font-family: Helvetica; font-size: =
medium; "><b>To: </b></span><span style=3D"font-family:'Helvetica'; =
font-size:medium;">Phil Hunt &lt;<a =
href=3D"mailto:phil.hunt@yahoo.com">phil.hunt@yahoo.com</a>&gt;, Anthony =
Nadalin &lt;<a =
href=3D"mailto:tonynad@microsoft.com">tonynad@microsoft.com</a>&gt;, =
Tony Nadalin &lt;<a =
href=3D"mailto:tonynad@microsoft.com">tonynad@microsoft.com</a>&gt;<br></s=
pan></div><br><div><br>A new version of I-D, =
draft-hunt-oauth-v2-user-a4c-01.txt<br>has been successfully submitted =
by Phil Hunt and posted to the<br>IETF repository.<br><br>Filename:<span =
class=3D"Apple-tab-span" style=3D"white-space:pre">	</span> =
draft-hunt-oauth-v2-user-a4c<br>Revision:<span class=3D"Apple-tab-span" =
style=3D"white-space:pre">	</span> 01<br>Title:<span =
class=3D"Apple-tab-span" style=3D"white-space:pre">	</span><span =
class=3D"Apple-tab-span" style=3D"white-space:pre">	</span> OAuth =
2.0 User Authentication and Consent For Clients<br>Creation date:<span =
class=3D"Apple-tab-span" style=3D"white-space:pre">	</span> =
2013-08-27<br>Group:<span class=3D"Apple-tab-span" =
style=3D"white-space:pre">	</span><span class=3D"Apple-tab-span" =
style=3D"white-space:pre">	</span> Individual Submission<br>Number =
of pages: 10<br>URL: =
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<a=
 =
href=3D"http://www.ietf.org/internet-drafts/draft-hunt-oauth-v2-user-a4c-0=
1.txt">http://www.ietf.org/internet-drafts/draft-hunt-oauth-v2-user-a4c-01=
.txt</a><br>Status: =
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<a =
href=3D"http://datatracker.ietf.org/doc/draft-hunt-oauth-v2-user-a4c">http=
://datatracker.ietf.org/doc/draft-hunt-oauth-v2-user-a4c</a><br>Htmlized: =
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<a =
href=3D"http://tools.ietf.org/html/draft-hunt-oauth-v2-user-a4c-01">http:/=
/tools.ietf.org/html/draft-hunt-oauth-v2-user-a4c-01</a><br>Diff: =
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<a =
href=3D"http://www.ietf.org/rfcdiff?url2=3Ddraft-hunt-oauth-v2-user-a4c-01=
">http://www.ietf.org/rfcdiff?url2=3Ddraft-hunt-oauth-v2-user-a4c-01</a><b=
r><br>Abstract:<br> &nbsp;&nbsp;This specification defines a new OAuth2 =
endpoint that enables user<br> &nbsp;&nbsp;authentication session and =
consent information to be shared with<br> &nbsp;&nbsp;client =
applications.<br><br><br><br><br>Please note that it may take a couple =
of minutes from the time of submission<br>until the htmlized version and =
diff are available at <a =
href=3D"http://tools.ietf.org/">tools.ietf.org</a>.<br><br>The IETF =
Secretariat<br><br></div></blockquote></div><br></div></div>______________=
_________________________________<br>OAuth mailing list<br><a =
href=3D"mailto:OAuth@ietf.org">OAuth@ietf.org</a><br><a =
href=3D"https://www.ietf.org/mailman/listinfo/oauth">https://www.ietf.org/=
mailman/listinfo/oauth</a><br></blockquote></div><br></div></div></blockqu=
ote></div><br></div></blockquote></div><br></div></div></div></div></block=
quote></div><br></div></body></html>=

--Apple-Mail=_CD173472-46D3-46B0-B3E5-26EC8F5B4C85--

From ve7jtb@ve7jtb.com  Tue Aug 27 18:03:46 2013
Return-Path: <ve7jtb@ve7jtb.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BEA0511E8381 for <oauth@ietfa.amsl.com>; Tue, 27 Aug 2013 18:03:46 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.297
X-Spam-Level: 
X-Spam-Status: No, score=-3.297 tagged_above=-999 required=5 tests=[AWL=0.301,  BAYES_00=-2.599, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id NKYXKmN+gwcS for <oauth@ietfa.amsl.com>; Tue, 27 Aug 2013 18:03:42 -0700 (PDT)
Received: from mail-ie0-f171.google.com (mail-ie0-f171.google.com [209.85.223.171]) by ietfa.amsl.com (Postfix) with ESMTP id 38AF411E825D for <oauth@ietf.org>; Tue, 27 Aug 2013 18:03:42 -0700 (PDT)
Received: by mail-ie0-f171.google.com with SMTP id 9so7554521iec.2 for <oauth@ietf.org>; Tue, 27 Aug 2013 18:03:41 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=x-gm-message-state:content-type:mime-version:subject:from :in-reply-to:date:cc:message-id:references:to; bh=kEkc7ZAgv8BGkfwEvFqOCxduy2m5oxiVWZI0a0Sw+eA=; b=c3Ot/rkNRxDqjrSCv4CzcTvbHtR4225NLotlwxce2DXm3wDljMFfVQxNuSrIlScdK/ vwDEQwyrYiDg4pse/05Q9DmEGdYb6zoo3VtwYkez/z9uJQQUul5ZgmFvfm0F8B4MgUZF q0gtiXxy+xUM6fSOykkuxpvk7R//pHe/Baiyw7aj7qy8F2q4Enj4zlsu1tvXd68sQrG8 Gngr9qDgi2B3ZMYyzDFYB1jfoMhc+WiFi+RbE9tIrjJBmESZjWwuJMfrVIHeThtiRAyj TfC9/77X8udCCPNu349M9wXhIGc5Rgw9Ck9V/Q0qNuS+iQVT6tJWuykmbEkcVPMOHUP/ 9FqA==
X-Gm-Message-State: ALoCoQnu5FbamA1uQIwdVdH9Z6KJA3jzgUqnNxc/cWVRbPzOpkWOoHgoJT3QkV+QO/voU9SUgbC9
X-Received: by 10.50.120.6 with SMTP id ky6mr10706876igb.58.1377651821654; Tue, 27 Aug 2013 18:03:41 -0700 (PDT)
Received: from [192.168.1.216] (190-20-36-119.baf.movistar.cl. [190.20.36.119]) by mx.google.com with ESMTPSA id p5sm1028405igj.10.1969.12.31.16.00.00 (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Tue, 27 Aug 2013 18:03:40 -0700 (PDT)
Content-Type: multipart/signed; boundary="Apple-Mail=_AF47C481-9B6F-4238-8E91-6C7CA52DF758"; protocol="application/pkcs7-signature"; micalg=sha1
Mime-Version: 1.0 (Mac OS X Mail 6.5 \(1508\))
From: John Bradley <ve7jtb@ve7jtb.com>
In-Reply-To: <B5AA5EB0-A873-4A68-A4ED-3FBAE91F68DB@oracle.com>
Date: Tue, 27 Aug 2013 21:03:28 -0400
Message-Id: <627E09AE-2FDF-4DF9-8DF6-3FC20B51F74A@ve7jtb.com>
References: <20130827155645.1310.29989.idtracker@ietfa.amsl.com> <805A22A4-E086-435E-BBA2-E0A04241A334@oracle.com> <1426A97F-8A71-4297-9F46-C824121D36BB@ve7jtb.com> <B762489A-FFAC-4BB3-822C-15DA085CB6FC@oracle.com> <4D2572FD-2B04-40DA-965F-C5C82B9EE813@ve7jtb.com> <B5AA5EB0-A873-4A68-A4ED-3FBAE91F68DB@oracle.com>
To: Phil Hunt <phil.hunt@oracle.com>
X-Mailer: Apple Mail (2.1508)
Cc: "oauth@ietf.org WG" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Fwd: New Version Notification for draft-hunt-oauth-v2-user-a4c-01.txt
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 28 Aug 2013 01:03:46 -0000

--Apple-Mail=_AF47C481-9B6F-4238-8E91-6C7CA52DF758
Content-Type: multipart/alternative;
	boundary="Apple-Mail=_2AC64B12-94D2-480C-8C84-BFCBB040E09A"


--Apple-Mail=_2AC64B12-94D2-480C-8C84-BFCBB040E09A
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain;
	charset=us-ascii

The authenticated user is the "sub" scoped to "iss", not the profile URL.
A profile URL is informational and may change for the user.  I think
making it a structured element describing the API is going beyond the
"Simple".

I was assuming that the profile URI would be under the control of the
AS/Issuer and there would be one endpoint per AS, like Connect, which has
a single .well-known for the issuer.

Per-user discovery uses webfinger to point to public info.  Now that
webfinger is an RFC you could return the user's acct: URI for webfinger
so the client can get public info.

If you want to specify arbitrary protected resources as the profile URI
then you are opening a big can of complexity that Connect saves for the
Advanced profile with distributed claims, not something you want in the
simple profile.

You want to avoid the RP using profile url or email as the identifier
for the subject.

Connect defines its subject tightly in that it must be A locally unique
and never reassigned identifier within the Issuer for the End-User,
which is intended to be consumed by the Client, e.g., "24400320" or
"AItOawmwtWwcT0k51BayewNvutrJUqsvl6qs7A4". It MUST NOT exceed 255 ASCII
characters in length. The value is a case sensitive string.

Keeping PII out of the subject also saves a lot of grief, and numbers
don't have the same pressure for reassignment as other nicknames.

John B.

On 2013-08-27, at 8:28 PM, Phil Hunt <phil.hunt@oracle.com> wrote:

> John,
>
> I do not want to do anything to specify the profile endpoint.  The big
> problem is there are already many APIs -- user_info is but one.
>
> The problem in the IETF OAuth space is that the URL the client
> "thinks" is the authenticated user is not guaranteed to be the user.
> For example, the clients assume "facebook.com/me" is the authenticated
> user -- and in that case it is.  But for other APIs there are no
> aliases.  For example, my client could be requesting information about
> your Facebook endpoint and because I am a friend, the client thinks it
> just authenticated you.  The point of returning the profile url is to
> ensure that the client knows what the authenticated user's profile URL
> is.
>
> I raised the question of whether returning multiple URLs is useful
> since many cloud providers are actually offering multiple APIs for the
> same user information. My feeling is that that client already knows what
> it wants and is merely checking that the value matches its expectations.
>
> I think the .well-known might be useful, but since this may change on
> a user-by-user basis, it is problematic.  For example, the authenticated
> user may be federated. What then?
>
> Phil
>
> @independentid
> www.independentid.com
> phil.hunt@oracle.com
>
> On 2013-08-27, at 4:51 PM, John Bradley <ve7jtb@ve7jtb.com> wrote:
>
>> I thought you wanted to keep the profile endpoint (user_info) out of
>> this.
>> Once you have a user-info type endpoint you get into defining scopes
>> for claims and I thought Tony wanted to avoid this and have it be only
>> session authentication.
>>
>> Connect publishes its idp config in the .well-known directory of
>> "iss" that allows all the endpoints to be discovered.
>>
>> Over time the Authorization endpoint URI will change and will contain
>> query parameters etc.  Tying iss to a logical name like a SAML entityID
>> that could provide the other endpoint information was a more familiar
>> pattern to people.
>>
>> In some ways Connect duplicates one of the entity-id to meta-data
>> discovery methods in SAML meta-data that never got traction (other than
>> perhaps in ADFS).
>>
>> John B.
>>
>> On 2013-08-27, at 7:37 PM, Phil Hunt <phil.hunt@oracle.com> wrote:
>>
>>> See below.
>>> Phil
>>>
>>> @independentid
>>> www.independentid.com
>>> phil.hunt@oracle.com
>>>
>>> On 2013-08-27, at 4:27 PM, John Bradley <ve7jtb@ve7jtb.com> wrote:
>>>
>>>> It is better.  We need to talk about what you have done with
>>>> "min_alv" vs "acr" from connect which is extensible via an IANA
>>>> registry of Authentication contexts.
>>>>
>>>> If it came down to reserving the strings 1 2 3 4 for the ISO29115
>>>> reference that could probably be arranged.
>>>>
>>>> I don't know that throwing an error if the min can't be supported
>>>> is the correct thing.  We had a lot of debate about that and decided
>>>> that returning the actual acr and letting the client decide was better
>>>> than an error.
>>> [PH] I agree.
>>>>
>>>> Also remember that the request is not signed so someone could
>>>> modify it to remove min_alv and spoof an RP that expects all positive
>>>> results to meet what it asked for.
>>>>
>>>> More discussion on min_alv is required.
>>> [PH] Yes. Returning what actually was done without an error is a
>>> better approach.
>>>
>>> Also, just noticed that the "hint" parameter should be "login_hint".
>>>
>>> I think we also need to discuss how the client detects the profile
>>> API type and whether the AS can return multiple endpoints (and is that
>>> even a good thing).  A structured attribute giving endpoint type and URL
>>> might be the way to go.
>>>
>>>>
>>>> John B.
>>>>
>>>> On 2013-08-27, at 12:52 PM, Phil Hunt <phil.hunt@oracle.com> wrote:
>>>>
>>>>> FYI.  Based on feedback from Berlin, Tony and I have revised the
>>>>> draft to include:
>>>>>
>>>>> * Alignment with OpenID Connect (using id_token)
>>>>> * Always returns a JWT
>>>>> * Minimum assertion level on request
>>>>> * Return information about the type of authentication performed
>>>>>
>>>>> Thanks for your input.
>>>>>
>>>>> Phil
>>>>>
>>>>> @independentid
>>>>> www.independentid.com
>>>>> phil.hunt@oracle.com
>>>>>
>>>>>
>>>>> Begin forwarded message:
>>>>>
>>>>>> From: internet-drafts@ietf.org
>>>>>> Subject: New Version Notification for draft-hunt-oauth-v2-user-a4c-01.txt
>>>>>> Date: 27 August, 2013 8:56:45 AM PDT
>>>>>> To: Phil Hunt <phil.hunt@yahoo.com>, Anthony Nadalin <tonynad@microsoft.com>, Tony Nadalin <tonynad@microsoft.com>
>>>>>>
>>>>>>
>>>>>> A new version of I-D, draft-hunt-oauth-v2-user-a4c-01.txt
>>>>>> has been successfully submitted by Phil Hunt and posted to the
>>>>>> IETF repository.
>>>>>>
>>>>>> Filename:        draft-hunt-oauth-v2-user-a4c
>>>>>> Revision:        01
>>>>>> Title:           OAuth 2.0 User Authentication and Consent For Clients
>>>>>> Creation date:   2013-08-27
>>>>>> Group:           Individual Submission
>>>>>> Number of pages: 10
>>>>>> URL:             http://www.ietf.org/internet-drafts/draft-hunt-oauth-v2-user-a4c-01.txt
>>>>>> Status:          http://datatracker.ietf.org/doc/draft-hunt-oauth-v2-user-a4c
>>>>>> Htmlized:        http://tools.ietf.org/html/draft-hunt-oauth-v2-user-a4c-01
>>>>>> Diff:            http://www.ietf.org/rfcdiff?url2=draft-hunt-oauth-v2-user-a4c-01
>>>>>>
>>>>>> Abstract:
>>>>>>   This specification defines a new OAuth2 endpoint that enables user
>>>>>>   authentication session and consent information to be shared with
>>>>>>   client applications.
>>>>>>
>>>>>>
>>>>>> Please note that it may take a couple of minutes from the time of submission
>>>>>> until the htmlized version and diff are available at tools.ietf.org.
>>>>>>
>>>>>> The IETF Secretariat
>>>>>>
>>>>>
>>>>> _______________________________________________
>>>>> OAuth mailing list
>>>>> OAuth@ietf.org
>>>>> https://www.ietf.org/mailman/listinfo/oauth
>>>>
>>>
>>
>
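
Added example, not part of the original thread or of any draft: a relying-party sketch of two points made in the message above, keying the local account on the ("iss", "sub") pair rather than on the profile URL or email, and comparing the returned "acr" with the level the RP needs, because an unsigned request can lose min_alv before it reaches the AS. It assumes the id_token signature has already been verified, that levels are the strings "1" to "4" floated in the thread, and that the claim names "email" and "profile", the issuer URL and all sample values are constructed for illustration.

```python
MAX_SUB_LEN = 255  # length limit quoted from Connect in the message above
LEVELS = ("1", "2", "3", "4")  # assumption: the ISO 29115 strings floated in the thread


class ClaimError(ValueError):
    """Verified claims that still fail the relying party's own policy."""


def check_subject(sub):
    """Enforce the subject constraints quoted in the thread."""
    if not isinstance(sub, str) or not sub:
        raise ClaimError("sub missing or not a string")
    if not sub.isascii() or len(sub) > MAX_SUB_LEN:
        raise ClaimError("sub must be at most 255 ASCII characters")
    return sub


def check_level(claims, required_level):
    """Compare the level the AS reports with the level this RP needs.

    The request is unsigned, so min_alv may have been removed before it
    reached the AS. Only the acr value in the signed response says what
    was actually performed, so the RP decides on that value.
    """
    acr = claims.get("acr")
    if acr not in LEVELS:
        raise ClaimError("acr missing or not a recognised level")
    if int(acr) < required_level:
        raise ClaimError(f"level {acr} is below the required {required_level}")
    return int(acr)


class AccountStore:
    """Local accounts keyed on (iss, sub); everything else is an attribute."""

    def __init__(self, trusted_issuer, required_level):
        self.trusted_issuer = trusted_issuer
        self.required_level = required_level
        self._accounts = {}  # (iss, sub) -> account dict

    def login(self, claims):
        """Map signature-verified claims to a local account, or raise ClaimError."""
        if claims.get("iss") != self.trusted_issuer:
            raise ClaimError("unexpected issuer")
        sub = check_subject(claims.get("sub"))
        level = check_level(claims, self.required_level)
        key = (claims["iss"], sub)  # exact match: sub is case sensitive
        account = self._accounts.setdefault(key, {"id": len(self._accounts) + 1})
        # Informational values: refreshed on every login, never used for lookup.
        account["email"] = claims.get("email")
        account["profile"] = claims.get("profile")
        account["level"] = level
        return account

    def is_rejected(self, claims):
        """True when login() refuses the claims."""
        try:
            self.login(claims)
        except ClaimError:
            return True
        return False


# Constructed sample claims (not taken from any real issuer).
SAMPLE = {
    "iss": "https://as.example",
    "sub": "24400320",
    "acr": "2",
    "email": "alice@example.com",
    "profile": "https://as.example/people/alice",
}

if __name__ == "__main__":
    store = AccountStore("https://as.example", required_level=2)
    print("first login      ->", store.login(SAMPLE)["id"])
    # Same subject, new email and profile URL: still the same account.
    print("attributes moved ->", store.login({**SAMPLE, "email": "a@new.example"})["id"])
    # Different subject presenting the old email: a different account.
    print("email reused     ->", store.login({**SAMPLE, "sub": "24400321"})["id"])
    # AS performed level 1 (as if min_alv had been stripped): refused.
    print("low acr rejected ->", store.is_rejected({**SAMPLE, "acr": "1"}))
```
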


--Apple-Mail=_2AC64B12-94D2-480C-8C84-BFCBB040E09A
Content-Transfer-Encoding: quoted-printable
Content-Type: text/html;
	charset=us-ascii

<html><head><meta http-equiv=3D"Content-Type" content=3D"text/html =
charset=3Dus-ascii"></head><body style=3D"word-wrap: break-word; =
-webkit-nbsp-mode: space; -webkit-line-break: after-white-space; ">The =
authenticated user is the "sub" scoped to "iss" not the profile URL. =
&nbsp;A profile URL is informational and may change for the user. &nbsp; =
&nbsp;I think making it a structured element describing the API is going =
beyond the "Simple"&nbsp;<div><br></div><div>I was assuming that the =
profile URI would be under the control of the AS/Issuer and there would =
be one endpoint per AS like Connect which has a single .well-known for =
the issuer.</div><div><br></div><div>Per user discovery uses webfinger =
to point to public info. &nbsp;now that webfinger is a RFC you could =
return the users acct: URI for webfinger do the client can get public =
info.</div><div><br></div><div>If you want to specify arbitrary =
protected resources as the profile URI then you are opening a big can of =
complexity that Connect saves for the Advanced profile with distributed =
claims, not something you want in the simple =
profile.</div><div><br></div><div>You want to avoid the RP using profile =
url or email as the identifier for the =
subject.&nbsp;</div><div><br></div><div>Connect defines its subject =
tightly in that it must be&nbsp;A locally unique and never reassigned =
identifier within the Issuer for the End-User, which is intended to be =
consumed by the Client, e.g., "24400320"&nbsp;or =
"AItOawmwtWwcT0k51BayewNvutrJUqsvl6qs7A4". It MUST NOT exceed 255 ASCII =
characters in length. The&nbsp;value is a case sensitive =
string.</div><div><br></div><div>Keeping PII out of the subject also =
saves a lot of grief, &nbsp;and numbers don't have the same pressure for =
reassignment as other nicknames.</div><div><br></div><div>John =
B.</div><div><br></div><div><div><div>On 2013-08-27, at 8:28 PM, Phil =
Hunt &lt;<a =
href=3D"mailto:phil.hunt@oracle.com">phil.hunt@oracle.com</a>&gt; =
wrote:</div><br class=3D"Apple-interchange-newline"><blockquote =
type=3D"cite"><meta http-equiv=3D"Content-Type" content=3D"text/html =
charset=3Dus-ascii"><div style=3D"word-wrap: break-word; =
-webkit-nbsp-mode: space; -webkit-line-break: after-white-space; =
">John,<div><br></div><div>I do not what to do anything to specify the =
profile endpoint. &nbsp;The big problem is there are already many APIs =
-- user_info is but one.</div><div><br></div><div>The problems in the =
IETF OAuth space, is that the URL the client "thinks" is the =
authenticated user is not guaranteed to be the user. &nbsp;For example, =
the clients assume "<a =
href=3D"http://facebook.com/me">facebook.com/me</a>" is the =
authenticated user -- and in that case it is. &nbsp;But for other APIs =
there are no aliases. &nbsp;For example, my client could be requesting =
information about your Facebook endpoint and because I am a friend, the =
client thinks it just authenticated you. &nbsp;The point of returning =
the profile url is to ensure that the client knows what the =
authenticated user's profile URL is.</div><div><br></div><div>I raised =
the question of whether returning multiple URLs is useful since many =
cloud providers are actually offering multiple APIs for the same user =
information. My feeling is that that client already knows what it wants =
and is merely checking that the value matches its =
expectations.</div><div><br></div><div>I think the .well-known might be =
useful, but since this may change on a user-by-user basis, it is =
problematic. &nbsp;For example, the authenticated user may be federated. =
What then?</div><div><br><div apple-content-edited=3D"true">
<span class=3D"Apple-style-span" style=3D"border-collapse: separate; =
border-spacing: 0px; "><div style=3D"word-wrap: break-word; =
-webkit-nbsp-mode: space; -webkit-line-break: after-white-space; "><span =
class=3D"Apple-style-span" style=3D"border-collapse: separate; =
font-family: Helvetica; font-size: medium; font-style: normal; =
font-variant: normal; font-weight: normal; letter-spacing: normal; =
line-height: normal; orphans: 2; text-indent: 0px; text-transform: none; =
white-space: normal; widows: 2; word-spacing: 0px; border-spacing: 0px; =
-webkit-text-decorations-in-effect: none; -webkit-text-size-adjust: =
auto; -webkit-text-stroke-width: 0px; "><div style=3D"word-wrap: =
break-word; -webkit-nbsp-mode: space; -webkit-line-break: =
after-white-space; "><span class=3D"Apple-style-span" =
style=3D"border-collapse: separate; font-family: Helvetica; font-size: =
medium; font-style: normal; font-variant: normal; font-weight: normal; =
letter-spacing: normal; line-height: normal; orphans: 2; text-indent: =
0px; text-transform: none; white-space: normal; widows: 2; word-spacing: =
0px; border-spacing: 0px; -webkit-text-decorations-in-effect: none; =
-webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; "><div =
style=3D"word-wrap: break-word; -webkit-nbsp-mode: space; =
-webkit-line-break: after-white-space; "><span class=3D"Apple-style-span" =
style=3D"border-collapse: separate; font-family: Helvetica; font-size: =
12px; font-style: normal; font-variant: normal; font-weight: normal; =
letter-spacing: normal; line-height: normal; orphans: 2; text-indent: =
0px; text-transform: none; white-space: normal; widows: 2; word-spacing: =
0px; border-spacing: 0px; -webkit-text-decorations-in-effect: none; =
-webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; "><div =
style=3D"word-wrap: break-word; -webkit-nbsp-mode: space; =
-webkit-line-break: after-white-space; =
"><div>Phil</div><div><br></div><div>@independentid</div><div><a =
href=3D"http://www.independentid.com/">www.independentid.com</a></div></di=
v></span><a =
href=3D"mailto:phil.hunt@oracle.com">phil.hunt@oracle.com</a></div><div =
style=3D"word-wrap: break-word; -webkit-nbsp-mode: space; =
-webkit-line-break: after-white-space; "><br><br></div></span><br =
class=3D"Apple-interchange-newline"></div></span><br =
class=3D"Apple-interchange-newline"></div></span><br =
class=3D"Apple-interchange-newline"><br =
class=3D"Apple-interchange-newline">
</div>
<br><div><div>On 2013-08-27, at 4:51 PM, John Bradley &lt;<a =
href=3D"mailto:ve7jtb@ve7jtb.com">ve7jtb@ve7jtb.com</a>&gt; =
wrote:</div><br class=3D"Apple-interchange-newline"><blockquote =
type=3D"cite"><meta http-equiv=3D"Content-Type" content=3D"text/html =
charset=3Dus-ascii"><div style=3D"word-wrap: break-word; =
-webkit-nbsp-mode: space; -webkit-line-break: after-white-space; ">I =
thought you wanted to keep the profile endpoint (user_info) out of this. =
&nbsp; &nbsp;<div>Once you have a user-info type endpoint you get into =
defining scopes for claims and I thought Tony wanted to avoid this and =
have it be only session authentication.<div><br></div><div>Connect =
publishes its idp config in the .well-known directory of "iss" =
&nbsp;that allows all the endpoints to be =
discovered.<div><br></div><div>Over time the Authorization endpoint URI =
will change and will contain query parameters etc. &nbsp;tying iss to a =
logical name like a SAML entityID that could provide the other endpoint =
information was a more familiar pattern to people. =
&nbsp;&nbsp;</div><div><br></div><div>In some ways Connect duplicates =
one of the entity-id to meta-data discovery methods in SAML meta-data =
that never got traction (other than perhaps in =
ADFS).</div><div><br></div><div>John =
B.</div><div><br></div><div><div><div>On 2013-08-27, at 7:37 PM, Phil =
Hunt &lt;<a =
href=3D"mailto:phil.hunt@oracle.com">phil.hunt@oracle.com</a>&gt; =
wrote:</div><br class=3D"Apple-interchange-newline"><blockquote =
type=3D"cite"><meta http-equiv=3D"Content-Type" content=3D"text/html =
charset=3Dus-ascii"><div style=3D"word-wrap: break-word; =
-webkit-nbsp-mode: space; -webkit-line-break: after-white-space; ">See =
below.<br><div apple-content-edited=3D"true">
<span class=3D"Apple-style-span" style=3D"border-collapse: separate; =
font-family: Helvetica; font-style: normal; font-variant: normal; =
font-weight: normal; letter-spacing: normal; line-height: normal; =
orphans: 2; text-indent: 0px; text-transform: none; white-space: normal; =
widows: 2; word-spacing: 0px; border-spacing: 0px; =
-webkit-text-decorations-in-effect: none; -webkit-text-size-adjust: =
auto; -webkit-text-stroke-width: 0px; font-size: medium; "><div =
style=3D"word-wrap: break-word; -webkit-nbsp-mode: space; =
-webkit-line-break: after-white-space; "><span class=3D"Apple-style-span" =
style=3D"border-collapse: separate; font-family: Helvetica; font-size: =
medium; font-style: normal; font-variant: normal; font-weight: normal; =
letter-spacing: normal; line-height: normal; orphans: 2; text-indent: =
0px; text-transform: none; white-space: normal; widows: 2; word-spacing: =
0px; border-spacing: 0px; -webkit-text-decorations-in-effect: none; =
-webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; "><div =
style=3D"word-wrap: break-word; -webkit-nbsp-mode: space; =
-webkit-line-break: after-white-space; "><span class=3D"Apple-style-span" =
style=3D"border-collapse: separate; font-family: Helvetica; font-size: =
medium; font-style: normal; font-variant: normal; font-weight: normal; =
letter-spacing: normal; line-height: normal; orphans: 2; text-indent: =
0px; text-transform: none; white-space: normal; widows: 2; word-spacing: =
0px; border-spacing: 0px; -webkit-text-decorations-in-effect: none; =
-webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; "><div =
style=3D"word-wrap: break-word; -webkit-nbsp-mode: space; =
-webkit-line-break: after-white-space; "><span class=3D"Apple-style-span" =
style=3D"border-collapse: separate; font-family: Helvetica; font-size: =
12px; font-style: normal; font-variant: normal; font-weight: normal; =
letter-spacing: normal; line-height: normal; orphans: 2; text-indent: =
0px; text-transform: none; white-space: normal; widows: 2; word-spacing: =
0px; border-spacing: 0px; -webkit-text-decorations-in-effect: none; =
-webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; "><div =
style=3D"word-wrap: break-word; -webkit-nbsp-mode: space; =
-webkit-line-break: after-white-space; =
"><div>Phil</div><div><br></div><div>@independentid</div><div><a =
href=3D"http://www.independentid.com/">www.independentid.com</a></div></di=
v></span><a =
href=3D"mailto:phil.hunt@oracle.com">phil.hunt@oracle.com</a></div><div =
style=3D"word-wrap: break-word; -webkit-nbsp-mode: space; =
-webkit-line-break: after-white-space; =
"><br></div></span></div></span></div></span><br =
class=3D"Apple-interchange-newline">
</div>
<br><div><div>On 2013-08-27, at 4:27 PM, John Bradley &lt;<a =
href=3D"mailto:ve7jtb@ve7jtb.com">ve7jtb@ve7jtb.com</a>&gt; =
wrote:</div><br class=3D"Apple-interchange-newline"><blockquote =
type=3D"cite"><meta http-equiv=3D"Content-Type" content=3D"text/html =
charset=3Dus-ascii"><div style=3D"word-wrap: break-word; =
-webkit-nbsp-mode: space; -webkit-line-break: after-white-space; ">It is =
better. &nbsp;We need to talk about what you have done with "min_alv" vs =
"acr" from &nbsp;connect which is extensible via a IANA registry of =
Authentication contexts.<div><br></div><div>If it came down to reserving =
the strings 1 2 3 4 for the ISO29115 reference that could probably be =
arranged.</div><div><br></div><div>I don't know that throwing an error =
if the min can't be supported is the correct thing. &nbsp;We had a lot =
of debate about that and decided that returning the actual acr and =
letting the client decide was better than an =
error.</div></div></blockquote>[PH[ I agree.<br><blockquote =
type=3D"cite"><div style=3D"word-wrap: break-word; -webkit-nbsp-mode: =
space; -webkit-line-break: after-white-space; "><div><br></div><div>Also =
remember that the request is not signed so someone could modify it to =
remove min_alv and spoof a RP that expects all positive results to meet =
what it asked for.</div><div><br></div><div>More discussion on min_alv =
is required.</div></div></blockquote>[PH] Yes. Returning what actually =
was done without an error is a better =
approach.</div><div><br></div><div>Also, just noticed that the "hint" =
parameter should be "login_hint".&nbsp;</div><div><br></div><div>I think =
we also need to discuss how the client detects the profile API type and =
whether the AS can return multiple endpoints (and is that even a good =
thing). &nbsp;A structured attribute giving endpoint type and URL might =
be the way to go.</div><div><br><blockquote type=3D"cite"><div =
style=3D"word-wrap: break-word; -webkit-nbsp-mode: space; =
-webkit-line-break: after-white-space; "><div><br></div><div>John =
B.</div><div><br><div><div>On 2013-08-27, at 12:52 PM, Phil Hunt &lt;<a =
href=3D"mailto:phil.hunt@oracle.com">phil.hunt@oracle.com</a>&gt; =
wrote:</div><br class=3D"Apple-interchange-newline"><blockquote =
type=3D"cite"><meta http-equiv=3D"Content-Type" content=3D"text/html =
charset=3Dus-ascii"><div style=3D"word-wrap: break-word; =
-webkit-nbsp-mode: space; -webkit-line-break: after-white-space; ">FYI. =
&nbsp;Based on feedback from Berlin, Tony and I have revised the draft =
to include:<div><br></div><div>* Alignment with OpenID Connect (using =
id_token)</div><div>* Always returns a JWT</div><div>* Minimum assertion =
level on request</div><div>* Return information about the type of =
authentication performed</div><div><br></div><div>Thanks for your =
input.</div><div><br><div apple-content-edited=3D"true">
<span class=3D"Apple-style-span" style=3D"border-collapse: separate; =
font-family: Helvetica; font-style: normal; font-variant: normal; =
font-weight: normal; letter-spacing: normal; line-height: normal; =
orphans: 2; text-indent: 0px; text-transform: none; white-space: normal; =
widows: 2; word-spacing: 0px; border-spacing: 0px; =
-webkit-text-decorations-in-effect: none; -webkit-text-size-adjust: =
auto; -webkit-text-stroke-width: 0px; font-size: medium; "><div =
style=3D"word-wrap: break-word; -webkit-nbsp-mode: space; =
-webkit-line-break: after-white-space; "><span class=3D"Apple-style-span" =
style=3D"border-collapse: separate; font-family: Helvetica; font-size: =
medium; font-style: normal; font-variant: normal; font-weight: normal; =
letter-spacing: normal; line-height: normal; orphans: 2; text-indent: =
0px; text-transform: none; white-space: normal; widows: 2; word-spacing: =
0px; border-spacing: 0px; -webkit-text-decorations-in-effect: none; =
-webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; "><div =
style=3D"word-wrap: break-word; -webkit-nbsp-mode: space; =
-webkit-line-break: after-white-space; "><span class=3D"Apple-style-span" =
style=3D"border-collapse: separate; font-family: Helvetica; font-size: =
medium; font-style: normal; font-variant: normal; font-weight: normal; =
letter-spacing: normal; line-height: normal; orphans: 2; text-indent: =
0px; text-transform: none; white-space: normal; widows: 2; word-spacing: =
0px; border-spacing: 0px; -webkit-text-decorations-in-effect: none; =
-webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; "><div =
style=3D"word-wrap: break-word; -webkit-nbsp-mode: space; =
-webkit-line-break: after-white-space; "><span class=3D"Apple-style-span" =
style=3D"border-collapse: separate; font-family: Helvetica; font-size: =
12px; font-style: normal; font-variant: normal; font-weight: normal; =
letter-spacing: normal; line-height: normal; orphans: 2; text-indent: =
0px; text-transform: none; white-space: normal; widows: 2; word-spacing: =
0px; border-spacing: 0px; -webkit-text-decorations-in-effect: none; =
-webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; "><div =
style=3D"word-wrap: break-word; -webkit-nbsp-mode: space; =
-webkit-line-break: after-white-space; =
"><div>Phil</div><div><br></div><div>@independentid</div><div><a =
href=3D"http://www.independentid.com/">www.independentid.com</a></div></di=
v></span><a =
href=3D"mailto:phil.hunt@oracle.com">phil.hunt@oracle.com</a></div></span>=
</div></span></div></span><br class=3D"Apple-interchange-newline">
</div>

<div><br><div>Begin forwarded message:</div><br =
class=3D"Apple-interchange-newline"><blockquote type=3D"cite"><div =
style=3D"margin-top: 0px; margin-right: 0px; margin-bottom: 0px; =
margin-left: 0px;"><span style=3D"font-family: Helvetica; font-size: =
medium; "><b>From: </b></span><span style=3D"font-family:'Helvetica'; =
font-size:medium;"><a =
href=3D"mailto:internet-drafts@ietf.org">internet-drafts@ietf.org</a><br><=
/span></div><div style=3D"margin-top: 0px; margin-right: 0px; =
margin-bottom: 0px; margin-left: 0px;"><span style=3D"font-family: =
Helvetica; font-size: medium; "><b>Subject: </b></span><span =
style=3D"font-family:'Helvetica'; font-size:medium;"><b>New Version =
Notification for =
draft-hunt-oauth-v2-user-a4c-01.txt</b><br></span></div><div =
style=3D"margin-top: 0px; margin-right: 0px; margin-bottom: 0px; =
margin-left: 0px;"><span style=3D"font-family: Helvetica; font-size: =
medium; "><b>Date: </b></span><span style=3D"font-family:'Helvetica'; =
font-size:medium;">27 August, 2013 8:56:45 AM PDT<br></span></div><div =
style=3D"margin-top: 0px; margin-right: 0px; margin-bottom: 0px; =
margin-left: 0px;"><span style=3D"font-family: Helvetica; font-size: =
medium; "><b>To: </b></span><span style=3D"font-family:'Helvetica'; =
font-size:medium;">Phil Hunt &lt;<a =
href=3D"mailto:phil.hunt@yahoo.com">phil.hunt@yahoo.com</a>&gt;, Anthony =
Nadalin &lt;<a =
href=3D"mailto:tonynad@microsoft.com">tonynad@microsoft.com</a>&gt;, =
Tony Nadalin &lt;<a =
href=3D"mailto:tonynad@microsoft.com">tonynad@microsoft.com</a>&gt;<br></s=
pan></div><br><div><br>A new version of I-D, =
draft-hunt-oauth-v2-user-a4c-01.txt<br>has been successfully submitted =
by Phil Hunt and posted to the<br>IETF repository.<br><br>Filename:<span =
class=3D"Apple-tab-span" style=3D"white-space:pre">	</span> =
draft-hunt-oauth-v2-user-a4c<br>Revision:<span class=3D"Apple-tab-span" =
style=3D"white-space:pre">	</span> 01<br>Title:<span =
class=3D"Apple-tab-span" style=3D"white-space:pre">	</span><span =
class=3D"Apple-tab-span" style=3D"white-space:pre">	</span> OAuth =
2.0 User Authentication and Consent For Clients<br>Creation date:<span =
class=3D"Apple-tab-span" style=3D"white-space:pre">	</span> =
2013-08-27<br>Group:<span class=3D"Apple-tab-span" =
style=3D"white-space:pre">	</span><span class=3D"Apple-tab-span" =
style=3D"white-space:pre">	</span> Individual Submission<br>Number =
of pages: 10<br>URL: =
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<a=
 =
href=3D"http://www.ietf.org/internet-drafts/draft-hunt-oauth-v2-user-a4c-0=
1.txt">http://www.ietf.org/internet-drafts/draft-hunt-oauth-v2-user-a4c-01=
.txt</a><br>Status: =
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<a =
href=3D"http://datatracker.ietf.org/doc/draft-hunt-oauth-v2-user-a4c">http=
://datatracker.ietf.org/doc/draft-hunt-oauth-v2-user-a4c</a><br>Htmlized: =
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<a =
href=3D"http://tools.ietf.org/html/draft-hunt-oauth-v2-user-a4c-01">http:/=
/tools.ietf.org/html/draft-hunt-oauth-v2-user-a4c-01</a><br>Diff: =
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<a =
href=3D"http://www.ietf.org/rfcdiff?url2=3Ddraft-hunt-oauth-v2-user-a4c-01=
">http://www.ietf.org/rfcdiff?url2=3Ddraft-hunt-oauth-v2-user-a4c-01</a><b=
r><br>Abstract:<br> &nbsp;&nbsp;This specification defines a new OAuth2 =
endpoint that enables user<br> &nbsp;&nbsp;authentication session and =
consent information to be shared with<br> &nbsp;&nbsp;client =
applications.<br><br><br><br><br>Please note that it may take a couple =
of minutes from the time of submission<br>until the htmlized version and =
diff are available at <a =
href=3D"http://tools.ietf.org/">tools.ietf.org</a>.<br><br>The IETF =
Secretariat<br><br></div></blockquote></div><br></div></div>______________=
_________________________________<br>OAuth mailing list<br><a =
href=3D"mailto:OAuth@ietf.org">OAuth@ietf.org</a><br><a =
href=3D"https://www.ietf.org/mailman/listinfo/oauth">https://www.ietf.org/=
mailman/listinfo/oauth</a><br></blockquote></div><br></div></div></blockqu=
ote></div><br></div></blockquote></div><br></div></div></div></div></block=
quote></div><br></div></div></blockquote></div><br></div></body></html>=

--Apple-Mail=_2AC64B12-94D2-480C-8C84-BFCBB040E09A--

--Apple-Mail=_AF47C481-9B6F-4238-8E91-6C7CA52DF758
Content-Disposition: attachment;
	filename=smime.p7s
Content-Type: application/pkcs7-signature;
	name=smime.p7s
Content-Transfer-Encoding: base64
--Apple-Mail=_AF47C481-9B6F-4238-8E91-6C7CA52DF758--

From tonynad@microsoft.com  Tue Aug 27 19:27:19 2013
Return-Path: <tonynad@microsoft.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B836521F9F6F for <oauth@ietfa.amsl.com>; Tue, 27 Aug 2013 19:27:19 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.598
X-Spam-Level: 
X-Spam-Status: No, score=-3.598 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id WhfzP12I+-83 for <oauth@ietfa.amsl.com>; Tue, 27 Aug 2013 19:27:15 -0700 (PDT)
Received: from na01-bl2-obe.outbound.protection.outlook.com (mail-bl2lp0204.outbound.protection.outlook.com [207.46.163.204]) by ietfa.amsl.com (Postfix) with ESMTP id 6CD4521F9F2B for <oauth@ietf.org>; Tue, 27 Aug 2013 19:27:13 -0700 (PDT)
Received: from BY2PR03MB189.namprd03.prod.outlook.com (10.242.36.140) by BY2PR03MB189.namprd03.prod.outlook.com (10.242.36.140) with Microsoft SMTP Server (TLS) id 15.0.745.25; Wed, 28 Aug 2013 02:27:03 +0000
Received: from BY2PR03MB189.namprd03.prod.outlook.com ([169.254.6.221]) by BY2PR03MB189.namprd03.prod.outlook.com ([169.254.6.221]) with mapi id 15.00.0745.000; Wed, 28 Aug 2013 02:27:03 +0000
From: Anthony Nadalin <tonynad@microsoft.com>
To: John Bradley <ve7jtb@ve7jtb.com>, Phil Hunt <phil.hunt@oracle.com>
Thread-Topic: [OAUTH-WG] Fwd: New Version Notification for draft-hunt-oauth-v2-user-a4c-01.txt
Thread-Index: AQHOo0XaAlp/tF+3Lk6rIgperD5Q+pmps40AgAAxTGA=
Date: Wed, 28 Aug 2013 02:27:02 +0000
Message-ID: <187fc518c89d4939ad169a9cad6e0e2c@BY2PR03MB189.namprd03.prod.outlook.com>
References: <20130827155645.1310.29989.idtracker@ietfa.amsl.com> <805A22A4-E086-435E-BBA2-E0A04241A334@oracle.com> <1426A97F-8A71-4297-9F46-C824121D36BB@ve7jtb.com>
In-Reply-To: <1426A97F-8A71-4297-9F46-C824121D36BB@ve7jtb.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
x-originating-ip: [50.46.126.7]
x-forefront-prvs: 09525C61DB
x-forefront-antispam-report: SFV:NSPM; SFS:(24454002)(189002)(199002)(69234005)(2473001)(377424004)(377454003)(80976001)(14971765001)(65816001)(31966008)(47446002)(74662001)(74502001)(74706001)(66066001)(80022001)(83072001)(56776001)(54316002)(59766001)(79102001)(19300405004)(76482001)(54356001)(16236675002)(15202345003)(53806001)(77982001)(81816001)(74366001)(69226001)(77096001)(83322001)(19580405001)(63696002)(51856001)(76796001)(74316001)(81542001)(49866001)(81342001)(47736001)(47976001)(50986001)(56816003)(4396001)(76786001)(76576001)(81686001)(74876001)(19580395003)(15975445006)(46102001)(33646001)(42262001)(24736002); DIR:OUT; SFP:; SCL:1; SRVR:BY2PR03MB189; H:BY2PR03MB189.namprd03.prod.outlook.com; CLIP:50.46.126.7; RD:InfoNoRecords; MX:1; A:1; LANG:en; 
Content-Type: multipart/alternative; boundary="_000_187fc518c89d4939ad169a9cad6e0e2cBY2PR03MB189namprd03pro_"
MIME-Version: 1.0
X-OriginatorOrg: DuplicateDomain-a84fc36a-4ed7-4e57-ab1c-3e967bcbad48.microsoft.com
Cc: "oauth@ietf.org WG" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Fwd: New Version Notification for	draft-hunt-oauth-v2-user-a4c-01.txt
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 28 Aug 2013 02:27:19 -0000

--_000_187fc518c89d4939ad169a9cad6e0e2cBY2PR03MB189namprd03pro_
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable

So these are not authentication context. It does more harm than good to
have an extensible IANA registry of values that have no discernable
meaning, with the ISO 29115 values you can go and actually understand the
values and have something to potentially interop on

From: oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] On Behalf Of John Bradley
Sent: Tuesday, August 27, 2013 4:28 PM
To: Phil Hunt
Cc: oauth@ietf.org WG
Subject: Re: [OAUTH-WG] Fwd: New Version Notification for draft-hunt-oauth-v2-user-a4c-01.txt

It is better.  We need to talk about what you have done with "min_alv" vs
"acr" from Connect which is extensible via an IANA registry of
Authentication contexts.

If it came down to reserving the strings 1 2 3 4 for the ISO29115 reference
that could probably be arranged.

I don't know that throwing an error if the min can't be supported is the
correct thing.  We had a lot of debate about that and decided that returning
the actual acr and letting the client decide was better than an error.

Also remember that the request is not signed so someone could modify it to
remove min_alv and spoof a RP that expects all positive results to meet what
it asked for.

More discussion on min_alv is required.

John B.

On 2013-08-27, at 12:52 PM, Phil Hunt <phil.hunt@oracle.com<mailto:phil.hunt@oracle.com>> wrote:


FYI.  Based on feedback from Berlin, Tony and I have revised the draft to include:

* Alignment with OpenID Connect (using id_token)
* Always returns a JWT
* Minimum assertion level on request
* Return information about the type of authentication performed

Thanks for your input.

Phil

@independentid
www.independentid.com<http://www.independentid.com/>
phil.hunt@oracle.com<mailto:phil.hunt@oracle.com>


Begin forwarded message:


From: internet-drafts@ietf.org<mailto:internet-drafts@ietf.org>
Subject: New Version Notification for draft-hunt-oauth-v2-user-a4c-01.txt
Date: 27 August, 2013 8:56:45 AM PDT
To: Phil Hunt <phil.hunt@yahoo.com<mailto:phil.hunt@yahoo.com>>, Anthony Nadalin <tonynad@microsoft.com<mailto:tonynad@microsoft.com>>, Tony Nadalin <tonynad@microsoft.com<mailto:tonynad@microsoft.com>>


A new version of I-D, draft-hunt-oauth-v2-user-a4c-01.txt
has been successfully submitted by Phil Hunt and posted to the
IETF repository.

Filename:        draft-hunt-oauth-v2-user-a4c
Revision:        01
Title:           OAuth 2.0 User Authentication and Consent For Clients
Creation date:   2013-08-27
Group:           Individual Submission
Number of pages: 10
URL:             http://www.ietf.org/internet-drafts/draft-hunt-oauth-v2-user-a4c-01.txt
Status:          http://datatracker.ietf.org/doc/draft-hunt-oauth-v2-user-a4c
Htmlized:        http://tools.ietf.org/html/draft-hunt-oauth-v2-user-a4c-01
Diff:            http://www.ietf.org/rfcdiff?url2=draft-hunt-oauth-v2-user-a4c-01

Abstract:
  This specification defines a new OAuth2 endpoint that enables user
  authentication session and consent information to be shared with
  client applications.




Please note that it may take a couple of minutes from the time of submission
until the htmlized version and diff are available at tools.ietf.org<http://tools.ietf.org/>.

The IETF Secretariat

_______________________________________________
OAuth mailing list
OAuth@ietf.org<mailto:OAuth@ietf.org>
https://www.ietf.org/mailman/listinfo/oauth


--_000_187fc518c89d4939ad169a9cad6e0e2cBY2PR03MB189namprd03pro_--

From sberyozkin@gmail.com  Wed Aug 28 02:02:47 2013
Return-Path: <sberyozkin@gmail.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A010011E8173 for <oauth@ietfa.amsl.com>; Wed, 28 Aug 2013 02:02:47 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.299
X-Spam-Level: 
X-Spam-Status: No, score=-2.299 tagged_above=-999 required=5 tests=[AWL=-0.300, BAYES_00=-2.599, J_CHICKENPOX_55=0.6]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 5Gg3AqNOMKEt for <oauth@ietfa.amsl.com>; Wed, 28 Aug 2013 02:02:46 -0700 (PDT)
Received: from mail-bk0-x22c.google.com (mail-bk0-x22c.google.com [IPv6:2a00:1450:4008:c01::22c]) by ietfa.amsl.com (Postfix) with ESMTP id CD28C11E8135 for <oauth@ietf.org>; Wed, 28 Aug 2013 02:02:42 -0700 (PDT)
Received: by mail-bk0-f44.google.com with SMTP id mz10so2075630bkb.31 for <oauth@ietf.org>; Wed, 28 Aug 2013 02:02:41 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=message-id:date:from:user-agent:mime-version:to:subject:references :in-reply-to:content-type:content-transfer-encoding; bh=rnZRot6QZsQ4AIQwsblQLQ+wUbcKXs+jfcRxOwVAOms=; b=A8NM/XI2xtz+s4BA6x91vwEWH/fz64ZDbUhtzX4CPua19hMTXBDwRyAiVYcpbE4mXL 8QLf5fT1m4RKVQjZFVhqoE7didsMR9dtFM/6cvf9QJKSY3ltc9yKksNygPzZQIhmhEry 9I2fuo+Nvs2MgKcCgvg6HFeCWCBZVCLLLM4DKW+bQzMkt7tVioyj3nLbEhqIs+3uOE29 zQ6ejbFMLeENSOhlosVdJismZv1gu9XDd4+QmUXVHc6EHD/rWS12lXKx9+trmut1s3Hq MSS9t66SkeyqeshLrAiPB99LVLbe/nv/uyKEv3XRBS+NKt3UzhooiadnM3D+Mg7SayIP o5+g==
X-Received: by 10.204.247.71 with SMTP id mb7mr18861813bkb.7.1377680560219; Wed, 28 Aug 2013 02:02:40 -0700 (PDT)
Received: from [192.168.2.5] ([89.100.141.107]) by mx.google.com with ESMTPSA id pk7sm5493220bkb.2.1969.12.31.16.00.00 (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Wed, 28 Aug 2013 02:02:39 -0700 (PDT)
Message-ID: <521DBC90.5000005@gmail.com>
Date: Wed, 28 Aug 2013 10:02:08 +0100
From: Sergey Beryozkin <sberyozkin@gmail.com>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:17.0) Gecko/20130623 Thunderbird/17.0.7
MIME-Version: 1.0
To: oauth@ietf.org
References: <20130827155645.1310.29989.idtracker@ietfa.amsl.com> <805A22A4-E086-435E-BBA2-E0A04241A334@oracle.com> <1426A97F-8A71-4297-9F46-C824121D36BB@ve7jtb.com> <B762489A-FFAC-4BB3-822C-15DA085CB6FC@oracle.com>
In-Reply-To: <B762489A-FFAC-4BB3-822C-15DA085CB6FC@oracle.com>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Subject: Re: [OAUTH-WG] Fwd: New Version Notification for draft-hunt-oauth-v2-user-a4c-01.txt
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 28 Aug 2013 09:02:47 -0000

Minor typo is in section 2,

"The Authentication Code Grant type is used in exactly the same manor
    as the Authorization Code Grant Section 4.1 [RFC6749] and has the
    same features and conditions.  The *Authorization* Code Grant 
extends..."

Cheers, Sergey
On 28/08/13 00:37, Phil Hunt wrote:
> See below.
> Phil
>
> @independentid
> www.independentid.com <http://www.independentid.com>
> phil.hunt@oracle.com <mailto:phil.hunt@oracle.com>
>
>
>
>
>
>
>
> On 2013-08-27, at 4:27 PM, John Bradley <ve7jtb@ve7jtb.com
> <mailto:ve7jtb@ve7jtb.com>> wrote:
>
>> It is better.  We need to talk about what you have done with "min_alv"
>> vs "acr" from Connect which is extensible via an IANA registry of
>> Authentication contexts.
>>
>> If it came down to reserving the strings 1 2 3 4 for the ISO29115
>> reference that could probably be arranged.
>>
>> I don't know that throwing an error if the min can't be supported is
>> the correct thing.  We had a lot of debate about that and decided that
>> returning the actual acr and letting the client decide was better than
>> an error.
> [PH] I agree.
>>
>> Also remember that the request is not signed so someone could modify
>> it to remove min_alv and spoof a RP that expects all positive results
>> to meet what it asked for.
>>
>> More discussion on min_alv is required.
> [PH] Yes. Returning what actually was done without an error is a better
> approach.
>
> Also, just noticed that the "hint" parameter should be "login_hint".
>
> I think we also need to discuss how the client detects the profile API
> type and whether the AS can return multiple endpoints (and is that even
> a good thing).  A structured attribute giving endpoint type and URL
> might be the way to go.
>
>>
>> John B.
>>
>> On 2013-08-27, at 12:52 PM, Phil Hunt <phil.hunt@oracle.com
>> <mailto:phil.hunt@oracle.com>> wrote:
>>
>>> FYI.  Based on feedback from Berlin, Tony and I have revised the
>>> draft to include:
>>>
>>> * Alignment with OpenID Connect (using id_token)
>>> * Always returns a JWT
>>> * Minimum assertion level on request
>>> * Return information about the type of authentication performed
>>>
>>> Thanks for your input.
>>>
>>> Phil
>>>
>>> @independentid
>>> www.independentid.com <http://www.independentid.com/>
>>> phil.hunt@oracle.com <mailto:phil.hunt@oracle.com>
>>>
>>>
>>> Begin forwarded message:
>>>
>>>> *From: *internet-drafts@ietf.org <mailto:internet-drafts@ietf.org>
>>>> *Subject: **New Version Notification for
>>>> draft-hunt-oauth-v2-user-a4c-01.txt*
>>>> *Date: *27 August, 2013 8:56:45 AM PDT
>>>> *To: *Phil Hunt <phil.hunt@yahoo.com <mailto:phil.hunt@yahoo.com>>,
>>>> Anthony Nadalin <tonynad@microsoft.com
>>>> <mailto:tonynad@microsoft.com>>, Tony Nadalin <tonynad@microsoft.com
>>>> <mailto:tonynad@microsoft.com>>
>>>>
>>>>
>>>> A new version of I-D, draft-hunt-oauth-v2-user-a4c-01.txt
>>>> has been successfully submitted by Phil Hunt and posted to the
>>>> IETF repository.
>>>>
>>>> Filename:draft-hunt-oauth-v2-user-a4c
>>>> Revision:01
>>>> Title:OAuth 2.0 User Authentication and Consent For Clients
>>>> Creation date:2013-08-27
>>>> Group:Individual Submission
>>>> Number of pages: 10
>>>> URL:
>>>> http://www.ietf.org/internet-drafts/draft-hunt-oauth-v2-user-a4c-01.txt
>>>> Status: http://datatracker.ietf.org/doc/draft-hunt-oauth-v2-user-a4c
>>>> Htmlized: http://tools.ietf.org/html/draft-hunt-oauth-v2-user-a4c-01
>>>> Diff: http://www.ietf.org/rfcdiff?url2=draft-hunt-oauth-v2-user-a4c-01
>>>>
>>>> Abstract:
>>>>   This specification defines a new OAuth2 endpoint that enables user
>>>>   authentication session and consent information to be shared with
>>>>   client applications.
>>>>
>>>>
>>>>
>>>>
>>>> Please note that it may take a couple of minutes from the time of
>>>> submission
>>>> until the htmlized version and diff are available at tools.ietf.org
>>>> <http://tools.ietf.org/>.
>>>>
>>>> The IETF Secretariat
>>>>
>>>
>>> _______________________________________________
>>> OAuth mailing list
>>> OAuth@ietf.org <mailto:OAuth@ietf.org>
>>> https://www.ietf.org/mailman/listinfo/oauth
>>
>
>
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listi
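
Added example, not part of the thread or of the draft: the point made above about the unsigned request, shown from the relying party's side. The RP keeps its required level in its own state and checks the level reported in the signed token instead of treating any successful response as meeting min_alv. Assumptions: the achieved level comes back in an "acr" claim holding the ISO 29115 strings "1" to "4", tokens are HS256-signed with a constructed demo key, and all function names are hypothetical.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo key. A real RP verifies with the authorization server's own
# key material; HS256 is used here only to keep the example stdlib-only.
DEMO_KEY = b"constructed-demo-secret"
ISO29115_LEVELS = ("1", "2", "3", "4")  # assumed "acr" values, per the thread


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_jwt(claims: dict, key: bytes = DEMO_KEY) -> str:
    """Stand-in for the authorization server issuing an HS256 id_token."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    mac = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(mac)}"


def verify_jwt(token: str, key: bytes = DEMO_KEY) -> dict:
    """Check the HS256 signature and return the claims; raise ValueError otherwise."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        signature = _b64url_decode(sig_b64)
    except (ValueError, TypeError) as exc:
        raise ValueError("malformed token") from exc
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    signed = f"{header_b64}.{payload_b64}".encode()
    expected = hmac.new(key, signed, hashlib.sha256).digest()
    if not hmac.compare_digest(signature, expected):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    if not isinstance(claims, dict):
        raise ValueError("claims are not an object")
    return claims


def authorization_server(request_params: dict) -> str:
    """Toy AS: it sees only the parameters that arrive, authenticates at the
    level they ask for (level 1 if none), and reports that level in "acr"."""
    achieved = max(1, int(request_params.get("min_alv", 1)))
    return sign_jwt({"sub": "user-123", "acr": str(achieved)})


def rp_accepts_naive(token: str) -> bool:
    """Weak RP: any validly signed token is taken as 'my min_alv was met'."""
    verify_jwt(token)
    return True


def rp_accepts_checked(token: str, required_level: int) -> bool:
    """Hardened RP: required_level comes from the RP's own session state and is
    compared with the level the signed token says was actually achieved."""
    try:
        claims = verify_jwt(token)
    except ValueError:
        return False
    acr = claims.get("acr")
    if not isinstance(acr, str) or acr not in ISO29115_LEVELS:
        return False  # missing or unknown level: fail closed
    return int(acr) >= required_level


def demo() -> dict:
    required = 3  # what this RP needs, remembered server-side
    sent = {"client_id": "rp-demo", "min_alv": str(required)}
    # Constructed tampering case: the unsigned request arrives without min_alv.
    tampered = {k: v for k, v in sent.items() if k != "min_alv"}
    honest_token = authorization_server(sent)
    downgraded_token = authorization_server(tampered)
    return {
        "untampered_checked": rp_accepts_checked(honest_token, required),
        "tampered_naive": rp_accepts_naive(downgraded_token),
        "tampered_checked": rp_accepts_checked(downgraded_token, required),
    }


if __name__ == "__main__":
    for name, accepted in demo().items():
        print(f"{name}: {'accepted' if accepted else 'rejected'}")
```
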

From sberyozkin@gmail.com  Wed Aug 28 02:27:18 2013
Return-Path: <sberyozkin@gmail.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 47E5C11E815C for <oauth@ietfa.amsl.com>; Wed, 28 Aug 2013 02:27:18 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.149
X-Spam-Level: 
X-Spam-Status: No, score=-2.149 tagged_above=-999 required=5 tests=[AWL=-0.150, BAYES_00=-2.599, J_CHICKENPOX_55=0.6]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id taP97hPtMa3p for <oauth@ietfa.amsl.com>; Wed, 28 Aug 2013 02:27:17 -0700 (PDT)
Received: from mail-bk0-x232.google.com (mail-bk0-x232.google.com [IPv6:2a00:1450:4008:c01::232]) by ietfa.amsl.com (Postfix) with ESMTP id 7D9E811E8262 for <oauth@ietf.org>; Wed, 28 Aug 2013 02:27:12 -0700 (PDT)
Received: by mail-bk0-f50.google.com with SMTP id mz11so2029503bkb.37 for <oauth@ietf.org>; Wed, 28 Aug 2013 02:27:10 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=message-id:date:from:user-agent:mime-version:to:subject:references :in-reply-to:content-type:content-transfer-encoding; bh=1Waaf1wUgQ/y18RJsdReHi3gywYV2GHk6KLNudIoiVw=; b=MU2a5dWQH/gzZ8vQBV84/TrU6GYlDkgvW6E+xw9HMb1ifGFqLXAeqlK+yLbaZ6iRfm 0CXP8XusbIUJPW0Kr9QSHBRl4yadfup6GAMUsY/4wmjGyP0bqUe2oRThUoZ4VmzsbEKB VoG4cLCYpknn8hVm3izPPf/gQREVzIL2tvbSyIn3dj+n2z0SMO5JFwQIe0uPZUX8Z+/s cJ0uOdIR4Z3bookWpZ22dTQKQL2wo33oXYsiU7SK3hc1hvEja16Y9pLMUMSabbDQhEct MC0FCPpkqgB7tHz4pzaVE0mYksLuNr2xpB7bl7oIdDzdmnKsckluLFKi7lIs1pGOBroZ Oq+A==
X-Received: by 10.204.71.133 with SMTP id h5mr19316127bkj.0.1377682030409; Wed, 28 Aug 2013 02:27:10 -0700 (PDT)
Received: from [192.168.2.5] ([89.100.141.107]) by mx.google.com with ESMTPSA id zl3sm5545606bkb.4.1969.12.31.16.00.00 (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Wed, 28 Aug 2013 02:27:09 -0700 (PDT)
Message-ID: <521DC26B.1000005@gmail.com>
Date: Wed, 28 Aug 2013 10:27:07 +0100
From: Sergey Beryozkin <sberyozkin@gmail.com>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:17.0) Gecko/20130623 Thunderbird/17.0.7
MIME-Version: 1.0
To: oauth@ietf.org
References: <20130827155645.1310.29989.idtracker@ietfa.amsl.com> <805A22A4-E086-435E-BBA2-E0A04241A334@oracle.com> <1426A97F-8A71-4297-9F46-C824121D36BB@ve7jtb.com>
In-Reply-To: <1426A97F-8A71-4297-9F46-C824121D36BB@ve7jtb.com>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Subject: Re: [OAUTH-WG] Fwd: New Version Notification for draft-hunt-oauth-v2-user-a4c-01.txt

Hi Phil,

I have a question, re:

"The authorization server MUST:

  -Perform the normal OAuth2 authorization process,
  -MAY elect not to request consent if no access token is to be
       issued (i.e. this is an authentication only request),
"

This last statement confuses me, given that the Authentication Response
"is identical to the one described in Section 4.1.2 [RFC6749]."

In other words, the client may only request the login but get the 'code' 
back without the user consent? This seems wrong but maybe I'm missing 
something?

Thanks, Sergey



>
> On 2013-08-27, at 12:52 PM, Phil Hunt <phil.hunt@oracle.com
> <mailto:phil.hunt@oracle.com>> wrote:
>
>> FYI.  Based on feedback from Berlin, Tony and I have revised the draft
>> to include:
>>
>> * Alignment with OpenID Connect (using id_token)
>> * Always returns a JWT
>> * Minimum assertion level on request
>> * Return information about the type of authentication performed
>>
>> Thanks for your input.
>>
>> Phil
>>
>> @independentid
>> www.independentid.com <http://www.independentid.com/>
>> phil.hunt@oracle.com <mailto:phil.hunt@oracle.com>
>>
>>
>> Begin forwarded message:
>>
>>> *From: *internet-drafts@ietf.org <mailto:internet-drafts@ietf.org>
>>> *Subject: **New Version Notification for
>>> draft-hunt-oauth-v2-user-a4c-01.txt*
>>> *Date: *27 August, 2013 8:56:45 AM PDT
>>> *To: *Phil Hunt <phil.hunt@yahoo.com <mailto:phil.hunt@yahoo.com>>,
>>> Anthony Nadalin <tonynad@microsoft.com
>>> <mailto:tonynad@microsoft.com>>, Tony Nadalin <tonynad@microsoft.com
>>> <mailto:tonynad@microsoft.com>>
>>>
>>>
>>> A new version of I-D, draft-hunt-oauth-v2-user-a4c-01.txt
>>> has been successfully submitted by Phil Hunt and posted to the
>>> IETF repository.
>>>
>>> Filename:draft-hunt-oauth-v2-user-a4c
>>> Revision:01
>>> Title:OAuth 2.0 User Authentication and Consent For Clients
>>> Creation date:2013-08-27
>>> Group:Individual Submission
>>> Number of pages: 10
>>> URL:
>>> http://www.ietf.org/internet-drafts/draft-hunt-oauth-v2-user-a4c-01.txt
>>> Status: http://datatracker.ietf.org/doc/draft-hunt-oauth-v2-user-a4c
>>> Htmlized: http://tools.ietf.org/html/draft-hunt-oauth-v2-user-a4c-01
>>> Diff: http://www.ietf.org/rfcdiff?url2=draft-hunt-oauth-v2-user-a4c-01
>>>
>>> Abstract:
>>>   This specification defines a new OAuth2 endpoint that enables user
>>>   authentication session and consent information to be shared with
>>>   client applications.
>>>
>>>
>>>
>>>
>>> Please note that it may take a couple of minutes from the time of
>>> submission
>>> until the htmlized version and diff are available at tools.ietf.org
>>> <http://tools.ietf.org/>.
>>>
>>> The IETF Secretariat
>>>
>>
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org <mailto:OAuth@ietf.org>
>> https://www.ietf.org/mailman/listinfo/oauth
>
>
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listi

From sberyozkin@gmail.com  Wed Aug 28 03:28:49 2013
Return-Path: <sberyozkin@gmail.com>
Message-ID: <521DD0DD.70502@gmail.com>
Date: Wed, 28 Aug 2013 11:28:45 +0100
From: Sergey Beryozkin <sberyozkin@gmail.com>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:17.0) Gecko/20130623 Thunderbird/17.0.7
MIME-Version: 1.0
To: John Bradley <ve7jtb@ve7jtb.com>
References: <521C8561.6020604@gmail.com> <0A85510B-ABBC-4B67-B889-73D2F9B6F050@ve7jtb.com>
In-Reply-To: <0A85510B-ABBC-4B67-B889-73D2F9B6F050@ve7jtb.com>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Cc: "<oauth@ietf.org>" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Can public clients using code flow have redirect URIs ?

Hi John,

On 27/08/13 13:00, John Bradley wrote:
> Typically native apps on smart phones use the code flow and a redirect_uri with a custom scheme to redirect the browser back to the app with the query encoded code.
>
> The native app is a public client as it cannot keep a secret, unless it is using dynamic registration.
>
> The ID Nat and I put together is a proposed way that a proof of possession for the code can be used as an alternative to registering every instance of a native app.
>
> On iOS and Android multiple apps can register the same custom scheme and may try to intercept the code which can be used if the client_id and secret are known.
>
Thanks for the explanation, helpful; one thing I'd like to clarify, in 
such cases (where not every instance of the application is dynamically 
registered), the native application needs to be registered once and have 
this redirect uri with a custom scheme pre-registered, right?

I'm assuming it is the case (redirect uri must be pre-registered, no 
difference here between public and confidential clients as far as the 
treatment of redirect uris is concerned), but if not then I'd appreciate 
some clarifications

Cheers, Sergey


> John B.
>
> On 2013-08-27, at 6:54 AM, Sergey Beryozkin <sberyozkin@gmail.com> wrote:
>
>> Hi
>>
>> I am a bit confused on whether public clients such as smart phones, etc which work with the authorization code flow can have redirect URIs supported or not.
>>
>> My understanding so far has been that public clients won't have redirect uris (except for them working with Implicit code flows), the code would be entered into the device by a user or perhaps returned directly from AS via some back channel. The reason I ask is the text at [1] says in its Introduction:
>>
>> "... This is especially true on some smartphone platform in which the 'code' is returned to a redirect URI ..."
>>
>> I can imagine that in this case a smartphone has an application actually running a web server so it can accept redirect requests,
>> is it when public clients can have redirect URIs and texts such as [1] can be of help ?
>>
>> Thanks. Sergey
>>
>> [1] http://tools.ietf.org/html/draft-sakimura-oauth-tcse-01
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth
>
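
The flow John Bradley describes in the quoted text, sketched as an added example (not code from the thread or from draft-sakimura-oauth-tcse): a public client with one pre-registered, exactly matched custom-scheme redirect URI, and an authorization code bound to a hash commitment so that another app receiving the code cannot redeem it. The class, the `code_commitment` and `verifier` names, the SHA-256 construction, the client record and the 60-second code lifetime are assumptions for illustration.

```python
import base64
import hashlib
import hmac
import secrets
import time

# Constructed registration record: the native app is registered once as a
# public client (no client secret) with its custom-scheme redirect URI.
REDIRECT = "com.example.app:/oauth/cb"
CLIENTS = {"native-app": {"redirect_uris": {REDIRECT}}}
CODE_TTL = 60  # seconds a code stays redeemable (assumed value)


def commitment(verifier: str) -> str:
    """Unpadded base64url(SHA-256(verifier)): sent with the authorization request."""
    digest = hashlib.sha256(verifier.encode("utf-8")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


class AuthorizationServer:
    def __init__(self, clients, clock=time.time):
        self.clients = clients
        self.clock = clock
        self.codes = {}  # code -> grant details, removed on first redemption attempt

    def authorize(self, client_id, redirect_uri, code_commitment):
        """Authorization endpoint: returns the code delivered to redirect_uri."""
        client = self.clients.get(client_id)
        if client is None:
            raise ValueError("unknown client")
        # Exact string match against the pre-registered set: no prefix,
        # wildcard or scheme-only matching.
        if redirect_uri not in client["redirect_uris"]:
            raise ValueError("redirect_uri not registered")
        if not code_commitment:
            raise ValueError("commitment required for public clients")
        code = secrets.token_urlsafe(32)
        self.codes[code] = {
            "client_id": client_id,
            "redirect_uri": redirect_uri,
            "commitment": code_commitment,
            "expires": self.clock() + CODE_TTL,
        }
        return code

    def token(self, client_id, redirect_uri, code, verifier):
        """Token endpoint: redeems a code only with the matching verifier."""
        grant = self.codes.pop(code, None)  # any attempt burns the code
        if grant is None or self.clock() > grant["expires"]:
            raise ValueError("invalid_grant")
        if (client_id, redirect_uri) != (grant["client_id"], grant["redirect_uri"]):
            raise ValueError("invalid_grant")
        presented = commitment(verifier).encode("ascii")
        expected = grant["commitment"].encode("utf-8")
        if not hmac.compare_digest(presented, expected):  # constant-time compare
            raise ValueError("invalid_grant")
        return secrets.token_urlsafe(32)


def redeem(server, code, verifier):
    """Return 'ok' or the error string for one token request."""
    try:
        server.token("native-app", REDIRECT, code, verifier)
        return "ok"
    except ValueError as exc:
        return str(exc)


def run_scenario():
    server = AuthorizationServer(CLIENTS)
    results = {}

    # An unregistered redirect URI is refused before any code is issued.
    try:
        server.authorize("native-app", "com.other.app:/cb", commitment("x"))
        results["unregistered_redirect"] = "ok"
    except ValueError as exc:
        results["unregistered_redirect"] = str(exc)

    # Flow 1: another app registered for the same scheme receives the code.
    # client_id and redirect_uri are public; the verifier never left the real app.
    verifier = secrets.token_urlsafe(32)
    code = server.authorize("native-app", REDIRECT, commitment(verifier))
    results["other_app"] = redeem(server, code, secrets.token_urlsafe(32))

    # Flow 2: the app that started the request redeems its own code, once.
    verifier = secrets.token_urlsafe(32)
    code = server.authorize("native-app", REDIRECT, commitment(verifier))
    results["legitimate_app"] = redeem(server, code, verifier)
    results["replay"] = redeem(server, code, verifier)
    return results


if __name__ == "__main__":
    for name, outcome in run_scenario().items():
        print(f"{name}: {outcome}")
```

Burning the code on the first redemption attempt, successful or not, is a conservative choice in this sketch: a failed attempt by another app forces the real app to restart the flow but never yields a token.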


From hannes.tschofenig@nsn.com  Wed Aug 28 05:44:01 2013
Return-Path: <hannes.tschofenig@nsn.com>
From: "Tschofenig, Hannes (NSN - FI/Espoo)" <hannes.tschofenig@nsn.com>
To: oauth mailing list <oauth@ietf.org>
Thread-Topic: Dynamic Client Registration Conference Call: Wed 28 Aug, 2pm PDT: Conference Bridge Details
Thread-Index: Ac6j7DrJfwFULgQyQMGtv/P3KnLePQ==
Date: Wed, 28 Aug 2013 12:43:44 +0000
Message-ID: <1373E8CE237FCC43BCA36C6558612D2AA28D6A@USCHMBX001.nsn-intra.net>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
x-originating-ip: [10.159.161.126]
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Subject: [OAUTH-WG] Dynamic Client Registration Conference Call: Wed 28 Aug, 2pm PDT: Conference Bridge Details

Here are the conference bridge / Webex details for the call today.
We are going to complete the use case discussions from last time (Phil wasn't able to walk through all slides). Justin was also able to work out a strawman proposal based on the discussions last week and we will have a look at it to see whether this is a suitable compromise. Here is Justin's mail, in case you have missed it: http://www.ietf.org/mail-archive/web/oauth/current/msg12036.html

Phil, please feel free to make adjustments to your slides given Justin's recent proposal.

Topic: OAuth Dynamic Client Registration
Date: Wednesday, August 28, 2013
Time: 2:00 pm, Pacific Daylight Time (San Francisco, GMT-07:00)
Meeting Number: 703 230 586
Meeting Password: oauth

-------------------------------------------------------
To join the online meeting
-------------------------------------------------------
1. Go to https://nsn.webex.com/nsn/j.php?ED=269567657&UID=0&PW=NNTI1ZWQzMDJk&RT=MiM0
2. Enter your name and email address.
3. Enter the meeting password: oauth
4. Click "Join Now".

To view in other time zones or languages, please click the link:
https://nsn.webex.com/nsn/j.php?ED=269567657&UID=0&PW=NNTI1ZWQzMDJk&ORT=MiM0

To add this meeting to your calendar program (for example Microsoft Outlook), click this link:
https://nsn.webex.com/nsn/j.php?ED=269567657&UID=0&ICS=MI&LD=1&RD=2&ST=1&SHA2=C6-AjLGvhdYjmpVdx75M6UsAwrNLMsequ5n95Gyv1R8=&RT=MiM0

-------------------------------------------------------
To join the teleconference only
-------------------------------------------------------
Global dial-in Numbers: http://www.nokiasiemensnetworks.com/nvc
Conference Code: 944 910 5485


From hannes.tschofenig@nsn.com  Wed Aug 28 05:56:55 2013
Return-Path: <hannes.tschofenig@nsn.com>
From: "Tschofenig, Hannes (NSN - FI/Espoo)" <hannes.tschofenig@nsn.com>
To: oauth mailing list <oauth@ietf.org>
Thread-Topic: Dynamic Client Registration - Possible Future Conference Call Dates
Thread-Index: Ac6j7gr0PYy8NB2xR76wfDgbrTPRPw==
Date: Wed, 28 Aug 2013 12:56:43 +0000
Message-ID: <1373E8CE237FCC43BCA36C6558612D2AA28DA2@USCHMBX001.nsn-intra.net>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
x-originating-ip: [10.159.161.126]
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Subject: [OAUTH-WG] Dynamic Client Registration - Possible Future Conference Call Dates

Hi all,

in case we need more conference call dates I took a look at the poll and the following dates showed up:

- Tue, 3 September 2pm EDT
- Wed, 11 September 2pm EDT
- Thu, 12 September 2pm EDT
- Tue, 17 September 2pm EDT
- Wed, 18 September 2pm EDT
- Wed, 25 September 2pm EDT
- Thu, 26 September 2pm EDT

I just want to list them here since this topic will come up today.

I personally would like to reach a conclusion earlier than using all these conference call dates. But if that's what it takes then we will have to get through this.

Ciao
Hannes


From jricher@mitre.org  Wed Aug 28 07:57:06 2013
Return-Path: <jricher@mitre.org>
Message-ID: <521E0FAC.20907@mitre.org>
Date: Wed, 28 Aug 2013 10:56:44 -0400
From: Justin Richer <jricher@mitre.org>
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:17.0) Gecko/20130623 Thunderbird/17.0.7
MIME-Version: 1.0
To: Eve Maler <eve@xmlgrrl.com>
References: <D4C71EFB-AE88-4E42-AED2-D9202247A3DB@mitre.org> <57d0cc93671e43c09d04fb7f46528b90@BY2PR03MB189.namprd03.prod.outlook.com> <0FD93772-1AEC-4400-8A7D-C9F6D44E2E5E@ve7jtb.com> <4B81034F-7B26-488A-B7FA-E4DBFEB2256C@xmlgrrl.com>
In-Reply-To: <4B81034F-7B26-488A-B7FA-E4DBFEB2256C@xmlgrrl.com>
Content-Type: text/plain; charset="ISO-8859-1"; format=flowed
Content-Transfer-Encoding: 7bit
X-Originating-IP: [129.83.31.56]
Cc: oauth mailing list <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Refactoring Dynamic Registration

Just wanted to respond to one point:

 > SHOULD around open registration

The reason behind that was to encourage wider adoption. If you don't 
have to do any out of band or manual steps to get your client 
registered, you're more likely as a developer to use it (in my view at 
least), so I'd like to see more service providers work in that mode. Of 
course, it's not a MUST and really shouldn't be a MUST, because as you 
correctly point out there are many valid mechanisms for getting access 
to the registration API. Some are more automated and robust than others. 
What we've tried to do with BlueButton+ is require open registration but 
set policy (which we can specify in our use case) around the difference 
between openly registered clients and registry-backed clients (which 
requires a manual pre-registration step to get a software assertion 
that's presented as an access token). I foresee that when we start to 
build UMA's mechanisms into BB+, we'll have another class of clients 
that have different policies as well, and while we're not quite there 
yet I think it's important to keep the user-introduction flow like this 
in mind and possible, too.

  -- Justin

On 08/27/2013 05:12 PM, Eve Maler wrote:
> Unfortunately I haven't been able to attend the design meetings, but I've continued to follow along here with interest.
>
> I confess that the core/management split seems a little artificial to me. I can imagine a potential use case for splitting things this way -- even a client that was *statically* provisioned its credentials might still want to manage its representation at the authorization server over time. But even so, I would normally expect to see all of this considered part of the "management" bucket, with the first step allowed to happen either on-stage or off-stage. In any case, if the split satisfies some other need I'm missing, I don't want to stand in the way.
>
> Also, I'm still a little stumped at the reluctance to allow a full set of management operations. Is this still a concern over similarity to SCIM, which also has a full set of CRUD-type operations? If so, perhaps it's worth pointing out that many (millions?) of APIs leverage the HTTP verbs in nearly identical ways to "provision" web resources. In fact, my SCIM-related slideware even says "If you've seen one RESTful CRUD API, you've seen 'em all" :), and points out that its unique value is in the *nature* of the resources being provisioned (scoped to user identity data, as noted in the SCIM API spec itself). Similarity like this is a feature of REST, not a bug.
>
> As an aside, I'm surprised the core spec has a SHOULD around open registration. Different APIs have different business models, and the range of possibilities legitimately includes APIs that require approval workflows etc. for onboarding devs and their client apps. In fact, that's one of the exciting things about defining dynamic (machine-to-machine) client registration that can nonetheless put gates in front of client provisioning: it makes OAuth protection more easily achievable even in "circle of trust" scenarios.
>
> Net on the important bits:
> - I'm weakly in favor of a recombined core+management spec but I'm fine with the split if others find it valuable.
> - I'm in favor of keeping the management functions in scope.
>
> 	Eve
>
> On 27 Aug 2013, at 11:52 AM, John Bradley <ve7jtb@ve7jtb.com> wrote:
>
>> I appreciate that is your opinion.   Let's finish splitting the document and agree on what we agree on, then the chairs and others can render an opinion on if http://tools.ietf.org/html/draft-richer-oauth-dyn-reg-management-00 is in scope for this WG.    I happen to think it is in scope, and I suspect I am not alone in that.
>>
>> Right now let's focus on the core of the spec we agree on and leave the scope issue to a later knife fight.
>>
>> John B.
>>
>> On 2013-08-27, at 2:41 PM, Anthony Nadalin <tonynad@microsoft.com> wrote:
>>
>>> I believe the http://tools.ietf.org/html/draft-richer-oauth-dyn-reg-management-00 is out of scope for this WG and needs to go to the APPS area since we don't deal with other OAuth management issues
>>>
>>> -----Original Message-----
>>> From: oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] On Behalf Of Richer, Justin P.
>>> Sent: Tuesday, August 27, 2013 7:06 AM
>>> To: oauth mailing list
>>> Subject: [OAUTH-WG] Refactoring Dynamic Registration
>>>
>>> After last week's design team call, at Derek's suggestion, I took time today to refactor the Dynamic Registration draft into two pieces: "core" and "management". The former contains the definition of the Registration Endpoint and the semantics surrounding that, the latter contains the Client Configuration Endpoint as well as the "non-essential" client metadata parameters.
>>>
>>> I did this refactoring with an axe, so there are almost certainly bits and pieces that are in the wrong document. In particular, I've kept the use cases in the "core" document even though they reference concepts and constructs defined in the "management" spec. This way people that don't want to deal with a configuration management API can implement just the "core" registration spec and call it a day, while people who want to have full lifecycle control can do the "management" spec on top of it. This does increase the optionality by making the client configuration endpoint parameters optional, but that's the tradeoff for having things cut this way.
>>>
>>> You can read both the specs here:
>>>
>>> http://tools.ietf.org/html/draft-richer-oauth-dyn-reg-core-00
>>>
>>> http://tools.ietf.org/html/draft-richer-oauth-dyn-reg-management-00
>>>
>>> I've uploaded these as individual submissions for now. If the working group decides to move forward with this refactoring, I expect both documents to move in tandem through the RFC approval process.
>>>
>>> -- Justin
>
> Eve Maler                                  http://www.xmlgrrl.com/blog
> +1 425 345 6756                         http://www.twitter.com/xmlgrrl
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth


From phil.hunt@oracle.com  Wed Aug 28 08:04:37 2013
Return-Path: <phil.hunt@oracle.com>
References: <1373E8CE237FCC43BCA36C6558612D2AA28D6A@USCHMBX001.nsn-intra.net>
Mime-Version: 1.0 (1.0)
In-Reply-To: <1373E8CE237FCC43BCA36C6558612D2AA28D6A@USCHMBX001.nsn-intra.net>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: quoted-printable
Message-Id: <4D9D4AAD-55F9-4B7E-A56F-5BC42F028E13@oracle.com>
X-Mailer: iPhone Mail (10B329)
From: Phil Hunt <phil.hunt@oracle.com>
Date: Wed, 28 Aug 2013 08:04:26 -0700
To: "Tschofenig, Hannes (NSN - FI/Espoo)" <hannes.tschofenig@nsn.com>
X-Source-IP: acsinet22.oracle.com [141.146.126.238]
Cc: oauth mailing list <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Dynamic Client Registration Conference Call: Wed 28 Aug, 2pm PDT: Conference Bridge Details

I have a conflict I cannot get out of for 2pacific.

I think a certificate based approach is going to simplify exchanges in all cases. I encourage the group to explore the concept on the call.

I am not sure breaking dyn reg up helps. It creates yet another option. I would like to explore how federation concept in software statements can help with facilitating association and making many reg stateless.

Phil

On 2013-08-28, at 5:43, "Tschofenig, Hannes (NSN - FI/Espoo)" <hannes.tschofenig@nsn.com> wrote:

> Here are the conference bridge / Webex details for the call today.
> We are going to complete the use case discussions from last time (Phil wasn't able to walk through all slides). Justin was also able to work out a strawman proposal based on the discussions last week and we will have a look at it to see whether this is a suitable compromise. Here is Justin's mail, in case you have missed it: http://www.ietf.org/mail-archive/web/oauth/current/msg12036.html
>
> Phil, please feel free to make adjustments to your slides given Justin's recent proposal.
>
> Topic: OAuth Dynamic Client Registration
> Date: Wednesday, August 28, 2013
> Time: 2:00 pm, Pacific Daylight Time (San Francisco, GMT-07:00)
> Meeting Number: 703 230 586
> Meeting Password: oauth
>
> -------------------------------------------------------
> To join the online meeting
> -------------------------------------------------------
> 1. Go to https://nsn.webex.com/nsn/j.php?ED=269567657&UID=0&PW=NNTI1ZWQzMDJk&RT=MiM0
> 2. Enter your name and email address.
> 3. Enter the meeting password: oauth
> 4. Click "Join Now".
>
> To view in other time zones or languages, please click the link:
> https://nsn.webex.com/nsn/j.php?ED=269567657&UID=0&PW=NNTI1ZWQzMDJk&ORT=MiM0
>
> To add this meeting to your calendar program (for example Microsoft Outlook), click this link:
> https://nsn.webex.com/nsn/j.php?ED=269567657&UID=0&ICS=MI&LD=1&RD=2&ST=1&SHA2=C6-AjLGvhdYjmpVdx75M6UsAwrNLMsequ5n95Gyv1R8=&RT=MiM0
>
> -------------------------------------------------------
> To join the teleconference only
> -------------------------------------------------------
> Global dial-in Numbers: http://www.nokiasiemensnetworks.com/nvc
> Conference Code: 944 910 5485
>
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth

From phil.hunt@oracle.com  Wed Aug 28 08:18:12 2013
Return-Path: <phil.hunt@oracle.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1F6FD11E80FA for <oauth@ietfa.amsl.com>; Wed, 28 Aug 2013 08:18:12 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.244
X-Spam-Level: 
X-Spam-Status: No, score=-5.244 tagged_above=-999 required=5 tests=[AWL=-0.041, BAYES_00=-2.599, MIME_QP_LONG_LINE=1.396, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 33NKtjRHp+b4 for <oauth@ietfa.amsl.com>; Wed, 28 Aug 2013 08:18:07 -0700 (PDT)
Received: from userp1040.oracle.com (userp1040.oracle.com [156.151.31.81]) by ietfa.amsl.com (Postfix) with ESMTP id 71B8311E81A4 for <oauth@ietf.org>; Wed, 28 Aug 2013 08:18:07 -0700 (PDT)
Received: from acsinet21.oracle.com (acsinet21.oracle.com [141.146.126.237]) by userp1040.oracle.com (Sentrion-MTA-4.3.1/Sentrion-MTA-4.3.1) with ESMTP id r7SFI0NQ012099 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK); Wed, 28 Aug 2013 15:18:00 GMT
Received: from aserz7021.oracle.com (aserz7021.oracle.com [141.146.126.230]) by acsinet21.oracle.com (8.14.4+Sun/8.14.4) with ESMTP id r7SFHxNu005974 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Wed, 28 Aug 2013 15:17:59 GMT
Received: from abhmt120.oracle.com (abhmt120.oracle.com [141.146.116.72]) by aserz7021.oracle.com (8.14.4+Sun/8.14.4) with ESMTP id r7SFHxsM005963; Wed, 28 Aug 2013 15:17:59 GMT
Received: from [192.168.1.125] (/24.86.29.34) by default (Oracle Beehive Gateway v4.0) with ESMTP ; Wed, 28 Aug 2013 08:17:59 -0700
References: <1373E8CE237FCC43BCA36C6558612D2AA28D6A@USCHMBX001.nsn-intra.net> <4D9D4AAD-55F9-4B7E-A56F-5BC42F028E13@oracle.com>
Mime-Version: 1.0 (1.0)
In-Reply-To: <4D9D4AAD-55F9-4B7E-A56F-5BC42F028E13@oracle.com>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: quoted-printable
Message-Id: <B14A12F5-EF5C-4529-90B7-C30E17958907@oracle.com>
X-Mailer: iPhone Mail (10B329)
From: Phil Hunt <phil.hunt@oracle.com>
Date: Wed, 28 Aug 2013 08:17:54 -0700
To: "Tschofenig, Hannes (NSN - FI/Espoo)" <hannes.tschofenig@nsn.com>
X-Source-IP: acsinet21.oracle.com [141.146.126.237]
Cc: oauth mailing list <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Dynamic Client Registration Conference Call: Wed 28 Aug, 2pm PDT: Conference Bridge Details
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 28 Aug 2013 15:18:12 -0000

Sorry. I meant also to say I think there are 2 registration steps.

1. Software registration/approval. This often happens out of band. But in this step policy is defined that approves software for use. Many of the reg params are known here.

Federation techniques come into play as trust approvals can be based on developer, product or even publisher.

2. Each instance associates in a stateless way. Only clients that need credential rotation need more.

Phil

On 2013-08-28, at 8:04, Phil Hunt <phil.hunt@oracle.com> wrote:

> I have a conflict I cannot get out of for 2pacific.
>
> I think a certificate based approach is going to simplify exchanges in all cases. I encourage the group to explore the concept on the call.
>
> I am not sure breaking dyn reg up helps. It creates yet another option. I would like to explore how federation concept in software statements can help with facilitating association and making many reg stateless.
>
> Phil
>
> On 2013-08-28, at 5:43, "Tschofenig, Hannes (NSN - FI/Espoo)" <hannes.tschofenig@nsn.com> wrote:
>
>> Here are the conference bridge / Webex details for the call today.
>> We are going to complete the use case discussions from last time (Phil wasn't able to walk through all slides). Justin was also able to work out a strawman proposal based on the discussions last week and we will have a look at it to see whether this is a suitable compromise. Here is Justin's mail, in case you have missed it: http://www.ietf.org/mail-archive/web/oauth/current/msg12036.html
>>
>> Phil, please feel free to make adjustments to your slides given the Justin's recent proposal.
>>
>> Topic: OAuth Dynamic Client Registration
>> Date: Wednesday, August 28, 2013
>> Time: 2:00 pm, Pacific Daylight Time (San Francisco, GMT-07:00)
>> Meeting Number: 703 230 586
>> Meeting Password: oauth
>>
>> -------------------------------------------------------
>> To join the online meeting
>> -------------------------------------------------------
>> 1. Go to https://nsn.webex.com/nsn/j.php?ED=269567657&UID=0&PW=NNTI1ZWQzMDJk&RT=MiM0
>> 2. Enter your name and email address.
>> 3. Enter the meeting password: oauth
>> 4. Click "Join Now".
>>
>> To view in other time zones or languages, please click the link:
>> https://nsn.webex.com/nsn/j.php?ED=269567657&UID=0&PW=NNTI1ZWQzMDJk&ORT=MiM0
>>
>> To add this meeting to your calendar program (for example Microsoft Outlook), click this link:
>> https://nsn.webex.com/nsn/j.php?ED=269567657&UID=0&ICS=MI&LD=1&RD=2&ST=1&SHA2=C6-AjLGvhdYjmpVdx75M6UsAwrNLMsequ5n95Gyv1R8=&RT=MiM0
>>
>> -------------------------------------------------------
>> To join the teleconference only
>> -------------------------------------------------------
>> Global dial-in Numbers: http://www.nokiasiemensnetworks.com/nvc
>> Conference Code: 944 910 5485
>>
>>
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth

From jricher@mitre.org  Wed Aug 28 08:42:02 2013
Return-Path: <jricher@mitre.org>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A2EFB11E820C for <oauth@ietfa.amsl.com>; Wed, 28 Aug 2013 08:42:02 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.477
X-Spam-Level: 
X-Spam-Status: No, score=-6.477 tagged_above=-999 required=5 tests=[AWL=0.122,  BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id TyzktbafgIKP for <oauth@ietfa.amsl.com>; Wed, 28 Aug 2013 08:41:55 -0700 (PDT)
Received: from smtpksrv1.mitre.org (smtpksrv1.mitre.org [198.49.146.77]) by ietfa.amsl.com (Postfix) with ESMTP id C79F021F9FF6 for <oauth@ietf.org>; Wed, 28 Aug 2013 08:41:50 -0700 (PDT)
Received: from smtpksrv1.mitre.org (localhost.localdomain [127.0.0.1]) by localhost (Postfix) with SMTP id 2CE871F0427; Wed, 28 Aug 2013 11:41:50 -0400 (EDT)
Received: from IMCCAS04.MITRE.ORG (imccas04.mitre.org [129.83.29.81]) by smtpksrv1.mitre.org (Postfix) with ESMTP id ED56D1F0972; Wed, 28 Aug 2013 11:41:49 -0400 (EDT)
Received: from [10.146.15.13] (129.83.31.56) by IMCCAS04.MITRE.ORG (129.83.29.81) with Microsoft SMTP Server (TLS) id 14.2.342.3; Wed, 28 Aug 2013 11:41:49 -0400
Message-ID: <521E1A34.30204@mitre.org>
Date: Wed, 28 Aug 2013 11:41:40 -0400
From: Justin Richer <jricher@mitre.org>
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:17.0) Gecko/20130623 Thunderbird/17.0.7
MIME-Version: 1.0
To: Phil Hunt <phil.hunt@oracle.com>
References: <1373E8CE237FCC43BCA36C6558612D2AA28D6A@USCHMBX001.nsn-intra.net> <4D9D4AAD-55F9-4B7E-A56F-5BC42F028E13@oracle.com> <B14A12F5-EF5C-4529-90B7-C30E17958907@oracle.com>
In-Reply-To: <B14A12F5-EF5C-4529-90B7-C30E17958907@oracle.com>
Content-Type: text/plain; charset="ISO-8859-1"; format=flowed
Content-Transfer-Encoding: 7bit
X-Originating-IP: [129.83.31.56]
Cc: oauth mailing list <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Dynamic Client Registration Conference Call: Wed 28 Aug, 2pm PDT: Conference Bridge Details
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 28 Aug 2013 15:42:02 -0000

Except for the cases where you want step 1 to happen in band. To me, 
that is a vitally and fundamentally important use case that we can't 
disregard, and we must have a solution that can accommodate that. The 
notions of "publisher" and "product" fade very quickly once you get 
outside of the software vendor world.

This is, of course, not to stand in the way of other solutions or 
approaches (such as something assertion based like you're after). It's 
not a one-or-the-other proposition, especially when there are mutually 
exclusive aspects of each.

Therefore I once again call for the WG to finish the current dynamic 
registration spec *AND* pursue the assertion based process that Phil's 
talking about. They're not mutually exclusive, let's please stop talking 
about them like they are.

  -- Justin

On 08/28/2013 11:17 AM, Phil Hunt wrote:
> Sorry. I meant also to say i think there are 2 registration steps.
>
> 1. Software registration/approval. This often happens out of band. But in this step policy is defined that approves software for use. Many of the reg params are known here.
>
> Federation techniques come into play as trust approvals can be based on developer, product or even publisher.
>
> 2. Each instance associates in a stateless way. Only clients that need credential rotation need more.
>
> Phil
>
> On 2013-08-28, at 8:04, Phil Hunt <phil.hunt@oracle.com> wrote:
>
>> I have a conflict I cannot get out of for 2pacific.
>>
>> I think a certificate based approach is going to simplify exchanges in all cases. I encourage the group to explore the concept on the call.
>>
>> I am not sure breaking dyn reg up helps. It creates yet another option. I would like to explore how federation concept in software statements can help with facilitating association and making many reg stateless.
>>
>> Phil
>>
>> On 2013-08-28, at 5:43, "Tschofenig, Hannes (NSN - FI/Espoo)" <hannes.tschofenig@nsn.com> wrote:
>>
>>> Here are the conference bridge / Webex details for the call today.
>>> We are going to complete the use case discussions from last time (Phil wasn't able to walk through all slides). Justin was also able to work out a strawman proposal based on the discussions last week and we will have a look at it to see whether this is a suitable compromise. Here is Justin's mail, in case you have missed it: http://www.ietf.org/mail-archive/web/oauth/current/msg12036.html
>>>
>>> Phil, please feel free to make adjustments to your slides given the Justin's recent proposal.
>>>
>>> Topic: OAuth Dynamic Client Registration
>>> Date: Wednesday, August 28, 2013
>>> Time: 2:00 pm, Pacific Daylight Time (San Francisco, GMT-07:00)
>>> Meeting Number: 703 230 586
>>> Meeting Password: oauth
>>>
>>> -------------------------------------------------------
>>> To join the online meeting
>>> -------------------------------------------------------
>>> 1. Go to https://nsn.webex.com/nsn/j.php?ED=269567657&UID=0&PW=NNTI1ZWQzMDJk&RT=MiM0
>>> 2. Enter your name and email address.
>>> 3. Enter the meeting password: oauth
>>> 4. Click "Join Now".
>>>
>>> To view in other time zones or languages, please click the link:
>>> https://nsn.webex.com/nsn/j.php?ED=269567657&UID=0&PW=NNTI1ZWQzMDJk&ORT=MiM0
>>>
>>> To add this meeting to your calendar program (for example Microsoft Outlook), click this link:
>>> https://nsn.webex.com/nsn/j.php?ED=269567657&UID=0&ICS=MI&LD=1&RD=2&ST=1&SHA2=C6-AjLGvhdYjmpVdx75M6UsAwrNLMsequ5n95Gyv1R8=&RT=MiM0
>>>
>>> -------------------------------------------------------
>>> To join the teleconference only
>>> -------------------------------------------------------
>>> Global dial-in Numbers: http://www.nokiasiemensnetworks.com/nvc
>>> Conference Code: 944 910 5485
>>>
>>>
>>> _______________________________________________
>>> OAuth mailing list
>>> OAuth@ietf.org
>>> https://www.ietf.org/mailman/listinfo/oauth
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth


From tonynad@microsoft.com  Wed Aug 28 08:49:53 2013
Return-Path: <tonynad@microsoft.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E6D8F21F9C46 for <oauth@ietfa.amsl.com>; Wed, 28 Aug 2013 08:49:52 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.489
X-Spam-Level: 
X-Spam-Status: No, score=-3.489 tagged_above=-999 required=5 tests=[AWL=0.110,  BAYES_00=-2.599, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Lp9dWFHEj-3I for <oauth@ietfa.amsl.com>; Wed, 28 Aug 2013 08:49:49 -0700 (PDT)
Received: from na01-bn1-obe.outbound.protection.outlook.com (mail-bn1lp0152.outbound.protection.outlook.com [207.46.163.152]) by ietfa.amsl.com (Postfix) with ESMTP id B84FB21F9A96 for <oauth@ietf.org>; Wed, 28 Aug 2013 08:49:48 -0700 (PDT)
Received: from BY2PR03MB189.namprd03.prod.outlook.com (10.242.36.140) by BY2PR03MB192.namprd03.prod.outlook.com (10.242.36.144) with Microsoft SMTP Server (TLS) id 15.0.745.25; Wed, 28 Aug 2013 15:49:41 +0000
Received: from BY2PR03MB189.namprd03.prod.outlook.com ([169.254.6.221]) by BY2PR03MB189.namprd03.prod.outlook.com ([169.254.6.221]) with mapi id 15.00.0745.000; Wed, 28 Aug 2013 15:49:41 +0000
From: Anthony Nadalin <tonynad@microsoft.com>
To: Justin Richer <jricher@mitre.org>, Phil Hunt <phil.hunt@oracle.com>
Thread-Topic: [OAUTH-WG] Dynamic Client Registration Conference Call: Wed 28 Aug, 2pm PDT: Conference Bridge Details
Thread-Index: AQHOpAVVZVK0368eQUGxr6rwDIwXRJmqwysg
Date: Wed, 28 Aug 2013 15:49:40 +0000
Message-ID: <ea3ca23616a042928e211e6c79879739@BY2PR03MB189.namprd03.prod.outlook.com>
References: <1373E8CE237FCC43BCA36C6558612D2AA28D6A@USCHMBX001.nsn-intra.net> <4D9D4AAD-55F9-4B7E-A56F-5BC42F028E13@oracle.com> <B14A12F5-EF5C-4529-90B7-C30E17958907@oracle.com> <521E1A34.30204@mitre.org>
In-Reply-To: <521E1A34.30204@mitre.org>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
x-originating-ip: [2001:4898:80e0:ed43::3]
x-forefront-prvs: 09525C61DB
x-forefront-antispam-report: SFV:NSPM; SFS:(377424004)(30513003)(189002)(199002)(52044002)(24454002)(13464003)(51704005)(377454003)(479174003)(79102001)(54316002)(56776001)(59766001)(77982001)(49866001)(47736001)(47976001)(50986001)(4396001)(63696002)(51856001)(31966008)(81816001)(74502001)(47446002)(74662001)(81686001)(80976001)(53806001)(76482001)(46102001)(54356001)(15975445006)(33646001)(19580405001)(83322001)(19580395003)(56816003)(15202345003)(77096001)(76576001)(76786001)(76796001)(74876001)(551544002)(65816001)(80022001)(561944002)(74316001)(74366001)(83072001)(74706001)(81342001)(81542001)(16799955002)(69226001)(42262001)(24736002)(3826001); DIR:OUT; SFP:; SCL:1; SRVR:BY2PR03MB192; H:BY2PR03MB189.namprd03.prod.outlook.com; CLIP:2001:4898:80e0:ed43::3; RD:InfoNoRecords; MX:1; A:1; LANG:en; 
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-OriginatorOrg: DuplicateDomain-a84fc36a-4ed7-4e57-ab1c-3e967bcbad48.microsoft.com
Cc: oauth mailing list <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Dynamic Client Registration Conference Call: Wed 28 Aug, 2pm PDT: Conference Bridge Details
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 28 Aug 2013 15:49:53 -0000

>Therefore I once again call for the WG to finish the current dynamic registration spec *AND* pursue the assertion based process that Phil's talking about. They're not mutually exclusive, let's please stop talking

I see no reason to continue to push finish the current specification when there are so many discussions/issues going on as discussions will only lead to better specifications that folks can actually implement and use.

-----Original Message-----
From: oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] On Behalf Of Justin Richer
Sent: Wednesday, August 28, 2013 8:42 AM
To: Phil Hunt
Cc: oauth mailing list
Subject: Re: [OAUTH-WG] Dynamic Client Registration Conference Call: Wed 28 Aug, 2pm PDT: Conference Bridge Details

Except for the cases where you want step 1 to happen in band. To me, that is a vitally and fundamentally important use case that we can't disregard, and we must have a solution that can accommodate that. The notions of "publisher" and "product" fade very quickly once you get outside of the software vendor world.

This is, of course, not to stand in the way of other solutions or approaches (such as something assertion based like you're after). It's not a one-or-the-other proposition, especially when there are mutually exclusive aspects of each.

Therefore I once again call for the WG to finish the current dynamic registration spec *AND* pursue the assertion based process that Phil's talking about. They're not mutually exclusive, let's please stop talking about them like they are.

  -- Justin

On 08/28/2013 11:17 AM, Phil Hunt wrote:
> Sorry. I meant also to say i think there are 2 registration steps.
>
> 1. Software registration/approval. This often happens out of band. But in this step policy is defined that approves software for use. Many of the reg params are known here.
>
> Federation techniques come into play as trust approvals can be based on developer, product or even publisher.
>
> 2. Each instance associates in a stateless way. Only clients that need credential rotation need more.
>
> Phil
>
> On 2013-08-28, at 8:04, Phil Hunt <phil.hunt@oracle.com> wrote:
>
>> I have a conflict I cannot get out of for 2pacific.
>>
>> I think a certificate based approach is going to simplify exchanges in all cases. I encourage the group to explore the concept on the call.
>>
>> I am not sure breaking dyn reg up helps. It creates yet another option. I would like to explore how federation concept in software statements can help with facilitating association and making many reg stateless.
>>
>> Phil
>>
>> On 2013-08-28, at 5:43, "Tschofenig, Hannes (NSN - FI/Espoo)" <hannes.tschofenig@nsn.com> wrote:
>>
>>> Here are the conference bridge / Webex details for the call today.
>>> We are going to complete the use case discussions from last time
>>> (Phil wasn't able to walk through all slides). Justin was also able
>>> to work out a strawman proposal based on the discussions last week
>>> and we will have a look at it to see whether this is a suitable
>>> compromise. Here is Justin's mail, in case you have missed it:
>>> http://www.ietf.org/mail-archive/web/oauth/current/msg12036.html
>>>
>>> Phil, please feel free to make adjustments to your slides given the Justin's recent proposal.
>>>
>>> Topic: OAuth Dynamic Client Registration
>>> Date: Wednesday, August 28, 2013
>>> Time: 2:00 pm, Pacific Daylight Time (San Francisco, GMT-07:00)
>>> Meeting Number: 703 230 586 Meeting Password: oauth
>>>
>>> -------------------------------------------------------
>>> To join the online meeting
>>> -------------------------------------------------------
>>> 1. Go to
>>> https://nsn.webex.com/nsn/j.php?ED=269567657&UID=0&PW=NNTI1ZWQzMDJk&
>>> RT=MiM0 2. Enter your name and email address.
>>> 3. Enter the meeting password: oauth 4. Click "Join Now".
>>>
>>> To view in other time zones or languages, please click the link:
>>> https://nsn.webex.com/nsn/j.php?ED=269567657&UID=0&PW=NNTI1ZWQzMDJk&
>>> ORT=MiM0
>>>
>>> To add this meeting to your calendar program (for example Microsoft Outlook), click this link:
>>> https://nsn.webex.com/nsn/j.php?ED=269567657&UID=0&ICS=MI&LD=1&RD=2&
>>> ST=1&SHA2=C6-AjLGvhdYjmpVdx75M6UsAwrNLMsequ5n95Gyv1R8=&RT=MiM0
>>>
>>> -------------------------------------------------------
>>> To join the teleconference only
>>> -------------------------------------------------------
>>> Global dial-in Numbers: http://www.nokiasiemensnetworks.com/nvc
>>> Conference Code: 944 910 5485
>>>
>>>
>>> _______________________________________________
>>> OAuth mailing list
>>> OAuth@ietf.org
>>> https://www.ietf.org/mailman/listinfo/oauth
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth

From jricher@mitre.org  Wed Aug 28 08:51:32 2013
Return-Path: <jricher@mitre.org>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9689D11E8191 for <oauth@ietfa.amsl.com>; Wed, 28 Aug 2013 08:51:32 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.481
X-Spam-Level: 
X-Spam-Status: No, score=-6.481 tagged_above=-999 required=5 tests=[AWL=0.118,  BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id epdokdaLy7m8 for <oauth@ietfa.amsl.com>; Wed, 28 Aug 2013 08:51:24 -0700 (PDT)
Received: from smtpksrv1.mitre.org (smtpksrv1.mitre.org [198.49.146.77]) by ietfa.amsl.com (Postfix) with ESMTP id 6A20321F9BD3 for <oauth@ietf.org>; Wed, 28 Aug 2013 08:51:22 -0700 (PDT)
Received: from smtpksrv1.mitre.org (localhost.localdomain [127.0.0.1]) by localhost (Postfix) with SMTP id EB0851F02B6; Wed, 28 Aug 2013 11:51:21 -0400 (EDT)
Received: from IMCCAS04.MITRE.ORG (imccas04.mitre.org [129.83.29.81]) by smtpksrv1.mitre.org (Postfix) with ESMTP id D23671F0725; Wed, 28 Aug 2013 11:51:21 -0400 (EDT)
Received: from [10.146.15.13] (129.83.31.56) by IMCCAS04.MITRE.ORG (129.83.29.81) with Microsoft SMTP Server (TLS) id 14.2.342.3; Wed, 28 Aug 2013 11:51:21 -0400
Message-ID: <521E1C70.3070801@mitre.org>
Date: Wed, 28 Aug 2013 11:51:12 -0400
From: Justin Richer <jricher@mitre.org>
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:17.0) Gecko/20130623 Thunderbird/17.0.7
MIME-Version: 1.0
To: Anthony Nadalin <tonynad@microsoft.com>
References: <1373E8CE237FCC43BCA36C6558612D2AA28D6A@USCHMBX001.nsn-intra.net> <4D9D4AAD-55F9-4B7E-A56F-5BC42F028E13@oracle.com> <B14A12F5-EF5C-4529-90B7-C30E17958907@oracle.com> <521E1A34.30204@mitre.org> <ea3ca23616a042928e211e6c79879739@BY2PR03MB189.namprd03.prod.outlook.com>
In-Reply-To: <ea3ca23616a042928e211e6c79879739@BY2PR03MB189.namprd03.prod.outlook.com>
Content-Type: text/plain; charset="ISO-8859-1"; format=flowed
Content-Transfer-Encoding: 7bit
X-Originating-IP: [129.83.31.56]
Cc: oauth mailing list <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Dynamic Client Registration Conference Call: Wed 28 Aug, 2pm PDT: Conference Bridge Details
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 28 Aug 2013 15:51:32 -0000

Except that folks are already actually implementing and using the spec, 
and that all of the discussions around different specs are pretty 
clearly pointing to different use cases and assumptions about the state 
of the world.

Your arguments are invalid.

  -- Justin

On 08/28/2013 11:49 AM, Anthony Nadalin wrote:
>> Therefore I once again call for the WG to finish the current dynamic registration spec *AND* pursue the assertion based process that Phil's talking about. They're not mutually exclusive, let's please stop talking
> I see no reason to continue to push finish the current specification when there are so many discussions/issues going on as discussions will only lead to better specifications that folks can actually implement and use.
>
> -----Original Message-----
> From: oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] On Behalf Of Justin Richer
> Sent: Wednesday, August 28, 2013 8:42 AM
> To: Phil Hunt
> Cc: oauth mailing list
> Subject: Re: [OAUTH-WG] Dynamic Client Registration Conference Call: Wed 28 Aug, 2pm PDT: Conference Bridge Details
>
> Except for the cases where you want step 1 to happen in band. To me, that is a vitally and fundamentally important use case that we can't disregard, and we must have a solution that can accommodate that. The notions of "publisher" and "product" fade very quickly once you get outside of the software vendor world.
>
> This is, of course, not to stand in the way of other solutions or approaches (such as something assertion based like you're after). It's not a one-or-the-other proposition, especially when there are mutually exclusive aspects of each.
>
> Therefore I once again call for the WG to finish the current dynamic registration spec *AND* pursue the assertion based process that Phil's talking about. They're not mutually exclusive, let's please stop talking about them like they are.
>
>    -- Justin
>
> On 08/28/2013 11:17 AM, Phil Hunt wrote:
>> Sorry. I meant also to say i think there are 2 registration steps.
>>
>> 1. Software registration/approval. This often happens out of band. But in this step policy is defined that approves software for use. Many of the reg params are known here.
>>
>> Federation techniques come into play as trust approvals can be based on developer, product or even publisher.
>>
>> 2. Each instance associates in a stateless way. Only clients that need credential rotation need more.
>>
>> Phil
>>
>> On 2013-08-28, at 8:04, Phil Hunt <phil.hunt@oracle.com> wrote:
>>
>>> I have a conflict I cannot get out of for 2pacific.
>>>
>>> I think a certificate based approach is going to simplify exchanges in all cases. I encourage the group to explore the concept on the call.
>>>
>>> I am not sure breaking dyn reg up helps. It creates yet another option. I would like to explore how federation concept in software statements can help with facilitating association and making many reg stateless.
>>>
>>> Phil
>>>
>>> On 2013-08-28, at 5:43, "Tschofenig, Hannes (NSN - FI/Espoo)" <hannes.tschofenig@nsn.com> wrote:
>>>
>>>> Here are the conference bridge / Webex details for the call today.
>>>> We are going to complete the use case discussions from last time
>>>> (Phil wasn't able to walk through all slides). Justin was also able
>>>> to work out a strawman proposal based on the discussions last week
>>>> and we will have a look at it to see whether this is a suitable
>>>> compromise. Here is Justin's mail, in case you have missed it:
>>>> http://www.ietf.org/mail-archive/web/oauth/current/msg12036.html
>>>>
>>>> Phil, please feel free to make adjustments to your slides given the Justin's recent proposal.
>>>>
>>>> Topic: OAuth Dynamic Client Registration
>>>> Date: Wednesday, August 28, 2013
>>>> Time: 2:00 pm, Pacific Daylight Time (San Francisco, GMT-07:00)
>>>> Meeting Number: 703 230 586 Meeting Password: oauth
>>>>
>>>> -------------------------------------------------------
>>>> To join the online meeting
>>>> -------------------------------------------------------
>>>> 1. Go to
>>>> https://nsn.webex.com/nsn/j.php?ED=269567657&UID=0&PW=NNTI1ZWQzMDJk&
>>>> RT=MiM0 2. Enter your name and email address.
>>>> 3. Enter the meeting password: oauth 4. Click "Join Now".
>>>>
>>>> To view in other time zones or languages, please click the link:
>>>> https://nsn.webex.com/nsn/j.php?ED=269567657&UID=0&PW=NNTI1ZWQzMDJk&
>>>> ORT=MiM0
>>>>
>>>> To add this meeting to your calendar program (for example Microsoft Outlook), click this link:
>>>> https://nsn.webex.com/nsn/j.php?ED=269567657&UID=0&ICS=MI&LD=1&RD=2&
>>>> ST=1&SHA2=C6-AjLGvhdYjmpVdx75M6UsAwrNLMsequ5n95Gyv1R8=&RT=MiM0
>>>>
>>>> -------------------------------------------------------
>>>> To join the teleconference only
>>>> -------------------------------------------------------
>>>> Global dial-in Numbers: http://www.nokiasiemensnetworks.com/nvc
>>>> Conference Code: 944 910 5485
>>>>
>>>>
>>>> _______________________________________________
>>>> OAuth mailing list
>>>> OAuth@ietf.org
>>>> https://www.ietf.org/mailman/listinfo/oauth
>>> _______________________________________________
>>> OAuth mailing list
>>> OAuth@ietf.org
>>> https://www.ietf.org/mailman/listinfo/oauth
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth


From tonynad@microsoft.com  Wed Aug 28 09:01:33 2013
Return-Path: <tonynad@microsoft.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5A64B21F9E88 for <oauth@ietfa.amsl.com>; Wed, 28 Aug 2013 09:01:32 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.494
X-Spam-Level: 
X-Spam-Status: No, score=-3.494 tagged_above=-999 required=5 tests=[AWL=0.105,  BAYES_00=-2.599, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id wipclKN8izxZ for <oauth@ietfa.amsl.com>; Wed, 28 Aug 2013 09:01:28 -0700 (PDT)
Received: from na01-bl2-obe.outbound.protection.outlook.com (mail-bl2lp0208.outbound.protection.outlook.com [207.46.163.208]) by ietfa.amsl.com (Postfix) with ESMTP id 6388B11E81FE for <oauth@ietf.org>; Wed, 28 Aug 2013 09:01:23 -0700 (PDT)
Received: from BY2PR03MB191.namprd03.prod.outlook.com (10.242.36.143) by BY2PR03MB595.namprd03.prod.outlook.com (10.255.93.35) with Microsoft SMTP Server (TLS) id 15.0.745.25; Wed, 28 Aug 2013 16:01:14 +0000
Received: from BY2PR03MB189.namprd03.prod.outlook.com (10.242.36.140) by BY2PR03MB191.namprd03.prod.outlook.com (10.242.36.143) with Microsoft SMTP Server (TLS) id 15.0.745.25; Wed, 28 Aug 2013 16:01:13 +0000
Received: from BY2PR03MB189.namprd03.prod.outlook.com ([169.254.6.221]) by BY2PR03MB189.namprd03.prod.outlook.com ([169.254.6.221]) with mapi id 15.00.0745.000; Wed, 28 Aug 2013 16:01:13 +0000
From: Anthony Nadalin <tonynad@microsoft.com>
To: Justin Richer <jricher@mitre.org>
Thread-Topic: [OAUTH-WG] Dynamic Client Registration Conference Call: Wed 28 Aug, 2pm PDT: Conference Bridge Details
Thread-Index: AQHOpAVVZVK0368eQUGxr6rwDIwXRJmqwysggAABoQCAAADVgA==
Date: Wed, 28 Aug 2013 16:01:12 +0000
Message-ID: <e9cc445675f24c19940a6d3428749950@BY2PR03MB189.namprd03.prod.outlook.com>
References: <1373E8CE237FCC43BCA36C6558612D2AA28D6A@USCHMBX001.nsn-intra.net> <4D9D4AAD-55F9-4B7E-A56F-5BC42F028E13@oracle.com> <B14A12F5-EF5C-4529-90B7-C30E17958907@oracle.com> <521E1A34.30204@mitre.org> <ea3ca23616a042928e211e6c79879739@BY2PR03MB189.namprd03.prod.outlook.com> <521E1C70.3070801@mitre.org>
In-Reply-To: <521E1C70.3070801@mitre.org>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
x-originating-ip: [2001:4898:80e0:ed43::3]
x-forefront-prvs: 09525C61DB
x-forefront-antispam-report: SFV:NSPM; SFS:(30513003)(13464003)(24454002)(189002)(199002)(51704005)(52044002)(377424004)(377454003)(479174003)(80976001)(65816001)(31966008)(74502001)(47446002)(74662001)(74706001)(551544002)(80022001)(83072001)(56776001)(54316002)(59766001)(79102001)(76482001)(54356001)(15202345003)(53806001)(16799955002)(77982001)(81816001)(74366001)(69226001)(77096001)(83322001)(19580405001)(63696002)(51856001)(76796001)(74316001)(81542001)(49866001)(81342001)(47736001)(47976001)(50986001)(56816003)(4396001)(76786001)(76576001)(81686001)(74876001)(561944002)(19580395003)(15975445006)(46102001)(33646001)(42262001)(24736002)(3826001); DIR:OUT; SFP:; SCL:1; SRVR:BY2PR03MB191; H:BY2PR03MB189.namprd03.prod.outlook.com; CLIP:2001:4898:80e0:ed43::3; RD:InfoNoRecords; MX:1; A:1; LANG:en; 
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-OriginatorOrg: DuplicateDomain-a84fc36a-4ed7-4e57-ab1c-3e967bcbad48.microsoft.com
Cc: oauth mailing list <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Dynamic Client Registration Conference Call: Wed 28 Aug, 2pm PDT: Conference Bridge Details
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 28 Aug 2013 16:01:33 -0000

So I guess we should have different specifications for different use cases to solve same requirements, I guess we should have done that with OAuth and not worked out common flows, patterns, parameters, etc. I have only seen 2-3 respond to the implementation status, once again people should post if they:

1. have implemented this as is
2. plan on implementing as is
3. what use case they are solving
4. what modifications needed on top of this specification to actually solve use case

-----Original Message-----
From: Justin Richer [mailto:jricher@mitre.org]
Sent: Wednesday, August 28, 2013 8:51 AM
To: Anthony Nadalin
Cc: Phil Hunt; oauth mailing list
Subject: Re: [OAUTH-WG] Dynamic Client Registration Conference Call: Wed 28 Aug, 2pm PDT: Conference Bridge Details

Except that folks are already actually implementing and using the spec, and that all of the discussions around different specs are pretty clearly pointing to different use cases and assumptions about the state of the world.

Your arguments are invalid.

  -- Justin

On 08/28/2013 11:49 AM, Anthony Nadalin wrote:
>> Therefore I once again call for the WG to finish the current dynamic
>> registration spec *AND* pursue the assertion based process that
>> Phil's talking about. They're not mutually exclusive, let's please
>> stop talking
> I see no reason to continue to push finish the current specification when there are so many discussions/issues going on as discussions will only lead to better specifications that folks can actually implement and use.
>
> -----Original Message-----
> From: oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] On Behalf
> Of Justin Richer
> Sent: Wednesday, August 28, 2013 8:42 AM
> To: Phil Hunt
> Cc: oauth mailing list
> Subject: Re: [OAUTH-WG] Dynamic Client Registration Conference Call:
> Wed 28 Aug, 2pm PDT: Conference Bridge Details
>
> Except for the cases where you want step 1 to happen in band. To me, that is a vitally and fundamentally important use case that we can't disregard, and we must have a solution that can accommodate that. The notions of "publisher" and "product" fade very quickly once you get outside of the software vendor world.
>
> This is, of course, not to stand in the way of other solutions or approaches (such as something assertion based like you're after). It's not a one-or-the-other proposition, especially when there are mutually exclusive aspects of each.
>
> Therefore I once again call for the WG to finish the current dynamic registration spec *AND* pursue the assertion based process that Phil's talking about. They're not mutually exclusive, let's please stop talking about them like they are.
>
>    -- Justin
>
> On 08/28/2013 11:17 AM, Phil Hunt wrote:
>> Sorry. I meant also to say I think there are 2 registration steps.
>>
>> 1. Software registration/approval. This often happens out of band. But in this step policy is defined that approves software for use. Many of the reg params are known here.
>>
>> Federation techniques come into play as trust approvals can be based on developer, product or even publisher.
>>
>> 2. Each instance associates in a stateless way. Only clients that need credential rotation need more.
>>
>> Phil
>>
>> On 2013-08-28, at 8:04, Phil Hunt <phil.hunt@oracle.com> wrote:
>>
>>> I have a conflict I cannot get out of for 2pacific.
>>>
>>> I think a certificate based approach is going to simplify exchanges in all cases. I encourage the group to explore the concept on the call.
>>>
>>> I am not sure breaking dyn reg up helps. It creates yet another option. I would like to explore how federation concept in software statements can help with facilitating association and making many reg stateless.
>>>
>>> Phil
>>>
>>> On 2013-08-28, at 5:43, "Tschofenig, Hannes (NSN - FI/Espoo)" <hannes.tschofenig@nsn.com> wrote:
>>>
>>>> Here are the conference bridge / Webex details for the call today.
>>>> We are going to complete the use case discussions from last time
>>>> (Phil wasn't able to walk through all slides). Justin was also able
>>>> to work out a strawman proposal based on the discussions last week
>>>> and we will have a look at it to see whether this is a suitable
>>>> compromise. Here is Justin's mail, in case you have missed it:
>>>> http://www.ietf.org/mail-archive/web/oauth/current/msg12036.html
>>>>
>>>> Phil, please feel free to make adjustments to your slides given Justin's recent proposal.
>>>>
>>>> Topic: OAuth Dynamic Client Registration
>>>> Date: Wednesday, August 28, 2013
>>>> Time: 2:00 pm, Pacific Daylight Time (San Francisco, GMT-07:00)
>>>> Meeting Number: 703 230 586
>>>> Meeting Password: oauth
>>>>
>>>> -------------------------------------------------------
>>>> To join the online meeting
>>>> -------------------------------------------------------
>>>> 1. Go to https://nsn.webex.com/nsn/j.php?ED=269567657&UID=0&PW=NNTI1ZWQzMDJk&RT=MiM0
>>>> 2. Enter your name and email address.
>>>> 3. Enter the meeting password: oauth
>>>> 4. Click "Join Now".
>>>>
>>>> To view in other time zones or languages, please click the link:
>>>> https://nsn.webex.com/nsn/j.php?ED=269567657&UID=0&PW=NNTI1ZWQzMDJk&ORT=MiM0
>>>>
>>>> To add this meeting to your calendar program (for example Microsoft Outlook), click this link:
>>>> https://nsn.webex.com/nsn/j.php?ED=269567657&UID=0&ICS=MI&LD=1&RD=2&ST=1&SHA2=C6-AjLGvhdYjmpVdx75M6UsAwrNLMsequ5n95Gyv1R8=&RT=MiM0
>>>>
>>>> -------------------------------------------------------
>>>> To join the teleconference only
>>>> -------------------------------------------------------
>>>> Global dial-in Numbers: http://www.nokiasiemensnetworks.com/nvc
>>>> Conference Code: 944 910 5485
>>>>
>>>>


From phil.hunt@oracle.com  Wed Aug 28 09:02:35 2013
Return-Path: <phil.hunt@oracle.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DAFFE11E820B for <oauth@ietfa.amsl.com>; Wed, 28 Aug 2013 09:02:35 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.243
X-Spam-Level: 
X-Spam-Status: No, score=-5.243 tagged_above=-999 required=5 tests=[AWL=-0.040, BAYES_00=-2.599, MIME_QP_LONG_LINE=1.396, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id l+sY1gSBMqp4 for <oauth@ietfa.amsl.com>; Wed, 28 Aug 2013 09:02:29 -0700 (PDT)
Received: from userp1040.oracle.com (userp1040.oracle.com [156.151.31.81]) by ietfa.amsl.com (Postfix) with ESMTP id 601BF11E81DB for <oauth@ietf.org>; Wed, 28 Aug 2013 09:02:29 -0700 (PDT)
Received: from ucsinet21.oracle.com (ucsinet21.oracle.com [156.151.31.93]) by userp1040.oracle.com (Sentrion-MTA-4.3.1/Sentrion-MTA-4.3.1) with ESMTP id r7SG2Si0009275 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK); Wed, 28 Aug 2013 16:02:29 GMT
Received: from aserz7021.oracle.com (aserz7021.oracle.com [141.146.126.230]) by ucsinet21.oracle.com (8.14.4+Sun/8.14.4) with ESMTP id r7SG2RSN019677 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Wed, 28 Aug 2013 16:02:28 GMT
Received: from abhmt117.oracle.com (abhmt117.oracle.com [141.146.116.69]) by aserz7021.oracle.com (8.14.4+Sun/8.14.4) with ESMTP id r7SG2Rwu016004; Wed, 28 Aug 2013 16:02:27 GMT
Received: from [192.168.1.125] (/24.86.29.34) by default (Oracle Beehive Gateway v4.0) with ESMTP ; Wed, 28 Aug 2013 09:02:27 -0700
References: <1373E8CE237FCC43BCA36C6558612D2AA28D6A@USCHMBX001.nsn-intra.net> <4D9D4AAD-55F9-4B7E-A56F-5BC42F028E13@oracle.com> <B14A12F5-EF5C-4529-90B7-C30E17958907@oracle.com> <521E1A34.30204@mitre.org>
Mime-Version: 1.0 (1.0)
In-Reply-To: <521E1A34.30204@mitre.org>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: quoted-printable
Message-Id: <BC009D74-FEF3-4827-8C0D-1B2FCCF9DA65@oracle.com>
X-Mailer: iPhone Mail (10B329)
From: Phil Hunt <phil.hunt@oracle.com>
Date: Wed, 28 Aug 2013 09:02:24 -0700
To: Justin Richer <jricher@mitre.org>
X-Source-IP: ucsinet21.oracle.com [156.151.31.93]
Cc: oauth mailing list <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Dynamic Client Registration Conference Call: Wed 28 Aug, 2pm PDT: Conference Bridge Details
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 28 Aug 2013 16:02:36 -0000

Please define the all in one case. I think this is the edge case and is in fact rare.

I agree, in many cases step 1 can be made by simply approving a class of software. But then step 2 is simplified.

Dyn reg assumes every registration of an instance is unique which to me is a very extreme position.

Phil

On 2013-08-28, at 8:41, Justin Richer <jricher@mitre.org> wrote:

> Except for the cases where you want step 1 to happen in band. To me, that is a vitally and fundamentally important use case that we can't disregard, and we must have a solution that can accommodate that. The notions of "publisher" and "product" fade very quickly once you get outside of the software vendor world.
>
> This is, of course, not to stand in the way of other solutions or approaches (such as something assertion based like you're after). It's not a one-or-the-other proposition, especially when there are mutually exclusive aspects of each.
>
> Therefore I once again call for the WG to finish the current dynamic registration spec *AND* pursue the assertion based process that Phil's talking about. They're not mutually exclusive, let's please stop talking about them like they are.
>
> -- Justin
>
> On 08/28/2013 11:17 AM, Phil Hunt wrote:
>> Sorry. I meant also to say I think there are 2 registration steps.
>>
>> 1. Software registration/approval. This often happens out of band. But in this step policy is defined that approves software for use. Many of the reg params are known here.
>>
>> Federation techniques come into play as trust approvals can be based on developer, product or even publisher.
>>
>> 2. Each instance associates in a stateless way. Only clients that need credential rotation need more.
>>
>> Phil
>>
>> On 2013-08-28, at 8:04, Phil Hunt <phil.hunt@oracle.com> wrote:
>>
>>> I have a conflict I cannot get out of for 2pacific.
>>>
>>> I think a certificate based approach is going to simplify exchanges in all cases. I encourage the group to explore the concept on the call.
>>>
>>> I am not sure breaking dyn reg up helps. It creates yet another option. I would like to explore how federation concept in software statements can help with facilitating association and making many reg stateless.
>>>
>>> Phil
>>>
>>> On 2013-08-28, at 5:43, "Tschofenig, Hannes (NSN - FI/Espoo)" <hannes.tschofenig@nsn.com> wrote:
>>>
>>>> Here are the conference bridge / Webex details for the call today.
>>>> We are going to complete the use case discussions from last time (Phil wasn't able to walk through all slides). Justin was also able to work out a strawman proposal based on the discussions last week and we will have a look at it to see whether this is a suitable compromise. Here is Justin's mail, in case you have missed it: http://www.ietf.org/mail-archive/web/oauth/current/msg12036.html
>>>>
>>>> Phil, please feel free to make adjustments to your slides given Justin's recent proposal.
>>>>
>>>> Topic: OAuth Dynamic Client Registration
>>>> Date: Wednesday, August 28, 2013
>>>> Time: 2:00 pm, Pacific Daylight Time (San Francisco, GMT-07:00)
>>>> Meeting Number: 703 230 586
>>>> Meeting Password: oauth
>>>>
>>>> -------------------------------------------------------
>>>> To join the online meeting
>>>> -------------------------------------------------------
>>>> 1. Go to https://nsn.webex.com/nsn/j.php?ED=269567657&UID=0&PW=NNTI1ZWQzMDJk&RT=MiM0
>>>> 2. Enter your name and email address.
>>>> 3. Enter the meeting password: oauth
>>>> 4. Click "Join Now".
>>>>
>>>> To view in other time zones or languages, please click the link:
>>>> https://nsn.webex.com/nsn/j.php?ED=269567657&UID=0&PW=NNTI1ZWQzMDJk&ORT=MiM0
>>>>
>>>> To add this meeting to your calendar program (for example Microsoft Outlook), click this link:
>>>> https://nsn.webex.com/nsn/j.php?ED=269567657&UID=0&ICS=MI&LD=1&RD=2&ST=1&SHA2=C6-AjLGvhdYjmpVdx75M6UsAwrNLMsequ5n95Gyv1R8=&RT=MiM0
>>>>
>>>> -------------------------------------------------------
>>>> To join the teleconference only
>>>> -------------------------------------------------------
>>>> Global dial-in Numbers: http://www.nokiasiemensnetworks.com/nvc
>>>> Conference Code: 944 910 5485
>>>>
>>>>

From jricher@mitre.org  Wed Aug 28 09:07:34 2013
Return-Path: <jricher@mitre.org>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 062E711E8215 for <oauth@ietfa.amsl.com>; Wed, 28 Aug 2013 09:07:34 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.485
X-Spam-Level: 
X-Spam-Status: No, score=-6.485 tagged_above=-999 required=5 tests=[AWL=0.114,  BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id hcm2UvK4igSM for <oauth@ietfa.amsl.com>; Wed, 28 Aug 2013 09:07:21 -0700 (PDT)
Received: from smtpksrv1.mitre.org (smtpksrv1.mitre.org [198.49.146.77]) by ietfa.amsl.com (Postfix) with ESMTP id 6335711E820D for <oauth@ietf.org>; Wed, 28 Aug 2013 09:07:08 -0700 (PDT)
Received: from smtpksrv1.mitre.org (localhost.localdomain [127.0.0.1]) by localhost (Postfix) with SMTP id 2B5DA1F0A09; Wed, 28 Aug 2013 12:06:58 -0400 (EDT)
Received: from IMCCAS02.MITRE.ORG (imccas02.mitre.org [129.83.29.79]) by smtpksrv1.mitre.org (Postfix) with ESMTP id 144BD1F0732; Wed, 28 Aug 2013 12:06:58 -0400 (EDT)
Received: from [10.146.15.13] (129.83.31.56) by IMCCAS02.MITRE.ORG (129.83.29.79) with Microsoft SMTP Server (TLS) id 14.2.342.3; Wed, 28 Aug 2013 12:06:57 -0400
Message-ID: <521E2018.3020906@mitre.org>
Date: Wed, 28 Aug 2013 12:06:48 -0400
From: Justin Richer <jricher@mitre.org>
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:17.0) Gecko/20130623 Thunderbird/17.0.7
MIME-Version: 1.0
To: Anthony Nadalin <tonynad@microsoft.com>
References: <1373E8CE237FCC43BCA36C6558612D2AA28D6A@USCHMBX001.nsn-intra.net> <4D9D4AAD-55F9-4B7E-A56F-5BC42F028E13@oracle.com> <B14A12F5-EF5C-4529-90B7-C30E17958907@oracle.com> <521E1A34.30204@mitre.org> <ea3ca23616a042928e211e6c79879739@BY2PR03MB189.namprd03.prod.outlook.com> <521E1C70.3070801@mitre.org> <e9cc445675f24c19940a6d3428749950@BY2PR03MB189.namprd03.prod.outlook.com>
In-Reply-To: <e9cc445675f24c19940a6d3428749950@BY2PR03MB189.namprd03.prod.outlook.com>
Content-Type: text/plain; charset="ISO-8859-1"; format=flowed
Content-Transfer-Encoding: 7bit
X-Originating-IP: [129.83.31.56]
Cc: oauth mailing list <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Dynamic Client Registration Conference Call: Wed 28 Aug, 2pm PDT: Conference Bridge Details
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 28 Aug 2013 16:07:34 -0000

I think it makes perfect sense to have different specs for different 
use cases to solve different requirements (and the requirements *are* 
different -- you keep bringing up fully stateless registration and 
that's just not a requirement for many people). The different specs can 
(and should) use common parameters and data models where it makes sense, 
and differ where it makes sense. You know, just like we did with the 
OAuth flows. There's a reason that the Client Credentials flow doesn't 
use the authorization endpoint, but the Code flow does. And there's also 
a reason why the "grant_type" parameter is an explicit extension point 
in OAuth.

The as-of-yet-completely-unspecified-and-unimplemented software 
assertions based "spec" can re-use the client model from the current 
dyn-reg, if it wants to and it makes sense to. It can use the same 
parameter names. Nobody's saying not to do that, Tony. But in addition 
to the responders who have implemented Dyn-Reg as it is, I'd like to 
hear from people who have implemented the stateless proposal as well. 
Anyone?

  -- Justin


On 08/28/2013 12:01 PM, Anthony Nadalin wrote:
> So I guess we should have different specifications for different use cases to solve same requirements, I guess we should have done that with OAuth and not worked out common flows, patterns, parameters, etc. I have only seen 2-3 respond to the implementation status, once again people should post if they:
>
> 1. have implemented this as is
> 2. plan on implementing as is
> 3. what use case they are solving
> 4. what modifications needed on top of this specification to actually solve use case
>
> -----Original Message-----
> From: Justin Richer [mailto:jricher@mitre.org]
> Sent: Wednesday, August 28, 2013 8:51 AM
> To: Anthony Nadalin
> Cc: Phil Hunt; oauth mailing list
> Subject: Re: [OAUTH-WG] Dynamic Client Registration Conference Call: Wed 28 Aug, 2pm PDT: Conference Bridge Details
>
> Except that folks are already actually implementing and using the spec, and that all of the discussions around different specs are pretty clearly pointing to different use cases and assumptions about the state of the world.
>
> Your arguments are invalid.
>
>    -- Justin
>
> On 08/28/2013 11:49 AM, Anthony Nadalin wrote:
>>> Therefore I once again call for the WG to finish the current dynamic
>>> registration spec *AND* pursue the assertion based process that
>>> Phil's talking about. They're not mutually exclusive, let's please
>>> stop talking
>> I see no reason to continue to push finish the current specification when there are so many discussions/issues going on as discussions will only lead to better specifications that folks can actually implement and use.
>>
>> -----Original Message-----
>> From: oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] On Behalf
>> Of Justin Richer
>> Sent: Wednesday, August 28, 2013 8:42 AM
>> To: Phil Hunt
>> Cc: oauth mailing list
>> Subject: Re: [OAUTH-WG] Dynamic Client Registration Conference Call:
>> Wed 28 Aug, 2pm PDT: Conference Bridge Details
>>
>> Except for the cases where you want step 1 to happen in band. To me, that is a vitally and fundamentally important use case that we can't disregard, and we must have a solution that can accommodate that. The notions of "publisher" and "product" fade very quickly once you get outside of the software vendor world.
>>
>> This is, of course, not to stand in the way of other solutions or approaches (such as something assertion based like you're after). It's not a one-or-the-other proposition, especially when there are mutually exclusive aspects of each.
>>
>> Therefore I once again call for the WG to finish the current dynamic registration spec *AND* pursue the assertion based process that Phil's talking about. They're not mutually exclusive, let's please stop talking about them like they are.
>>
>>     -- Justin
>>
>> On 08/28/2013 11:17 AM, Phil Hunt wrote:
>>> Sorry. I meant also to say I think there are 2 registration steps.
>>>
>>> 1. Software registration/approval. This often happens out of band. But in this step policy is defined that approves software for use. Many of the reg params are known here.
>>>
>>> Federation techniques come into play as trust approvals can be based on developer, product or even publisher.
>>>
>>> 2. Each instance associates in a stateless way. Only clients that need credential rotation need more.
>>>
>>> Phil
>>>
>>> On 2013-08-28, at 8:04, Phil Hunt <phil.hunt@oracle.com> wrote:
>>>
>>>> I have a conflict I cannot get out of for 2pacific.
>>>>
>>>> I think a certificate based approach is going to simplify exchanges in all cases. I encourage the group to explore the concept on the call.
>>>>
>>>> I am not sure breaking dyn reg up helps. It creates yet another option. I would like to explore how federation concept in software statements can help with facilitating association and making many reg stateless.
>>>>
>>>> Phil
>>>>
>>>> On 2013-08-28, at 5:43, "Tschofenig, Hannes (NSN - FI/Espoo)" <hannes.tschofenig@nsn.com> wrote:
>>>>
>>>>> Here are the conference bridge / Webex details for the call today.
>>>>> We are going to complete the use case discussions from last time
>>>>> (Phil wasn't able to walk through all slides). Justin was also able
>>>>> to work out a strawman proposal based on the discussions last week
>>>>> and we will have a look at it to see whether this is a suitable
>>>>> compromise. Here is Justin's mail, in case you have missed it:
>>>>> http://www.ietf.org/mail-archive/web/oauth/current/msg12036.html
>>>>>
>>>>> Phil, please feel free to make adjustments to your slides given Justin's recent proposal.
>>>>>
>>>>> Topic: OAuth Dynamic Client Registration
>>>>> Date: Wednesday, August 28, 2013
>>>>> Time: 2:00 pm, Pacific Daylight Time (San Francisco, GMT-07:00)
>>>>> Meeting Number: 703 230 586
>>>>> Meeting Password: oauth
>>>>>
>>>>> -------------------------------------------------------
>>>>> To join the online meeting
>>>>> -------------------------------------------------------
>>>>> 1. Go to https://nsn.webex.com/nsn/j.php?ED=269567657&UID=0&PW=NNTI1ZWQzMDJk&RT=MiM0
>>>>> 2. Enter your name and email address.
>>>>> 3. Enter the meeting password: oauth
>>>>> 4. Click "Join Now".
>>>>>
>>>>> To view in other time zones or languages, please click the link:
>>>>> https://nsn.webex.com/nsn/j.php?ED=269567657&UID=0&PW=NNTI1ZWQzMDJk&ORT=MiM0
>>>>>
>>>>> To add this meeting to your calendar program (for example Microsoft Outlook), click this link:
>>>>> https://nsn.webex.com/nsn/j.php?ED=269567657&UID=0&ICS=MI&LD=1&RD=2&ST=1&SHA2=C6-AjLGvhdYjmpVdx75M6UsAwrNLMsequ5n95Gyv1R8=&RT=MiM0
>>>>>
>>>>> -------------------------------------------------------
>>>>> To join the teleconference only
>>>>> -------------------------------------------------------
>>>>> Global dial-in Numbers: http://www.nokiasiemensnetworks.com/nvc
>>>>> Conference Code: 944 910 5485
>>>>>
>>>>>


From jricher@mitre.org  Wed Aug 28 09:08:54 2013
Return-Path: <jricher@mitre.org>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id F19D811E81FE for <oauth@ietfa.amsl.com>; Wed, 28 Aug 2013 09:08:53 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.488
X-Spam-Level: 
X-Spam-Status: No, score=-6.488 tagged_above=-999 required=5 tests=[AWL=0.111,  BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id hDmLHH8mtZud for <oauth@ietfa.amsl.com>; Wed, 28 Aug 2013 09:08:49 -0700 (PDT)
Received: from smtpksrv1.mitre.org (smtpksrv1.mitre.org [198.49.146.77]) by ietfa.amsl.com (Postfix) with ESMTP id 4B20611E81B4 for <oauth@ietf.org>; Wed, 28 Aug 2013 09:08:49 -0700 (PDT)
Received: from smtpksrv1.mitre.org (localhost.localdomain [127.0.0.1]) by localhost (Postfix) with SMTP id 83BF822601B4; Wed, 28 Aug 2013 12:08:48 -0400 (EDT)
Received: from IMCCAS01.MITRE.ORG (imccas01.mitre.org [129.83.29.78]) by smtpksrv1.mitre.org (Postfix) with ESMTP id 7254822601D2; Wed, 28 Aug 2013 12:08:48 -0400 (EDT)
Received: from [10.146.15.13] (129.83.31.56) by IMCCAS01.MITRE.ORG (129.83.29.78) with Microsoft SMTP Server (TLS) id 14.2.342.3; Wed, 28 Aug 2013 12:08:48 -0400
Message-ID: <521E2086.1010007@mitre.org>
Date: Wed, 28 Aug 2013 12:08:38 -0400
From: Justin Richer <jricher@mitre.org>
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:17.0) Gecko/20130623 Thunderbird/17.0.7
MIME-Version: 1.0
To: Phil Hunt <phil.hunt@oracle.com>
References: <1373E8CE237FCC43BCA36C6558612D2AA28D6A@USCHMBX001.nsn-intra.net> <4D9D4AAD-55F9-4B7E-A56F-5BC42F028E13@oracle.com> <B14A12F5-EF5C-4529-90B7-C30E17958907@oracle.com> <521E1A34.30204@mitre.org> <BC009D74-FEF3-4827-8C0D-1B2FCCF9DA65@oracle.com>
In-Reply-To: <BC009D74-FEF3-4827-8C0D-1B2FCCF9DA65@oracle.com>
Content-Type: text/plain; charset="ISO-8859-1"; format=flowed
Content-Transfer-Encoding: 7bit
X-Originating-IP: [129.83.31.56]
Cc: oauth mailing list <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Dynamic Client Registration Conference Call: Wed 28 Aug, 2pm PDT: Conference Bridge Details
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 28 Aug 2013 16:08:54 -0000

I set up an auth server to protect my API, my users download a piece of 
software that speaks the API to access their data. Where is my server 
supposed to get the list of "approved" software classes from? Are you 
assuming a central registry per API? Or is it going to be 
provider-specific? If the latter, why wouldn't you just do manual 
registration and not use dynamic registration at all? After all, manual 
registration will always still be a valid option.

  -- Justin

On 08/28/2013 12:02 PM, Phil Hunt wrote:
> Please define the all in one case. I think this is the edge case and is in fact rare.
>
> I agree, in many cases step 1 can be made by simply approving a class of software. But then step 2 is simplified.
>
> Dyn reg assumes every registration of an instance is unique which to me is a very extreme position.
>
> Phil
>
> On 2013-08-28, at 8:41, Justin Richer <jricher@mitre.org> wrote:
>
>> Except for the cases where you want step 1 to happen in band. To me, that is a vitally and fundamentally important use case that we can't disregard, and we must have a solution that can accommodate that. The notions of "publisher" and "product" fade very quickly once you get outside of the software vendor world.
>>
>> This is, of course, not to stand in the way of other solutions or approaches (such as something assertion based like you're after). It's not a one-or-the-other proposition, especially when there are mutually exclusive aspects of each.
>>
>> Therefore I once again call for the WG to finish the current dynamic registration spec *AND* pursue the assertion based process that Phil's talking about. They're not mutually exclusive, let's please stop talking about them like they are.
>>
>> -- Justin
>>
>> On 08/28/2013 11:17 AM, Phil Hunt wrote:
>>> Sorry. I meant also to say I think there are 2 registration steps.
>>>
>>> 1. Software registration/approval. This often happens out of band. But in this step policy is defined that approves software for use. Many of the reg params are known here.
>>>
>>> Federation techniques come into play as trust approvals can be based on developer, product or even publisher.
>>>
>>> 2. Each instance associates in a stateless way. Only clients that need credential rotation need more.
>>>
>>> Phil
>>>
>>> On 2013-08-28, at 8:04, Phil Hunt <phil.hunt@oracle.com> wrote:
>>>
>>>> I have a conflict I cannot get out of for 2pacific.
>>>>
>>>> I think a certificate based approach is going to simplify exchanges in all cases. I encourage the group to explore the concept on the call.
>>>>
>>>> I am not sure breaking dyn reg up helps. It creates yet another option. I would like to explore how federation concept in software statements can help with facilitating association and making many reg stateless.
>>>>
>>>> Phil
>>>>
>>>> On 2013-08-28, at 5:43, "Tschofenig, Hannes (NSN - FI/Espoo)" <hannes.tschofenig@nsn.com> wrote:
>>>>
>>>>> Here are the conference bridge / Webex details for the call today.
>>>>> We are going to complete the use case discussions from last time (Phil wasn't able to walk through all slides). Justin was also able to work out a strawman proposal based on the discussions last week and we will have a look at it to see whether this is a suitable compromise. Here is Justin's mail, in case you have missed it: http://www.ietf.org/mail-archive/web/oauth/current/msg12036.html
>>>>>
>>>>> Phil, please feel free to make adjustments to your slides given Justin's recent proposal.
>>>>>
>>>>> Topic: OAuth Dynamic Client Registration
>>>>> Date: Wednesday, August 28, 2013
>>>>> Time: 2:00 pm, Pacific Daylight Time (San Francisco, GMT-07:00)
>>>>> Meeting Number: 703 230 586
>>>>> Meeting Password: oauth
>>>>>
>>>>> -------------------------------------------------------
>>>>> To join the online meeting
>>>>> -------------------------------------------------------
>>>>> 1. Go to https://nsn.webex.com/nsn/j.php?ED=269567657&UID=0&PW=NNTI1ZWQzMDJk&RT=MiM0
>>>>> 2. Enter your name and email address.
>>>>> 3. Enter the meeting password: oauth
>>>>> 4. Click "Join Now".
>>>>>
>>>>> To view in other time zones or languages, please click the link:
>>>>> https://nsn.webex.com/nsn/j.php?ED=269567657&UID=0&PW=NNTI1ZWQzMDJk&ORT=MiM0
>>>>>
>>>>> To add this meeting to your calendar program (for example Microsoft Outlook), click this link:
>>>>> https://nsn.webex.com/nsn/j.php?ED=269567657&UID=0&ICS=MI&LD=1&RD=2&ST=1&SHA2=C6-AjLGvhdYjmpVdx75M6UsAwrNLMsequ5n95Gyv1R8=&RT=MiM0
>>>>>
>>>>> -------------------------------------------------------
>>>>> To join the teleconference only
>>>>> -------------------------------------------------------
>>>>> Global dial-in Numbers: http://www.nokiasiemensnetworks.com/nvc
>>>>> Conference Code: 944 910 5485
>>>>>
>>>>>
>>>>> _______________________________________________
>>>>> OAuth mailing list
>>>>> OAuth@ietf.org
>>>>> https://www.ietf.org/mailman/listinfo/oauth


From sberyozkin@gmail.com  Wed Aug 28 09:13:01 2013
Return-Path: <sberyozkin@gmail.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2D29411E8226 for <oauth@ietfa.amsl.com>; Wed, 28 Aug 2013 09:13:01 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.449
X-Spam-Level: 
X-Spam-Status: No, score=-2.449 tagged_above=-999 required=5 tests=[AWL=0.150,  BAYES_00=-2.599]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 4QX4JMk4T8Hq for <oauth@ietfa.amsl.com>; Wed, 28 Aug 2013 09:12:55 -0700 (PDT)
Received: from mail-ee0-x22c.google.com (mail-ee0-x22c.google.com [IPv6:2a00:1450:4013:c00::22c]) by ietfa.amsl.com (Postfix) with ESMTP id EF86911E8211 for <oauth@ietf.org>; Wed, 28 Aug 2013 09:12:54 -0700 (PDT)
Received: by mail-ee0-f44.google.com with SMTP id b47so3086222eek.31 for <oauth@ietf.org>; Wed, 28 Aug 2013 09:12:54 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=message-id:date:from:user-agent:mime-version:to:subject:references :in-reply-to:content-type:content-transfer-encoding; bh=IowF68E+mYt2j1a8doOJarkiChcATgT7NdHXqEbew6g=; b=foCkX3Sbdf5GZZAdLbGMIWGQ+QV7yDtFK5O/F4qt/lUcUJt9xd10gE6yweIBiVwsqo XTWFnxIxjStURDA6B/vVvYSlAl4vYOL5UcHhvaui7n+B9lFktKlGjp7oHIIeLq2LkYdC rflQjLbQ/OxGSkurtrCiAmTrWA5aFxrtqOZrBB3vJovR4aLejbtMgWYOPW0Joz6Dhi/E wl6bXVVEgOjLB2awB7kYdkAKQ5Jwz1IVZREXAHAPVlRAR7YgJiD7BTKbKRx8kpAv7Twq vJwlZDbF7BVWjBGBhzUvLBQToEniHaAaTYBNdXpmbtlFuJmDDiqPt9QDmFQWiq/VwRl4 uIXw==
X-Received: by 10.14.99.193 with SMTP id x41mr4273907eef.52.1377706374035; Wed, 28 Aug 2013 09:12:54 -0700 (PDT)
Received: from [192.168.2.5] ([89.100.141.107]) by mx.google.com with ESMTPSA id x47sm38626859eea.16.1969.12.31.16.00.00 (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Wed, 28 Aug 2013 09:12:53 -0700 (PDT)
Message-ID: <521E2183.1010007@gmail.com>
Date: Wed, 28 Aug 2013 17:12:51 +0100
From: Sergey Beryozkin <sberyozkin@gmail.com>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:17.0) Gecko/20130623 Thunderbird/17.0.7
MIME-Version: 1.0
To: oauth@ietf.org
References: <20130730095129.29309.12243.idtracker@ietfa.amsl.com> <CABzCy2CC3Oi2J7GZJVBa07=xtjMXvy9ah_h_ZwwZQXDd4qtSzw@mail.gmail.com> <CABzCy2Ax56ithEc2AvKCqybzK9RjV1cDYPoKdj7DBu6euj8F7w@mail.gmail.com>
In-Reply-To: <CABzCy2Ax56ithEc2AvKCqybzK9RjV1cDYPoKdj7DBu6euj8F7w@mail.gmail.com>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Subject: Re: [OAUTH-WG] New Version Notification for draft-sakimura-oauth-tcse-00.txt
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 28 Aug 2013 16:13:01 -0000

Hi,

Can you consider replacing "tcs" and "tcsh" with "temp_client_secret" 
and "temp_client_secret_hash"? In OAuth2 we have "client_id", 
"client_secret" (ex, in dyn reg), and having a temp variant of 
"client_secret" called "tcs" seems a bit cryptic to me :-), not a big 
issue though.

Sergey

On 30/07/13 16:36, Nat Sakimura wrote:
> Hi.
>
> I had to fix a few issues with the previous draft text.
> No normative changes, but just removed some extra text.
>
> Nat
>
> ---------- Forwarded message ----------
> From: <internet-drafts@ietf.org>
> Date: 2013/7/31
> Subject: New Version Notification for draft-sakimura-oauth-tcse-01.txt
> To: Nat Sakimura <sakimura@gmail.com>, John Bradley
> <jbradley@pingidentity.com>, Naveen Agarwal <naa@google.com>
>
>
>
> A new version of I-D, draft-sakimura-oauth-tcse-01.txt
> has been successfully submitted by Nat Sakimura and posted to the
> IETF repository.
>
> Filename:        draft-sakimura-oauth-tcse
> Revision:        01
> Title:           OAuth Transient Client Secret Extension for Public Clients
> Creation date:   2013-07-30
> Group:           Individual Submission
> Number of pages: 7
> URL: http://www.ietf.org/internet-drafts/draft-sakimura-oauth-tcse-01.txt
> Status: http://datatracker.ietf.org/doc/draft-sakimura-oauth-tcse
> Htmlized: http://tools.ietf.org/html/draft-sakimura-oauth-tcse-01
> Diff: http://www.ietf.org/rfcdiff?url2=draft-sakimura-oauth-tcse-01
>
> Abstract:
>     The OAuth 2.0 public client utilizing authorization code grant is
>     susceptible to the code interception attack.  This specification
>     describes a mechanism that acts as a control against this threat.
>
>
>
>
>
> Please note that it may take a couple of minutes from the time of submission
> until the htmlized version and diff are available at tools.ietf.org.
>
> The IETF Secretariat
>
>
>
>
> --
> Nat Sakimura (=nat)
> Chairman, OpenID Foundation
> http://nat.sakimura.org/
> @_nat_en
>
>
> 2013/7/30 Nat Sakimura <sakimura@gmail.com>
>
>     As some of you know, passing the authorization code securely to a
>     native app on iOS platform is next to impossible. Malicious
>     application may register the same custom scheme as the victim
>     application and hope to obtain the code, whose success rate is
>     rather high.
>
>     We have discussed it during the OpenID Connect Meeting at IETF
>     87 on Sunday, and over a lengthy thread on the OpenID AB/Connect
>     work group list. I have captured the discussion in the form of I-D.
>     It is pretty short and hopefully easy to read.
>
>     IMHO, although it came up as an issue in OpenID Connect, this is a
>     quite useful extension to OAuth 2.0 in general.
>
>     Best,
>
>     Nat Sakimura
>
>     ---------- Forwarded message ----------
>     From: <internet-drafts@ietf.org>
>     Date: 2013/7/30
>     Subject: New Version Notification for draft-sakimura-oauth-tcse-00.txt
>     To: Nat Sakimura <sakimura@gmail.com>, John Bradley
>     <jbradley@pingidentity.com>, Naveen Agarwal <naa@google.com>
>
>
>
>     A new version of I-D, draft-sakimura-oauth-tcse-00.txt
>     has been successfully submitted by Nat Sakimura and posted to the
>     IETF repository.
>
>     Filename:        draft-sakimura-oauth-tcse
>     Revision:        00
>     Title:           OAuth Transient Client Secret Extension for Public Clients
>     Creation date:   2013-07-29
>     Group:           Individual Submission
>     Number of pages: 7
>     URL: http://www.ietf.org/internet-drafts/draft-sakimura-oauth-tcse-00.txt
>     Status: http://datatracker.ietf.org/doc/draft-sakimura-oauth-tcse
>     Htmlized: http://tools.ietf.org/html/draft-sakimura-oauth-tcse-00
>
>
>     Abstract:
>         The OAuth 2.0 public client utilizing code flow is susceptible to the
>         code interception attack.  This specification describes a mechanism
>         that acts as a control against this threat.
>
>
>
>
>
>     Please note that it may take a couple of minutes from the time of
>     submission until the htmlized version and diff are available at
>     tools.ietf.org.
>
>     The IETF Secretariat
>
>
>
>
>     --
>     Nat Sakimura (=nat)
>     Chairman, OpenID Foundation
>     http://nat.sakimura.org/
>     @_nat_en
>
>
>
>
> --
> Nat Sakimura (=nat)
> Chairman, OpenID Foundation
> http://nat.sakimura.org/
> @_nat_en
>
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>
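
Added example, not part of the message above or of the draft: a toy in-memory authorization server showing why binding the authorization code to "tcsh" stops an app that intercepts the custom-scheme redirect, next to the same flow without the extension. Assumptions (the thread gives only the parameter names): tcsh travels with the authorization request, tcs with the token request, and tcsh is the unpadded base64url SHA-256 of tcs; all class and function names are hypothetical.

```python
import base64
import hashlib
import hmac
import secrets


def make_tcs() -> str:
    """Client side: fresh high-entropy transient secret, one per authorization request."""
    return secrets.token_urlsafe(32)


def tcs_hash(tcs: str) -> str:
    """Assumed transform (not taken from the thread): unpadded base64url of SHA-256(tcs)."""
    digest = hashlib.sha256(tcs.encode("utf-8")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


class TokenError(Exception):
    """Raised when the authorization or token endpoint refuses a request."""


class AuthorizationServer:
    """Toy in-memory server for a public client (no client_secret)."""

    def __init__(self, require_tcs: bool):
        self.require_tcs = require_tcs
        self._codes = {}  # code -> (client_id, tcsh or None)

    def authorize(self, client_id, tcsh=None):
        if self.require_tcs and not tcsh:
            raise TokenError("authorization request lacks tcsh")
        code = secrets.token_urlsafe(16)
        self._codes[code] = (client_id, tcsh)
        return code  # delivered to the device via the custom-scheme redirect

    def token(self, client_id, code, tcs=None):
        # Single use: any redemption attempt consumes the code.
        entry = self._codes.pop(code, None)
        if entry is None:
            raise TokenError("unknown or already used code")
        bound_client, tcsh = entry
        if client_id != bound_client:
            raise TokenError("client_id mismatch")
        if self.require_tcs:
            # Constant-time comparison of the recomputed hash with the bound one.
            if tcs is None or not hmac.compare_digest(tcs_hash(tcs), tcsh):
                raise TokenError("tcs does not match tcsh")
        return "access-token-" + secrets.token_urlsafe(8)


def redeem(server, client_id, code, tcs=None):
    """True when the token endpoint issues a token, False when it refuses."""
    try:
        server.token(client_id, code, tcs)
        return True
    except TokenError:
        return False


def demo():
    client_id = "example-native-app"  # constructed; public, so any app can know it
    results = {}

    # Without the extension: whoever receives the redirect can redeem the code.
    plain = AuthorizationServer(require_tcs=False)
    code = plain.authorize(client_id)
    results["plain_interceptor"] = redeem(plain, client_id, code)

    # With the extension: the interceptor sees the code (and at most tcsh), never tcs.
    hardened = AuthorizationServer(require_tcs=True)
    tcs = make_tcs()
    tcsh = tcs_hash(tcs)

    code = hardened.authorize(client_id, tcsh)
    results["hardened_interceptor_no_tcs"] = redeem(hardened, client_id, code)

    code = hardened.authorize(client_id, tcsh)
    results["hardened_interceptor_replays_tcsh"] = redeem(hardened, client_id, code, tcs=tcsh)

    code = hardened.authorize(client_id, tcsh)
    results["hardened_legit_client"] = redeem(hardened, client_id, code, tcs=tcs)
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'token issued' if ok else 'refused'}")
```

Because the code is consumed on any redemption attempt, an interceptor that races the legitimate app can still make that one login fail, but it does not obtain a token.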


From gffletch@aol.com  Wed Aug 28 09:20:48 2013
Return-Path: <gffletch@aol.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 867BC11E81FE for <oauth@ietfa.amsl.com>; Wed, 28 Aug 2013 09:20:48 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.398
X-Spam-Level: 
X-Spam-Status: No, score=-2.398 tagged_above=-999 required=5 tests=[AWL=0.200,  BAYES_00=-2.599, HTML_MESSAGE=0.001]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id JbYAm2aYuhDz for <oauth@ietfa.amsl.com>; Wed, 28 Aug 2013 09:20:38 -0700 (PDT)
Received: from omr-d04.mx.aol.com (omr-d04.mx.aol.com [205.188.109.201]) by ietfa.amsl.com (Postfix) with ESMTP id 0C4A921F9D0C for <oauth@ietf.org>; Wed, 28 Aug 2013 09:20:38 -0700 (PDT)
Received: from mtaout-mb06.r1000.mx.aol.com (mtaout-mb06.r1000.mx.aol.com [172.29.41.70]) by omr-d04.mx.aol.com (Outbound Mail Relay) with ESMTP id B7DE4700000A0; Wed, 28 Aug 2013 12:20:36 -0400 (EDT)
Received: from palantir.local (unknown [10.181.176.48]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by mtaout-mb06.r1000.mx.aol.com (MUA/Third Party Client Interface) with ESMTPSA id 766C0E00009D; Wed, 28 Aug 2013 12:20:35 -0400 (EDT)
Message-ID: <521E2353.2030904@aol.com>
Date: Wed, 28 Aug 2013 12:20:35 -0400
From: George Fletcher <gffletch@aol.com>
Organization: AOL LLC
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:17.0) Gecko/20130801 Thunderbird/17.0.8
MIME-Version: 1.0
To: Phil Hunt <phil.hunt@oracle.com>
References: <1373E8CE237FCC43BCA36C6558612D2AA28D6A@USCHMBX001.nsn-intra.net> <4D9D4AAD-55F9-4B7E-A56F-5BC42F028E13@oracle.com> <B14A12F5-EF5C-4529-90B7-C30E17958907@oracle.com> <521E1A34.30204@mitre.org> <BC009D74-FEF3-4827-8C0D-1B2FCCF9DA65@oracle.com>
In-Reply-To: <BC009D74-FEF3-4827-8C0D-1B2FCCF9DA65@oracle.com>
Content-Type: multipart/alternative; boundary="------------030302030309090109010109"
x-aol-global-disposition: G
X-AOL-VSS-INFO: 5400.1158/93304
X-AOL-VSS-CODE: clean
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=mx.aol.com; s=20121107; t=1377706835; bh=5yZYRdOPWQFqANYiXQnqkyOFt71ehTipi57teMgd0Zo=; h=From:To:Subject:Message-ID:Date:MIME-Version:Content-Type; b=XZhsC1Lk0YskalxuFkjfmq8L1wNCjX/HuuAT5rWN/+O8YNvsJffgGiL7po5zujkwM OUKHrP8Qk4YLoxKRKgbcZBJGkdDjsw8frOsbOY3TaTIEqZvgq80r24qXyHAoQUEsKW T+cRAFLkoAkFHYumffQxDbJpiwiqM4pyYIP0cMMk=
x-aol-sid: 3039ac1d2946521e235349c6
X-AOL-IP: 10.181.176.48
Cc: oauth mailing list <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Dynamic Client Registration Conference Call: Wed 28 Aug, 2pm PDT: Conference Bridge Details
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 28 Aug 2013 16:20:48 -0000

This is a multi-part message in MIME format.
--------------030302030309090109010109
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit


On 8/28/13 12:02 PM, Phil Hunt wrote:
> Please define the all in one case. I think this is the edge case and is in fact rare.
>
> I agree, in many cases step 1 can be made by simply approving a class of software. But then step 2 is simplified.
>
> Dyn reg assumes every registration of an instance is unique which to me is a very extreme
If you have a mobile app that needs to do the code flow... which 
requires a client_secret in order to retrieve the access token and 
refresh token, how does the app do this without per app instance 
registration?

I'd argue that almost all user facing mobile apps will want the above 
flow and that's not a small, rare edge case.

Thanks,
George
> position.
>
> Phil
>
> On 2013-08-28, at 8:41, Justin Richer <jricher@mitre.org> wrote:
>
>> Except for the cases where you want step 1 to happen in band. To me, that is a vitally and fundamentally important use case that we can't disregard, and we must have a solution that can accommodate that. The notions of "publisher" and "product" fade very quickly once you get outside of the software vendor world.
>>
>> This is, of course, not to stand in the way of other solutions or approaches (such as something assertion based like you're after). It's not a one-or-the-other proposition, especially when there are mutually exclusive aspects of each.
>>
>> Therefore I once again call for the WG to finish the current dynamic registration spec *AND* pursue the assertion based process that Phil's talking about. They're not mutually exclusive, let's please stop talking about them like they are.
>>
>> -- Justin
>>
>> On 08/28/2013 11:17 AM, Phil Hunt wrote:
>>> Sorry. I meant also to say I think there are 2 registration steps.
>>>
>>> 1. Software registration/approval. This often happens out of band. But in this step policy is defined that approves software for use. Many of the reg params are known here.
>>>
>>> Federation techniques come into play as trust approvals can be based on developer, product or even publisher.
>>>
>>> 2. Each instance associates in a stateless way. Only clients that need credential rotation need more.
>>>
>>> Phil
>>>
>>> On 2013-08-28, at 8:04, Phil Hunt <phil.hunt@oracle.com> wrote:
>>>
>>>> I have a conflict I cannot get out of for 2pacific.
>>>>
>>>> I think a certificate based approach is going to simplify exchanges in all cases. I encourage the group to explore the concept on the call.
>>>>
>>>> I am not sure breaking dyn reg up helps. It creates yet another option. I would like to explore how federation concept in software statements can help with facilitating association and making many reg stateless.
>>>>
>>>> Phil
>>>>
>>>> On 2013-08-28, at 5:43, "Tschofenig, Hannes (NSN - FI/Espoo)" <hannes.tschofenig@nsn.com> wrote:
>>>>
>>>>> Here are the conference bridge / Webex details for the call today.
>>>>> We are going to complete the use case discussions from last time (Phil wasn't able to walk through all slides). Justin was also able to work out a strawman proposal based on the discussions last week and we will have a look at it to see whether this is a suitable compromise. Here is Justin's mail, in case you have missed it: http://www.ietf.org/mail-archive/web/oauth/current/msg12036.html
>>>>>
>>>>> Phil, please feel free to make adjustments to your slides given Justin's recent proposal.
>>>>>
>>>>> Topic: OAuth Dynamic Client Registration
>>>>> Date: Wednesday, August 28, 2013
>>>>> Time: 2:00 pm, Pacific Daylight Time (San Francisco, GMT-07:00)
>>>>> Meeting Number: 703 230 586
>>>>> Meeting Password: oauth
>>>>>
>>>>> -------------------------------------------------------
>>>>> To join the online meeting
>>>>> -------------------------------------------------------
>>>>> 1. Go to https://nsn.webex.com/nsn/j.php?ED=269567657&UID=0&PW=NNTI1ZWQzMDJk&RT=MiM0
>>>>> 2. Enter your name and email address.
>>>>> 3. Enter the meeting password: oauth
>>>>> 4. Click "Join Now".
>>>>>
>>>>> To view in other time zones or languages, please click the link:
>>>>> https://nsn.webex.com/nsn/j.php?ED=269567657&UID=0&PW=NNTI1ZWQzMDJk&ORT=MiM0
>>>>>
>>>>> To add this meeting to your calendar program (for example Microsoft Outlook), click this link:
>>>>> https://nsn.webex.com/nsn/j.php?ED=269567657&UID=0&ICS=MI&LD=1&RD=2&ST=1&SHA2=C6-AjLGvhdYjmpVdx75M6UsAwrNLMsequ5n95Gyv1R8=&RT=MiM0
>>>>>
>>>>> -------------------------------------------------------
>>>>> To join the teleconference only
>>>>> -------------------------------------------------------
>>>>> Global dial-in Numbers: http://www.nokiasiemensnetworks.com/nvc
>>>>> Conference Code: 944 910 5485
>>>>>
>>>>>

-- 
George Fletcher <http://connect.me/gffletch>

--------------030302030309090109010109
Content-Type: multipart/related;
 boundary="------------020302070409030803000705"


--------------020302070409030803000705
Content-Type: image/png;
 name="XeC"
Content-Transfer-Encoding: base64
Content-ID: <part1.07090300.05030700@aol.com>
Content-Disposition: inline;
 filename="XeC"

6b/Tf6c/PGn0pNGTRqCuVFeqK6HIV0W+KvIVtD/Q/kD7A9A5pXNK5xRQqivVler/hnK5/beq
Vq1atWrVf367yc0nN5/cHLrM7TK3y9y/j3P8+PHjx4+Dn5+fn5/fHy/ns53Pdj7bmfe6YMGC
BQsWfP/nzb+7Hm5ubm7/Lu8vcRYIZMAohZACIk48lj4FjjFXjAepj3Jerg5MlCb7BIN2Ve2c
swWUHKmOUgsYKdU1jQDxQqRIM4Fm0hnWgLgjbdbOgRRmOOZZDfhE2W4qBtplx5dZPwHztGDx
CcgFfEWgJ8iWcE9zKsir9S75NLDJNNNzHUjn5C3mkuD6KuNLy2IQA+1e9oYg9TfGKgkgqfZj
rhBQfrVb1c1gD3fkd3qD6rRfc4wGFqlbRXnQTZZKKmaQvtRNlHqC1MeU69UbRIpor70AVwM1
1JUJ5tXqcTkXXLf0hZSFoCzUXVQfgHxUaizpQSuX29XeG9Qnjr3sAeNnuhzzRFBjnJXtIyB7
R/bw1KZgVr0G+TUA3/m+Ts8dkDM9q2P6F0DxlNCXo8A+3VjZ6A2Gl775I7fB0zWvIlO/h8Kn
Cu8LDgPpB+maqAJcETFyOaAskngFeKDDD7DhwAoINEwgRUh6NBCHxB0EkJ9+8gNQqug+FrPB
uceZz3EXAgf6SmolaORVoWHUBrCMNqx8Fg26WtrxmJEgNc5MrpgOVfqX3VmjIvwQ9mvzn65C
6OjQ/qZqUGNE6U/qDobWX5Y9nW8uPC6cOelNEuz56OjF9VXBME65mVQMrI3VQN+ZcCvhsWfA
A/DrYUj1XQ0xns+ly/thRfdtmw0OCOpu6ChPBWu/jJeBu0EtqYjUkxDxJmBtkWjIGWg5F3UE
LLKl/vnmYGrvIUt14EbBx80vbYAndWINMcVBbmHO8DBD/I23txI2Qniq57PAh1AuJeBQ02vg
WySoUlxf8Hfma19yCWhNdSWTXkBuO3WtxQ/0IWLfw22QUjYlPvECAMXeZ4NdcHLByQUnYWeT
nU12NslbrnfpXXoXf0msH3o89HjoAQ+7Pez2sBtcb3q96fWmMH/Y/GHzhwE3uMGN9/xt4va7
hUwPmR4yHZThynBl+G+v5zHGY4zHmP+5cnVf0H1B9wV5r/+S0OKH3591sNzc3Nz+F3l/iTP8
R0+mXgi8gHSecwt4iUWsBsoRJplBhGpp2hjQFrm8c0eCNFE+ZLaANNN4kK9BWiyWqgtApBEs
AkEY5Eq6yiBVtfbKygGXTItcIyizPUb69gWptd8l316guy53lfuB2OyaqW0DaU+RymFlQCql
K6krBPRQN7osoFSTia8D9qPO2SkfgDM8s192DLhSLIddgWCtar1u6wO5K6zf5r4Cl58rTWSD
tELaqWsByjL5rLwQjPUMFY39QZQx9JYGgH2CM9m5AaSj6jxXbVDLa8WVEJBqaR1FfZAd0iNX
I3ANcQxXJPD0MdmMdnBtt2+17wHtiKug8y7Iu3Sz9AvBFmv7Xj0Gdr0IyS4JphM+6bo3YCyj
v6ubDIq3U7FvB/vg9Inxz8Drqu/8gB1gPWWtbioNWXOyL9jSwCfTO95wG9Q96izxGmiIgzog
CosZ2nqQcqUt0kvghLRMygGRQbi4B2jcphhwjqau4aCdEbHKSZDPs9ZYBFI7vU3PtIBvcXm2
wwDqB1KDjGxIC8tQqQCqPnPE/XQ4lH311OPzYHptklPqgOGRPi2sIKQXz55nngSnWycdsKZB
4tLUr27thuRsZ7sUM6gdcj4XXmB6qFVPqwXaBdugxJsgbgf3DKkA5VMiB9ScD46T1j2uTZDZ
WXY5O0DBIxEDaw+Dx4GP98X/CGGhgcv8m0DSgOyFaWMhuZolLKUlGLrmHnNMh2ptS3dvbAL7
k+yEQC94G5PZKqY7TG3QwzTAF3Rt9JPMn8BrZ3LLrPIQY3h57Nhp+PXCpUnbLkHTOVW7fDAM
fL6xR4c8geN1r864UROyF2uvPb8H9vL1+2hap06dOnXqFOz8bOdnOz8DY21jbWNtmBk/M35m
PDT5rsl3Tb4D6Zx0TjoHpzNPZ57OhOmh00Onh+YlQGetZ61nrVCPetT7n/mOcfsvbG2wtcHW
BuD3xu+N35s/uzRubm5ubr/X+5zHWfrPW/0WqQDgIZUV3QAz96U5IL2ilNIf1FDHjNTawFCL
KetjkAXpuuOg9aWlHA7SaTGUrwEP6aByFChs65X1EIjTWc3PQFnt6e3fEaS6uinG3iAdpYmi
gpZPy3FeAfWZ/NbxAOTN2hk2Axsdsx0TQFTB37kenCH2V7kxIFUXD9SpoMuvu2NoCrarOT0t
2ZBZNzUrYyHYNcsYhwbigZol7oBugpyulAcPH8NdczJ4fmwY7FEM9C2lnnI8aJfETRYA/ZTN
+l9BF2IIMxUG2kofyQvANduV4fwA9J/oz8m/grGR0aQ0Ba8J5gTP+6D/VSlkCACxWl2gNgD9
fmWN7Afadpfdrge7l8UjxQayU77pMoN2UGqkHQXbpqye6Ych7U5csQd7Qc1ybLPuhZwvLQ8d
L0DaImVKLUFbJs6rF0H3kxKvbAazwTDKozoo82STcTmwVQRJHiCVE/OlX4BTtCUXGChC5U+B
JdJQqT9kVsk+kB4H5vPm6vhAdkG9SDJCxlCHKe0CvEx7czR+KbjmyZNz+0D6HGexxHNQYJPf
kPz7wDUtt6KvBA8+jL17PRiOPL/RatOn8GpG8o5nhaBJmWIbG30MhkjJ7NsJpLuGGVpDMGX4
ttAbwbs6Y6seBdcZqmQmQPZU57QnZ+DlNwktkyKhYZWKlrArUOK8X5FgGXRHlA9uTYPI0IAr
hmgwjrN7Bo6EtiVqZ7TwgLHegwoNXgqBb0K+91oNTabUKFj5AEgOr7ViLBzqe+n4wS3w88no
Zt/+CI8KvzK9XgOF54ZWCzwKT3Y9fnn6NCTaEr+51Qiq3y4+pVQrKHg8YMurZ++vcW3fvn37
9u15r4cNGzZs2DBovqf5nuZ78m6ly8Pl4fJwaPSk0ZNGT2Dizok7J+6EViGtQlqFQM7pnNM5
p/8+fvz++P3x+2Hc1nFbx22Feg/rPaz3EOp51POo5wHjG49vPL4xJLRLaJfQ7r8o4H/2dL/r
Ce/YsWPHjh2hZs2aNWvWhA5fdPiiwxewY8KOCTsm5K3/TkZGRkZGRt4t/Hd/H9Z7WO9hPeia
3jW9azpserDpwaYHf7/fzZs3b968Oe94NAtoFtAsAE4WO1nsZLG/j/tuf++t/v9L/LP1UK+o
V9Qrvz2UpGnTpk2bNoV7hnuGe4a/P+77ZuybsW8GdC3ctXDXwnmfd7MXzV40ewELTyw8sfAE
2ErbSttK/3a5b8o35Zvy38cZcHnA5QGX4UWzF81eNPvj9f3D55ubm9v/772/Hud3Y2SzgBCQ
6mJnFzCUHqITqJ2llvIikOEpS0C9nfT86WvQXpozQ7qC7GmaI5UFrR4VKQ30Fzek/iBV1Xf0
BCRPwwGpB0iPtS+0l4BdC1B3gWgin9QVADy081JfkNpTRXkIJMqVpQxguBipGwyMVp3aMJC2
efUL2A36QX4ZoXYQH4l+6lbwnxDcJmQnmGemtszID9ph60prR5ATpSlkAMUd8bZ9oGsjF1XW
gc3TFSW8IGecvb2zEXDDWcXlD64t2lhHDDgd6mW1KvBUbFWjQSnHND4A6SvlR0MjMOyntbYK
sJiDiQBXD8d5fWGgNw1MGeCo5FzvmA/afDHKUQ5ctxxLrSGg/eC87PIF6YSuuKE0GLuaM3zO
gu1JeomkvmB5nVYs3gMyv8mKj+gDBQvlaxY4ApRbTNZ/Aa9uZ/jFbYfcTrmt456B3xWPy77z
IWiad/miP4OrG/tdISCVFfFyEUBII+gLUl0tmGVgqG7SGfwhamVYQlEvsHwrjomPIPF6zK+v
BkNwQb/V1oJgaOTZN1mDrKC0STY/uLj48cDkXWAcYqyR+Qw8iyttPN+A+aw2Vf81BLUynan8
IYhPlLmSHgJ+8egZ8DV47FMy8h8F9YYry7gCKi+uXLrUY1AipM0Fz8PZAedLnZ8MnbyqJjbv
BmVaVD1a8md4YXl9IWsopOS+Ki98we9M6K+Rk8An1OPoYwcYhpmGeKrww6PdzoOn4N7m2FqX
D0NGUuYCv+2woe3BjJ0FwN/Pv5N3LyiWGdXadwRow3JqaA4wN/U4EPYcdAf11+xp8GvUlZbH
K4E50U/2XQrmGroN/g3+eLMSg8VgMRhu/3D7h9s/AOUpT/m8xPAfaRfRLqJdBLQ71O5Qu0N/
/37uktwluUtgaPTQ6KHRkJiYmJiYCHVG1RlVZxQ4yjrKOsrCyayTWSez8oaAbM/ZnrM9B7y8
vLy8vGDX7l27d+2GBd0WdFvQDfRL9Uv1S6GyVlmrrOUlRgv7L+y/sD/Iu+Xd8m7oSle6/jfl
n7Bzws4JOyGhWUKzhGbAj/zIj3nv/5LwS8IvCbB06dKlS5fmXUAUji0cWzgWZu6fuX/mfmAJ
S1jy76v/P+ujjz766KOPfnvscMmSJUuWLAlzOs/pPKfzP473r9ZjS9EtRbcUhQKdC3Qu0Bli
98bujd2bFzdfvnz58uUDQwNDA8Nfnc8//fzTzz/9nFc+w0zDTMNMqKJWUauo8LzG8xrPa8CO
qB1RO6Ig+1j2sexj8AVf8MV/Uf5p06ZNmzYNIogggrwLwDsj7oy4MwK+cHzh+MIBG9jAhvfw
uf2r55ubm5vb++tx1gAJpHy4yAHxHQVoA6I6C6XtIH9IiOsSyBvkfeab4FiYWyh3MojrqskZ
AHIP6alUBcQ2EjgMREpVxDSQjssvlCcgnopK4mfQmmjfa78AC0mRckCycI00oI5cW1cIpCLS
ckMEaPHaQEkDqZworoWCEiBFGseAMst/nWdroLSHv/oRyJV96hjsYNZCTpoiwbzAvMG1ErxH
BfZRksH42OtrrRjYGjhHWYZA+qT08slHwfI8c9LbrqC+FoWcBUBbxTZ1ODiX2Yc4vwLXF+ot
0Q8cA4VJKgvic7mo3BWUm/Jq3XIwf23cYWgLfl94tfMcB75nfFJ9JoCphbGa2RsMw30KBfwE
2jptlfQW5N2iJLGgWyvfxwPESld3hw7USvb12TnAeGW0qR5k3E3QPxkIqXtT66ZVhxdJr9cm
LoVjU+9++H0L2HzqaL9lW2DZ+u1H11+BH6Kjp+6oAK8GJI1JTAL9AbFF9x2oOaKf9DlorbUk
ioKpnu6KrhycDb6debUP3KwS1/NxG2C6K135GTxDlFF+q8Hs7VnE+BkYCunDFSukTkvflBIN
ym5luuEIeE7RN8zXBXKnWaZ7DoPwDJOUfyv4b/eZqo8F49fmTjmnoc2y6hOq9gU1hBu5N6HM
kaJ9/NrDifrnQq4fgyPHrnx87hTUmVn+xx5X4eyA24Xefgbrvtx46PA4eOkfOylmAhiDjQ28
vEEtI39r3wZVlpYY2WoqpKS9XJSjwsWcm23ONYX6qZVzihyGgFGBrmJLwNzPuMcxGywVrD3T
B8KzGS9GxU+FGGtK10fBcP76wxt7TsGlES9de+eDPVKUVM+As7+1UPo1eLkoUa/8+seblWWJ
ZYllCTjLO8s7y+ctDwoKCgoK+vv1F1sWWxZb8h4m+9u/33zzzTfffJO3/uHkw8mHk/MSjw8+
+OCDDz6AZX2X9V3WF1ZeWXll5ZW85e/WO/jFwS8O/lUGtOnhpoebHua9fjeE5LsK31X4rgLM
CJ0ROiM07/2tDbc23NrwH9e/7ui6o+uOhv1t9rfZ3wa6HO1ytMvRvPd/fPDjgx//qkfwXQK2
zXub9zZvGCKGiCHit+O/r/r/s+Li4uLi4vIS1b/9+24/v9e/Wo8j84/MPzIf9kzZM2XPlL+P
u3Hjxo0bN0LxRcUXFV/0V8e97o91f6yb93pWu1ntZrWDbwd8O+DbAXl3APR39Hf0d+DonKNz
js4Bm81m+8sPZv2Vdw9B7nq+6/mu57C8zPIyy8vkvf+g7oO6D/5qf/+uz+0fnW9ubm5u73eM
swy4UMRzIIh0bIDCPtJBvNCOqctATBczHB3AMNtnZshAUD5X2sjlQCwWfcRnICVJaXJlYKC4
J2wgnotHohtwjSbyGZCDFBuBwDw2ikGATTzTKgKRCGUQSEVEPdECeCh/pI4FrTPl5J0graSH
GAHUzyger0Gu9rzH/YfgyE3flFkPLPVet035BLRWunBPb9C+MqV7nofcD7PbqCtAnNfGGAqA
bNB1N8aBc5ha1fEayJCu27zAeZoQpQ5Ip/30Xn0h5UK2lJsD2eFZGamDwDYne2XWcfD+wjTA
YyxIleXFcgkw+SvLdB+A3E13WmkEeln91TUdbD30Dn0hcO3gG3EDjJtcsx0tgZpKGSJB5He9
kjuB/Y7jUe4EMH2qX2iMAiVWSzPugZyRGdHZ22DHqoMvLpyAe1fTrq2rCR6nDNWL3AWlhzo/
qhXc7HW/3OXxkDvWlmP/FiYe6D5oVhEwtJXHKF1Aaa7roW2EByXjk57MBt04Y4m0eJBdmnfG
Lrg39+Wmmzch+ZLNM3kRhLbUefvHgG1SzpTcaDB+53XHuAb8sj32OmeBRy31oH4b2M/rDtnG
g+lUiF3qD4bZpklqHCR6Wo7GV4asOFfym1dQ3auo2mofeG7S/eJxHmp1KNf1/lG41vnuIetN
qDKpegFDfXD0ZUqJIPDzNu1P8oViC8sWr5EO+19EP9/UBHTjiUyJg8yPDU8bG8HZw3pXvIWC
F0PrFa4Ksd7xJ3J7wdmExyVveIBvkPmMcTrYr1kLJc8A7ZA6yzAdfHt4HbE0AFfZ9Jmu0ZC6
wmk0zQDnJd007ThkdLJfSC8LOQVyyxlbApDxR5qU+YH5gfkBSGultdLavB7o9K7pXdO7QvBP
wT8F/5S3fkpUSlRKFMQWii0UW+jv46W0TWmb0jbv9f0f7v9w/wcgnHDCYffu3bt37877+1ve
bWdNsCZYE+DNwzcP3/xV4txwbMOxDccCLWlJS2iwpcGWBlvy3n8d8jrkdchvJ1LvjFg/Yv2I
9X/fs/tuu7+9hd90YtOJTScCm9jEprwe96UsZel/U49/tf4sYAEL+Ke971kk/qfq8W7IxbvP
751ahlqGWn81lCOweWDzwOZw0XHRcdHxj+PWvlv7bu27QFva0haKdivarWg3IIAAAvKGlLyv
+raY0mJKi//iQuG3zjc3Nze3d97ndHQCGcQLKYx4kD4X30ndQRSQ2oltoEXQWI4D6UutWG4C
yCMC7kf6g9pDtFAPgG4YO1gM4jSZOIFDJIvHIO1mopQC4iPJKHQgIqgvBwJFxQBtLkhrqMoj
IIal4iBQSV7BYhAlbQuydwE39K88C4GsKoPlPpBd+Fngk9KQpDvZ86IvWDc5TGIF2FYbfjaP
Bdev8o/WhmBQFW9LfjAd9vzU3xfk2vpR0jyQ/CSd9hIUp9RUdxlc69T1hm/BVMjnO/M3kJ7f
Gp/RE3SlcoZk9oewxcYb5nNgLe/6ROQD6QelkO4yaC9FMHGQO9DimVMFbN0y62dOg+yR2V+l
PAPrYo8t3m3B/oGrm+sliEFOXU4P8DhnjPB9CSJKlFMHgG4uXnwOxlH2J7mA0kpe5vQHXWFb
35w5EFjIp1BwTdCNevO4bFMgVeua/DWEfRhsdE0A5w3jZ69Hw4ttj+rY8sM3mzYt+KEZDDzR
eW/nMpDYMuFh1hq4HpYQeisCor9/4TXvCfhsFysCCkH6g5TG9iGgNFDuywsgLlgaoLQCU4qu
hrkjlDxT4mvzFchomPyL82cwXgyekR0DpWqLAqo3vPkgofabhWBMkH7RB4L3UC9zvhfgUK3X
lHvQdFm9jIZ7wG+mV6B/IXhzK21T8AsosTBfW90eeKN/fd4yApqcq5VccCs8injUV74AFcZW
n1vyC8hda//6w3pwrVvMxNfTwb9S0BWfufBUi5l9LQJa7mi6ru9yOFz/6oB7odCgYpGSehs8
/jKuxMN+4DHdPM77ICgHdamPZQhur99maQhJXXUlvK+DNlRM8QwFaY16I2cfyC5lGdshsK1p
h6gNnP1jzerdrfxS50udL3UeHvCAB8CBWQdmHZgF/elP/79af27q3NS5qTCXucwFDhw4cODA
Afj8888///zzv49vu2C7YLsAdKELXSBgcsDkgMng/cj7kfej3y6XabVptWn176+HdEO6If1X
s3i8G+t8gQtc+Pu3fyuB0VZqK7WV/8XywdpgbfBfHb9hyjBlGOCDDz5/Xv3/3f6n6iGqiCqi
CvCQh/zVhZJOp9Pp/sD/Ju+GZvzFu1lfmtKUpv9z9XUnzG5ubv/I+5yOTkIA/iKVAOBnZGKA
OyJSagtSAF9rxUBuYa4QuB7EPrlQzglgiSjPL4Bem0k48JjJHAYxCj8hAS0Ik5eCtF6bpx0B
cVoYtSFAB2Ws3AdEgmgjxYO0mNPaYBCfKPmNL0BMzI3PuA5av5xesfVA+sF7qPdLyH16/eHN
YBC7vSv69AVHkrpLfxByz6S2zMwFyS71yWkKjuVCseyGDF1G9eS9oFslr5cmge6RctPgCZK/
vFD3JXjM9n7ptxWUWbkt/GQwrcqJzBoAgd+bixuHgStE11y/BZQguaNyBOjjnOzsAYZhcpQ0
GwKPGG77lgBXhOcZYy/IPeNY7/8rpK6xldbfhKRvnXOtkWArltIv+xho37rs9npgSpSumC6B
YZ10XuwCjztyWaUcGJs4XfZIUJc96H1tEHjbS84ofhp8toVPc34ESQsz59o9wXE6s3dOBGQ3
TdAXuQKlu+ev22wQhH7vXTbfZjiwOnptdCdIviZ9bf0eXsQnzLg4DwJu+Qw2roCCXwXU97bA
S5f2RooCh8WlsROKEXyu8im4uCpm8UUfiHuR9iB3AYQt0tf1+xpCRkSsNX8KxkVy/brfAuOV
dYm1IW5CZvUnjaGAn0d05BQoNyvMWPMCxG16UzP+KtyenLH8VVV4MTqhdvIGKDC1UHhQFyj+
Q/7TQdfBv5i/7LcF/KsEbMj9BERLuasuCQp2KfVjwX6Q8onlUzkROrxu3ar8XDgy8UAB5QkY
E02zrMOhrn/VgcXWgccVZZvzJyhdvuSl4K5gl+wXDIFwQlxu8XIu2FfJrc29QP+1sbf0BHSl
HOOyB0HoS5+GARK8jrJViL8OBVf4nPP9j6EJLd5H8+oe3T26ezTMZCYzgTVV11RdUxX8d/rv
9N8JbWe0ndF2Rl4CctF50XnRCUv3L92/dP9vxy3YuWDngp0BCQkJOuXvlL9TfhjeZXiX4V3y
1ns87vG4x+Pg5cuXL1++hALzCswrMA/Mvcy9zL0gPCE8ITwh7yGsU4tPLT61+C8dzpxadGrR
qUVAa1rTGiLbR7aPbA+mGaYZphlgy7Bl2DJ+//Hw2OSxyWMTBMcFxwXHQXJUclRyFJzofqL7
ie7QLqFdQrsEOHzk8JHDR4BudKPb+6///xb/rnq8u8PBLnaxC8z3zffN9yEsIiwiLCJvCMS7
WV9atmzZsmXLvDsfHTp26NihY168Ez1O9DjR439vfd3c3Nz+kfc7VANAQkUCnFIIemCvkCgI
so3vda1BDJFGeNQDZZthibIaxGPhpX4Jah+y1fsgPZFWaTtAril2K58C20SalAmipLJDqwXy
aFHdNRu0hWov2QZyU/kzSQ/aeTFRtwGUGdo651lw1hfNVD/I8b1W4/JnIGqLec6ToEyNGBPs
BVkFYm+lloXkq0k56ZdB7et6bv8VciamRCdPheejk/dnvYWsg7rVho6gHDQ29CwAQS/kj42x
kC/IXMSjO+jKmqWsWSCf1sW/bge+mX4T5SCwTRBDXetAaqCf6F0LDBWMq732gv2x1pOuoLaU
Gxi3gKGj8ZRxGsgX9Qa9CaRQncnxDRjifB4ZyoKpofRZ4ERIyFKXW7qCVsUupS8EzyuGqiIV
zDVEJakamN/KS9S+oHwiz9PvBKnGvSIxFyDgkF9p5xDw+TDqUdwFiI1LePDmU8ieZ6yb9gWU
K1TqUMda4DvN6l/0Adz1jh/y8BtIyszocG0CGHyD1cR9IJ+WPnPsA/9a3se9/cDxyLpZegG+
gww7fVMhO8UxXzggKNN8ylAEwod77o1UIfFJrCH/WjBUCVpl3QyZ8+PPPv0ZogYHBwbFQM+e
TV/0bAlHn15btK0IvJyctfLJeUi8aC+VsQTu98+KvfwjZGdnfWPcBwGVfL7LrQanPzkxJa4P
ZP5YabcrFTr6NusWroegjYEPvD+H0wMu/vjwJbR41Fgq5wMvZj/v+LYzpCxMu5Q1FXRlDGHa
TvDr7l/aJxU8TgQuUTwh7VliutUfrtuvTbrTCF58n9n2qQD/kfoTwZ+A5bBzyzMFvA7rkmyT
wdFQzFFkyNnj6JJRCbzzaR2CP4DsS8pAEQFUfD/Nqs3PbX5u8zNc/uXyL5d/gUMdDnU41AFm
z549e/ZsmO8x32O+B8gesofsAY4VjhWOFXkPmf2lJ/ZvegrbH2x/sP1B2By9OXpzNKzXr9ev
18MTzyeeTzzzehLfTWPHda5zHTbU2FBjQw2gF73oBX1L9y3dtzR8VeSrIl8VgVmRsyJnRcL+
2/tv77+d93DgO31tfW19bf/cMfg//GePZJd1XdZ1WQerVq1atWoVzO40u9PsTrC1+NbiW4vD
i4AXAS/+m4co31f9/2zvqx7vpjm0X7BfsF+AL2d/OfvL2TA2bmzc2DjIdyPfjXw3oM+EPhP6
TICFiQsTFybm3dHYH74/fH84PC/9vPTz0nlx3o2xfxf/T6/vG97gngbQzc3tX/B+E+f/mI7O
iQkw4SleArBXSwB2SMOoCZQVtTUNhKcUIyWDKC2t0+UAzaRw0ROkfWIxF4C9cqw8FdSfswY/
mQL29i/23/IEeUKAf6GPQJ9pempQwXXbqrN9CLr1YWVLdgBN1l8OPAm6DtRVKoEj4u2S3IaQ
9jh16KuTgCv/s9DvIG5/XGJSN7B/b7+qHQQxVhx3BYHtO+sKTOBTybOa3wwo2K5QtSIpEBjr
dzkyBTw7GL/2MYEUq8uiOTivaadzz4DV23oiQwA3LaHZkZC9LS06ETDqfXoaY8AYZzoqtwHd
I11RuTlIt+RJuh9BOkZhqQVILcQpqQro+qhb1GggSrucOwY8X3oOkKeCZ4BPso8nuM7mnOA6
GCaIMEcT0C9SY2zHwPzUfkh9CPppHu0DjgOKsjD9MGhXnvVLvQEp+Z355MagTzS08ewOyjJL
C9cWiOtrWne+HBAccDl3LXjsslQutg28Gvt+6hUBRRuajtc/BY19qt6sOg9el8tt9GgLbCl3
ovjGzeDn4eUIPg+2isk7pO/hTmO70+tr8Myn3ag+Emq1rJPyKBmS8iVGZ/aEnAHZY13Z8Hx3
tv5CNKjNHNHGCKi7tdSLRv0gfHm8PV898DH6xAV9CKmmJGv8QPC6UHpipAdkNc4ZFlscTP1M
NyxPwLXIHpu6B7Z/t6/a8Y8gnyF//nBvKNY2wq/gInAtsv+sjoSyaul5EWPgeamXR9+eBc+l
3l8ZioGxgLmFdzjoN7jaiW6QKaRXjnpgeOxXtPQoaC2XGFdvE2R3yagbVxFeTU9Wrd/CSzlr
TY43yJ4M1E8Dkz2npP0HkHy9+mdngdmDLFPYe2xb/5kozho8a/CswVAptlJspVjYPXn35N2T
4Xmz582eNwOjyWgymqDFnhZ7WuyBMQPGDBgzAMbGjI0ZG/P3YcPCwsLCwmD1qtWrVq+CZWWW
lVlWBi59d+m7S9+BdF26Ll2HyhUrV6xcEYZLw6XhEpTMLZlbMjcvTtdCXQt1LQTqZ+pn6mew
9dXWV1tfwfWD1w9eP5i3n97Pej/r/Qy6HOlypMsR8saU/Iv6l+9fvn95yOmd0zund970aInX
E68nXoepnlM9p3rCrPaz2s9q/++r/5/tfdVjCEMYAqzbtG7Tuk1w6dKlS5cuQe6d3Du5d4BF
LGIRdD/e/Xj34yC/kF/IL2Db9m3bt22H66uvr76+Gvwq+1X2qwx9Z/ad2XcmDB82fNjwYUBz
mtP8z6/v305H6Obm5vZ7Sf/xxShEjRo1atSo8c8HsFrtdpuNv8yqgQfgAm5jQQKxFA/pDMjn
+VH6AOjMLFc4aN+om+1pIMXKTeUWIBWUPY3dgZuav1IPtO91B0RTUFck37t9EnKHnx5y6DWI
eF24b08wlAp/FZIBomjWw5T5IA/wXeddH4zTK7fq7AVKPeljXXvIjD0z/XJzSO79akjscnjq
F6d7kgSZ89JfafnB8ZP6vZYIik0NtD0Gw4+ywVAfwhoFbA6YA+EjohZEfg7sUD7T5YL2szxS
GgmuFuQ4woFK9kDneJA76xvpe4DfkajLBYpA/JGnp19+A9JleZo8GMQteZpoCbby9pu2pSCi
XBZ1GUgdRFe5JmDUTNpMUDfZf7H+BNo89Wuegf2JPBMLvH2ZOz5zAFhvZS5M/RJ8Qw1PpRJg
nmjvwjYwjdFKG4qA3ub70FeAIKFndgiYrOpydTAcH1W60et0iPlG3vWgIvj0t5fzGg8Z+8SJ
DA3SP1b3qKeh0FSvhBpnoYRnqFI+GuSx+im5v4K1uj1NvwkC2pk+Ej3g2k/Pw66thKh473HV
FkJq2tuRr2+A/rGnM18hSNqe6X2nABQqGNrY1RcMn8svAr4E7ogTrlhI3ZT+Jm0UjKrSb9Q3
BUC/Vm7kmQCxXm/WPlwJ0TVu99i9EPRnHJuNaaCWdawz9YDnr97WSBMQXiTQW7sMUrrpCy8z
+H6o+77IBdC+tbVWekH15hUL1BwEQV7+n3j2gPBL+e77NYNj1tNXHq2HjL4ppV/dgHr+dU+V
+wrsfo6C8jFQ/HTrpOVQal/ROfk7wd7cI7sutoSdEScK7oqG0O+D/OzDIG1uRrXcBxBeQ3/J
Eg3SGO2ckEBERPqkZkL+S5G9vEvAJKXX98e//bOb+f973vWor66yusrqKnnL3z0cWOpsqbOl
zsKNoTeG3hgKQ64PuT7ket5QlvPnzp87fw70G/Qb9Bv+7Nq4ubm5uf1vd/ny5cuXL7/PHmcF
gQAyJA9kkOqK60ggfcl1NoLWEYfwBvkeW+WOIIZr4a4uoJSRxnlkgrZNNFXKA4NYrD4Bqavm
K6aBVN1xkhvASq+BBX4AsS8rKWMVWDe//CRhJGjTHe1yVoHUL7ljRiroUvOb31wAaXz+16XO
gmf+KvtKLgHb4dTgxNEQ9KHPvMg64Bxu0Cx7QWtlE85k8FvpWTX/T2C+rySqQWAyilLCBbnL
rC+yJoHOUz/W+BL0W1SbuhK8M5SeoiSYPg6KC34Opv35Lxb6FpRi/pM96oIol7HFcgGyPrQe
zb0L1gr2TTYH6L6TdulOg5pPGi0ygVaSXZoA8gK5lWIB0VYboZsI4qA0SP0KDIuVTKUlBHxp
muCTDjkb7BOy+oAu3Pl9tgnUtbZ+DgW0auYlPp+CwBGTvQAUk/cMwwZAznktxoM2JrOsZx3w
n+hXyzMOKmWU+SQqBl5Of/p1saaQODi1RKAvKB5qfWkDJO60dc7sCaaXXjYpFNgnTyu8Dp5l
xPeyXocCzeXbtXuBVjd7u+4siG9cUUF7QD1nO5GVCGE5/s0rdgRrQHZGZgdw1JYCyQX1AL1z
tkHud87RNgucSLw29cxkMD8xHwmdD1ebPN75c00oP77AyggHGMOtA/yi4HqPO4mZXaDBoQqi
0TNIbpRd8Wl+yDhkXXW7EHjd8D4bNAaKVykVWKsZFMspvjTsZ3hx5dn9+M5gGppx2/g15NyL
Px17C0pcL7s2Mh2c82xTZTPk+y7yVpAdble9pTwtD/oDrp7CE0yPlIIpB8DrC8998S9Af8Rc
XpkE+a86oh02sO303IEDjAN08c7+4ByuXDLPhvjZjouOZ8DMP7up/7/JsMGwwbABrgy6MujK
oLwfrtg0fNPwTcMhNCI0IvSvxuC+ewix6YSmE5pOAH2qPlWf+mfXws3Nzc3t/zZ/vMc51263
OQENDRegYUABKYJUnEBVYrkGYhy+VATJiVW2g3ZFG2VvB+KVNEN/CpR5UjyFQCrCCm0iiOIi
SDKAGOHYkP0tWFtfe3TiEVivP+7w8C24almL5Y4BQwXfvsEyGKYVH1r2O3DNsn+duQR8plZ7
0LwGyCXkHoZcsD9+1fP5W8gZe2vGjWZw6XCaMXcHvNVSCqQVhvxJXt/4NwfdPkc3ezaYRkpv
lY5gPGcqpq8ExhjiXYMhOCrf86j+EPCy2pqq50GWw9WgByC59L21mmB7dn3V/e2Qc+bl+YQv
ILVgzuCc/WBNsj9ylAVtITO0HHC8ddxw3AZRTVonYoByopdWDfjKlagtBi3M+VTzBDFYF6Rc
AyYaSxpTwHrOejJrLmTsSPSNnwrZ2bfq3JEh8GHQmJBD4Nk88HDYAtCyffeGHATrCa2+cRk8
/MXTZW8HlgWGB662YFgi7qndQXtuXSWbIeug/VvVDyytM37W+oMrn2tGzhZQ060xzl1gm+Rc
bWsCuly9S/kGtLvO+vae4LqgPpTDwFBNH2scBlRUOgp/MB42jfE+BJ4PDL3kHqD70LRAzAVH
KfHQ5A2qTddJCwElTLdQToHALb6nnGfAy+l3yHMRVFhXYlaTcaC8cSVr+eBRzJN+T65CYGpA
qLkRxLeKv/XoOdTL1yCkxq/gem39NHgvBO8OrWt+CN6xnl19SkFumn0QReHN1ZdK5lXQoq2u
V2ehbEaV2RUy4NGdmCWvO8BL3zfVYo2Q/GmSz7NCELcvdX/caFAsPtlpGniaTHOzDoA8Jr2P
qy/YN3sEuPpDQDX/cf5fQuoCV5/sKWCdKPeWq0NOWMaCjET4Pnri5gtpf3Yz/39X2ry0eWnz
YMnZJWeXnIULZS+UvVAWsnpm9czqmTffdbOmzZo2awrDqw+vPrw6mDeZN5k3/dmld3Nzc3P7
v8W7Huc/njg77Lm25yAVl8KlUiAeiLciDkggWaoGqKSRBlJngkRhoArLlWMgfhTDXOWBKfIM
6RFIA0WkmASupSzSHQC5if65/hao02PeHt8PL3ZunbwlCtJ+zfnEtAXMDzw/8xkF/r28ogxW
MIuAX6W14PGw6un6HmD2KtO5RmGQI4lTboD6jc2UdQ9cK68n3VwPT7UnE272gdxpWob4Fbx/
kOaH3AL1HMsMKeA9zXuPbxHwiDLm9+gH5iqeLzxiweysnFBsHPBDsMM3P4jdtrK2y6D7zjIv
czbkBj08/koHKXtfVkyMgWwv6yfWSuDsLrXVFBAWhosF4HjsWOH4HhyDXUbr1yBPJ1gUA85p
F/kJiNSilAqg7ZP6KBqQanitbAa1ihhIEtgu2j6wDIfMwW8f526HjNsZXW3PQNkeujxgCogZ
JuH5A2Q4HXusvSDtjSsrvTuk5iSJ9JJg0WVMyVwLtpeW2pmPwX7csdGVDvot3JbPg17WtTBs
Avm8vr9eA1OIUWd4CdJm2a7UBsWhL6qfAXJjuZ9cGeTJ8jhxGsQMUVKOBK2JmkE5cH6mfa0V
AK02zVVvEPe0HcIB8jh5sr4rKFOMxUwvwVjM9EiqDYbRPsbgDaBv6uvhHwN+zwNuBESBrpC5
pHEJOJ8nx71oBxm1rB8/DoUiHpE6/S1QdzjuedSEhrMa5O/fAMzjdF2dbcF5X9aJySC3chTy
Pgq55d9WeNQYcl9Ln8rNgL3aNWkXqCbR2dgZHpZ63v6iDcQWq+fTXZDVK2es/AHo+5o2uYaB
taD5Vux8YIzjC2kpWM3OWsp4MP3q10IXA68fptVJLwypDZJ6cBn2O5a2Olfzz27ubm5ubm5u
bn/E+xuqkSsFSNNBVBErxGGQPKWiGICe4g6fAqmMpQuIslK2UECqIyyiNhCmrJYGAse0gdJa
EAmioPYtyOuV59J+0H2etSa2ATw8uE23/Rpc/eT5dtEdCj0uV6eSCUol1htc+QI4A2I3Pr4A
uvOeG+UroO8Snh65CeRw/Tyvz0Fzum7Yl4DyiaGq51zIHW636KdDoethTaNagvWQNionFRJ2
v7E6qoEcbD5o3gCGzfpUpScYivi2Nc8BBho6ywngqpH9c+ZF0H/ls8P4BDCnn8zIhpxdj169
KA25sxJW5Gjg7KmeEQkgPCUfpoN2VB0proB2gaZaOEhH5Upya5CbuwK0z0ANFaGOkiCFSYfl
IyB3lyfKySB3E8lqJUCvfcFUcOTTzfI9ArmjPH/1ug+5Q6I2OktCanXf0rljIKdW9sK0LZC+
Pm5czAFI35HwItEAOU9zWtpCQI6Vb2vbwSvBa4x3OATe8Lvp/yWYsr3Peh0E4x6PUNNS0K00
5ddvB50ib5S/A22diOUmiCvCKvaClJ/WYiroSkqfSwdAuqBES3cAozRLPxOUCHkRkSDfEsuk
pqCFab2Ue6C1Ep+5WoE61l5Is0POHnum9Q7YmllltRLkXn8blNgKxNDUi0mtILvg26p+TjB9
4lXLLwS8PzZWcqSA/0qPWf7N4XbHp6fsAmqrURYpHJ7+cGfJhVdgcci9PJZDvuWhmz2joNaW
GicbFoHrfo8nxawD6wmjVdsIRQoVyw36Dowb5UleFtClqoll+oBfGd8NVWuCx9mALoFz4GSp
y9e2rAU1OfPLhC4QeMPjS2kEeBSQX1b+Gu78+PbI5cIQ2DTkM1MrUDeLMvZ3s1fE/tnN3c3N
zc3Nze19+OOJ80DxPZuAutI9yQLE0IzmwEO6i4+BHzgjrwORnyXKAJDqaK9cOqCU6KKUA+ZL
WfwMWiaNKAn6H/T5dXGQ89U9j6uxkNrsXnZyJSjwuFJOnUQoM65F+wrzwHdzaH7fBuCs7v+i
6EoQ27VnuUPB1Sa7V1YDMF4K2yp5gdREVJazQGvmmGc/A6Ki059kyD7meBS0D2xbs644q4Kz
Z2bHuG9B22cb4ZoPlpLqV9LHYAhWGsi7wfhRaUeUF0i+bHddBFfvl+dfW8FxOulE+jzQdmSZ
XR+Aq5Z8Tb4CrgnOw1p5EOmuoywHaTwmMQx0DeV9cldwfq2laO2AVZIqdwZmavdYAaKGKK41
BtFL3eoaDzzQj/OcCVkNpHkeH0NStrOsZoFUYW2W9QmkLn6zK64sJB163e3VfkgTbz9PaA/a
BfUHV0fwvOy/OWARRHkWLVLQBR5mP8XrJui/M5xSjoDrhGu8ZgVHT9vXVh3kpmauz+wAYmz6
SHEF5J1immQEbTsdxG5gjBwr+YAun7JQtxMMyYqPUhiUkkq2ooHOrPjKP4JWQt4nLwK5rZLE
LdDl6LZKRjBU0y3UbQQ2m0vpfcAzw2uIVw5oxZR0uSo4M1zLRTWwZ1jruSpD7sWcD3NKgq1K
yoGslpCyUJlriAbzGq8t5lQoPqZMw9rhYHzhF+B9GModK3YwvDYEx4ZFh3QH007TDcNAMHY1
DBUzoWJg05X1vMH0pbmZ7hAQyErqgNKPcHkHGDp4GAMagu2taKl+CL5VzOuNM6BsZsnOvcfC
U78XWc/DILeNQ//6OHiFBeq860DBJt6xTxZAVlHP3MzrEBaRr55XWcCdNru5ubm5uf0/4z30
ODNeTQE+FIflzcAsikoJgF1aRXfQ9ogxqg50K3mrawSOt9I0WoLUXpwRQSB3UXrLY0HX0jVF
XgPc/o+wrprJ6Sk1oXCPOh1qfAZRw4cV/zgUpGde5Q12yC31ov6DMqCG2Xpl7Ab5ufzSlR9M
2wvuKDcJtC6utTY/YJP+pjQDtBavd2ZMBVcD+z7VBRk/Zc/K7gCZB9/OSNkLru3WAFtXCO7t
W8l/OgTtCGjuFQbKD0o+IkA99mZxaiqIaYVehqwEZbvRpvMBzlJQFw2ikJTPFQVKIyZLRlCO
aHPpBZJReiFNAemo6EQEiMparKs+KOelWcIAyhppqvwTaGWkS8rHILYYdnrcBnt//RdeCqSM
V0coNeHtitxtFh9IrBv/6sUZSFn1+O3DY5ByI/lB0glQ2hgnG3PB/5uIIuFfgeeq4DZBrUBO
0MdgBmcny3VbIGQ9S36aGgmObo7BWjlQ6skV9Zlg+sxsM7wFjwDPHV5DwWOGZ3XPjWAc76GY
GoOhh3GFMQN0O/UL9KdAJyuV9QkgjVYO4g2iulBFLkjDhUHrCtoldbh2F7Tl2nGXAtoi11VH
PxArHJVcQ0Ar4DKoDwC98xdHP9CluD6UrGBA/kz3HLxve5kNs8C1y/uuMRGcLZ02LQ5yRlvC
nE3BsjN3e+44ePrLhQ9PVgR7bsSR8CtQ3BU6rG5DCNflnxr4OWgbRYDTCdo110dmJ3j19KxJ
NOT0y/G1hoB8Tv5EvgQZ69J6WT4F0wDTUJMDIlcEzPHOAfWca5C2ECp+UO7rEmtAd9e0ukAp
uNz3Tvizo2DLVBY5pkDpkOLbim2BGwdjMvd/DzlHHMsfLQf+F/26nJubm5ubm9sf84cTZ11X
/Uemj0At5izkbA4Mk76kHrCAddJckJMZLW8HR3NXS4cRHC+T57/9CAxhxiSTE+SNAQEBd8G1
2eHtqATyM50q1QTD6pI1ik+E4B5RdjUb1M+87F69gclZdxLegmKVuzq/BvWRdWVWV1DCii+r
eR3kA6bpvqOA2moBdRKIYLWMvRPk9nlRO7Ew2JZnfWbLB65WtiRtCnBNOu2XDa4TUhlVhjev
4g8lxoIrwJ5gMUJY4cjiBYaCnOTq5VwK+rJMFLtBlItMCv4A9JEhC73Pgthqi7NNB/yyb9m3
ghisnySugu6ReoHF4GrsOKgOACFLD6kHYgCLqQa6Q7o5xi5gsxtXeu+EzKWG4+YJkKzZLjoS
IfGDN51fToLECvfX3vGGJN/XjldTgFummh6hENi6sHeRqWAuE1jCrxk4SjpLOsdA9rikh6mD
QK1mq6Qmg6mJeYjhCvh+G+jr9z34bQhpEHQF/EYG/OzfB3ynek/z6gPmJZ6FTF1AN0P/QtcE
lINSMWUciB8ZJJaB1lcMYCnIH4ogKRFEf/bTEhgpOolNoF5Rp2ofAnvoKJoBp7TDwgKuH7Xr
2m5wNVF3qo1B89RuqIdBJDiHO6+Cs511UG4wqJ3sxaz3wPWjetwxCVwp6iIxFQyddQ+kymBa
5LvN2Bt8KvoIkwS56+35XEPh7YDUQcmB8OPQzS1+6gP+FwI+DtoBIQuC2weVgsqxFQaU+BXK
li6zr+ACyBydule6D46B0n3XNXh7K+Fk6lIwzDIE6X+F8p5V/YvkB2mzbrzcFhSrdt25Fkos
LuJrOAJ3nt9t7/gEnry+c+BOFPicKT+jzFGop5bZ0ucInHp0afze0gB88Gc3cjc3Nzc3N7f3
4w8nzmfqXRh5aRTUKlf1ftXaIF+TtokEEKtEknYLiJaGyykgl5d+UsqCx6qApOBrkFQ5oWty
CvgWNC21XwLDRUMp6QvQ1qmebAFD59DUIqNAvZLVK3sdiGoOnf0nkBZIr6RDQJbc2RgH+mFF
Glf7GvTLgkTkDSDafjP3LoixOk/9c6Bf7ngtC5Qb9llCAzlVeWLcDZ7bPZMMN8HL07tBYCNw
Zonx+X8Ei0fi0rgyEPf90wt3toF1R1pqSh0I+ykqqOBbMN60ts+JAmVDaliaAXSRPq19H4DW
2/nEdQvkFnJFqQkYPhCN5CiwL9CEtgt0NZQDygJwNdDqaP1ArYNBtw1c8X7H/IZCqtMZqUkQ
Nyt5SOK3kLDmsf7OBHh99WHIgzVgXeOaqRUA341RxfO1BuPuwPE+P4PTy7lZnQMpjeNmv5kG
8hP1GuEQXC+oXmBhCE0rdTKfC0IbRK4KnQO+P/p7+vqCxynzBFMGGErrVymeoDdI56UgUCSh
owuIq2pTURGsj10z1e9Be6x9qTUG6bn8SDaAds31Sp0IroGaVRsGWjlxQDQHpbFoQT6QhkgN
pTKgPJRXid6gVEZIyaBcZK1SHSTkbBnQldULwytwTDatMB8GVx+1uisExAaXxWEFe23HNNtA
cJWzlrTWAMcQ+yLnUFAmqJKWCYYQUyX5JniMN+X4fQDWe9bOjpKQ1i+zeFp7SC6a5ZteDrJn
5ljTF0Ha1eRKb7Oh/q36l+rfAMNPvk/9CkBQl6CdfpngqqGOUGeBLr/eoThAbeGKF7HgUlzF
5Z8hlWRjzneQMyLjUsIZyHQkTnv2HVx4mrM7tjeUGFc8spQdam8u07Px5j+7ebu5ubm5ubm9
T384cc5unR5lrwm6UUqWVBxczdQKmh/IPaXRHAAxHoeYBVJXuZ50FZTGnpJHJJgCAif5TgJn
F8ctZyx4NvUe55cNrhfqOHUtiHXmG0GDQZdpCvc3gatY1tvUFqD/ylTafBWU6uFDSs0H6Tn1
lGUAjtG5lUB8rvRXXoEoK9XEF0Qr7ak2DsReea6oAATzmTYa5JHSaFcH8Boml7WeAOdoLcK5
F4w7/BN0hcEVYwmP+A7e6hPSX7YH53FrckwNCP4i/EjgFPBq6ncnYjRo+a297R+DmC21Ux6A
c7PrG+dlECu1lcIC0h1phDgMcn9nV8evIDXQzdEXBnspz1FBIRAban9ki4XY716OftwPXmXd
fHJjHyQ2f8Or6aDE+ff0bQq+n0WWiYgFpbboKa2D9BJvSiQ5QDdKsysLIfKbyLnh5aFAXPEj
hT6D4K35ksJXgW8B32yvE2C6oj9k2A38yDqlEaitVFV9BfIcrZ7QwDWJkdQA+0x1o5oPtLEi
BAPQWPKXvweDRaeT84FusNSTXNACpa+1keA669qgdAHbKPW+WhKcmcwUR8HVRf1a7Q/OTppR
nAJlq/yVFAV6p3RY2gZqKe0Jh8AuqcmuH0CUpRojQIoQO6TKoFzUbTJ9B6KP9InRDMpH+ice
CaDPdV2wjwf9Smsd631wxdvT7fdAV1d96GwN+g7mkkomGD43HfPxgOytucn2IfCmdcKepEiw
jbNPdXYDXhobmDqD/2Kvr7zKQHZmxo6cbmCtaxmT8xPYExx1HZ6QO9jm70iD3FfWrbkV4U3y
2/3pbcGyxtI++RD4jvWdrcwAa3F7uNoC7n74sPK9byB5b0qjN4WgHvWp+wfa17sf8MjJycnJ
yYH6W+pvqb/l79fLKJxROKMw/NL+l/a/tIfelt6W3hZYW21ttbXVYMiQIUOGDHn/XyBr1qxZ
s2bNvx7/j27v5ubm5ub2P+kPJ87Xf3qu3XkKUfEPW0Wuhsoly48sPhlyStgm231AacgmMQvY
QLw4DK45TovzBvh19FnmvRvYI05JX4Ejy9nI9QVIIyWFEyA1V84pFUAEskz3BHRbfBJNRsCX
xpIetMNqX9UC8keUdjQDhki99R+B9kDMU8+AfIgY7Q2I7bkFUluDfVt6RvJLsL+ynklPA5q6
XKnt4NGa16WexUNqrcQe8e0h3+yQL0Jqgv9W/zmRKmR6mV97Fod0P1df6QG4Or1pmL4YvIdY
Bmdbwb9ikG/4CTDuMtfwNYNWUy2mrQEpWIRKVpCeOjprw0FeqLP5tgBLtG8L7wfweE5Ww7RI
eJF579j9tfB89I1dV3MhO9n2zFIGPGIjt+TPBUMHv/6e18C6OfNK9jPQiuXUtH8P4baI+hHf
QpFeZcoUjYf8+Qu8yj8GvE/4DvE5DnIL5Yg8EaQvpEnsBhGpntaeguio9XMVBLGbL2gDrmpi
jxgOogyvmA3SG1kvnwLRTfPWhoP2kzZQM4KrHL9wCXQHpVfMA31tpbTUEsR+Mcp1EERpx2nR
BJyh6lj1ArgyxV1XIRDPtBvEg/REncwBYDDhUlcQr4SEN4gxIkuUB/FWNBUFQOSKCeIKiG3a
VK0PSHNw0g9cV8VbyQdEP2WFMQLksh7lDYmgjzA8tY8C+Z7jV1tP0Okdm+zVQQlw7HB8Dfq9
5g4Gb8h9qBuhrwXp1qz12U442Piw7lQV0H2uP2PeAPpTylVlJOSOyzqT8RbS56bdTCkKak0p
3nkbNB+tnCsZXFfEWt0SMFwx7JEqgytE8/AMAD+dfykvE0g7aK7WhaRLad9nTgRqUpaV/3r7
Krqw6MKiC+GnaT9N+2ka1K1Yt2LdiiDfkm/Jt/LWe/eT24XnF55feD5IJskkmWDglYFXBl75
932BDKw4sOLAin/e9v9u4pq4Jq7B7ma7m+1uBl3Tu6Z3Tf8dG65mNavhzp07d+7cgZiYmJiY
GHBWcFZwVoDg2ODY4Fho+Kjho4aPQFmvrFfWw8UVF1dcXAGvf3798+uf88Ll75i/Y/6OUPtu
7bu17+Z9/s/9nvs994Mrq66surIqb/3qw6oPqz4MCmcUziic8Y+Le6zQsULHCkFGdEZ0RjR0
Ldy1cNfC//zx+tsLIfeFkZub2/9r/nDi/GJTSp8n5+B0gVvVAixQ6oMSOyMHgC5HfiUvAvG9
aCsVBzrzkoaAgxhcoJ7RjJoepPrSQoaB9FD+mgnAHrKlAGA5ZTAB5UV7bTWIxdJiZSXgEvPU
T0F3j+OiAohDWOQnIO6LDk5v0C/QH/PsCE5Tas8X/SB7wIWip+aAWiipb1JnEDfU07mV4HmT
+8uflYIbnz/88Y0fSNvsDaQY8BWlxnoXAv0L5XTSh6BOxcu7DBicfkr4r6C7qisinYfMXa5j
aW3AsTEjINkC/p7OjdbBYD5h2GC+A1IpNdAwEnSnvSsHL4Ckel4pAQvhwZSEt2908OzKNelq
H3jsee/I9VRw5FecBh34fF1gboEckNN0wdIAyFr+ZlXqLfBVPKqbG0OJArUiK12AgmdLTiqc
AEHLAs4G7gH9JP2H+p4gHWANNUAsUiWtIog0LQEnCKsYJMwgq3zPclCmsUDSQP1K2sqnQCtt
ufYtiG9FkBYB+uq0lvqAOCKVYQbIZbV7YiCIS2IFO0Ecoo/WFdgu8ok1oFSTC4s0ME2VgpVc
sH+hHhHVwSVjFDJoS7RFYg6op9Tx2mPQylFQGIBaYp+mgWgtZkh9gVTasQukX0RbxoBoLLaL
ViDWIxMA6nxRU+QH2ooUKQm0NnJ/gxdIQcYDypegL6+U15cHcUj6IHcSMNFZ1/UzSEOk29QC
5ZayxzQDMs9ZCsifgv22OsF5DbyDfI96x4BhnqfqUQHsByVVWQ+ZpdJuJpmBJ/I9uSqI3WKq
GgDWLrb9rkGQ9E3KuZyRYDxvGKi8Bq+OPo3Ni0B7I/apPwF/MGn18fHx8fEBvwl+E/wmwOuG
rxu+bggFKECBv1rvXeJc70S9E/VOAK1pTWv4/tb3t76/BUOqD6k+pHpeIlPzds3bNW/DE98n
vk98ocWUFlNaTIHoBdELoheAtbS1tLU0FEorlFYoDW7rbutu6/4+Afqt+BUGVBhQYQC8aPai
2YtmeRcAVatWrVq16t9v3zigcUDjALhx48aNGzdADBaDxWBQV6or1ZVQ+mzps6XPQsWVFVdW
/AMXIr/Xs53Pdj7bCY+2PNryaAukf5X+VfpXv3/7x+Mej3s8DuL94/3j/aHzpM6TOk8CpYZS
Q6kB523nbedtcLny5cqXK4PHZo/NHpvB0d/R39Efeph6mHqYQKwWq8VqOJl1MutkFtzceXPn
zZ1QhSpUAc4tP7f83HLotK/Tvk778tbfZ99n32eHwhTm9+S/Lya/mPxiMgxOG5w2OI3fv6Gb
m5vb/8/IfzRAoUFmXeg4eC1eXUmYAj9fPHD8zDMwHTHYzF+BVkM0YxkQQTwPQfpKWiwtBlRc
OEEMEFNZD9JycUyqDhJEMADECVFEfADSZGmTEgPyJhGt9QJuU5xVoJWQFureAI203S5P0HZL
fowCtYSlccI8cBxIGHF/JljrvfSLOQLaZ66I9F1AltbJfgxMP3qVMa2DOoNqNazoAbViGrvq
+4BxVXBOZCVIaWvb4PkLSC6vBf47wPOF2ctjEuhUr/Fem8GzsnfFyBUgVin1AgIgc0VmYYsP
ZHxsOZf9E9gfeoz3qQzJb7zb+1+Fh+fe1H9lgJgNZ8uffgQxO28uvhYGjh7Gox5HwBweeSz0
A3DVcDjsKlg/eNs4/R4U/jrKFLIPGlVvPq9Oa6h4tvqtCt9D1I2IYZGlweuFYYrRCkoL7ay2
FnRHRTGtOZiWyL3kNaCvQhH5W9BVE19IVUGKFS34BvhFnasGg+4D7awaCUos87VHYPxA6SKP
Br3MXhEG0ueuva5b4Njk7O/qCtYhzvWuNMgd51TUdaCNFasoAMaHersYD7oD0iHXIJA7aQ21
aFCmaWdcF0AJErIoBrqrci9yQLkodxc5IJ2XgqQyIF2RxohaIIfRRHQA3YdyvNQfDFtlnfwY
9I2ll1IVMPaS1kntwTBQ6k4wGOZJ10QHUEKlHtJwUM7rMo0XwSB5PPVeBeZ95lYeb8HjS3mr
VBrMm6Vv1L7g6+FVQ18FvD/W5ShbIKtiSlTKA7BXsmdZoyH0dtiU0AcQeSaiWpG1IN8Rl029
Qf6MdcITdP2UWcplsI10DNA6QXr7zOmWe6DeUlur3UB2iPnOyPfXUItlFcsqlgXPdjzb8WxH
3vLME5knMk+As7+zv7M/hL4OfR36+vfH7dy5c+fOnfMSuSLpRdKLpEOPHj169OgBvk98n/g+
+efLGzkrclbkLGif0D6hfQLcXn97/e31v73+vZH3Rt4bCVVWV1ldZTV0z+ye2T0TOr7t+Lbj
W7g6+Orgq4P/+XLYbDabzQbOS85Lzku/fzvvR96PvB9B2bJly5Yt+8/v98HmB5sfbIZqUjWp
mgS6EboRuhEgVZWqSlWhevXq1atXh9LnSp8rfQ6eNn7a+GljqKRV0ippIK2V1kprQZZlWZbz
lv/t5//up8etZ61nrWfBes56znoO9Bv0G/Qb/nE53yXk7xyIOBBxICLvuB0/fvz48eOwJWZL
zJYY2N5oe6PtjSC6SHSR6CJ56/3ez+H3xtu7d+/evXshJSolKiUqL87+/fv3798PZ86cOXPm
TN7ydxcqJ4udLHayGDgcDofDAUeOHDly5Ahs897mvc0bDnU41OFQh98u97sLvzsj7oy4MwL2
TNkzZc8UeD7x+cTnE2HX813Pdz2HHb47fHf45pX/UYNHDR41+OfPEzc3t//7/OEeZ9kgr/UY
CA13VzTWvQ3VzZXTC7cHq9PxxN4W5Hj5pHQMpBHsFDkgDovnoiZwm8tcBOZI06TPQVzXamuv
gRJaPFnAD/JhKRdow2hxAsRjqkr9gMfcFJOBbeSI66ClSB9JRpC3uRam+EDqhIM1Nv4KmvXS
V/fLgml9rS3Va4Ao5t3cdyBISfd73AL8lxovGJZCZhV9Of9m4Nht1JsSwZnqmOb5LWgRprqG
VmCub9CMI0DXQDfTcySon/KdczcYmsg+wgiGhz59A5ZDboDlqaEVWJeZahnrQ+75gD7h6+Hu
4df34krDvY/PPDjjhGfmR18+NYGzjM9Vj4HgWSygqv+n4OycHWkrAfrtWrTrNpRfWalFGaDk
sAqrSsRBflPUynwnwWOprrN+EuSctQy3rAN7dzFMfAOGrbryhmgwfak/aCgFjin2evbvQcnF
iBcoM+UAPgXNqhm1XcDP0nRRFBxlXYGuHqBNEee5A7aWor9rDYgA1Sy8wdVci6EcyM+kadpk
kPJp+cQmcL4URaWaoNSQCopCYFitbyPSQE5jpPgSlED6iMeg5MjRUgtQW4tG0kBwVlETyQCq
ikHSHZB2oanLQBlOG/aD4bCusbwQpDRpAvPA9Z0ao90FaZYK9UB7Kj4UtUBrwGPJBHKG1IAE
UDtwGS8QF8Q5MkD6VrolR4JazxBs2ABaFz6SPgajyfbAZgXsjun29cBj8w2lKYhM2nIAsgtb
m1pegRGzMLog5JN8q0IWgrRf6W74HN6Oi/v40UJw3SLYfgjUBfIRoUKuOfeU2gpse6wmxwPw
yFEGyxHvr6EW+arIV0W+gquhV0OvhoLrW9e3rm/hxcgXI1+MhCL9i/Qv0h8YylCG/uN4pUuX
Ll26dF4i90b/Rv9GD40WN1rcaPFf7bd7ke5FusOZO2funLnz+8sb8UvELxG/gBwjx8gxoK5R
16hrfnv9Dvk65OuQDxJ+Sfgl4Re4X+d+nft1IOVoytGUoyC2iq1iK1CZylT+x/tP7pTcKblT
XqKlu627rbsNXXO75nbNBQ8PDw8Pj9/ePmR6yPSQ6X+1YA1rWPMPd/sX6V3Tu6Z3hfjV8avj
V8ORzUc2H9kM9gv2C/YLEN42vG14W6g/pv6Y+mMg51nOs5xn4PuN7ze+3wBNaUrTvHh+jf0a
+zWG7LvZd7Pv5i2vu6nuprqb4OdDPx/6+RAQRxxx0CasTVibsH9czkY+jXwa+cATnvAEaBfR
LqJdBBzverzr8a7gGeMZ4xkDvTb02tBrA0iZUqaUCVcaXml4pSGcL3O+zPky0ORZk2dNnv32
fs71OdfnXJ/fHy+/T36f/D7wpt2bdm/agf8V/yv+VyA3Nzc3Nxfs/ez97P2AdNJJh4QDCQcS
DkD+t/nf5n8L165du3btGkREREREREDL7JbZLbPh/o/3f7z/I1zqf6n/pf7QcFvDbQ23/Xa5
311Ybqy1sdbGWtAlqEtQlyDwyfTJ9MnMe/bg3YVnCUpQ4vefJm5ubv8X+sM9zo7rhqfxFnjq
Gfv5sTbgXdyrt1clkK+IKdoekOzivFgBope4hA3I4RXPgQc85SnI30mXpRHgqOt47ewB9l3O
Us56IGtyZfkNiF1iqQgDssgScSBVwo8MoJx4RjzIn2k4ZcjNuFLsdCBI9dOzcquCNLx064ou
8Pmsyd1eWyDY0ubwwA/Ad3DLqC4lILh3lV4VsyE0NWCN9wdgHM+PymBQPzGd8lBB2aG7aooF
Za/utVmA/YrmZQ0HtZdjvHoW7G3tkyxFwNbF0iJjD3iVCBweXB1cXgXPl5LhvuHN129qQsza
s/vO3Idn3R7Vi+kF9kXe+4yPwfTYp4pfT3B2zgnJjQSvJ8oUuSnUGFXzdRU7VP61zuJKP0P+
nvm75ysP+wyHqh96AWtSN9/9cSX8MHLHtu0rYLXXhukbVsPJu+ePnPkY3pxMOhP3PRiOmHzk
+iCbdSd0k8F1TTstPgei5SW63iC/NYzVDwf9h6bm+s3gcdzwgX4IGIYwTroA0gPhrc4C0yA5
R1wGQxN5jrQHGC2uimKgNlALuMaBdadrhXMQWL+xzXNVBHmwqCeVBZ9M82vlOpjm63VSAdDr
pclqeTAUk6aqy8GjhrKe/GBeKn8k3QX9FjmK7qDuVp+ou8DxrVNzXQfnETVR6wSuSWRp/cA1
lzZaLDhVMcSVAa5r2gi1O7gs6mKxE1xtRBvtZ3C0E/VFEriSxAiKgfxa56nvDoatpq89PMD0
xHjWtAU8lhMsyoApxbRWag/eIaZ4ZSpkn0xvkvoILBMsx7Prgd+RkDE+B6FwgQLXCvqAqbL+
rLcVDDHG6R6ZoM2Uh5rKQ86m3GGiPrgGufaaZ7y/hmr8wfiD8QcIjw+PD4+H2ODY4NjgvCEa
RaOLRheN/v3x3vWAvqNd1a5qV0FeK6+V1+Ytl4ZIQ6R/YWzq347B/kfe9Qw+efrk6ZOneT2+
lQdXHlz5X+hpfje04t1Qj3cJa86inEU5i/7wx/EPuVwul8sFltOW05bT0KVgl4JdCkKfM33O
9DkDgS8DXwa+hBPFThQ7USxviMVvEWvEGrHm79d7lyA2n9R8UvNJ0CygWUCzALg2+Nrga//C
cXvn3RjrSoMqDao0KO8Cixvc4AZUvFzxcsXL8OqnVz+9+un9x3uXAL9LnJMPJx9OPpx3J0Me
Lg+Xh+f1sCfMSpiVMAvy5cuXL18+eDn55eSXk6Fkr5K9SvbKK0cpSylLKQvEtYlrE9fmt8v7
JpX6HMKTsy7IEwmhOzKNyBEIoVszHc/xA/h/GBKTuQZYCttS/INBSbbU85sDAfWC9meqACEL
M1TOdgUcvfxXZNIg4H5ovuxrIaxdttFFlkNYnhztim+CUJE5NO/XEJYt08h8D8He2u9Exskg
6ihl1eJgqaP+LD4GZa50Gr+AsceonFoKXI9cHeM/Ad/nrq6Jc4FZek13JzDCvB+mRoCSTQab
tcCoqW9QsoOZnVDvQjBbyvIWBbwVvdmMGPCt836f0gOMPl6vaxIoBWUhsy6IhdxiHnBTmPJD
8Bb37PQ2Bn27L0ZfDTKH6TXngOKnjJHfgV7As8n4EVQrfuI8OHNaLDLq3QXqtP3T9k/bD+GP
wx+HP4adz3Y+2/kMtj7Z+mTrE4gYHzE+YnxaRXXdnXV31t2Bj0t/XPrj0mm3LJdfWX5l+RX4
/uz3Z78/++f7MzHrxKwTs6YtLyqzqMyiMn8vV6tmrZq1asLSCksrLK0Aq1avWr1q9bvTy2vK
XSx3sdxFGB40PGh4EBycfnD6welpCUz2l9lfZn8JE5pMaDLhL/iiQ53hdYbXGZ6W6GwYvmH4
huHQbnq76e2mw9K+S/su7Qvr1q9bv2592n7/bDv+Hk+ePnn65L9MaenatWvXrl3TEsEPP/zw
ww8/hJvOm86bzrc/Xli9sHph9dISmtrra6+vvR6mH5l+ZPqRv5f/I79603j5PX9+03amJ0xP
mJ4AHzz44MEHD2Dr1q1bt26F7Huy78m+5x/Xx5rVa1avWf329n/Xel2wYMGCBQvSEtgdz3Y8
2/EMaqypsabGGpj5y8xfZv7yj4/vXTN68+jNozenXaj+Hv9q/07nfxdv/XCgWBd6IGYZ2Ctb
toe0hdQf43d4n4LtGQscfrBr4s4Rs46CudndPWkk5H+U+Wqt6WBN8SzzDocHunH82mQoet0+
ploEpH4pvHGV4UjE2RqxuaFgpbDRuYZDl9Vd2n2eC7Kczr+urA28fXxf+X4AvYt3u74ElPvq
S3kClJxkUmNBX++LcAeDGGZGGz7wX2XfEFod8t0q+0O1whC4N6szpASktIue5ZkMGRoH7wuo
CFq9mO9S+4Ks71nv8YB8YK6jLChXtWHqIBBzXIfch8H1SVKd2AXg9Vm7O4+Bpbj2nHngNl0z
3OtBa6hdtlwGNUZekrnAHCs9Rj0QO0WY2AL6c72u9xewWC2XbQ4wPnOvT1oD+lcp8cZgELr6
SFsP1oH27v7fgxiq3rQUBTXJ9q2yHPTb+lJPX6CScdWYDiyQvxl5QEQqmbRlYNyWr9RxoORT
ThqjQLzHYw6CcV/fLS6BEmbtKLMCe5Rf1WlgztHzGLdBu2Xta/0G/LJbNmaaAc6WZnR4Cijd
LQFqG8Dnnee6DL7Z3hcpnwJnjMnyE1C9WlfRF+R8sVYpC5YpyjixCqRXfm9cAKOOVERpAKGr
FUEG8kTpCHoDsx1FwWipOz3dwVbI+kwpBlwzulpMMPIZbk85sF/TIjQJxhDrIXtDUPYQYAL2
DywNxFwwzptXZF3QpR5uxoBZXMQYYaBMUtZbRoFaVivoCAHVFDe1K6AFKbX1RNAL+154B4PY
wGdqJGhl1ByWvuD5wHPZ6AjuWO8tQwWljdLQMgcM1SwotwFTpVtcBVFF9dm/AXHJUt3sAX4+
tYm+CeyGtYsa959B0u7tA/Vk15NdT3aFHZl3ZN6RGZS1ylplbdr2ru27tu/aHhp91OijRh/B
kfxH8h/JDxd6X+h9oTdsiN8QvyEebp+9ffb2WTAbmY3MRkAPetDjn3eCef0DawmzhFnCwFff
V99XHzjHOc79/n6vK0yPNj/a/Gjz77f7mnPnzp0791/ayzkl55ScU6Dazmo7q+2EtRnXZlyb
ERZfXHxx8UUYzWhG//OG/XeUmFdiXol5IBaLxWLxf7N+i9gitoCvrK+sr2yafpZWXFpxacW3
t+Ob6jN3bO7Y3LFAKKGEwsCVA1cOXAk59ubYm2MvdPy247cdv4UpOafknJITtrGNbfx5mmRp
kqXJf3l9Y8uYljEtY+CHsT+M/WEscJzjHP/7/v6eX71pvPweb9qOLCVLyVIwMdvEbBOzAXe4
wx2o91O9n+r9BFOYwpT/QQ9tWrdp3aY1KDeUG8oNWHpm6ZmlZ/68/d+1Xo8kHkk8kgjrz68/
v/480IlOdIKW0S2jW0bD0vlL5y+dDzSlKU3/eHzvyl//Nv7/CL2EXkIvwb/Mv9P538VbJ86/
WX9r5dUgW2xgW+NDsE9VPjfnwa8bnha6cBJ+bv2g/dHtkP9y6IqIsVB4XL7rRbbBy24EPl8N
F2vfPvNyHmRzZGmvpwCOFH+3D94rWuCTfBPhw6ztVgxsACGWLCGlE8GzJWVy6gEwki2v5ClQ
2opL2qcgvzRXGQ1AKaTloicYbd1JqXeAqdpz63lQ9itr/PaDccE968U88H3j+sw2AcJuRQTk
7ALZk7LPyzYBzpkPv43ZA8qvXkNpAWZHs7eZDFpdS1nbVyD2+nL4FoOawT7R0hgsTZQuIhb4
TC43ALGDwspj0DTLDPsmUOc62jlfgaild/QJUEaaQ00biB/cemp18OX2PHbPAVMzP/QtA59N
X+nWQEtUOyqrQX9hRprnwVLF0cqvMCil1GtaD5BFza6yE+g3hSYLgKxklPAtBnt52ywlDBwT
7e3tw0FGS1V0Bawy0OwH7r6+Oa6joBd3NxJtQKljrWQfBsoZcUvdDNp6PmQKWC/aomUkiO3M
N8MhvkXS+ynZgOfGS7kStItajPUgKBHWxupdMIa4J7sug9xpbvMUg9S54j4HQDXkGT0bWHap
+7VCIK7IqWZWUJ9T0WgDyl1ZwSgGapD6qeMGOFO1EWotENO0h8ZBkA2JVztB0HuBRYNjwZ1d
L89VMMKNreZ9sGa0b9Tmglwg8xtjwNfKuwgXeGJ8KzzfgMNuG6c1BXFcmMpd0Pf5thq9QTum
1hRbQC1g6263g3gg88pXIDorZcVL8EuWhZTfIGSi3+GA4eD+UX9mHAS9vOlWPgdZQH8ky4B6
VZ1iLgQtg+2wrTQE/mw5rY4Eq7SFiooAfPIuAlWWlqVladD2anu1vX+/XZwX58V5MJ+YT8wn
MMgcZA4yIXxv+N7wvWmVpKpVq1atWhW2s53t/8BxvXO9c71z/3y/LcssyyzL3ny/OcXmFJtT
DHwdfB18HeBT26e2T23wvMnzJs+bwKZNmzZt2pQmf6bHmR5nesD1lddXXl8J3Yp3K96tOAzx
G+I3xA8ObDmw5cAW2Bm/M35n/LtLnP9R/fxtwvxH61/z+pb429rxTfX5+pb9g94Pej/oDZUq
VqpYqSLYb9hv2G9ASP+Q/iH94WWLly1etngHivwblMXKYmVxmt//LX/kV28aL3SkIx3fvp3X
UwPUg+pB9eB/kbsgLogLfzzu1/p9zbuy/7vSa3TO6JzROaHW7lq7a+0GylKWsoAVK1YQ08Q0
Me0fH9/v8ab++qaE/BjyY8iPf51/p/P/Nm+dOHt/TPjakh9cB7SGiTpYvxDTgkuCfajR1HgF
gV/7Lc41Al4VUI4YQXC1/IN715MhS+6wa8EzIbBGpk/868PLZd7wG8lQdWGhsvVbQ4eC7ycP
igNrRGDRPFHg2+B6kXoXlOuqQxQGLUKuVXuB7CGz6zXA3M0z4zgoN5klLoB3he+gKwqccwKj
wh5C9OBnGZ7fBMs8S0sjAKydnNH2iaB4LY0clSFiZY5KWXeC84j12Y0jkHTV287WD4zxcrFI
AudLaz5bOUg6mlA4YR4Q557urgCWwUHfOFLAE+TJqucBW0t7sLMRMFa8T2bwzE4o+/Ie2Orb
1/ofArFZZNO+AG2mZZ79OYhB6g/aI7BhC7GPBO6KXaI8iNVGfyMbGN/oFT0TQM2vhKpR4M3u
raXnBNtyrapWH9SvrFabCfID+bW6BihovNQbQ9LAeC3mGVDNOODpDZ5DemV5DexP/S8EJoL2
2PaNf0uw1LVo2hbQSqi3rdeBpeYGPRjEErnZ+w1ov5DB0hocP2tlzcJga2I/J66A87bzsVoK
1EQZ6csNcpD1pGqCt6bnJyM3uJxGHhkA9lHOOwH5wXXO144E8K3jG+UoeM7pW3Q/sLVU86vt
Qb2r/mB5H+RCZZLcCg6X46C9KYjvZX21OuilZISvHgQddmS1ZAWtodrJmgn01WY3RoK4Jyoq
BsjZFpf4GHwP9OWEguU7y0wtGcwaZiW5FpQJjvOWY+Dr4NvoLglqM220qoKoLpfLHGA2M1ca
YSAyK69UCUpudmiFwS87cdIAUYHRZnOwLuRLZS14Q/Ul5m3wXDW/NiLA9ki5I78C50hrdmuF
/wyS998+UF+/HWLFgBUDVgyAvmpfta+atn3Z8mXLly2Hqturbq+6HU7MOTHnxBzYennr5a2X
IcPNDDcz3IRTp06dOnXqvzRcmtKUBi5wgQtguWK5YrkCMTExMTExcLf33d53ewMrWMGK3+/f
67da/FEi+I+StWnWpln/S8XKOtU61To1bTlXrly5cuVKW74RcyPmRgzMKzGvxLwSkNI1pWtK
VwisElglsApEe6I90R4oMrvI7CKz/3y//qx+/iyXLl26dOnSm9vxbfVZ/Xj149WPpzU3q8us
LrO6QPCC4AXBCyA6R3SO6BxQ3VrdWt369uPc8XzH8x3PoT3taQ9sDt8cvjkcSp8rfa70G1QS
X/Om8fK3vPbnN20nZWHKwpSFsCdgT8CeAGhJS1oC+1rta7WvFTCZyUz+19n/Xes164SsE7JO
gCktprSY0iItnp6Nezbu2Tg4NeLUiFMjgH3sY9+f94c39dc3pfrN6jer3/zX+Xc6/7t468TZ
eTswT9hsyNo1sFCuQlCqYqYPcteFkAtBB3wBcNr8bcvDFDg/Krr1jVOg/5SplvNHCDW8o7xB
UGSDd54jEepubTR69hEoFpK/e+UgcC8R45x9QAwVX1r7gIwWC/V6gCI3kQryPVGWYSDay6FK
F1DDlOlqSdATZHMlBRytbbP9O0DCgxfH4p/Cb+cvZ/81HgoNLD2nwktQM2hPbKtA7gNxB7Lu
zN4w2yrwC7Evtx8DJYurr3sWMM04oCSCJcqSwTYXrEn2TY6NYBSxjFA/Br08UeIC+Fn95wWO
B323L9JbH4xBej9fAXBkc0YGrQPfUD2ab0Gppj1Tu4JawRJND1D6mzPEfBAFlN3KLjASjMt6
ZfDu81Ry3QP1kXJT2wnyvAySPwHxWmslEORuMUl+DL4N3qjUxsA1JVY5DcZszzlve5Bl5W+i
FgjVGu4/GpzPnYMsgcAqvjJygLnEO95YAt4rptd4AL4mip/nChgn9RfGDZCX9SpyJpgR9DIf
gSXaYmoGWLtTQLSA5BFJE1MeglHSiGQqWD5VD8jmoJvcMA3wfxw0JegFuCN9g5RYkEmKoY+E
THmCFwbdhACvrbtSACxbtNVKURDhophSA3znvbP0j0EdQUblAxBr1LOKhJQK3nX6ALCMUB6a
60AZqJZVp4NRTLY3L4LvN+9Ez2CgHFvUAuAb6z2p62Bm8fX3NAHbRNssrQUIu/mITaA8p5lc
CsZGva3+EGwFrF9qQaC2FiMs40Cvbsw3D4D8Ssw0e4J4KDsZGqiX1JvaIpBH1Q1KCLh3pux2
VwfjjhIoW4NxXHsmroM2wBqv7gXmv5tAff2QytTRU0dPHQ3NbjW71exW2vYi24tsL7I97WGl
PSX3lNxTEnr27NmzZ08Ivhd8L/gelDZLm6VNKHys8LHCx2DWwlkLZy2EQQxiENC5cOfCnQtD
j/k95veYDzU+q/FZjc9+v1+v2+l4puOZjmdgLWv5/9p7zzipiq1v+9qhc/fkPIQhSw6SDCTJ
IjmJgIJkUUBQVEAByUEFEVBAAUERRIIoOaPknHMcBianzr3D+8Fn3vHBw330wLk9z3339aV+
Vbt2rbX37ur5z+pVtb/l8fPDqB9G/TAKGMUoRv3xeMF2UhdnXZx1cVZhRMrf39/f3x/qqHXU
Oiq8V/y94u8V/9f9+Kv351EpWHT1V5/jo97PbmW7le1WFjJ6ZPTI6AE/xv8Y/2M8+H71/er7
tXC7v1FjRo0ZNQb4nu/5/l+/zutNrze93hRa3ml5p+UdiEiKSIpIgqlXpl6ZeuWvj/dX50sB
D36e50XOi5z3F8ZxPu182vl0Ya7tt52+7fRtJ2jSpEmTJk1Aqi3Vlmr/9z3/x31fx40bN27c
OJgwdcLUCVPBu9a71rsWLMssyyzLYETiiMQRiX993H/GP/u8/lX+uz/fQf5nIfz2n6uu16lT
p06dOn99gGeT+o8u1hfqfl/8ZM1t8M7e7jdeS4PTiVdePzMPlpT/uevyASBesL9tagL3fkpf
kJwGLzes9XSDjdAxr3WZD38B37eBbuY5IK6xHTZtAsNXthv2WBAGa4N1H6he/UfnWyBuF962
TAL9BWGpHA3icV5UtgJ7tRTpGpBjLC7fhNxO6QNvR0HW5tRjmd1BfVN5KbM4JI4s1bSKA6yr
LU2iNoK0yTRW6gvXqh94Y4cTJvgmVJ83FS6/cT8lbQYYD5hKhpyAsIUJPYtVBGfz7J/uvwK+
uepsvSUYDLZTIT1AcKhbAj8CEzWrvxgInzJGXAliC6m6YR5oh8UMOQesPcNbxd0BdZ/nGXdf
yBubXSz1IOjRaqnAJjCclpfJxcDwiynElgzaLp4Wz4Gq+NJzj4G2wFDJegrkIeJaqQToBq25
/hVIh+W5hkHA57wjHAXNpCdoe0D+2rjcooH4gx6nXAJfGXfRvGoQyPX3904Ceb60w9wLhCek
8oIdhGriKO0OyBulfFsIyC8bNxhLgR6tVQuMA2GWNla7Dd73fKO9C0FL1cuqVlCu+U/4G4L9
qrWPaS+YsF0KBZTTaiMpEyxfW3YZTRA21Bpp6AHCwkC8vwEYvzNckd4Bw4tSM6E6mIsZroqN
QOohOgkHf9XAE3o/cKd7V3nyQT6pm9X3QSmmhvkk8IcHtgfqgOGifNRgAbWbNojmQBdhHTtA
H6E6GA0cF9/kEPC07lCeANswuxThBu2k8JxcBaQa8hWTDt5e3jHuONA2KpsC1cD4lbGs5Aeh
q7hHrAuKXxgrfAHaz0ojsR8QqlkDs8F4y1RZ+hyiVlrv2mdDaP2IN8yj4M133j/6/rm/e5oH
CfKfSUGu6l/NUf1PpSAHuHq16tWqV4Ow62HXw65D1pSsKVlTCneTKNi14d/F/7T7GiTIfwKH
Dh06dOjQY4g4kyqEhZ+E8zWvDTheHWY99831GS3BU1M5Yz8P+bMMXl0EcXfuyNTG8Mqs6GZ1
9kG7KtV/+KAj5J7NSXX1Bm9oWqfLeyDxwNO2xj3AP0BdrSwCcbyepOSCqAkLjb1ByBUbCINB
GK5n6QtAqydMlRcBU5ijrASTVWhoeBJ8E6UrngzI7Xpk18bj4Bqyef6pNyB22tgm4+6Cfrfy
3uiroH/MU+JOiL1WrHTSCihaKXxLeEO49nxmJ+dB8BkConcCaCV1RYgF+Z7xmsUE7hO5z2V1
BcNKyxMWBaRk6by0GNTOtBZ6gqGdvMZ4D9SPtRHSU8AcdXUgGQLbXfczF4F/nneHvxZYTppf
sSSBkMo9kwG0U3oPrSXo4XygLQf/3MBT3iogfIgirQVhPemGH0GZHzgbuAUk6939L4I8RMzX
V4H/UOC8EgZiP3GkeBzEw+Kv+k0Q+xmjjA4IWRB6JkwBntKeDSQCW6Rr5kHgm+ip5esD/hTf
IFcn0GL0BNdpcK/wpOZ8D5by1nE2N/jWKlXVQaBe1Capc8A6y3bZOBKkNtY4owOMlw1jJSvI
H8seloBxrfS+/h1wm0/Vc+Ds4W8ovgPS80JAGgyu7/ylCQXDPnE3d0Bo7YsMWMB43HDWsBr8
xX3fBb6HQEv/x+o0kN7TVGUYSEelU2IC2GZYz4eUAHmh+LzYF3w9vce9ncC1ybPYOweUDuJg
SQL/TndR1QLmLoZvDS+D9KGvn68xBCqpH3kGgOpjoKcSiLPlMabloMhqkjAQnHZnqLstmM4a
fzD3AfUH/yx/ElgHWNrLe0ALE5aZJ4H6i7pfXAHyBesh4QQIXnm1PPfvnuZBggT572SfZ59n
nwfOWM5Yzligf4X+FfpXgBV1V9RdUReqx1SPqR7z6HaCBAny9/HIwtnyjam660UIyfa9EAUk
L7/nDnwLUdviBmvjwXROS808DR2d0V/XPgZttrQ+MtYLt3Z7B6dpYL2c/rX7Z4gsVmnBk0VB
W6At5TQISfo4vS+oIfqC7I4g2cVDYW5gAxeFi6Bf02+L84BQ9Ud/J5DSrEttz8HtyjeOHKgC
d4dM/GjcajD1+PXH1O6glfDtk26D+Ik3UW0BsoJfrgZ3xH1td2SBbW7UFMfnUE6s4i3VEfbP
uvVi6gHwJ/hq+l6CwLO+osqHYOhtHhq+H4T9OcuyXgG9rN/oTwH9Z+Ovlq1AH72E9B4oy5V1
+mugbFAiXBcAn5gvZIJ/XfaO1FCQehumGyxg2mj5Kbw6eF71nvYsA8slayvrIVBLq321s2Cq
xqdSfZA2Scvln4E3xKvsBW2j+oG6HrQ01WXYD0IpbqqVQXpZeF/JBb/mT9dGgdBFuxn4CKKe
D4mxJYL3oudbz3eQL+ZaszYCndSn/cNBT+MHaQ1YGtvWh94BoYy0VewJuq4s8y4FX2vfend/
kJoZGhifB0clexfLaRBKaW65N6j7tFeUkqA0o4I6F3znfVfz7oI+QVuvfQfyVcN4a1sQbgg/
mV4CxnNW8IP1Z+tmA6Bc16aJg4AaehNmgTfC94z/W9BOCPuEvmDYY7xpbQC+Zr5O3kHg2eI+
5rkLWc872+VUA9NEg026DIZL8ijDEMje52zpHwnh2x0TrC5wbLTvFxuD2lbsangPsnc413q+
B5NLCAtEQGCiZhHeBf2wEC9fAXmjNFr6HEyHTb3lmeD/3tvXew1EoxDBEfB/qfgC60Fxq5HK
EbA3ML4vR4H5inlIqAOkU+IX8nMAjEH9u6d5kCD/may7ve72utt/txePj4ELBi4YuABG1hpZ
a2QtaGBtYG1ghYqvVHyl4iswcePEjRM3/vv9+J92X4ME+U/ikYXzk13CGhbpBzk3xCkhMRA2
09bSsQVCK5k6BtZD94pdIt4aCJUqlezbbQ5om6Lzo3ZC2BPnvAe3gy0jOq28A0zPhS2MuAe+
8MCPgX4gPa+d97cCcYo+TV4I4jyOmw6C2lefq38MQmUs/nZg7Gh6z7we3NFONa0enJrzydWP
kqDswoOdMvxgq/7EzjIahH1lqBsSA9bq5QeV3geKJyAo+WDNLNqo6FqwHrO1NjmhiDXqVlQm
hDW0nwjbAc4jrvi8beBq4fzBnQxhudGN4nuCsYR5lnUV+BupFdUQMI8yD7JGgr5X2KrPBvUF
/zW/DSwHDOUNL4Dyivy2rRyYn7CmB2KAImpd/xfgu+Q77qkOxq6G5+SPIdA/0EppDEIPabnc
DAzvS8PUdFAkNijfgjhVdwp7wVBVjrP4QI+X2mtHgR56K097ECKE9vJkMMw2zTS+DsZxhnPG
LPD2cd7L3gCp8r3XUqqA2NvwvHEdyHZDZVMMmOym6catII+Q1xu7gn+096h7MIip0gnjTyC5
jPdMUWBoIfcWI0CexRXlIhi6mt+SbgId9CMmDXzjlQH+scApLVbqCrQTL+ivg3+5d79/MYif
6nXyLkN0i7AIswziTdXBQDBMkz2mPWDYYMQ6ADz9/F0DVgi0VCsE7oBcRxkhimBoLdTWp4O0
1RhPPCg+tZ+4EvSPte8DySCMEhONTSH8laj+0Y3BP8A3Re0F+nF/N/UOqKK4WaoJ5qWmI6ay
YJ1vnmOJB32vvlSsBaYthkXSVjDUFCpJqaBeVq74EyFwXM6mNAi3TL9aXgGP1bdfKQpWk+Ek
L0LMxvAnjIMgvFlYz/CyoAYC/ZRawO6/e4oHCfKfS5G0ImlF0v5uLx4fMe/HvB/zPixhCUv+
UYc61OFfSIn8q/xPu69Bgvwn8cjCOQQ5MXYxeEeGNs9PgyI3i9cJdIIO85+8MzgX4meWyqwZ
Be59wljxNohlPEtdZyD0TOmuVacAN8R5hq0QkHyx3i/AsEvcaKoDgfL5ZW7uBfF5K4ktQE9h
gtQPhDkc8r8LvCnGyffB+6Xb7boN+4svfevrBWDtlTMhSoKEBe8aWumQ3ffCtDNlAf1SnbsR
oO1XPnB9CtJBy0JzEQitnHishA3MlwwVxG0gRzm6Wd4Dc29LY7sLDHct8xy54HK7emSuAVuV
8CJxw8D4knlKyGDI6Xj/2I2awDva80I9MB+yLbf/AloZdYf/I9BExglJIFmoLGwHxawu4joE
3tLuq2VBj1EHKiHAXUrppQCz8JV0E+T1+lYhG7RG+v7AZyB4heGaD6RZ8i5LOliWGo+JL4P3
BbfoXgniMOorW0FcLQ+y1Qb1BXGwtABUzT/e/Sv4Rwfsvnch+tOiHUrVAdMm6T3jFyDJHPX7
QKqveZSvQGnoX+JaDdIgY2s1HALpvgnqRvDN94z2GUFtKk4QQyGkigPrl6CfZwGrwZ3qfsWb
Cmp1rY63BNieMf0g3YGwNMfrISVB8Whv+m6DPECvZ6gB0nEhQwiA9aZpof4FeJ/zLRc9kD4n
d6uvO1gaGJdq74K5g2jnDHgt/nTvOdCj9V1CTzCvMkQb3wayxLPiCNCvq5WNH0Dm4fTuafOA
IrLJOB2UZ4S20pMQluaIMn0A4V5bmcjd4An4jd6DkHvcHa/eArGKMM+zBOQnxe9CfgXPEM8x
XzMw9bUMkK+BUk5YIp6GrAMZgZzdELY9JMJ2H8wbxM2aD0qcLC6EmcC+1rHOEQeuWFc17x0A
Ov7dkzxIkCBBggQJ8nh4ZOF8t5Gzn7ENhGfG91Fbgi8l/YObL4LnhZxDmWMh/7hQwtMJTKul
2pbeoFzlU/1jkPL1FswEJqr1/FNAXCp2Nw4HVVf2Z9UAfbD6g/4VCJ+Y3g6LA/1FDMp0YLx2
UTsBpmnGsua1cKjDwaWHs+HYaye7Z+6Anhm95r38PITMei67pgnSV/T5aFhzcCnOIpkdICd/
Q4Xlr4PD/Oy9F18B08US2+PWQU7d7EauInCnXG4vSzzEfhN3I3oRpLfKq+edAu4u+dZbO8H9
qsvnqgX2QY4eoXfAOsV00zYL9IxAB1dPUEMCu/T7YIgyGR1Pgu4VQsV5oK8lTp8L6tNKUf8V
MPQwjpOPg8FpHRwxBPQk7SMxBbimzVcugeYPrHbtgMAQ3ynPZZB/MtQUR4Ivy3vNPQj08b54
wQb+TZQ3/QDW162HQ4uCvYettPgOaAHPfmdlsKTaz2obwDVDkc1twTXN2819DgxV5DmeDaCH
BmI8sSANlrpqT4LdYR5qbgNMlzItGyH3grDPVw0corzYNBH8IwID+AC8XndX71VwDc7fk74L
IndExlp/AHNjQ6b4AWTG5K1zfgG5ZbLn5/sg7OPQN+2RoIrCe2IDUNcSLb4CBkvedqUrqM38
jfOvg+lJ623DSMitnvuBegf8HQOjfDWBOWJH9oN8Ql5ueBeUc/lj8oaBPNNQ0TAf+FhbqncH
49PWlZb94Kvij/QmgOltkgIdQXw5cFwLBbm5Xss3H0L6GVfIGSBdtXQwDoSAQTlm+AC0OsLz
alUw+G1rxG0QWKL21uuBt6US76kI5hRjijgIvN3yY3J+hdKrk47aJXgivdKoYt9DXlR2W/EY
6PeF10M8f/f0DhIkSJAgQYI8Th5ZOFe6WrlpsTOQPPbsGXdLaPzD054eKyB+Qk1z3WXAMFMZ
qw5aNWULJ0D4TvhS3AhsE7IMc0E3qJn+l0CYIpYRM0F/x2nIygPDaL259QgwS/xKbA3+484S
+RVAGCfMU4uA1iLQj41w+/KdcfJAaGR4qVn9NIhq+1SpCingqnF/csqrIAg5O/P2Q9jJIidL
xIMpv8SLlY5C5pOzuyxpD/HS6A79r0NOJac18DIYv7JGxUyHMlNK7i4ZBjdb3o/Kqwy5M3MT
7JPAfTQvkP4lWL522IpXAkvtkBHhAhgGcDuvGYSscHSUZXD+7Dns9oOjvO12SAWghrBfKgLy
7vBq4Z+A/44QbfwM1G3Kl75I8FbK2Z0xFPRqeh/lZSBevCIJIO2UxguNQNwqRImhII4xi6bB
YK5gu25fB6FFjRZLGljfsqwxFwF/vvMt5yRQ5/u3er6AjCfzj2lx4Kzrn6ttAf2IFCdWA8fZ
0E/NVUDeLb6v3QDDDqmo3gnYSW2/CVxl8xcqHUFtqa/Qr4CmCgbjNtC6aqq2C0zN5O1iOpQw
li6ZcB/klvoZbSRc7ZKi53cDCcNQOQ78Z7VWWlnwX9LfoT+EvxT6a1gYZG3IaeAuDhme3KP5
2WA5ax6vfQnKJWc7pR7oNox6DMjHjOPk2aBnkYYJ1B/Vmep4MO4zHTaFgjZLE5T6YOhtmmSM
B6W9atGegUCa9oP+M1hftmab7kJgp3pMmAwZh7NaZOwB+2j7246LYDxqGGz8AKQoua/5InhE
d0/XHUDRHcpsUDfpt4V1gOqu4EqGQJjkF++BuYr/Su4yqGQpbooKQOR9y1JHMuSMTB3gvwqh
7aPtjmz4b309XZAgQYIECRLk38qj76oxyvvM7WtQ/VKJiWWLQiWaRL9YATTFGim2A3+rzI7Z
9UH82rzBFAWiwgdKMqjzhAGKDYy1zDn2l0BdLj6jDwW1de5Kd2kI1Nbv2fuA5YX4EH0D5HfI
2+ArAqFa2MWwWeBp7P/RXxeeOdHwvTJmiO+QqIY3AZ+SZ0jrCqqa2zmnCRgTXDq5IDaPKWWe
A4aPw0Ningeu28aHlQf/ydz7ueUgalLsjLgXIWar/WO1NEjJMYMtkWA/GnJcWAfGamFjYlLB
eSm9yM0O4CnmaR2/Ecxmy+rwZSDaXa95HRBWzrjLvABsY4UflAYgW9X0VBGEc8I5qRpob3mm
5b8P6tfqdskC4mJtstQSfPeEuWpLUI5p1fUZoH/lX+WLBrmZpaXtFxBqakmKG3S38oxrO6hF
PBukzSDGC5OM24EjQinvF6AX1bJcv4JQ17DDNg7UteoP/oEQqlrqycXAes563dYerOcNS/V6
YH1dnhYSAerIwBDf8xA47Z+o/gz2WiGHhCUQ4TDNM7wGeT38/cQZ4H/O09C/CpJKxCw2SaDE
KQuly5C73lXSewiKRMW8bQ0D98vuKYEykFVc6y10AfW2L83TA5SVzryM61D0K2t/tQE419t2
h+yBdGPel4FOoCUrVZx9wFHDIhqXg6GWoawxAdhPCiNA+1GPFkpBQNFi9RMQ+EDJFA+AMEs4
KJ4F22FLG7kURA8MHWKRwayZE+3poKwLJAtDQNe54gP0Qapb84A/y7vLmwTCfsNmJQXyRzqj
8oaA4NXd2jvgq6P9rCog1FQbKgvBc9rfU/0USl6PP2EaDWGjE58pkQgB3dNJLAPG12x9LM+C
rUXEDyEX/u7pHSRIkCBBggR5nIiPOoB0U2+QJ8LTZ5trHRTgim2+4UvIC03tc6cN7J34Y48V
4eDaeedM8hpwD8/Mzn4blPL5sfkvQXqtk/uPrAD1affnzlTIrZTzqgqoT1nOhn4HyhH/LsUK
yn31qiUPhKXydUGC0C12ybgd4jJiW4a8Dr56rjKu90E85ZgbkwF6CechbQ2IEzMrZ/4M4jeG
4VYvSPND+oQeAeE52zlbJdB3SXsNkSDk+j92toVS5uIZxXZD2L2Ir7U64NhmVX35EGoJ7RQT
CpJszDUPBfe0rGkpo0GNlaqYJoLnkDDE9h6cn5/8UfZoyBvqi9Bqg+mn0L2J18Fusn0R0Ray
O+YP9wK+r1wz8/dCdsus9JRW4H7bfTt3Cain/YNdp8D8vikgNQRrUWMr2oOpqslqGQTqZf24
OB6Ui4GXXBUg+1JumeTrkO90LXQOgYy7OfHqQEhpl9klrzxELgqJsk0FS1nT+4a9oJ/WnvRc
BOGE/rLoAMcCi2Z+HUJ2OoaGTQRDtPlJyxAQo6UajvWQUypvjrgKnL1yrb4poJzyL3QdAF8P
z9u+98D3kn+lMwKsW6RsTYHYj0OetcwH5Qd1rR4Gzqm+t9yTwR2uttEOg003vqpXBC2N5yQ7
iKPVcDUCDOWEtuJ8iHot1BCeDfJs03prO7CmWD+2bgPpWYbLw0FfJDxNAEyviqo8BEwlDa9J
80HoKCUSBv7cwHX1S/Bf932jVQatnB+fBKahcjzrwdRSfN/wKRiXSm/IJUFoIUwzXgPXtbzX
/M3AleVp4twGvhya636QQo0bjVVAbGMpZfkGwm6G9LPvhJJHS6YVLQlaTzkjdAOkTczb5J0J
ca8kdot0g+mM1lcs+ndP7yBBggQJEiTI4+SRI87FXNaWDV6DhPol1FpGyDNlrkxNgMuVjtc8
PA8yrkcvFwfDTzP2nlv7NCTlmpKLLYZ6c7uFdRaA3YaxBjvQyLUvOxwCW3LWp28Ak/OJZZWq
Qna71MTDe0BqpT9jOQ+GvaZ3qs0Ef6PAJkUB+qlX9CkgnxRyDJ+DUFXoL10E5VjKovRboPSR
frKkgjk+skyMHYTycacSDGD8Oiw1pA0IV7Wqem0wJNueMTWD7C9sdS9Mhow5uXWPbYYnfnni
ekRruH8gv7d/EDieifq6WB5klb67/Gp98G5xds9/Dswv2MxhLhC+8Oe734Lcbr6y+g+gDUlz
ujZCyOfG9poKEe/HDI/eCvp8LUSrAOZJzob5YyFyRejcsNqgn8AgvgGuz/w3Pfch/6i7tf8T
8Bg8pb01QUiV+ptbgXaH/oIIYi29jToQXIL3m3wjCG2oykKI7xk5zzEOQkNNrwkNwDXUu0jb
BsJ7Yk9hN1i2G9tJ18FXMtBK7ws5J7LzsvqDv6Rykbng+USJd34H+h3tTd8MsH9qnKl0gMBF
ny9QHDwz/bMZCHH1woZHn4CbfTOWZ74B2T1d87UnIfC1Xlz8HCwzTKMDlcGeanxdLgMMU7cp
E4ARxi5SFchf4a3IGMht4J7rtYNxmRQp/Qhx34ZVN48HMVncKdUDZaq5k8kExsr+3f5WoB0U
NvAmiEOUZKEk6NlKNX08mFwmkeLga+2d6psM0jJhkpgCOd3zAq6tEKiiTtTrQiBGW6V8B4YN
pqNWK3jP+NJcxyD0ldDD4QtBuaz4tc9AGaNvUgBxrT7D8DMUiw47JR6FSlfLGJK6guVDQxnb
MJB6yJvtzSEiKSIzXIHjy3/tfakpVOPp7ez/u6d5kCBBggQJEuRx8MgR5ycnNp7X8XXwe9TO
yiKQThhMFhkYEfGFvAly2ru/yasNGWPkKa4yEBKWuFCvBIFGGR9dSwfju5HlI0cCMz3HModA
1AuxxRw3QKpjnmwcCpGVoms8cQGiVsU9V6ovKCeVH/ShIESxUa8F4vf6OVaDflXw8iVoO0HP
AP1TtawQAqyzNXJsAt3mW6K9CoYBBothE0jmpAVhi4GN+hRxHfhF9133bCizvUhc1KeQP11P
0UPBPSlrZsbnUCw0YrtYCQybHFOimoO5hiMi7Dr4xmc3SasAQoI2wTgVzAtsX9hagOeKr7Pw
E+SN1tvKDsjxCNHm6eD5TBkr9AFtq9ZeGguG7ebtNg9ob2oj1DRwnXLddHUD6aya6d8JCS+G
R9tDoVhyzJXw98EY0Bb5NJAC6tFAOjiqmRfYvgbzRuNSQ1uwzDIclnaB+Z582NAdbrRMy848
Cn6bPlD9CmydrVMcpcA9ztXSGwZ3X81IzFwKORVcZ/M+BvcL3urZU8Ezyx2VXgeU7wJ9nPng
uulprIWBFC2d1BZCsWeiv4lKg3PhN15Oj4DkJtkh3r6Q3cM12DMPhHm6oq6HUJNUX1wNMfNs
9cV2IKw1NpRKQZbFWVPKB/83gR/U9yA6MqylZR3YFpkPGCxAQH9N2wDpZ7OkvPqQPSP3XZcN
vDU9Vs+n4N2W78v/DtybXC1yO4H0IrO9E0A1eDPEU6Bn6+3lNpB91rnI1woyxziLeVpB2rWc
+jm5kD3SOdq9DLIP5zbP6QDGM0YPc8FYVtws7IKQFbanjZ9A2CJ7uG0LGAKGHKZD4r7iKVHb
If5WXPe4CAhdawq33YOil0tfKPMFBGq7h2omuOY9br7Y8O+e3kGCBAkSJEiQx8kjR5wdJ6LC
EmqC9oa+lAQQdWOE4SSkv57zQ/YL4NLuWO7boOaw8neq3YRKX1dd2mgUKMdN8+S7INXXDukW
UGt581w/AAeETjQHVqrLXaVBu5//s+d5EMtFtE64C9KUwCrlOmi/iKvYCpQUX0EH/2y1me9V
MI3w9/PfArWNckz6EvRcU759GAgb3P3kicB9kLaDcXVirdgKwPdKcuBT8LfOaHC3KOT1c3RO
y4JyzWsYn6wLZ4+cO7DAB3XbVvmq/Mtg76QvilkOv67wbijaG3IO3x10sTR4huW9nroCLG3C
X404DNKgwFu+2aAlKgO0saCNMV6OrgJ5T+rPqN+D8q6vgasFGK6r32n7wfWS55C7DNg6WRc5
jkPIPKGxdAisHxnaGX4GaQfztAOQdCh+ZuQgcB31CcoS8EzOX5bTDIpMjj0WHQHOCt5QtRaI
deSPZAsUed7+WbFbIBp0vCp4prkvO5eB874nNXcLeI96lnm8YN5qOmEKBWYJe00fg/2idX2I
DSwD5VDhTbDMlaopX4JpnPETqxGuTr17zTkDXAu0HF9/sOwyvG26DtGbQiqYFkHK+NSh98Ig
eoGjt/VFsDe3tQ2tBucCd8bffw5MH5qi7MPA8YJhhrkcyAYlwTUAtC5amrgHkk25I5TmoCer
6/w3QavKC8bOkNNIHRJIAU30dlJWgfa8csG1BZxT5W/1DBDtQnW9B4QHomvGvQuBiUp9skAO
F++r58GRZvlEPAV6rj5QTwTjenmX9hSE3DZbKALqnsAtXw8wb7fvCTeBvtK/Re8IYT/FlrRH
Q9SF0vvKrQVPtqab+kB0enzJmGYQbkxYG50CR+LXDPrVBjfW3n/1TgjQ6e+Z2Dk5OTk5ObBk
yZIlS5YUtvfq1atXr14QFhYWFhb29/gWJEiQIEGC/L/KIwtn/bKQqC8C1eaqkz8aspT7M67E
QImpqs1SCcpNrCo/2xcSi1Td9PSzoP0Q0yyxLIg3/Dd8CSBe1UOEheB8/1arU4PBmh7rrVIe
dKd7YP4bwAR3/+zawL2IbxOqgn5JbKRngv6McA8ZpH16mrAS9FokBU6C9yNfuKs3BGpeX5G8
FbSFWl+6Q05f2Z73EjhO3Vl5cTp4Nx3rcawqWJ58YmeJc2CuXE0rfRD0+97aIRPhybeKfGrx
gG9Yk423r0HF8hXebx0JzWfXHeitBamnpj35XSc49aV7WJwH3J9kXrl7AuSGlnTHW2CaYj4W
9gv47uT/nL0J3JNyjmR/BAafyW5sBUJxYb7QA9yH9ST5E7A8Z3SFlQfvN+oS9kJOC2mJ2Bx8
kYFt9ITojY4XbAKYTObytg8gv40z130XAhHmSaamELrQ+rT1JMQ+E95BTgNvE98UfQw4ycvP
vQJSL+Gm/iFIc+wlDWPAdt3cOvRj8I72NbL0BzoonwSqghht0I3XILuze5vyPQQW+gVhMrBT
Hi5WgrMf30xMS4fAFTlOmw0Oo2mjqQwwW6mTUQ7utk8fLXYH+5OWr00eIE1M8wiQYcr6yfwl
hP0aNjV6KMQZw1OsIyBXzqmRdx/8Ln95/SXIGJV7x/kp+NaqJ9TLELUi5BdzYzCJpg/0N8D2
ZmCAeBAyNI7K+0COk9TwSxC9N+S4KRZMZeXFahb4W/nrijvA8xzb1HIgdTMKBh2kzdpRS3XQ
K+sNAz+CukHrrM+C/KXuyqoDpFdNu42LIK+rc593BDhOmDcZVkLC2oRjMdtBKC8esC4FtbVa
Tb4I9iOxW+MuQWCMa7HrHTjoO+A+ZoKT1W82uaH/fRO7YcOGDRs2LBTQBRQI6ZMnT548efLv
8y9IkCBB/qfgdLpcPh/MmLFo0a+/wuXLN29mZ//77JUtm5QUHg5vv9237zPPgN1us5lMv/fH
5wsEYOrU3bsvXIDLl7OyvN5/pz8REWYzvPtuw4bly4PdbjIZDIXHvV5N0zTYsyczMy8PcnMV
RVH+ff6EhsqyLEODBpGRISFgNoui+Mj5FYU8+q4a21wbXGvAm+++lLMYbLXCVsUOhaJNWhWt
UxG0KZzTD0OgrPK2mgr6fK/qvQX0FcP01qAaA2+5jGAOD381shbINYsuLF8RpBn2eiGNQN9m
iwwfA5qm2oV3QO8hfE9LEOZxXogBrQJd+R5MawWHYwao9Wy28PUQvrl2tYTacOrI3UZePxyv
HfPZpUvQdbSUdSsc7m8qr9/9CBKulninWDjY3jb1in8VpDLmOWEfg4Te2j8Bmr7RxD+qIuif
6tn0AeG9hCO8DR1rNou72A5uDlzT+vQ3kBPhOphTHpwfZDW6lwlhYmzZoh+AqYwtMmQxeHrk
H8/eBYFZnmbaIRBai/vYAcKvhtmiHcRbgYmWr0EJlasYPwL3NnNfOR6klb5PPT3Al6e+zDeQ
v9DVNvcjMJ9SHXnPQfaQjDv3fwTmm78O7w/MCrRSNoA4Ql6kTgXzSssq03oQhtFBPgF6fiDU
expCepruSHVBM0oOW0tQ0sUMczy4o9xjlGrg6uAxeJ4BVmmDvH1AfF44Yt0CYbkRt+wGcD2R
tz3HAZ777q9yN0K8KdoQ9S5k5mZUu9IDQjqFLU6qBqFfOkbHvgPZd31d/efAn5PzlnoWMt72
ZqXMBPNWy1emryHrRP6v3tvgae+N9SVBkaz4uRFnwLDfUNM6B3hJ7eiNhvAToc+aG4E63t88
rz+kxrjCXZ0hUxO+kQeA/hFp2keg9aQUTcD0rcFlTAT1oPCcfgQCP2sfafPANz4wR/sFlCeV
1z3dQaqkfSrUBH0IrTwiONZYk+STUKJiMWcZDSL6RV2MrAWGj/yvaOkQ/lO0M3onmG6LS8RQ
OHBw7epjy+CX0xedlz+GtHjFoF35930xPIzdu3fv3r0bTp06derUKbhx48aNGzcKj5coUaJE
iRKF/QoEdpAgQYIE+deYOvWLL/bsgczMvLxAAMqUKVUqKgoEQRAE4fHZ0XVd13VIS8vIcDoL
7U6cOHx4s2aF/SZO3Lbt7FnweDRNEODpp4sVi4j4zZ/Hed2/eQM3bmRmOp2FdqdOfeGF6tUL
++3YkZGRkwNWqyRJElSrFhpqt8Pj9Qb0/xOsunvX4/H5Cu22ahUTExHx+Ow8snB2l3MWz34K
jBeMC8xzQcoNmRi+DzxObxtPMRCKabeFVFBXyFsZB8ITYgt9NEhxhBg2gr5Nfcf9EhifL/59
xXNgPGLb7rgGam1+4joQwyCxKBhMek//UxB4VvCxETioNxZzQfcKh/U7QGvqqGEg3vTvMRQD
a/mGb9R6A/LPZiVtyYacMsm7/B0grym73LtBnV7qSNGq8Gvby+f2ZkCzvSEny70E3rC0o+aj
cP/j25ZMBYx1DUuyhkN2l5TF909A9qL7A66kwKm+t15MjgLrB45GIb+A+wW+KtcevENvHji2
CfJHZu9Nbw0htyIjYjaBsb7F7K8DAaeveO7LIPUT2wtDwd7TGhHSCphhsBiHgfE5OVmcBKG5
4gLtHBhKGG87DsHdG3kT9VjwdXR953sJsk7pAwx5oNQz5kTpUGReSEnjR5A5LmuxezhIC7il
50Cey/2zbgFfKbW+zwxyCXmJkA7e8lop7TmQW4ghuW/CPS3nnGsPSKKxhqMiGGsZfMaGYJps
qOR4EazHueHdB777ns+zUkE9PUoqhgAAO1BJREFUyXTdCqYh5m1aCCjH1fe0KlDkudhKZadB
eL2IWNsZ8LzouiDPg7yU7IueDuDqoY3zdwJHDfs5y3HwNg4ka2XA21PdSgeIfSNmYdRpsM6z
trYUgbuOe+Oz3RAYFOjvOQYc1WcHVkCOwbvW7wLhc/kVa0MILNZuUxfMcyxfGL8B4wE5WzoO
ymgtXOwIijFw31sMbDMNw4XVYPlSdsilQf5RWhF+BXI3+k8HOoF9inGz2A7KDS1aLzYVivUv
Nq3YfTCsFO5Kb0JsROTQ8GsQFR75ZVQXuPTmr0mXv4d1bTaV2h0KyXd9ZV25IHcUt9nf+j+T
ZOvj/XL4r6hWrVq1atUK67NmzZo1a9Y/7xckSJAgQf41zp27ciUrC+LjExPDwuDmzXv38vL+
ffbsdovFYCi0+yBnzqSk5OZC6dJxcWFhcODA7dsZGf8+f+LibDazudDug6Sn+/2KAiVL2u0G
A1y44PF4/o0vCAsPlyRZhvT03wT04+aRhXPKG1eN118BnzX1TtZEqHaj89qOGeCP8JUNvAL6
SdnMdyCd1U5wFITmwgBhAegJ4ineAf2ifs7XCMSSYpT8GWg/C3fkROCq1ifQBISXhEWCGwKT
hdfFqSBe1O6KDYBY4aSigzBM3y8eAS0Eh2wFvhK+CpQBtbz7ZeVrKDMi4Y0qn8At1evZOwEy
wuUD+Tsh0aRddbSHlBfUb+XPIKvm/V73dsMnjrevf7IUbprSDIEPIHKMaUreLNAPKnOcIyEz
xrXI8yp4PrevL14d4rsX/SkpAZgX8nzoZki/G5Vb7BB4D6R3So4F7xnjc+Y94AgJfTvkNgi3
+FxPAnO2uCAgQVjAoKtXQX9Pvep0Qmhn48tiKTDvksICUXC1VfLLOSfB117Ls9YDdT/9JBfo
HampDQP5J6GzfhZSU3ND/LvB1thR3twG5EFyVUt/8NbwZHreh9BMubcqgRjgFeE6GMvKXWyn
wRxmDjfHgHG+fYsnA4QitOQGiNuEZOEJUItqHwa+B9syOV26BuaXjaWiZoD3aV/H3KogtKWF
8TD4cgJPKHPBt935bH4OBJqa1lrd4DK6Z+ZOAn2B8LYyAYp7w3sJNcDoEiKl8ZBt9izQ7kFM
l9AdlnwIPWlK105ATlL+4vwe4Fa1z3Q3EEe64RPQsulNUzBftFW25oDlFcPThqOgNtWPqF1B
jVG3CZ1B7aMfEW+AvFbSA7XB1NdcX/ZD+PrQ2Y4O4F3uTZIvg/sjXy1fJbAdMdilSVB8c+zZ
0PMQayy2vPiboBcVPrIEwH5Q7Go8BUkflLIktgRXIPumezpsfuHnDftuwJ0uubdu1AFLcT72
xoEyW0eIAp799305/CMKcpcXL168ePFi6N27d+/evQuPF7QHc5yDBAkS5PGgKJqmqpCb+1vK
xqOPFwh4veD1uly/T7Wz28PC4uIK7RTYfRC/3+8PBOD27Zwcp7OwPTX11KkDBwrrsbFVqz71
1KP7W2CnwO4fr0dVdR0yMhTlHx3fsWPLlqNHYd++Awdu3IB69Z56qkQJaNy4efOaNf+6PwV2
Cuw+bh456yPbrzbKGA8ZAdrmtQH5O0GRroPQVd+lRQMlWMUxECYJq4QtQLq+VzgMwkfCMqE6
+ItcDfnFBMrO7Lyc3SDekJPlAGiRQjfxTdC34hHKgHBb+IwewCihqnYN6MAQoSLoIpX0aiCM
FZoLxUBcTjTTwacI7+rroOj40p83vAhNE2vN6NgS7M+ay8XXhMubM+TzZcBstpwMzYZ9yQef
PlAebl60mO+8DX6rtaZnB9hblP289CmoVu2F95/PgVKNqpWpOwiGlu5fq0sXqOeooMdMgNj3
WZU3D6wLYpoWWQGyP+ynyPbg2ZvzXGopcPd0N/e+D8bG9uoh7UHL1EX5GHh6emZ5JoPxSflO
IB+8eD9x/wjn42+8fv87SLakf5dxC7zZnlGuUiDdM1qMP4PZZ33V1gU4JXilviCdM3iMe0Hp
r2UYdkNeP1cVrxVMi80vGBdBmCWktvVriKoYUj2kGZiPixHKIWBQwOfsDSF3zGd5GuK/ivgk
LBlibtj89rqQ+JGtu2MpGAWxmT0H/FuUWf4wyP8299n8REg5dP/z5KmgOtRegZmQH6KEeV+G
60czJ59cBHI94ZZ3FrBLv5R7Gty/+pf5S8G9I5k3Mq1g+EyK9O8E+xPWEtJbkGLMKO6cD87J
ntv+HeCr6K3m/R48c3ybA05Q7rNKWABSKT7VZTDGGHfKY8Fe3h5tag62cuaVtg9ArmHMFEUI
dNL3ipmQ+VFelnYHrsy92Ss9ATI2ZidlXgFlh/K95yeI/jrqResyiN9T/JmE6yB+Jw8xtQTv
Dn9l7UNwNIx7PrYz5I1zpgmvwpZ7m48ciYLDv1z56kInSN+btyetAzjrZnW63xr8IzzT7//w
+Cfsn6VgEeCfbX9UatasWbNmzX9edtnRZUeXHX/ffXncdJzccXLHyYXX97D7UtDvP4UVjhWO
FY4//9wKyssjLo+4POLv9r6QyZmTMydnwhf9v+j/Rf+/fn5+t/xu+d3gKeNTxqeMhdd5p+Wd
lnda/t1X95/7+Qnyf6OqiqKqoKqqqmn/eunzeb1uN0yePGRI48awfv38+QMGFJZ/PO83uw/i
9/t8fj/4/YGAohSW+/d/9NHbbxeWDx5/9PI3uw8SCGgagKb9JmMfLA8cOHUqMxPM5sjIxMTC
+sP6/9mywO7j5pEjznKd0taY6WDOCF8ZPhv0HTzJGNAb043XQNipxfoTQP1Wv62/BUJb8S3D
ahCfE0pLiSAeFLobloO00x4TsxTUd/UfiAfRw5NKeRCa8pxkBv2APoaGoDfASC8gGkFoDkIX
4Sn9DaCtXls/DXoGq8UeIP4kapYDoByUiwVmQ1GtqN7gFoirZaTLkJkpjrp8C647U9Ou/wgX
06+f8dSGcisbpzzzApz9+MdOJ/pD2MDiHRwpUD66zNJKm+HFY91u9KoI1q22YqbnYVfnnaW/
KwaN98Tczh8DISeO52ob4WxF/xul7kDWBO2wMgl8izKKpCwAY29pRtGyII+wPxkeBb6P/TPz
JkCOL29F3kxwlw3MFDpC9kHvXT0LTMcMnxiagOFbYV2gAog9lKNuAQJhXpecDOaplp9Mz0Ng
uv8VnxVyDuW9lH0ObEUscy1jQHlGs1jOgPOSt4g0AYyl5OLGk+A36nO1I6CcDwz1XAbbZMNs
2zbwtMtfHZgK/q98rbOugetD5eZlI6SeStufsQKkn+XGXALDMmGaZTR413tFqTPoq6Rocxjw
pVglPwAuv79z1kkQazHD/gvklcsflhcNZ+/feN+VBCUPxo+KUiHmjHW/IxFSnkt7Kn8/eLuS
5R8LllqMkteAuYycSjaEfRNa2bwIhG+E+aZjoOwVL0pLQd5rWC+9D2pc4K74M+SG57+TnQnU
JEpqA9bB1mPWihAzL6S93gLUXH9P0yowtDd3MT4BRaaGrw3bCxE3i0lxC0DeZKnjuAZqTe9g
RkL0V/GWyPMgq7beYToceOmXXy5Vh72JR1ufehHSG7Ah8BNonxtnRcngfZpudz8Bob3UVKoI
3Pt3TNuHU5CzvGfPnj179vzxeEHOXYMGDRo0aFCY6/y4iGwW2SyyGbz++uuvv/76H487Ljsu
Oy7/996Tv5OxP479ceyPYLfb7Xb73+1NIXXr1q1bty6MXTp26dilhe3j24xvM77Nw59j3Ddx
38R983d7X8ia5muar2kOxTsU71C8AwxgAAP+wvnbt2/fvn07BKoEqgSqFLZv6bil45aO0Je+
9P27LzLIfzyKUiBkCyTbv8bUqW++2bQplCpVrFhU1B+PPzh+gd0H8fs9nkAA/H6r9b9ahOf3
/5ZCoSgej8tV2C7LFovNBrquqooCgYDLlZ//W7vVCqJoMPx+MeKDdh8kEPhtcaCqFuYh/x5Z
tlgcjj/WH9b/z1Jg93HzyMI5y3o3IbkXxA0P31pmAgifqPF6FjCY17EAPj1XugDiOvE5YQ4Q
4BMpBrTPtBZaH5BaFB1edjGIB6yDo/eCEKEO9u0Fbb1+Qz4NjBRHsxgEi75eHwZ6CqGYQSiB
i5pATf0jwQD6FUroNuCebtR/AL0557S+IHWQ60gJoDyjfqb8AtJ9w1TrTnhid2ypBt0hIlf/
OeQkRAVKHDZvh9WnF2dtjoNS7SqejnBB9dxqh0wNITnkbuy5SpBQL+2Yth0i37SXtneAMtXC
VljeBKGt1iLhBUhZKKdc+gTuJdg3hD4Hei3Cyn4PzqX3vjknQ5498+dkH4RPj1yUuB70WdZZ
Di/kVAl006qDOtLrSDsJhhbyUPE7iFkbUTzqRTB0IEUdC6n7sxrcqQChNUIrRDwLWlHfSekg
hEaF6GGzwL7DclvaAc5f3L+4h4O/pfdI/h4QLhs6GWOBdL2n7z64cjx3PNPBMtr0krwP1GHK
RK8L3He8+a4i4M0LtMj0gLbJuMPXA+T1hlb2aeAe5n4651kQc81zpTZgXWzew0mQGwjv6adB
RB9jewriwqOjqxyB/Mmu53OuQpE7kY1jr4P0lbgsvS8kbA6NCpkEWeUyl3hWwt2vMsn5GUq9
Ev+kfRMEYoX8QC0QJ5pnWiaCMpcufAz2eKYqXjAtE0/pF8HgFNvJVSFzV17TjG8gOsEeb5gK
cRej3ov5CczvmL+Wj0HKM5nd3eXh5tjU5veGQtmXSi8rcg4cm4q8G10SDAuNXWwnwdM+/1qg
F0TVi0mK2Qshy2LmRjWEG++ca3XXB4ffOJFxshrcv6hX1Y+AOkL+NOoaMMMfnXIQjPOsM+Sb
YGprSYp/8fFP2H9GQUS5QECPHz9+/PjxhcfHjh07duxYSEpKSkpKevz2CwRi64TWCa0T/kGH
BBJIAG2+Nl+bD1/W+bLOl3Vg3bp169atg4yMjIyMDIiKioqKioJ27dq1a9cO+hzqc6jPIRAH
iYPEQYWRuALB9MOoH0b9MKowMndrza01t9bA0aNHjx49Wmi+4Ly4uLi4uDiwLLMssywDZzln
OWc5GH5x+MXhF6FpRNOIphGgVFGqKFVgeu703Om5sLHoxqIbi0Lp0qVLly4Nnvae9p72wBrW
sOaPl1uQY140rWha0TRotKTRkkZLHp8f1bXqWnUNbre43eJ2C7j7490f7/74x+t+kBLbSmwr
sQ1KUIISv2sfz3jG/1fP8W3e5u1C/4tNKjap2CSo82WdL+t8CVmdsjpldYId03dM3zH9zz+f
a6uurbq2CqaVmlZqWik4e/bs2bNnC82We6ncS+VegqHnhp4beg7m7J+zf87vXixUMN6wtGFp
w9Ientv/IBvTNqZtTINyn5T7pNwnYFxiXGJc8jvhXKNvjb41gOMc5/ijf44+9X3q+9QHm9I3
pW9KB6fT6XQ6ocbnNT6v8TmMHzd+3PhxEHU76nbU7UJ7vv2+/b790HV61+ldp0PezLyZeTNh
yNkhZ4echZYxLWNaxjy+efWw5zqty7Qu07o8/u+N/9dRlN8EpqI8mlArXfr/Fszt2w8fvnr1
P7f7IH6/z1cQCf59RLpy5YEDJ04srEdEVKhQqxbExXm9v8+BvnEjOzszEwwGtzsnB2rWLFOm
aFG4ePHOnRs3IC/Pao2KAqPR4QgP/6PdBwkEfhP8D/u3QpbNZrP5j+3Tpk2dumHDw6+/Tp2a
NYsUgfr1Gzf+/WLEB+0+bh45VcOQ7w8N3IbwqqalISMhkERl4Q3Q6wsfCs+CsExcYdgAPCV4
pUxghbAbE9BTme0eB9rQ3BZpY4AK2m3xNNCad4RlIDQW++luQKaZPgcQySIaMAhmJCCVfG6B
/jwd9GQQqglVdQfwHc8r34IuaEP8Eui9mWHsAdJ8IVRqDmpv5ZznJIQnOazlr0L5KiXHtpoB
3tvy94bGYBbLtLb1hR6OFye2aQaOJp6REf3Bf/f+0Nz94BTOHUpNhpB5htthO6H40shAXFfQ
B8r9pCIQOqzoClNfiBxuq5xnh8jR9i+lZDAPjNtZbhsY9xvGW1aAu0GW464EanvPBZ8TQmaE
PBvaFBwtY04XuQCxtaKux6RCbFxUTPREiPSGhkbrULpv0fDSZyHiJ9uZkL0Qtc/R01ARTDv0
4e5PQGrsfTtrEySlRA6Q90BoN0MZZRrYbNJn3o1gWEN5ZyJYvzKWMjcEb3+PPZAE2d9mqmmf
gWe/e4dPA8xaguMbMMVpRytrEHbS1LdkCFgbGW5a+gJ3Vbt5ITj2mPYWz4fsZq5A+jDwv6hP
pyhkNUrt5lLA8Lb+akgTcK/0Juc3hlKpMUeLzwfbB3Ja+F5wNfPN8R6F2OURidYbYN9tWmTa
AfHlItqFx0Fig7Ci1s/A2zz/bMAOjg0WVRwFxhb6x0oSZFS+/+rtvuD/0b85dQDkJnqWZXSC
KyvTyp/qARcT7oQnL4XcA3ln3cWhwrEKZ4skQIlOpYUS34HpgKlXqAKuYu6d2vdgPeaoFNYU
woh5LyoX7l2/9W1WKTj65LHsU7fhRsn8fe7D4K2ve8S+4Bnr2ZD7Ojg/c95NSwRDluVe1DJw
T9U3mj9/fBO1YPu4cePGjRs37uH9CoTzw/oVCOmbN2/evHnz4eMUnP9Xt60rEDAP+6l/U9FN
RTcVhWUXll1YdqHwJ/ayu8vuLrsbZuTOyJ2RW1gvOP7N8G+GfzP88d3P1AmpE1InQKcpnaZ0
mgI5O3J25OyAGbtm7Jqxq7Df0meXPrv0WVgTvSZ6TTQ0u9HsRrMbhT/tp01Im5A24eF2cnfm
7szdCfll88vml/3X/Vi2fNnyZcsL/Wg+qvmo5qOg7MyyM8vOLBTM/90kJycnJycXCvdnhz47
9Nmhf32cKVunbJ2yFY4POD7g+ACYuHHixokbYVrnaZ2ndYbk2OTY5NjCiPikiZMmTvqdAIjf
EL8hfgO81+y9Zu81++f27ifcT7ifACdqnah1olahwG0a3jS8aTjcaHqj6Y2mcPXq1atXrz58
nD/7/L4yfGX4ygDfOr51fOuARo5GjkYOmFx8cvHJxeHixYsXL16E2ZVmV5pd6eF22k1oN6Hd
hP/ic/KY5tXjeq7/W/hXUzXy8rKy7t0rLB/kweN/NlUjEPD5fL7fhPNvkeffyjNnPv98zJjC
sqB95cpRo/r0KSx79apbt0wZ2Lx54sTXXoPZswcO7NwZtmyZNOn116F27dhYi+WP4xfYfRC/
/7dcY1X9bR+OB0tJMpnM5j+WNltiYunSDy9Pnrx61ed7+LgFdh83jyycjYvMGcYnILxP6IGI
GNDe1CcqbhDyhRAhFUjDpDcEtuuVhWUgfCB+Ik0E4WPfjNzZoF7Kq5MXAuLnwnzzXlD7CRn6
KhBq618zC6ikjxQiQHdTAgGQEAD0PDLwgjCXuUID0L9BEuaBnqVO90ggdvJc8fQCerl93nWA
iTlaCgjVhSpkgVhPeotpcH9lVvX0eyDuvvbU1XQYa+m2auibUOVYhfqtr0K1enVebNUOWmW9
1LRTPzCMq/BRYjj8tHJnqx2rYXu7vVmnN4HxVGCulgcVGzvCwxtAvENP8LwHpfym6NwnofzT
MZeNbSEkKa5vGQGkvZZ9ju7g25z1atoZ8A9zXnT1BmOybAktC/rzJlPkGUjbkDdAqwJ3q+TO
8DWCzG3OMmpbSN2eedAtQvqX2YNcX8K9Fhlbcr4F83FzNckJwm1/mjYM5C5MUYdCVLb1FaEy
RH9n/dxcAxznZJtaBqxnTG8Y48Efo7xOffAOVW/kpkKuGNhzIhLSXsupee4MZO0I9Lw0HJy1
fF+7Y0G6ww6DDO7WgRDPF0C41N9wD9w9fcacipC/PbA/eSGk98s5dnMmZHyY87XnHmSsdRrT
3gPDC2HXHX0hRHBkR20BRzvT19ghzBBy2FgBhJeVaaZxkH8hP8HzLBhPSGcUD/CUaKcdqN1F
--------------020302070409030803000705--

--------------030302030309090109010109--

From phil.hunt@oracle.com  Wed Aug 28 09:21:07 2013
Return-Path: <phil.hunt@oracle.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8F61811E8193 for <oauth@ietfa.amsl.com>; Wed, 28 Aug 2013 09:21:07 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.241
X-Spam-Level: 
X-Spam-Status: No, score=-5.241 tagged_above=-999 required=5 tests=[AWL=-0.038, BAYES_00=-2.599, MIME_QP_LONG_LINE=1.396, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id gVxmsGlbUFiO for <oauth@ietfa.amsl.com>; Wed, 28 Aug 2013 09:21:02 -0700 (PDT)
Received: from userp1040.oracle.com (userp1040.oracle.com [156.151.31.81]) by ietfa.amsl.com (Postfix) with ESMTP id 7A7DE11E823A for <oauth@ietf.org>; Wed, 28 Aug 2013 09:21:02 -0700 (PDT)
Received: from acsinet21.oracle.com (acsinet21.oracle.com [141.146.126.237]) by userp1040.oracle.com (Sentrion-MTA-4.3.1/Sentrion-MTA-4.3.1) with ESMTP id r7SGL1lq001781 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK); Wed, 28 Aug 2013 16:21:01 GMT
Received: from userz7022.oracle.com (userz7022.oracle.com [156.151.31.86]) by acsinet21.oracle.com (8.14.4+Sun/8.14.4) with ESMTP id r7SGKxBM015392 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Wed, 28 Aug 2013 16:21:00 GMT
Received: from abhmt118.oracle.com (abhmt118.oracle.com [141.146.116.70]) by userz7022.oracle.com (8.14.4+Sun/8.14.4) with ESMTP id r7SGKxbh011242; Wed, 28 Aug 2013 16:20:59 GMT
Received: from [192.168.1.125] (/24.86.29.34) by default (Oracle Beehive Gateway v4.0) with ESMTP ; Wed, 28 Aug 2013 09:20:59 -0700
References: <1373E8CE237FCC43BCA36C6558612D2AA28D6A@USCHMBX001.nsn-intra.net> <4D9D4AAD-55F9-4B7E-A56F-5BC42F028E13@oracle.com> <B14A12F5-EF5C-4529-90B7-C30E17958907@oracle.com> <521E1A34.30204@mitre.org> <BC009D74-FEF3-4827-8C0D-1B2FCCF9DA65@oracle.com> <521E2086.1010007@mitre.org>
Mime-Version: 1.0 (1.0)
In-Reply-To: <521E2086.1010007@mitre.org>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: quoted-printable
Message-Id: <4FBA391A-073B-4C67-BDC9-D5429B940951@oracle.com>
X-Mailer: iPhone Mail (10B329)
From: Phil Hunt <phil.hunt@oracle.com>
Date: Wed, 28 Aug 2013 09:20:56 -0700
To: Justin Richer <jricher@mitre.org>
X-Source-IP: acsinet21.oracle.com [141.146.126.237]
Cc: oauth mailing list <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Dynamic Client Registration Conference Call: Wed 28 Aug, 2pm PDT: Conference Bridge Details
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 28 Aug 2013 16:21:07 -0000

This is the key problem with dyn reg.

You have to recognize software as distinct entities shared by clients as instances. Statements can be by a developer, an organization or an API owner that approves clients in the same way Google or Facebook does today.

The approval happens once per client software or can even happen once per publisher or developer depending on trust.

Dyn reg doesn't work in practice because each registration has to be approved individually yet the protocol doesn't support approvals. It must be immediate.

This is why the question of who has used this in production matters. Implementation of dyn reg is easy. Operating it looks workable only in small installations.

Phil

On 2013-08-28, at 9:08, Justin Richer <jricher@mitre.org> wrote:

> I set up an auth server to protect my API, my users download a piece of software that speaks the API to access their data. Where is my server supposed to get the list of "approved" software classes from? Are you assuming a central registry per API? Or is it going to be provider-specific? If the latter, why wouldn't you just do manual registration and not use dynamic registration at all? After all, manual registration will always still be a valid option.
>
> -- Justin
>
> On 08/28/2013 12:02 PM, Phil Hunt wrote:
>> Please define the all in one case. I think this is the edge case and is in fact rare.
>>
>> I agree, in many cases step 1 can be made by simply approving a class of software. But then step 2 is simplified.
>>
>> Dyn reg assumes every registration of an instance is unique which to me is a very extreme position.
>>
>> Phil
>>
>> On 2013-08-28, at 8:41, Justin Richer <jricher@mitre.org> wrote:
>>
>>> Except for the cases where you want step 1 to happen in band. To me, that is a vitally and fundamentally important use case that we can't disregard, and we must have a solution that can accommodate that. The notions of "publisher" and "product" fade very quickly once you get outside of the software vendor world.
>>>
>>> This is, of course, not to stand in the way of other solutions or approaches (such as something assertion based like you're after). It's not a one-or-the-other proposition, especially when there are mutually exclusive aspects of each.
>>>
>>> Therefore I once again call for the WG to finish the current dynamic registration spec *AND* pursue the assertion based process that Phil's talking about. They're not mutually exclusive, let's please stop talking about them like they are.
>>>
>>> -- Justin
>>>
>>> On 08/28/2013 11:17 AM, Phil Hunt wrote:
>>>> Sorry. I meant also to say I think there are 2 registration steps.
>>>>
>>>> 1. Software registration/approval. This often happens out of band. But in this step policy is defined that approves software for use. Many of the reg params are known here.
>>>>
>>>> Federation techniques come into play as trust approvals can be based on developer, product or even publisher.
>>>>
>>>> 2. Each instance associates in a stateless way. Only clients that need credential rotation need more.
>>>>
>>>> Phil
>>>>
>>>> On 2013-08-28, at 8:04, Phil Hunt <phil.hunt@oracle.com> wrote:
>>>>
>>>>> I have a conflict I cannot get out of for 2 Pacific.
>>>>>
>>>>> I think a certificate based approach is going to simplify exchanges in all cases. I encourage the group to explore the concept on the call.
>>>>>
>>>>> I am not sure breaking dyn reg up helps. It creates yet another option. I would like to explore how federation concept in software statements can help with facilitating association and making many reg stateless.
>>>>>
>>>>> Phil
>>>>>
>>>>> On 2013-08-28, at 5:43, "Tschofenig, Hannes (NSN - FI/Espoo)" <hannes.tschofenig@nsn.com> wrote:
>>>>>
>>>>>> Here are the conference bridge / Webex details for the call today.
>>>>>> We are going to complete the use case discussions from last time (Phil wasn't able to walk through all slides). Justin was also able to work out a strawman proposal based on the discussions last week and we will have a look at it to see whether this is a suitable compromise. Here is Justin's mail, in case you have missed it: http://www.ietf.org/mail-archive/web/oauth/current/msg12036.html
>>>>>>
>>>>>> Phil, please feel free to make adjustments to your slides given Justin's recent proposal.
>>>>>>
>>>>>> Topic: OAuth Dynamic Client Registration
>>>>>> Date: Wednesday, August 28, 2013
>>>>>> Time: 2:00 pm, Pacific Daylight Time (San Francisco, GMT-07:00)
>>>>>> Meeting Number: 703 230 586
>>>>>> Meeting Password: oauth
>>>>>>
>>>>>> -------------------------------------------------------
>>>>>> To join the online meeting
>>>>>> -------------------------------------------------------
>>>>>> 1. Go to https://nsn.webex.com/nsn/j.php?ED=269567657&UID=0&PW=NNTI1ZWQzMDJk&RT=MiM0
>>>>>> 2. Enter your name and email address.
>>>>>> 3. Enter the meeting password: oauth
>>>>>> 4. Click "Join Now".
>>>>>>
>>>>>> To view in other time zones or languages, please click the link:
>>>>>> https://nsn.webex.com/nsn/j.php?ED=269567657&UID=0&PW=NNTI1ZWQzMDJk&ORT=MiM0
>>>>>>
>>>>>> To add this meeting to your calendar program (for example Microsoft Outlook), click this link:
>>>>>> https://nsn.webex.com/nsn/j.php?ED=269567657&UID=0&ICS=MI&LD=1&RD=2&ST=1&SHA2=C6-AjLGvhdYjmpVdx75M6UsAwrNLMsequ5n95Gyv1R8=&RT=MiM0
>>>>>>
>>>>>> -------------------------------------------------------
>>>>>> To join the teleconference only
>>>>>> -------------------------------------------------------
>>>>>> Global dial-in Numbers: http://www.nokiasiemensnetworks.com/nvc
>>>>>> Conference Code: 944 910 5485
>>>>>>
>>>>>>
>>>>>> _______________________________________________
>>>>>> OAuth mailing list
>>>>>> OAuth@ietf.org
>>>>>> https://www.ietf.org/mailman/listinfo/oauth
>
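
The two registration steps described in the quoted thread above (software approved once, out of band; each instance then associating in a stateless way) can be sketched as follows. This is an added example, not code from the thread or from any OAuth draft; the claim names, the HS256 shared key standing in for a publisher signature, the policy table and all function names are assumptions made for illustration.

```python
import base64
import hashlib
import hmac
import json


class RegistrationError(Exception):
    """The software statement does not satisfy the server's policy."""


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_statement(claims: dict, key: bytes) -> str:
    """Publisher side: one signed statement per piece of software, not per instance."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url(json.dumps(claims, sort_keys=True).encode())
    mac = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(mac)}"


# Step 1 (once, out of band): the API owner records which publishers and which
# software it approves. Every value below is constructed for this example.
POLICY = {
    "https://publisher.example": {
        "key": b"constructed-demo-key-not-a-real-secret",
        "software": {
            "photo-app": {"redirect_uris": {"https://photo.example/cb"}},
        },
    },
}
SERVER_SECRET = b"constructed-server-secret"


def associate_instance(statement: str, policy: dict = POLICY,
                       server_secret: bytes = SERVER_SECRET) -> dict:
    """Step 2: accept an instance on the strength of its software statement.

    Nothing is stored per instance. The client_id is recomputed from the
    statement, so every instance of the same approved software gets the same one.
    """
    try:
        header_b64, payload_b64, sig_b64 = statement.split(".")
        header = json.loads(b64url_decode(header_b64))
        claims = json.loads(b64url_decode(payload_b64))
        signature = b64url_decode(sig_b64)
    except ValueError as exc:
        raise RegistrationError("malformed statement") from exc
    if not isinstance(header, dict) or not isinstance(claims, dict):
        raise RegistrationError("malformed statement")

    # Pin the algorithm instead of trusting the header (rejects "none").
    if header.get("alg") != "HS256":
        raise RegistrationError("unexpected algorithm")

    issuer = claims.get("iss")
    publisher = policy.get(issuer) if isinstance(issuer, str) else None
    if publisher is None:
        raise RegistrationError("publisher not approved")

    signing_input = f"{header_b64}.{payload_b64}".encode()
    expected = hmac.new(publisher["key"], signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        raise RegistrationError("bad signature")

    software_id = claims.get("software_id")
    approved = publisher["software"].get(software_id) if isinstance(software_id, str) else None
    if approved is None:
        raise RegistrationError("software not approved")

    requested = claims.get("redirect_uris")
    if (not isinstance(requested, list) or not requested
            or not all(isinstance(uri, str) for uri in requested)
            or not set(requested) <= approved["redirect_uris"]):
        raise RegistrationError("redirect_uris outside the approved set")

    client_id = b64url(hmac.new(server_secret, signing_input, hashlib.sha256).digest())[:22]
    return {"client_id": client_id, "software_id": software_id,
            "redirect_uris": sorted(requested)}
```

Because the identifier is shared by every instance of the approved software, this sketch does not give each instance its own credential; that is the per-instance case the thread is arguing about.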

From phil.hunt@oracle.com  Wed Aug 28 09:24:09 2013
Return-Path: <phil.hunt@oracle.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BFF5B11E8193 for <oauth@ietfa.amsl.com>; Wed, 28 Aug 2013 09:24:05 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.24
X-Spam-Level: 
X-Spam-Status: No, score=-5.24 tagged_above=-999 required=5 tests=[AWL=-0.038,  BAYES_00=-2.599, HTML_MESSAGE=0.001, MIME_QP_LONG_LINE=1.396, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id lv9KXq54ZtKE for <oauth@ietfa.amsl.com>; Wed, 28 Aug 2013 09:24:01 -0700 (PDT)
Received: from userp1040.oracle.com (userp1040.oracle.com [156.151.31.81]) by ietfa.amsl.com (Postfix) with ESMTP id EDF5611E8203 for <oauth@ietf.org>; Wed, 28 Aug 2013 09:24:00 -0700 (PDT)
Received: from ucsinet21.oracle.com (ucsinet21.oracle.com [156.151.31.93]) by userp1040.oracle.com (Sentrion-MTA-4.3.1/Sentrion-MTA-4.3.1) with ESMTP id r7SGNsxS008460 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK); Wed, 28 Aug 2013 16:23:55 GMT
Received: from userz7021.oracle.com (userz7021.oracle.com [156.151.31.85]) by ucsinet21.oracle.com (8.14.4+Sun/8.14.4) with ESMTP id r7SGNsS1024045 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Wed, 28 Aug 2013 16:23:54 GMT
Received: from abhmt118.oracle.com (abhmt118.oracle.com [141.146.116.70]) by userz7021.oracle.com (8.14.4+Sun/8.14.4) with ESMTP id r7SGNrpc024028; Wed, 28 Aug 2013 16:23:53 GMT
Received: from [192.168.1.125] (/24.86.29.34) by default (Oracle Beehive Gateway v4.0) with ESMTP ; Wed, 28 Aug 2013 09:23:53 -0700
References: <1373E8CE237FCC43BCA36C6558612D2AA28D6A@USCHMBX001.nsn-intra.net> <4D9D4AAD-55F9-4B7E-A56F-5BC42F028E13@oracle.com> <B14A12F5-EF5C-4529-90B7-C30E17958907@oracle.com> <521E1A34.30204@mitre.org> <BC009D74-FEF3-4827-8C0D-1B2FCCF9DA65@oracle.com> <521E2353.2030904@aol.com>
Mime-Version: 1.0 (1.0)
In-Reply-To: <521E2353.2030904@aol.com>
Content-Type: multipart/alternative; boundary=Apple-Mail-3A13FA4A-4E70-47E4-B61F-A7D5EF486B91
Content-Transfer-Encoding: 7bit
Message-Id: <C7CBA9A2-92F5-4AE3-8AEE-1259B6635DD9@oracle.com>
X-Mailer: iPhone Mail (10B329)
From: Phil Hunt <phil.hunt@oracle.com>
Date: Wed, 28 Aug 2013 09:23:49 -0700
To: George Fletcher <gffletch@aol.com>
X-Source-IP: ucsinet21.oracle.com [156.151.31.93]
Cc: oauth mailing list <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Dynamic Client Registration Conference Call: Wed 28 Aug, 2pm PDT: Conference Bridge Details
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 28 Aug 2013 16:24:09 -0000

--Apple-Mail-3A13FA4A-4E70-47E4-B61F-A7D5EF486B91
Content-Type: text/plain;
	charset=us-ascii
Content-Transfer-Encoding: quoted-printable

George

That case can be solved with a simple assertion swap. We just have to profile it.

Phil

On 2013-08-28, at 9:20, George Fletcher <gffletch@aol.com> wrote:

>
> On 8/28/13 12:02 PM, Phil Hunt wrote:
>> Please define the all in one case. I think this is the edge case and is in fact rare.
>>
>> I agree, in many cases step 1 can be made by simply approving a class of software. But then step 2 is simplified.
>>
>> Dyn reg assumes every registration of an instance is unique which to me is a very extreme
> If you have a mobile app that needs to do the code flow... which requires a client_secret in order to retrieve the access token and refresh token, how does the app do this without per app instance registration?
>
> I'd argue that almost all user facing mobile apps will want the above flow and that's not a small, rare edge case.
>
> Thanks,
> George
>> position.
>>
>> Phil
>>
>
> --
> <XeC>

--Apple-Mail-3A13FA4A-4E70-47E4-B61F-A7D5EF486B91
Content-Type: text/html;
	charset=utf-8
Content-Transfer-Encoding: 7bit

<html><head><meta http-equiv="content-type" content="text/html; charset=utf-8"></head><body dir="auto"><div>George</div><div><br></div><div>That case can be solved with a simple assertion swap. We just have to profile it.&nbsp;<br><br>Phil</div><div><br>On 2013-08-28, at 9:20, George Fletcher &lt;<a href="mailto:gffletch@aol.com">gffletch@aol.com</a>&gt; wrote:<br><br></div><blockquote type="cite"><div>
  
    <meta content="text/html; charset=ISO-8859-1" http-equiv="Content-Type">
  
  
    <br>
    <div class="moz-cite-prefix">On 8/28/13 12:02 PM, Phil Hunt wrote:<br>
    </div>
    <blockquote cite="mid:BC009D74-FEF3-4827-8C0D-1B2FCCF9DA65@oracle.com" type="cite">
      <pre wrap="">Please define the all in one case. I think this is the edge case and is in fact rare. 

I agree, in many cases step 1 can be made by simply approving a class of software. But then step 2 is simplified. 

Dyn reg assumes every registration of an instance is unique which too me is a very extreme </pre>
    </blockquote>
    If you have a mobile app that needs to do the code flow... which
    requires a client_secret in order to retrieve the access token and
    refresh token, how does the app do this without per app instance
    registration? <br>
    <br>
    I'd argue that almost all user facing mobile apps will want the
    above flow and that's not a small, rare edge case.<br>
    <br>
    Thanks,<br>
    George<br>
    <blockquote cite="mid:BC009D74-FEF3-4827-8C0D-1B2FCCF9DA65@oracle.com" type="cite">
      <pre wrap="">position. 

Phil

On 2013-08-28, at 8:41, Justin Richer <a class="moz-txt-link-rfc2396E" href="mailto:jricher@mitre.org">&lt;jricher@mitre.org&gt;</a> wrote:

</pre>
      <blockquote type="cite">
        <pre wrap="">Except for the cases where you want step 1 to happen in band. To me, that is a vitally and fundamentally important use case that we can't disregard, and we must have a solution that can accommodate that. The notions of "publisher" and "product" fade very quickly once you get outside of the software vendor world.

This is, of course, not to stand in the way of other solutions or approaches (such as something assertion based like you're after). It's not a one-or-the-other proposition, especially when there are mutually exclusive aspects of each.

Therefore I once again call for the WG to finish the current dynamic registration spec *AND* pursue the assertion based process that Phil's talking about. They're not mutually exclusive, let's please stop talking about them like they are.

-- Justin

On 08/28/2013 11:17 AM, Phil Hunt wrote:
</pre>
        <blockquote type="cite">
          <pre wrap="">Sorry. I meant also to say i think there are 2 registration steps.

1. Software registration/approval. This often happens out of band. But in this step policy is defined that approves software for use. Many of the reg params are known here.

Federation techniques come into play as trust approvals can be based on developer, product or even publisher.

2. Each instance associates in a stateless way. Only clients that need credential rotation need more.

Phil

On 2013-08-28, at 8:04, Phil Hunt <a class="moz-txt-link-rfc2396E" href="mailto:phil.hunt@oracle.com">&lt;phil.hunt@oracle.com&gt;</a> wrote:

</pre>
          <blockquote type="cite">
            <pre wrap="">I have a conflict I cannot get out of for 2pacific.

I think a certificate based approach is going to simplify exchanges in all cases. I encourage the group to explore the concept on the call.

I am not sure breaking dyn reg up helps. It creates yet another option. I would like to explore how federation concept in software statements can help with facilitating association and making many reg stateless.

Phil

On 2013-08-28, at 5:43, "Tschofenig, Hannes (NSN - FI/Espoo)" <a class="moz-txt-link-rfc2396E" href="mailto:hannes.tschofenig@nsn.com">&lt;hannes.tschofenig@nsn.com&gt;</a> wrote:

</pre>
            <blockquote type="cite">
              <pre wrap="">Here are the conference bridge / Webex details for the call today.
We are going to complete the use case discussions from last time (Phil wasn't able to walk through all slides). Justin was also able to work out a strawman proposal based on the discussions last week and we will have a look at it to see whether this is a suitable compromise. Here is Justin's mail, in case you have missed it: <a class="moz-txt-link-freetext" href="http://www.ietf.org/mail-archive/web/oauth/current/msg12036.html">http://www.ietf.org/mail-archive/web/oauth/current/msg12036.html</a>

Phil, please feel free to make adjustments to your slides given Justin's recent proposal.

Topic: OAuth Dynamic Client Registration
Date: Wednesday, August 28, 2013
Time: 2:00 pm, Pacific Daylight Time (San Francisco, GMT-07:00)
Meeting Number: 703 230 586
Meeting Password: oauth

-------------------------------------------------------
To join the online meeting
-------------------------------------------------------
1. Go to <a class="moz-txt-link-freetext" href="https://nsn.webex.com/nsn/j.php?ED=269567657&amp;UID=0&amp;PW=NNTI1ZWQzMDJk&amp;RT=MiM0">https://nsn.webex.com/nsn/j.php?ED=269567657&amp;UID=0&amp;PW=NNTI1ZWQzMDJk&amp;RT=MiM0</a>
2. Enter your name and email address.
3. Enter the meeting password: oauth
4. Click "Join Now".

To view in other time zones or languages, please click the link:
<a class="moz-txt-link-freetext" href="https://nsn.webex.com/nsn/j.php?ED=269567657&amp;UID=0&amp;PW=NNTI1ZWQzMDJk&amp;ORT=MiM0">https://nsn.webex.com/nsn/j.php?ED=269567657&amp;UID=0&amp;PW=NNTI1ZWQzMDJk&amp;ORT=MiM0</a>

To add this meeting to your calendar program (for example Microsoft Outlook), click this link:
<a class="moz-txt-link-freetext" href="https://nsn.webex.com/nsn/j.php?ED=269567657&amp;UID=0&amp;ICS=MI&amp;LD=1&amp;RD=2&amp;ST=1&amp;SHA2=C6-AjLGvhdYjmpVdx75M6UsAwrNLMsequ5n95Gyv1R8=&amp;RT=MiM0">https://nsn.webex.com/nsn/j.php?ED=269567657&amp;UID=0&amp;ICS=MI&amp;LD=1&amp;RD=2&amp;ST=1&amp;SHA2=C6-AjLGvhdYjmpVdx75M6UsAwrNLMsequ5n95Gyv1R8=&amp;RT=MiM0</a>

-------------------------------------------------------
To join the teleconference only
-------------------------------------------------------
Global dial-in Numbers: <a class="moz-txt-link-freetext" href="http://www.nokiasiemensnetworks.com/nvc">http://www.nokiasiemensnetworks.com/nvc</a>
Conference Code: 944 910 5485


_______________________________________________
OAuth mailing list
<a class="moz-txt-link-abbreviated" href="mailto:OAuth@ietf.org">OAuth@ietf.org</a>
<a class="moz-txt-link-freetext" href="https://www.ietf.org/mailman/listinfo/oauth">https://www.ietf.org/mailman/listinfo/oauth</a>
</pre>
            </blockquote>
          </blockquote>
        </blockquote>
        <pre wrap=""></pre>
      </blockquote>
    </blockquote>
    <br>
    <div class="moz-signature">-- <br>
      <a href="http://connect.me/gffletch" title="View full card on
        Connect.Me">&lt;XeC&gt;</a></div>
  

</div></blockquote></body></html>
--Apple-Mail-3A13FA4A-4E70-47E4-B61F-A7D5EF486B91--

From gffletch@aol.com  Wed Aug 28 09:28:05 2013
Return-Path: <gffletch@aol.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id AA01D21F9F12 for <oauth@ietfa.amsl.com>; Wed, 28 Aug 2013 09:28:05 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.448
X-Spam-Level: 
X-Spam-Status: No, score=-2.448 tagged_above=-999 required=5 tests=[AWL=0.150,  BAYES_00=-2.599, HTML_MESSAGE=0.001]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id cv42NnJkkYSq for <oauth@ietfa.amsl.com>; Wed, 28 Aug 2013 09:28:01 -0700 (PDT)
Received: from omr-m02.mx.aol.com (omr-m02.mx.aol.com [64.12.143.76]) by ietfa.amsl.com (Postfix) with ESMTP id 513E121F9703 for <oauth@ietf.org>; Wed, 28 Aug 2013 09:27:52 -0700 (PDT)
Received: from mtaout-da02.r1000.mx.aol.com (mtaout-da02.r1000.mx.aol.com [172.29.51.130]) by omr-m02.mx.aol.com (Outbound Mail Relay) with ESMTP id 589DA700DA025; Wed, 28 Aug 2013 12:27:50 -0400 (EDT)
Received: from palantir.local (unknown [10.181.176.48]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by mtaout-da02.r1000.mx.aol.com (MUA/Third Party Client Interface) with ESMTPSA id C8F5BE0000B9; Wed, 28 Aug 2013 12:27:49 -0400 (EDT)
Message-ID: <521E2505.5060505@aol.com>
Date: Wed, 28 Aug 2013 12:27:49 -0400
From: George Fletcher <gffletch@aol.com>
Organization: AOL LLC
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:17.0) Gecko/20130801 Thunderbird/17.0.8
MIME-Version: 1.0
To: Phil Hunt <phil.hunt@oracle.com>
References: <1373E8CE237FCC43BCA36C6558612D2AA28D6A@USCHMBX001.nsn-intra.net> <4D9D4AAD-55F9-4B7E-A56F-5BC42F028E13@oracle.com> <B14A12F5-EF5C-4529-90B7-C30E17958907@oracle.com> <521E1A34.30204@mitre.org> <BC009D74-FEF3-4827-8C0D-1B2FCCF9DA65@oracle.com> <521E2086.1010007@mitre.org> <4FBA391A-073B-4C67-BDC9-D5429B940951@oracle.com>
In-Reply-To: <4FBA391A-073B-4C67-BDC9-D5429B940951@oracle.com>
Content-Type: multipart/alternative; boundary="------------080306050205000704090904"
x-aol-global-disposition: G
X-AOL-VSS-INFO: 5400.1158/93304
X-AOL-VSS-CODE: clean
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=mx.aol.com; s=20121107; t=1377707270; bh=LblENV0RiCr9K1X26XnlbxorlvsSPmDY2g39oi59P9Y=; h=From:To:Subject:Message-ID:Date:MIME-Version:Content-Type; b=e3BA8av7aOGYlam/AQri2dCaS4PQBL4u9Wb2AQu8ihMvCTDJK/UcnwnyijZEoc+qn Wk0RWxY+YcVJrKBTyV+KTH2ue5JHUiM/ZpdC9dvlLQOgChSlO7WyZyklfizGnInjAm ArCZf4O9HWfBhhoyn20dqiYeMfbEEudkmaIVOdpk=
x-aol-sid: 3039ac1d3382521e250540f6
X-AOL-IP: 10.181.176.48
Cc: oauth mailing list <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Dynamic Client Registration Conference Call: Wed 28 Aug, 2pm PDT: Conference Bridge Details
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 28 Aug 2013 16:28:05 -0000

This is a multi-part message in MIME format.
--------------080306050205000704090904
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit

Maybe I'm missing something...
On 8/28/13 12:20 PM, Phil Hunt wrote:
> This is the key problem with dyn reg.
>
> You have to recognize software as distinct entities shared by clients as instances. Statements can be by a developer, an organization or an api owner that approves clients in the same way google or facebook does today.
>
> The approval happens once per client software or can even happen once per publisher or developer depending on trust.
Isn't this what the Initial Access Token is all about in the current 
spec? An "assertion" can be provided to the software developer for them 
to use with the registration endpoints.
>
> Dyn reg doesn't work in practice because each registration has to be approved individually yet the protocol doesn't support approvals. It must be immediate.
I'm confused... what do you mean by approvals? If the initial "software 
statement" (i.e. token/assertion) identifies the developer or class of 
client or whatever, the AS can apply the necessary policy to determine 
if it wants to allow the instance to register. The AS doesn't have to 
make decisions based on the data provided by the instance, it could make 
them based on the data provided in the Initial Access Token. The AS 
could easily provide a client_id to the instance that is really a 
structured token such that the AS implementation is stateless.
>
> This is why the question of who has used this in production matters. Implementation of dyn reg is easy. Operating it looks workable only in small installations.
What policy an AS applies to a client_id is out of scope of OAuth and 
always has been. So what's the complication in this case? I can see a 
number of easy ways to solve the approval/authorization from an AS 
implementation perspective.
>
> Phil
>
> On 2013-08-28, at 9:08, Justin Richer <jricher@mitre.org> wrote:
>
>> I set up an auth server to protect my API, my users download a piece of software that speaks the API to access their data. Where is my server supposed to get the list of "approved" software classes from? Are you assuming a central registry per API? Or is it going to be provider-specific? If the latter, why wouldn't you just do manual registration and not use dynamic registration at all? After all, manual registration will always still be a valid option.
>>
>> -- Justin
>>
>> On 08/28/2013 12:02 PM, Phil Hunt wrote:
>>> Please define the all in one case. I think this is the edge case and is in fact rare.
>>>
>>> I agree, in many cases step 1 can be made by simply approving a class of software. But then step 2 is simplified.
>>>
>>> Dyn reg assumes every registration of an instance is unique which to me is a very extreme position.
>>>
>>> Phil
>>>
>>> On 2013-08-28, at 8:41, Justin Richer <jricher@mitre.org> wrote:
>>>
>>>> Except for the cases where you want step 1 to happen in band. To me, that is a vitally and fundamentally important use case that we can't disregard, and we must have a solution that can accommodate that. The notions of "publisher" and "product" fade very quickly once you get outside of the software vendor world.
>>>>
>>>> This is, of course, not to stand in the way of other solutions or approaches (such as something assertion based like you're after). It's not a one-or-the-other proposition, especially when there are mutually exclusive aspects of each.
>>>>
>>>> Therefore I once again call for the WG to finish the current dynamic registration spec *AND* pursue the assertion based process that Phil's talking about. They're not mutually exclusive, let's please stop talking about them like they are.
>>>>
>>>> -- Justin
>>>>
>>>> On 08/28/2013 11:17 AM, Phil Hunt wrote:
>>>>> Sorry. I meant also to say I think there are 2 registration steps.
>>>>>
>>>>> 1. Software registration/approval. This often happens out of band. But in this step policy is defined that approves software for use. Many of the reg params are known here.
>>>>>
>>>>> Federation techniques come into play as trust approvals can be based on developer, product or even publisher.
>>>>>
>>>>> 2. Each instance associates in a stateless way. Only clients that need credential rotation need more.
>>>>>
>>>>> Phil
>>>>>
>>>>> On 2013-08-28, at 8:04, Phil Hunt <phil.hunt@oracle.com> wrote:
>>>>>
>>>>>> I have a conflict I cannot get out of for 2pacific.
>>>>>>
>>>>>> I think a certificate based approach is going to simplify exchanges in all cases. I encourage the group to explore the concept on the call.
>>>>>>
>>>>>> I am not sure breaking dyn reg up helps. It creates yet another option. I would like to explore how federation concept in software statements can help with facilitating association and making many reg stateless.
>>>>>>
>>>>>> Phil
>>>>>>
>>>>>> On 2013-08-28, at 5:43, "Tschofenig, Hannes (NSN - FI/Espoo)" <hannes.tschofenig@nsn.com> wrote:
>>>>>>
>>>>>>> Here are the conference bridge / Webex details for the call today.
>>>>>>> We are going to complete the use case discussions from last time (Phil wasn't able to walk through all slides). Justin was also able to work out a strawman proposal based on the discussions last week and we will have a look at it to see whether this is a suitable compromise. Here is Justin's mail, in case you have missed it: http://www.ietf.org/mail-archive/web/oauth/current/msg12036.html
>>>>>>>
>>>>>>> Phil, please feel free to make adjustments to your slides given Justin's recent proposal.
>>>>>>>
>>>>>>> Topic: OAuth Dynamic Client Registration
>>>>>>> Date: Wednesday, August 28, 2013
>>>>>>> Time: 2:00 pm, Pacific Daylight Time (San Francisco, GMT-07:00)
>>>>>>> Meeting Number: 703 230 586
>>>>>>> Meeting Password: oauth
>>>>>>>
>>>>>>> -------------------------------------------------------
>>>>>>> To join the online meeting
>>>>>>> -------------------------------------------------------
>>>>>>> 1. Go to https://nsn.webex.com/nsn/j.php?ED=269567657&UID=0&PW=NNTI1ZWQzMDJk&RT=MiM0
>>>>>>> 2. Enter your name and email address.
>>>>>>> 3. Enter the meeting password: oauth
>>>>>>> 4. Click "Join Now".
>>>>>>>
>>>>>>> To view in other time zones or languages, please click the link:
>>>>>>> https://nsn.webex.com/nsn/j.php?ED=269567657&UID=0&PW=NNTI1ZWQzMDJk&ORT=MiM0
>>>>>>>
>>>>>>> To add this meeting to your calendar program (for example Microsoft Outlook), click this link:
>>>>>>> https://nsn.webex.com/nsn/j.php?ED=269567657&UID=0&ICS=MI&LD=1&RD=2&ST=1&SHA2=C6-AjLGvhdYjmpVdx75M6UsAwrNLMsequ5n95Gyv1R8=&RT=MiM0
>>>>>>>
>>>>>>> -------------------------------------------------------
>>>>>>> To join the teleconference only
>>>>>>> -------------------------------------------------------
>>>>>>> Global dial-in Numbers: http://www.nokiasiemensnetworks.com/nvc
>>>>>>> Conference Code: 944 910 5485
>>>>>>>
>>>>>>>
>>>>>>> _______________________________________________
>>>>>>> OAuth mailing list
>>>>>>> OAuth@ietf.org
>>>>>>> https://www.ietf.org/mailman/listinfo/oauth

-- 
George Fletcher <http://connect.me/gffletch>

--------------080306050205000704090904--
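
The stateless registration George describes in the message above (the AS takes its policy from the Initial Access Token and hands the instance a client_id that is itself a structured token), shown as an added example that is not code from the thread or from the dynamic registration draft. The HMAC-sealed token format, the claim names (`sw`, `inst`, `exp`), the demo keys and all function names are assumptions made for illustration.

```python
import base64
import hashlib
import hmac
import json
import secrets

# Constructed demo keys (assumption); separate keys keep an Initial Access
# Token from ever being accepted as a client_id and vice versa.
IAT_KEY = b"demo-key-initial-access-token"
CLIENT_ID_KEY = b"demo-key-structured-client-id"
SECRET_KEY = b"demo-key-client-secret-derivation"


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def seal(key: bytes, claims: dict) -> str:
    """Return 'payload.tag', where tag is HMAC-SHA256 over the payload."""
    body = _b64(json.dumps(claims, sort_keys=True, separators=(",", ":")).encode())
    return body + "." + _b64(hmac.new(key, body.encode(), hashlib.sha256).digest())


def unseal(key: bytes, token: str, now: float) -> dict:
    """Check the tag first, then expiry; raise ValueError on any failure."""
    body, _, tag = token.partition(".")
    expected = hmac.new(key, body.encode(), hashlib.sha256).digest()
    try:
        valid = hmac.compare_digest(expected, _unb64(tag))
    except ValueError:  # malformed base64 in the tag
        valid = False
    if not valid:
        raise ValueError("bad signature")
    claims = json.loads(_unb64(body))
    if claims.get("exp", 0) <= now:
        raise ValueError("expired")
    return claims


def issue_initial_access_token(software, redirect_uris, now, ttl=86400):
    """Step 1, out of band: approve a class of software once."""
    return seal(IAT_KEY, {"sw": software,
                          "redirect_uris": sorted(redirect_uris),
                          "exp": now + ttl})


def derive_secret(client_id: str) -> str:
    """client_secret is recomputed from client_id, so nothing is stored."""
    return _b64(hmac.new(SECRET_KEY, client_id.encode(), hashlib.sha256).digest())


def register(initial_access_token, metadata, now, ttl=30 * 86400):
    """Step 2, per instance: policy comes from the token, not the instance."""
    approved = unseal(IAT_KEY, initial_access_token, now)
    requested = metadata.get("redirect_uris", [])
    # Exact-match allow list: the instance may narrow what was approved,
    # never widen it.
    if not requested or not set(requested) <= set(approved["redirect_uris"]):
        raise ValueError("redirect_uris not approved for this software")
    client_id = seal(CLIENT_ID_KEY, {"sw": approved["sw"],
                                     "redirect_uris": sorted(requested),
                                     "inst": secrets.token_hex(8),
                                     "exp": now + ttl})
    return {"client_id": client_id, "client_secret": derive_secret(client_id)}


def authenticate_client(client_id, client_secret, now):
    """Token endpoint check: no database lookup, only key material."""
    claims = unseal(CLIENT_ID_KEY, client_id, now)
    if not hmac.compare_digest(derive_secret(client_id).encode(),
                               client_secret.encode()):
        raise ValueError("bad client_secret")
    return claims
```

Because the AS stores nothing, a single instance cannot be revoked before its `exp` without a deny list or a key rotation that invalidates every instance at once.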

From tonynad@microsoft.com  Wed Aug 28 09:28:44 2013
Return-Path: <tonynad@microsoft.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9937921F9C34 for <oauth@ietfa.amsl.com>; Wed, 28 Aug 2013 09:28:43 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.998
X-Spam-Level: 
X-Spam-Status: No, score=-2.998 tagged_above=-999 required=5 tests=[AWL=-0.400, BAYES_00=-2.599, EXTRA_MPART_TYPE=1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Fv2+jdoD8rLL for <oauth@ietfa.amsl.com>; Wed, 28 Aug 2013 09:28:38 -0700 (PDT)
Received: from na01-bn1-obe.outbound.protection.outlook.com (mail-bn1lp0157.outbound.protection.outlook.com [207.46.163.157]) by ietfa.amsl.com (Postfix) with ESMTP id 5F5B711E81C1 for <oauth@ietf.org>; Wed, 28 Aug 2013 09:28:32 -0700 (PDT)
Received: from BY2PR03MB191.namprd03.prod.outlook.com (10.242.36.143) by BY2PR03MB041.namprd03.prod.outlook.com (10.255.241.145) with Microsoft SMTP Server (TLS) id 15.0.745.25; Wed, 28 Aug 2013 16:28:21 +0000
Received: from BY2PR03MB189.namprd03.prod.outlook.com (10.242.36.140) by BY2PR03MB191.namprd03.prod.outlook.com (10.242.36.143) with Microsoft SMTP Server (TLS) id 15.0.745.25; Wed, 28 Aug 2013 16:28:19 +0000
Received: from BY2PR03MB189.namprd03.prod.outlook.com ([169.254.6.221]) by BY2PR03MB189.namprd03.prod.outlook.com ([169.254.6.221]) with mapi id 15.00.0745.000; Wed, 28 Aug 2013 16:28:19 +0000
From: Anthony Nadalin <tonynad@microsoft.com>
To: George Fletcher <gffletch@aol.com>, Phil Hunt <phil.hunt@oracle.com>
Thread-Topic: [OAUTH-WG] Dynamic Client Registration Conference Call: Wed 28 Aug, 2pm PDT: Conference Bridge Details
Thread-Index: AQHOpAqUOZm5k7uhPkyNsHCSUVgQJZmqzaLQ
Date: Wed, 28 Aug 2013 16:28:19 +0000
Message-ID: <23dda71eaefa47fb848fd2d6e4cd7499@BY2PR03MB189.namprd03.prod.outlook.com>
References: <1373E8CE237FCC43BCA36C6558612D2AA28D6A@USCHMBX001.nsn-intra.net> <4D9D4AAD-55F9-4B7E-A56F-5BC42F028E13@oracle.com> <B14A12F5-EF5C-4529-90B7-C30E17958907@oracle.com>	<521E1A34.30204@mitre.org> <BC009D74-FEF3-4827-8C0D-1B2FCCF9DA65@oracle.com> <521E2353.2030904@aol.com>
In-Reply-To: <521E2353.2030904@aol.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator: 
x-originating-ip: [2001:4898:80e0:ed43::3]
x-forefront-prvs: 09525C61DB
x-forefront-antispam-report: SFV:NSPM; SFS:(30513003)(24454002)(189002)(199002)(52044002)(164054003)(377424004)(377454003)(479174003)(80976001)(65816001)(31966008)(74502001)(47446002)(74662001)(74706001)(551544002)(80022001)(83072001)(15395725003)(56776001)(54316002)(59766001)(79102001)(76482001)(19300405004)(54356001)(16236675002)(15202345003)(53806001)(16799955002)(77982001)(81816001)(74366001)(17760045001)(69226001)(77096001)(83322001)(19580405001)(63696002)(51856001)(76796001)(74316001)(81542001)(49866001)(81342001)(47736001)(47976001)(50986001)(56816003)(4396001)(76786001)(76576001)(81686001)(74876001)(561944002)(19580395003)(18206015023)(15975445006)(46102001)(33646001)(19580385002)(42262001)(24736002)(3826001); DIR:OUT; SFP:; SCL:1; SRVR:BY2PR03MB191; H:BY2PR03MB189.namprd03.prod.outlook.com; CLIP:2001:4898:80e0:ed43::3; RD:InfoNoRecords; MX:1; A:1; LANG:en; 
Content-Type: multipart/related; boundary="_004_23dda71eaefa47fb848fd2d6e4cd7499BY2PR03MB189namprd03pro_"; type="multipart/alternative"
MIME-Version: 1.0
X-OriginatorOrg: DuplicateDomain-a84fc36a-4ed7-4e57-ab1c-3e967bcbad48.microsoft.com
Cc: oauth mailing list <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Dynamic Client Registration Conference Call: Wed 28 Aug, 2pm PDT: Conference Bridge Details
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 28 Aug 2013 16:28:44 -0000

--_004_23dda71eaefa47fb848fd2d6e4cd7499BY2PR03MB189namprd03pro_
Content-Type: multipart/alternative;
	boundary="_000_23dda71eaefa47fb848fd2d6e4cd7499BY2PR03MB189namprd03pro_"

--_000_23dda71eaefa47fb848fd2d6e4cd7499BY2PR03MB189namprd03pro_
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable

I do think that this is the rare-edge use case, we would not want to require client-secret, we already have that mess today with OAuth and trying not to continue the proliferation, we solve this today with our STS and assertion swaps/transformations, it scales, performs and we don't have the management debacle this specification creates

From: oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] On Behalf Of George Fletcher
Sent: Wednesday, August 28, 2013 9:21 AM
To: Phil Hunt
Cc: oauth mailing list
Subject: Re: [OAUTH-WG] Dynamic Client Registration Conference Call: Wed 28 Aug, 2pm PDT: Conference Bridge Details


On 8/28/13 12:02 PM, Phil Hunt wrote:

Please define the all in one case. I think this is the edge case and is in fact rare.

I agree, in many cases step 1 can be made by simply approving a class of software. But then step 2 is simplified.

Dyn reg assumes every registration of an instance is unique which to me is a very extreme
If you have a mobile app that needs to do the code flow... which requires a client_secret in order to retrieve the access token and refresh token, how does the app do this without per app instance registration?

I'd argue that almost all user facing mobile apps will want the above flow and that's not a small, rare edge case.

Thanks,
George


position.



Phil



On 2013-08-28, at 8:41, Justin Richer <jricher@mitre.org> wrote:

Except for the cases where you want step 1 to happen in band. To me, that is a vitally and fundamentally important use case that we can't disregard, and we must have a solution that can accommodate that. The notions of "publisher" and "product" fade very quickly once you get outside of the software vendor world.

This is, of course, not to stand in the way of other solutions or approaches (such as something assertion based like you're after). It's not a one-or-the-other proposition, especially when there are mutually exclusive aspects of each.

Therefore I once again call for the WG to finish the current dynamic registration spec *AND* pursue the assertion based process that Phil's talking about. They're not mutually exclusive, let's please stop talking about them like they are.



-- Justin



On 08/28/2013 11:17 AM, Phil Hunt wrote:

Sorry. I meant also to say I think there are 2 registration steps

1. Software registration/approval. This often happens out of band. But in this step policy is defined that approves software for use. Many of the reg params are known here.

Federation techniques come into play as trust approvals can be based on developer, product or even publisher.

2. Each instance associates in a stateless way. Only clients that need credential rotation need more.



Phil



On 2013-08-28, at 8:04, Phil Hunt <phil.hunt@oracle.com> wrote:

I have a conflict I cannot get out of for 2pacific.

I think a certificate based approach is going to simplify exchanges in all cases. I encourage the group to explore the concept on the call.

I am not sure breaking dyn reg up helps. It creates yet another option. I would like to explore how federation concept in software statements can help with facilitating association and making many reg stateless.



Phil



On 2013-08-28, at 5:43, "Tschofenig, Hannes (NSN - FI/Espoo)" <hannes.tschofenig@nsn.com> wrote:

Here are the conference bridge / Webex details for the call today.

We are going to complete the use case discussions from last time (Phil wasn't able to walk through all slides). Justin was also able to work out a strawman proposal based on the discussions last week and we will have a look at it to see whether this is a suitable compromise. Here is Justin's mail, in case you have missed it: http://www.ietf.org/mail-archive/web/oauth/current/msg12036.html

Phil, please feel free to make adjustments to your slides given Justin's recent proposal.



Topic: OAuth Dynamic Client Registration

Date: Wednesday, August 28, 2013

Time: 2:00 pm, Pacific Daylight Time (San Francisco, GMT-07:00)

Meeting Number: 703 230 586

Meeting Password: oauth



-------------------------------------------------------

To join the online meeting

-------------------------------------------------------

1. Go to https://nsn.webex.com/nsn/j.php?ED=269567657&UID=0&PW=NNTI1ZWQzMDJk&RT=MiM0

2. Enter your name and email address.

3. Enter the meeting password: oauth

4. Click "Join Now".

To view in other time zones or languages, please click the link:

https://nsn.webex.com/nsn/j.php?ED=269567657&UID=0&PW=NNTI1ZWQzMDJk&ORT=MiM0

To add this meeting to your calendar program (for example Microsoft Outlook), click this link:

https://nsn.webex.com/nsn/j.php?ED=269567657&UID=0&ICS=MI&LD=1&RD=2&ST=1&SHA2=C6-AjLGvhdYjmpVdx75M6UsAwrNLMsequ5n95Gyv1R8=&RT=MiM0



-------------------------------------------------------

To join the teleconference only

-------------------------------------------------------

Global dial-in Numbers: http://www.nokiasiemensnetworks.com/nvc

Conference Code: 944 910 5485





_______________________________________________

OAuth mailing list

OAuth@ietf.org

https://www.ietf.org/mailman/listinfo/oauth





--
[George Fletcher]<http://connect.me/gffletch>

--_000_23dda71eaefa47fb848fd2d6e4cd7499BY2PR03MB189namprd03pro_--

--_004_23dda71eaefa47fb848fd2d6e4cd7499BY2PR03MB189namprd03pro_--

From gffletch@aol.com  Wed Aug 28 09:29:42 2013
Return-Path: <gffletch@aol.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 291DE21F96DA for <oauth@ietfa.amsl.com>; Wed, 28 Aug 2013 09:29:42 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.478
X-Spam-Level: 
X-Spam-Status: No, score=-2.478 tagged_above=-999 required=5 tests=[AWL=0.120,  BAYES_00=-2.599, HTML_MESSAGE=0.001]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id JZiqL2IIvgPR for <oauth@ietfa.amsl.com>; Wed, 28 Aug 2013 09:29:38 -0700 (PDT)
Received: from omr-m10.mx.aol.com (omr-m10.mx.aol.com [64.12.143.86]) by ietfa.amsl.com (Postfix) with ESMTP id 3A93621F9BF2 for <oauth@ietf.org>; Wed, 28 Aug 2013 09:29:33 -0700 (PDT)
Received: from mtaout-da03.r1000.mx.aol.com (mtaout-da03.r1000.mx.aol.com [172.29.51.131]) by omr-m10.mx.aol.com (Outbound Mail Relay) with ESMTP id 91145701221F4; Wed, 28 Aug 2013 12:29:30 -0400 (EDT)
Received: from palantir.local (unknown [10.181.176.48]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by mtaout-da03.r1000.mx.aol.com (MUA/Third Party Client Interface) with ESMTPSA id 36470E0000E8; Wed, 28 Aug 2013 12:29:30 -0400 (EDT)
Message-ID: <521E256A.60908@aol.com>
Date: Wed, 28 Aug 2013 12:29:30 -0400
From: George Fletcher <gffletch@aol.com>
Organization: AOL LLC
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:17.0) Gecko/20130801 Thunderbird/17.0.8
MIME-Version: 1.0
To: Phil Hunt <phil.hunt@oracle.com>
References: <1373E8CE237FCC43BCA36C6558612D2AA28D6A@USCHMBX001.nsn-intra.net> <4D9D4AAD-55F9-4B7E-A56F-5BC42F028E13@oracle.com> <B14A12F5-EF5C-4529-90B7-C30E17958907@oracle.com> <521E1A34.30204@mitre.org> <BC009D74-FEF3-4827-8C0D-1B2FCCF9DA65@oracle.com> <521E2353.2030904@aol.com> <C7CBA9A2-92F5-4AE3-8AEE-1259B6635DD9@oracle.com>
In-Reply-To: <C7CBA9A2-92F5-4AE3-8AEE-1259B6635DD9@oracle.com>
Content-Type: multipart/alternative; boundary="------------020101040503080806050003"
x-aol-global-disposition: G
X-AOL-VSS-INFO: 5400.1158/93305
X-AOL-VSS-CODE: clean
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=mx.aol.com; s=20121107; t=1377707370; bh=3uDivhADuXt1bz5oNa//S8tm5IakY8Q/GLxlhGciHSQ=; h=From:To:Subject:Message-ID:Date:MIME-Version:Content-Type; b=tS6P7m364apUwoOFg6mJkCySP2OKfeZU10OVfXS66AFnOXL/cANy/EpZylqBISJpB bKD/GPNhHcFSg3rt8kt4dQFK2TlFMPCjkmk71Nf3xtYZR2B5pD1YOk7oLv2Z6b6veH 8BWxjqpFd9fE0BzVhrNuaTrTSalp1FP8XTM9sOpM=
x-aol-sid: 3039ac1d3383521e256a4901
X-AOL-IP: 10.181.176.48
Cc: oauth mailing list <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Dynamic Client Registration Conference Call: Wed 28 Aug, 2pm PDT: Conference Bridge Details
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 28 Aug 2013 16:29:42 -0000

This is a multi-part message in MIME format.
--------------020101040503080806050003
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit

I can't say I understand what you mean by a simple assertion swap... but 
if you are wanting to use a client_assertion flow instead of the code 
flow then that's something completely different. If you are saying that 
you want the client_id to represent an "instance" in a stateless way 
using an "assertion" then that's already possible today.

George

On 8/28/13 12:23 PM, Phil Hunt wrote:
> George
>
> That case can be solved with a simple assertion swap. We just have to 
> profile it.
>
> Phil
>
> On 2013-08-28, at 9:20, George Fletcher <gffletch@aol.com 
> <mailto:gffletch@aol.com>> wrote:
>
>>
>> On 8/28/13 12:02 PM, Phil Hunt wrote:
>>> Please define the all in one case. I think this is the edge case and is in fact rare.
>>>
>>> I agree, in many cases step 1 can be made by simply approving a class of software. But then step 2 is simplified.
>>>
>>> Dyn reg assumes every registration of an instance is unique which to me is a very extreme
>> If you have a mobile app that needs to do the code flow... which 
>> requires a client_secret in order to retrieve the access token and 
>> refresh token, how does the app do this without per app instance 
>> registration?
>>
>> I'd argue that almost all user facing mobile apps will want the above 
>> flow and that's not a small, rare edge case.
>>
>> Thanks,
>> George
>>> position.
>>>
>>> Phil
>>>
>>> On 2013-08-28, at 8:41, Justin Richer <jricher@mitre.org> wrote:
>>>
>>>> Except for the cases where you want step 1 to happen in band. To me, that is a vitally and fundamentally important use case that we can't disregard, and we must have a solution that can accommodate that. The notions of "publisher" and "product" fade very quickly once you get outside of the software vendor world.
>>>>
>>>> This is, of course, not to stand in the way of other solutions or approaches (such as something assertion based like you're after). It's not a one-or-the-other proposition, especially when there are mutually exclusive aspects of each.
>>>>
>>>> Therefore I once again call for the WG to finish the current dynamic registration spec *AND* pursue the assertion based process that Phil's talking about. They're not mutually exclusive, let's please stop talking about them like they are.
>>>>
>>>> -- Justin
>>>>
>>>> On 08/28/2013 11:17 AM, Phil Hunt wrote:
>>>>> Sorry. I meant also to say I think there are 2 registration steps.
>>>>>
>>>>> 1. Software registration/approval. This often happens out of band. But in this step policy is defined that approves software for use. Many of the reg params are known here.
>>>>>
>>>>> Federation techniques come into play as trust approvals can be based on developer, product or even publisher.
>>>>>
>>>>> 2. Each instance associates in a stateless way. Only clients that need credential rotation need more.
>>>>>
>>>>> Phil
>>>>>
>>>>> On 2013-08-28, at 8:04, Phil Hunt <phil.hunt@oracle.com> wrote:
>>>>>
>>>>>> I have a conflict I cannot get out of for 2pacific.
>>>>>>
>>>>>> I think a certificate based approach is going to simplify exchanges in all cases. I encourage the group to explore the concept on the call.
>>>>>>
>>>>>> I am not sure breaking dyn reg up helps. It creates yet another option. I would like to explore how federation concept in software statements can help with facilitating association and making many reg stateless.
>>>>>>
>>>>>> Phil
>>>>>>
>>>>>> On 2013-08-28, at 5:43, "Tschofenig, Hannes (NSN - FI/Espoo)" <hannes.tschofenig@nsn.com> wrote:
>>>>>>
>>>>>>> Here are the conference bridge / Webex details for the call today.
>>>>>>> We are going to complete the use case discussions from last time (Phil wasn't able to walk through all slides). Justin was also able to work out a strawman proposal based on the discussions last week and we will have a look at it to see whether this is a suitable compromise. Here is Justin's mail, in case you have missed it: http://www.ietf.org/mail-archive/web/oauth/current/msg12036.html
>>>>>>>
>>>>>>> Phil, please feel free to make adjustments to your slides given Justin's recent proposal.
>>>>>>>
>>>>>>> Topic: OAuth Dynamic Client Registration
>>>>>>> Date: Wednesday, August 28, 2013
>>>>>>> Time: 2:00 pm, Pacific Daylight Time (San Francisco, GMT-07:00)
>>>>>>> Meeting Number: 703 230 586
>>>>>>> Meeting Password: oauth
>>>>>>>
>>>>>>> -------------------------------------------------------
>>>>>>> To join the online meeting
>>>>>>> -------------------------------------------------------
>>>>>>> 1. Go to https://nsn.webex.com/nsn/j.php?ED=269567657&UID=0&PW=NNTI1ZWQzMDJk&RT=MiM0
>>>>>>> 2. Enter your name and email address.
>>>>>>> 3. Enter the meeting password: oauth
>>>>>>> 4. Click "Join Now".
>>>>>>>
>>>>>>> To view in other time zones or languages, please click the link:
>>>>>>> https://nsn.webex.com/nsn/j.php?ED=269567657&UID=0&PW=NNTI1ZWQzMDJk&ORT=MiM0
>>>>>>>
>>>>>>> To add this meeting to your calendar program (for example Microsoft Outlook), click this link:
>>>>>>> https://nsn.webex.com/nsn/j.php?ED=269567657&UID=0&ICS=MI&LD=1&RD=2&ST=1&SHA2=C6-AjLGvhdYjmpVdx75M6UsAwrNLMsequ5n95Gyv1R8=&RT=MiM0
>>>>>>>
>>>>>>> -------------------------------------------------------
>>>>>>> To join the teleconference only
>>>>>>> -------------------------------------------------------
>>>>>>> Global dial-in Numbers: http://www.nokiasiemensnetworks.com/nvc
>>>>>>> Conference Code: 944 910 5485
>>>>>>>
>>>>>>>
>>>>>>> _______________________________________________
>>>>>>> OAuth mailing list
>>>>>>> OAuth@ietf.org
>>>>>>> https://www.ietf.org/mailman/listinfo/oauth
>>>
>>>
>>
>> -- 
>> <XeC> <http://connect.me/gffletch>

-- 
George Fletcher <http://connect.me/gffletch>

--------------020101040503080806050003
Content-Type: multipart/related;
 boundary="------------050508010808000008070707"


--------------050508010808000008070707
Content-Type: text/html; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit

<html>
  <head>
    <meta content="text/html; charset=ISO-8859-1"
      http-equiv="Content-Type">
  </head>
  <body bgcolor="#FFFFFF" text="#000000">
    <font face="Helvetica, Arial, sans-serif">I can't say I understand
      what you mean by a simple assertion swap... but if you are wanting
      to use a client_assertion flow instead of the code flow then
      that's something completely different. If you are saying that you
      want the client_id to represent an "instance" in a stateless way
      using an "assertion" then that's already possible today.<br>
      <br>
      George<br>
      <br>
    </font>
    <div class="moz-cite-prefix">On 8/28/13 12:23 PM, Phil Hunt wrote:<br>
    </div>
    <blockquote
      cite="mid:C7CBA9A2-92F5-4AE3-8AEE-1259B6635DD9@oracle.com"
      type="cite">
      <meta http-equiv="content-type" content="text/html;
        charset=ISO-8859-1">
      <div>George</div>
      <div><br>
      </div>
      <div>That case can be solved with a simple assertion swap. We just
        have to profile it.&nbsp;<br>
        <br>
        Phil</div>
      <div><br>
        On 2013-08-28, at 9:20, George Fletcher &lt;<a
          moz-do-not-send="true" href="mailto:gffletch@aol.com">gffletch@aol.com</a>&gt;
        wrote:<br>
        <br>
      </div>
      <blockquote type="cite">
        <div>
          <meta content="text/html; charset=ISO-8859-1"
            http-equiv="Content-Type">
          <br>
          <div class="moz-cite-prefix">On 8/28/13 12:02 PM, Phil Hunt
            wrote:<br>
          </div>
          <blockquote
            cite="mid:BC009D74-FEF3-4827-8C0D-1B2FCCF9DA65@oracle.com"
            type="cite">
            <pre wrap="">Please define the all in one case. I think this is the edge case and is in fact rare. 

I agree, in many cases step 1 can be made by simply approving a class of software. But then step 2 is simplified. 

Dyn reg assumes every registration of an instance is unique which to me is a very extreme </pre>
          </blockquote>
          If you have a mobile app that needs to do the code flow...
          which requires a client_secret in order to retrieve the access
          token and refresh token, how does the app do this without per
          app instance registration? <br>
          <br>
          I'd argue that almost all user facing mobile apps will want
          the above flow and that's not a small, rare edge case.<br>
          <br>
          Thanks,<br>
          George<br>
          <blockquote
            cite="mid:BC009D74-FEF3-4827-8C0D-1B2FCCF9DA65@oracle.com"
            type="cite">
            <pre wrap="">position. 

Phil

On 2013-08-28, at 8:41, Justin Richer <a moz-do-not-send="true" class="moz-txt-link-rfc2396E" href="mailto:jricher@mitre.org">&lt;jricher@mitre.org&gt;</a> wrote:

</pre>
            <blockquote type="cite">
              <pre wrap="">Except for the cases where you want step 1 to happen in band. To me, that is a vitally and fundamentally important use case that we can't disregard, and we must have a solution that can accommodate that. The notions of "publisher" and "product" fade very quickly once you get outside of the software vendor world.

This is, of course, not to stand in the way of other solutions or approaches (such as something assertion based like you're after). It's not a one-or-the-other proposition, especially when there are mutually exclusive aspects of each.

Therefore I once again call for the WG to finish the current dynamic registration spec *AND* pursue the assertion based process that Phil's talking about. They're not mutually exclusive, let's please stop talking about them like they are.

-- Justin

On 08/28/2013 11:17 AM, Phil Hunt wrote:
</pre>
              <blockquote type="cite">
                <pre wrap="">Sorry. I meant also to say I think there are 2 registration steps.

1. Software registration/approval. This often happens out of band. But in this step policy is defined that approves software for use. Many of the reg params are known here.

Federation techniques come into play as trust approvals can be based on developer, product or even publisher.

2. Each instance associates in a stateless way. Only clients that need credential rotation need more.

Phil

On 2013-08-28, at 8:04, Phil Hunt <a moz-do-not-send="true" class="moz-txt-link-rfc2396E" href="mailto:phil.hunt@oracle.com">&lt;phil.hunt@oracle.com&gt;</a> wrote:

</pre>
                <blockquote type="cite">
                  <pre wrap="">I have a conflict I cannot get out of for 2pacific.

I think a certificate based approach is going to simplify exchanges in all cases. I encourage the group to explore the concept on the call.

I am not sure breaking dyn reg up helps. It creates yet another option. I would like to explore how federation concept in software statements can help with facilitating association and making many reg stateless.

Phil

On 2013-08-28, at 5:43, "Tschofenig, Hannes (NSN - FI/Espoo)" <a moz-do-not-send="true" class="moz-txt-link-rfc2396E" href="mailto:hannes.tschofenig@nsn.com">&lt;hannes.tschofenig@nsn.com&gt;</a> wrote:

</pre>
                  <blockquote type="cite">
                    <pre wrap="">Here are the conference bridge / Webex details for the call today.
We are going to complete the use case discussions from last time (Phil wasn't able to walk through all slides). Justin was also able to work out a strawman proposal based on the discussions last week and we will have a look at it to see whether this is a suitable compromise. Here is Justin's mail, in case you have missed it: <a moz-do-not-send="true" class="moz-txt-link-freetext" href="http://www.ietf.org/mail-archive/web/oauth/current/msg12036.html">http://www.ietf.org/mail-archive/web/oauth/current/msg12036.html</a>

Phil, please feel free to make adjustments to your slides given Justin's recent proposal.

Topic: OAuth Dynamic Client Registration
Date: Wednesday, August 28, 2013
Time: 2:00 pm, Pacific Daylight Time (San Francisco, GMT-07:00)
Meeting Number: 703 230 586
Meeting Password: oauth

-------------------------------------------------------
To join the online meeting
-------------------------------------------------------
1. Go to <a moz-do-not-send="true" class="moz-txt-link-freetext" href="https://nsn.webex.com/nsn/j.php?ED=269567657&amp;UID=0&amp;PW=NNTI1ZWQzMDJk&amp;RT=MiM0">https://nsn.webex.com/nsn/j.php?ED=269567657&amp;UID=0&amp;PW=NNTI1ZWQzMDJk&amp;RT=MiM0</a>
2. Enter your name and email address.
3. Enter the meeting password: oauth
4. Click "Join Now".

To view in other time zones or languages, please click the link:
<a moz-do-not-send="true" class="moz-txt-link-freetext" href="https://nsn.webex.com/nsn/j.php?ED=269567657&amp;UID=0&amp;PW=NNTI1ZWQzMDJk&amp;ORT=MiM0">https://nsn.webex.com/nsn/j.php?ED=269567657&amp;UID=0&amp;PW=NNTI1ZWQzMDJk&amp;ORT=MiM0</a>

To add this meeting to your calendar program (for example Microsoft Outlook), click this link:
<a moz-do-not-send="true" class="moz-txt-link-freetext" href="https://nsn.webex.com/nsn/j.php?ED=269567657&amp;UID=0&amp;ICS=MI&amp;LD=1&amp;RD=2&amp;ST=1&amp;SHA2=C6-AjLGvhdYjmpVdx75M6UsAwrNLMsequ5n95Gyv1R8=&amp;RT=MiM0">https://nsn.webex.com/nsn/j.php?ED=269567657&amp;UID=0&amp;ICS=MI&amp;LD=1&amp;RD=2&amp;ST=1&amp;SHA2=C6-AjLGvhdYjmpVdx75M6UsAwrNLMsequ5n95Gyv1R8=&amp;RT=MiM0</a>

-------------------------------------------------------
To join the teleconference only
-------------------------------------------------------
Global dial-in Numbers: <a moz-do-not-send="true" class="moz-txt-link-freetext" href="http://www.nokiasiemensnetworks.com/nvc">http://www.nokiasiemensnetworks.com/nvc</a>
Conference Code: 944 910 5485


_______________________________________________
OAuth mailing list
<a moz-do-not-send="true" class="moz-txt-link-abbreviated" href="mailto:OAuth@ietf.org">OAuth@ietf.org</a>
<a moz-do-not-send="true" class="moz-txt-link-freetext" href="https://www.ietf.org/mailman/listinfo/oauth">https://www.ietf.org/mailman/listinfo/oauth</a>
</pre>
                  </blockquote>
                </blockquote>
              </blockquote>
            </blockquote>
          </blockquote>
          <br>
          <div class="moz-signature">-- <br>
            <a moz-do-not-send="true" href="http://connect.me/gffletch"
              title="View full card on Connect.Me">&lt;XeC&gt;</a></div>
        </div>
      </blockquote>
    </blockquote>
    <br>
    <div class="moz-signature">-- <br>
      <a href="http://connect.me/gffletch" title="View full card on
        Connect.Me"><img src="cid:part19.02010707.07090303@aol.com"
          alt="George Fletcher" height="113" width="359"></a></div>
  </body>
</html>

--------------050508010808000008070707--

--------------020101040503080806050003--

From gffletch@aol.com  Wed Aug 28 09:33:34 2013
Message-ID: <521E2657.1060506@aol.com>
Date: Wed, 28 Aug 2013 12:33:27 -0400
From: George Fletcher <gffletch@aol.com>
Organization: AOL LLC
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:17.0) Gecko/20130801 Thunderbird/17.0.8
MIME-Version: 1.0
To: Anthony Nadalin <tonynad@microsoft.com>
References: <1373E8CE237FCC43BCA36C6558612D2AA28D6A@USCHMBX001.nsn-intra.net> <4D9D4AAD-55F9-4B7E-A56F-5BC42F028E13@oracle.com> <B14A12F5-EF5C-4529-90B7-C30E17958907@oracle.com>	<521E1A34.30204@mitre.org> <BC009D74-FEF3-4827-8C0D-1B2FCCF9DA65@oracle.com> <521E2353.2030904@aol.com> <23dda71eaefa47fb848fd2d6e4cd7499@BY2PR03MB189.namprd03.prod.outlook.com>
In-Reply-To: <23dda71eaefa47fb848fd2d6e4cd7499@BY2PR03MB189.namprd03.prod.outlook.com>
Content-Type: multipart/alternative; boundary="------------090305040401050103060408"
Cc: oauth mailing list <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Dynamic Client Registration Conference Call: Wed 28 Aug, 2pm PDT: Conference Bridge Details

This is a multi-part message in MIME format.
--------------090305040401050103060408
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit

So I understand that you'd rather that OAuth doesn't require a 
client_secret and that's fine. However, I don't think we should impose 
that thinking on the rest of the world who have already implemented it 
and have it working and scaling without issues. If the core of this 
discussion is around replacing client_id and client_secret with a 
client_assertion then let's have that discussion separately and not bury 
it in the dynamic registration discussion.

Could you not profile OAuth2 to support a flow that allows for retrieval 
of access and refresh tokens using code + client_assertion? Doesn't seem 
like that hard a profile and then the rest of this could fall out pretty 
easily.

Thanks,
George

On 8/28/13 12:28 PM, Anthony Nadalin wrote:
>
> I do think that this is the rare-edge use case, we would not want to 
> require client-secret, we already have that mess today with OAuth and 
> trying not to continue the proliferation, we solve this today with our 
> STS and assertion swaps/transformations, it scales, performs and we 
> don't have the management debacle this specification creates
>
> *From:*oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] *On 
> Behalf Of *George Fletcher
> *Sent:* Wednesday, August 28, 2013 9:21 AM
> *To:* Phil Hunt
> *Cc:* oauth mailing list
> *Subject:* Re: [OAUTH-WG] Dynamic Client Registration Conference Call: 
> Wed 28 Aug, 2pm PDT: Conference Bridge Details
>
> On 8/28/13 12:02 PM, Phil Hunt wrote:
>
>     Please define the all in one case. I think this is the edge case and is in fact rare.
>
>     I agree, in many cases step 1 can be made by simply approving a class of software. But then step 2 is simplified.
>
>     Dyn reg assumes every registration of an instance is unique which to me is a very extreme
>
> If you have a mobile app that needs to do the code flow... which 
> requires a client_secret in order to retrieve the access token and 
> refresh token, how does the app do this without per app instance 
> registration?
>
> I'd argue that almost all user facing mobile apps will want the above 
> flow and that's not a small, rare edge case.
>
> Thanks,
> George
>
>     position.
>
>     Phil
>
>     On 2013-08-28, at 8:41, Justin Richer <jricher@mitre.org> wrote:
>
>         Except for the cases where you want step 1 to happen in band. To me, that is a vitally and fundamentally important use case that we can't disregard, and we must have a solution that can accommodate that. The notions of "publisher" and "product" fade very quickly once you get outside of the software vendor world.
>
>         This is, of course, not to stand in the way of other solutions or approaches (such as something assertion based like you're after). It's not a one-or-the-other proposition, especially when there are mutually exclusive aspects of each.
>
>         Therefore I once again call for the WG to finish the current dynamic registration spec *AND* pursue the assertion based process that Phil's talking about. They're not mutually exclusive, let's please stop talking about them like they are.
>
>         -- Justin
>
>         On 08/28/2013 11:17 AM, Phil Hunt wrote:
>
>             Sorry. I meant also to say I think there are 2 registration steps
>
>             1. Software registration/approval. This often happens out of band. But in this step policy is defined that approves software for use. Many of the reg params are known here.
>
>             Federation techniques come into play as trust approvals can be based on developer, product or even publisher.
>
>             2. Each instance associates in a stateless way. Only clients that need credential rotation need more.
>
>             Phil
>
>             On 2013-08-28, at 8:04, Phil Hunt <phil.hunt@oracle.com> wrote:
>
>                 I have a conflict I cannot get out of for 2pacific.
>
>                 I think a certificate based approach is going to simplify exchanges in all cases. I encourage the group to explore the concept on the call.
>
>                 I am not sure breaking dyn reg up helps. It creates yet another option. I would like to explore how federation concept in software statements can help with facilitating association and making many reg stateless.
>
>                 Phil
>
>                 On 2013-08-28, at 5:43, "Tschofenig, Hannes (NSN - FI/Espoo)" <hannes.tschofenig@nsn.com> wrote:
>
>                     Here are the conference bridge / Webex details for the call today.
>                     We are going to complete the use case discussions from last time (Phil wasn't able to walk through all slides). Justin was also able to work out a strawman proposal based on the discussions last week and we will have a look at it to see whether this is a suitable compromise. Here is Justin's mail, in case you have missed it: http://www.ietf.org/mail-archive/web/oauth/current/msg12036.html
>
>                     Phil, please feel free to make adjustments to your slides given Justin's recent proposal.
>
>                     Topic: OAuth Dynamic Client Registration
>                     Date: Wednesday, August 28, 2013
>                     Time: 2:00 pm, Pacific Daylight Time (San Francisco, GMT-07:00)
>                     Meeting Number: 703 230 586
>                     Meeting Password: oauth
>
>                     -------------------------------------------------------
>                     To join the online meeting
>                     -------------------------------------------------------
>                     1. Go to https://nsn.webex.com/nsn/j.php?ED=269567657&UID=0&PW=NNTI1ZWQzMDJk&RT=MiM0
>                     2. Enter your name and email address.
>                     3. Enter the meeting password: oauth
>                     4. Click "Join Now".
>
>                     To view in other time zones or languages, please click the link:
>                     https://nsn.webex.com/nsn/j.php?ED=269567657&UID=0&PW=NNTI1ZWQzMDJk&ORT=MiM0
>
>                     To add this meeting to your calendar program (for example Microsoft Outlook), click this link:
>                     https://nsn.webex.com/nsn/j.php?ED=269567657&UID=0&ICS=MI&LD=1&RD=2&ST=1&SHA2=C6-AjLGvhdYjmpVdx75M6UsAwrNLMsequ5n95Gyv1R8=&RT=MiM0
>
>                     -------------------------------------------------------
>                     To join the teleconference only
>                     -------------------------------------------------------
>                     Global dial-in Numbers: http://www.nokiasiemensnetworks.com/nvc
>                     Conference Code: 944 910 5485
>
>                     _______________________________________________
>                     OAuth mailing list
>                     OAuth@ietf.org
>                     https://www.ietf.org/mailman/listinfo/oauth
>
> -- 
> George Fletcher <http://connect.me/gffletch>
>

-- 
George Fletcher <http://connect.me/gffletch>
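
The profile asked about in the message above (token retrieval with code + client_assertion instead of client_secret), sketched as an added example; it is not code from this thread or from any WG draft. The parameter names follow the OAuth assertion framework; the STS issuer, token endpoint URL, key and client id are constructed, and HS256 with a key shared between the STS and the authorization server stands in for an asymmetric signature so the block runs on the standard library alone.

```python
import base64
import hashlib
import hmac
import json
from urllib.parse import parse_qs, urlencode

# Constructed values for this illustration; none come from the thread.
JWT_BEARER = "urn:ietf:params:oauth:client-assertion-type:jwt-bearer"
TOKEN_ENDPOINT = "https://as.example.com/token"
STS_ISSUER = "https://sts.example.com"
STS_KEY = b"constructed-demo-key-shared-by-sts-and-as"


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign(signing_input: str, key: bytes) -> bytes:
    # HS256 stand-in; a deployment would more likely verify an asymmetric signature.
    return hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()


def issue_assertion(client_id, now, jti, key=STS_KEY, aud=TOKEN_ENDPOINT):
    """STS side: short-lived JWT naming one client instance, bound to one AS."""
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": STS_ISSUER, "sub": client_id, "aud": aud,
              "iat": now, "exp": now + 60, "jti": jti}
    signing_input = ".".join(
        b64url(json.dumps(part, separators=(",", ":")).encode("utf-8"))
        for part in (header, claims))
    return signing_input + "." + b64url(sign(signing_input, key))


def build_token_request(code, redirect_uri, assertion):
    """Client side: authorization-code token request carrying no client_secret."""
    return urlencode({
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": redirect_uri,
        "client_assertion_type": JWT_BEARER,
        "client_assertion": assertion,
    })


class TokenEndpoint:
    """Authorization-server side: authenticate the client from the assertion."""

    def __init__(self, trusted_issuers):
        self.trusted_issuers = trusted_issuers  # issuer URL -> verification key
        self.seen_jti = set()                   # replay cache (unbounded in this demo)

    def authenticate_client(self, body, now):
        """Return (True, client_id) or (False, reason)."""
        form = {name: values[0] for name, values in parse_qs(body).items()}
        if "client_secret" in form:
            return False, "mixed client authentication methods"
        if form.get("client_assertion_type") != JWT_BEARER:
            return False, "unsupported client_assertion_type"
        parts = form.get("client_assertion", "").split(".")
        if len(parts) != 3:
            return False, "malformed assertion"
        try:
            header = json.loads(b64url_decode(parts[0]))
            claims = json.loads(b64url_decode(parts[1]))
            signature = b64url_decode(parts[2])
        except ValueError:
            return False, "malformed assertion"
        if not isinstance(header, dict) or not isinstance(claims, dict):
            return False, "malformed assertion"
        # Pin the algorithm instead of trusting whatever the header announces.
        if header.get("alg") != "HS256":
            return False, "unexpected alg"
        issuer = claims.get("iss")
        key = self.trusted_issuers.get(issuer) if isinstance(issuer, str) else None
        if key is None:
            return False, "untrusted issuer"
        expected = sign(parts[0] + "." + parts[1], key)
        if not hmac.compare_digest(expected, signature):
            return False, "bad signature"
        # Claims are only trusted from here on, after the signature verified.
        if claims.get("aud") != TOKEN_ENDPOINT:
            return False, "wrong audience"
        iat, exp = claims.get("iat"), claims.get("exp")
        if not (isinstance(iat, int) and isinstance(exp, int) and iat <= now < exp):
            return False, "assertion expired or not yet valid"
        jti, client_id = claims.get("jti"), claims.get("sub")
        if not isinstance(jti, str) or not isinstance(client_id, str):
            return False, "missing jti or sub"
        if jti in self.seen_jti:
            return False, "assertion replayed"
        self.seen_jti.add(jti)
        return True, client_id
```

The client instance holds only a 60-second assertion, so the authorization server stores no per-instance secret; the audience, lifetime and jti checks are what keep a captured assertion from being reused elsewhere or later.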

--------------090305040401050103060408
Content-Type: multipart/related;
 boundary="------------070606080508020907060001"


--------------070606080508020907060001
Content-Type: text/html; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit

<html>
  <head>
    <meta content="text/html; charset=ISO-8859-1"
      http-equiv="Content-Type">
  </head>
  <body bgcolor="#FFFFFF" text="#000000">
    <font face="Helvetica, Arial, sans-serif">So I understand that you'd
      rather that OAuth doesn't require a client_secret and that's fine.
      However, I don't think we should impose that thinking on the rest
      of the world who have already implemented it and have it working
      and scaling without issues. If the core of this discussion is
      around replacing client_id and client_secret with a
      client_assertion then let's have that discussion separately and not
      bury it in the dynamic registration discussion.<br>
      <br>
      Could you not profile OAuth2 to support a flow that allows for
      retrieval of access and refresh tokens using code +
      client_assertion? Doesn't seem like that hard a profile and then
      the rest of this could fall out pretty easily.<br>
      <br>
      Thanks,<br>
      George<br>
      <br>
    </font>
    <div class="moz-cite-prefix">On 8/28/13 12:28 PM, Anthony Nadalin
      wrote:<br>
    </div>
    <blockquote
cite="mid:23dda71eaefa47fb848fd2d6e4cd7499@BY2PR03MB189.namprd03.prod.outlook.com"
      type="cite">
      <div class="WordSection1">
        <p class="MsoNormal"><span
style="font-size:11.0pt;font-family:&quot;Calibri&quot;,&quot;sans-serif&quot;;color:#1F497D">I
            do think that this is the rare-edge use case, we would not
            want to require client-secret, we already have that mess today
            with OAuth and trying not to continue the proliferation, we
            solve this today with our STS and assertion
            swaps/transformations, it scales, performs and we don&#8217;t have
            the management debacle this specification creates<o:p></o:p></span></p>
        <p class="MsoNormal"><a moz-do-not-send="true"
            name="_MailEndCompose"><span
style="font-size:11.0pt;font-family:&quot;Calibri&quot;,&quot;sans-serif&quot;;color:#1F497D"><o:p>&nbsp;</o:p></span></a></p>
        <div>
          <div style="border:none;border-top:solid #E1E1E1
            1.0pt;padding:3.0pt 0in 0in 0in">
            <p class="MsoNormal"><b><span
style="font-size:11.0pt;font-family:&quot;Calibri&quot;,&quot;sans-serif&quot;;color:windowtext">From:</span></b><span
style="font-size:11.0pt;font-family:&quot;Calibri&quot;,&quot;sans-serif&quot;;color:windowtext">
                <a class="moz-txt-link-abbreviated" href="mailto:oauth-bounces@ietf.org">oauth-bounces@ietf.org</a> [<a class="moz-txt-link-freetext" href="mailto:oauth-bounces@ietf.org">mailto:oauth-bounces@ietf.org</a>]
                <b>On Behalf Of </b>George Fletcher<br>
                <b>Sent:</b> Wednesday, August 28, 2013 9:21 AM<br>
                <b>To:</b> Phil Hunt<br>
                <b>Cc:</b> oauth mailing list<br>
                <b>Subject:</b> Re: [OAUTH-WG] Dynamic Client
                Registration Conference Call: Wed 28 Aug, 2pm PDT:
                Conference Bridge Details<o:p></o:p></span></p>
          </div>
        </div>
        <p class="MsoNormal"><o:p>&nbsp;</o:p></p>
        <p class="MsoNormal"><o:p>&nbsp;</o:p></p>
        <div>
          <p class="MsoNormal">On 8/28/13 12:02 PM, Phil Hunt wrote:<o:p></o:p></p>
        </div>
        <blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
          <pre>Please define the all in one case. I think this is the edge case and is in fact rare. <o:p></o:p></pre>
          <pre><o:p>&nbsp;</o:p></pre>
          <pre>I agree, in many cases step 1 can be made by simply approving a class of software. But then step 2 is simplified. <o:p></o:p></pre>
          <pre><o:p>&nbsp;</o:p></pre>
          <pre>Dyn reg assumes every registration of an instance is unique which to me is a very extreme <o:p></o:p></pre>
        </blockquote>
        <p class="MsoNormal">If you have a mobile app that needs to do
          the code flow... which requires a client_secret in order to
          retrieve the access token and refresh token, how does the app
          do this without per app instance registration?
          <br>
          <br>
          I'd argue that almost all user facing mobile apps will want
          the above flow and that's not a small, rare edge case.<br>
          <br>
          Thanks,<br>
          George<br>
          <br>
          <o:p></o:p></p>
        <blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
          <pre>position. <o:p></o:p></pre>
          <pre><o:p>&nbsp;</o:p></pre>
          <pre>Phil<o:p></o:p></pre>
          <pre><o:p>&nbsp;</o:p></pre>
          <pre>On 2013-08-28, at 8:41, Justin Richer <a moz-do-not-send="true" href="mailto:jricher@mitre.org">&lt;jricher@mitre.org&gt;</a> wrote:<o:p></o:p></pre>
          <pre><o:p>&nbsp;</o:p></pre>
          <blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
            <pre>Except for the cases where you want step 1 to happen in band. To me, that is a vitally and fundamentally important use case that we can't disregard, and we must have a solution that can accommodate that. The notions of "publisher" and "product" fade very quickly once you get outside of the software vendor world.<o:p></o:p></pre>
            <pre><o:p>&nbsp;</o:p></pre>
            <pre>This is, of course, not to stand in the way of other solutions or approaches (such as something assertion based like you're after). It's not a one-or-the-other proposition, especially when there are mutually exclusive aspects of each.<o:p></o:p></pre>
            <pre><o:p>&nbsp;</o:p></pre>
            <pre>Therefore I once again call for the WG to finish the current dynamic registration spec *AND* pursue the assertion based process that Phil's talking about. They're not mutually exclusive, let's please stop talking about them like they are.<o:p></o:p></pre>
            <pre><o:p>&nbsp;</o:p></pre>
            <pre>-- Justin<o:p></o:p></pre>
            <pre><o:p>&nbsp;</o:p></pre>
            <pre>On 08/28/2013 11:17 AM, Phil Hunt wrote:<o:p></o:p></pre>
            <blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
              <pre>Sorry. I meant also to say I think there are 2 registration steps<span style="color:#1F497D"><o:p></o:p></span></pre>
              <pre>1. Software registration/approval. This often happens out of band. But in this step policy is defined that approves software for use. Many of the reg params are known here.<o:p></o:p></pre>
              <pre><o:p>&nbsp;</o:p></pre>
              <pre>Federation techniques come into play as trust approvals can be based on developer, product or even publisher.<o:p></o:p></pre>
              <pre><o:p>&nbsp;</o:p></pre>
              <pre>2. Each instance associates in a stateless way. Only clients that need credential rotation need more.<o:p></o:p></pre>
              <pre><o:p>&nbsp;</o:p></pre>
              <pre>Phil<o:p></o:p></pre>
              <pre><o:p>&nbsp;</o:p></pre>
              <pre>On 2013-08-28, at 8:04, Phil Hunt <a moz-do-not-send="true" href="mailto:phil.hunt@oracle.com">&lt;phil.hunt@oracle.com&gt;</a> wrote:<o:p></o:p></pre>
              <pre><o:p>&nbsp;</o:p></pre>
              <blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
                <pre>I have a conflict I cannot get out of for 2pacific.<o:p></o:p></pre>
                <pre><o:p>&nbsp;</o:p></pre>
                <pre>I think a certificate based approach is going to simplify exchanges in all cases. I encourage the group to explore the concept on the call.<o:p></o:p></pre>
                <pre><o:p>&nbsp;</o:p></pre>
                <pre>I am not sure breaking dyn reg up helps. It creates yet another option. I would like to explore how federation concept in software statements can help with facilitating association and making many reg stateless.<o:p></o:p></pre>
                <pre><o:p>&nbsp;</o:p></pre>
                <pre>Phil<o:p></o:p></pre>
                <pre><o:p>&nbsp;</o:p></pre>
                <pre>On 2013-08-28, at 5:43, "Tschofenig, Hannes (NSN - FI/Espoo)" <a moz-do-not-send="true" href="mailto:hannes.tschofenig@nsn.com">&lt;hannes.tschofenig@nsn.com&gt;</a> wrote:<o:p></o:p></pre>
                <pre><o:p>&nbsp;</o:p></pre>
                <blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
                  <pre>Here are the conference bridge / Webex details for the call today.<o:p></o:p></pre>
                  <pre>We are going to complete the use case discussions from last time (Phil wasn't able to walk through all slides). Justin was also able to work out a strawman proposal based on the discussions last week and we will have a look at it to see whether this is a suitable compromise. Here is Justin's mail, in case you have missed it: <a moz-do-not-send="true" href="http://www.ietf.org/mail-archive/web/oauth/current/msg12036.html">http://www.ietf.org/mail-archive/web/oauth/current/msg12036.html</a><o:p></o:p></pre>
                  <pre><o:p>&nbsp;</o:p></pre>
                  <pre>Phil, please feel free to make adjustments to your slides given Justin's recent proposal.<o:p></o:p></pre>
                  <pre><o:p>&nbsp;</o:p></pre>
                  <pre>Topic: OAuth Dynamic Client Registration<o:p></o:p></pre>
                  <pre>Date: Wednesday, August 28, 2013<o:p></o:p></pre>
                  <pre>Time: 2:00 pm, Pacific Daylight Time (San Francisco, GMT-07:00)<o:p></o:p></pre>
                  <pre>Meeting Number: 703 230 586<o:p></o:p></pre>
                  <pre>Meeting Password: oauth<o:p></o:p></pre>
                  <pre><o:p>&nbsp;</o:p></pre>
                  <pre>-------------------------------------------------------<o:p></o:p></pre>
                  <pre>To join the online meeting<o:p></o:p></pre>
                  <pre>-------------------------------------------------------<o:p></o:p></pre>
                  <pre>1. Go to <a moz-do-not-send="true" href="https://nsn.webex.com/nsn/j.php?ED=269567657&amp;UID=0&amp;PW=NNTI1ZWQzMDJk&amp;RT=MiM0">https://nsn.webex.com/nsn/j.php?ED=269567657&amp;UID=0&amp;PW=NNTI1ZWQzMDJk&amp;RT=MiM0</a><o:p></o:p></pre>
                  <pre>2. Enter your name and email address.<o:p></o:p></pre>
                  <pre>3. Enter the meeting password: oauth<o:p></o:p></pre>
                  <pre>4. Click "Join Now".<o:p></o:p></pre>
                  <pre><o:p>&nbsp;</o:p></pre>
                  <pre>To view in other time zones or languages, please click the link:<o:p></o:p></pre>
                  <pre><a moz-do-not-send="true" href="https://nsn.webex.com/nsn/j.php?ED=269567657&amp;UID=0&amp;PW=NNTI1ZWQzMDJk&amp;ORT=MiM0">https://nsn.webex.com/nsn/j.php?ED=269567657&amp;UID=0&amp;PW=NNTI1ZWQzMDJk&amp;ORT=MiM0</a><o:p></o:p></pre>
                  <pre><o:p>&nbsp;</o:p></pre>
                  <pre>To add this meeting to your calendar program (for example Microsoft Outlook), click this link:<o:p></o:p></pre>
                  <pre><a moz-do-not-send="true" href="https://nsn.webex.com/nsn/j.php?ED=269567657&amp;UID=0&amp;ICS=MI&amp;LD=1&amp;RD=2&amp;ST=1&amp;SHA2=C6-AjLGvhdYjmpVdx75M6UsAwrNLMsequ5n95Gyv1R8=&amp;RT=MiM0">https://nsn.webex.com/nsn/j.php?ED=269567657&amp;UID=0&amp;ICS=MI&amp;LD=1&amp;RD=2&amp;ST=1&amp;SHA2=C6-AjLGvhdYjmpVdx75M6UsAwrNLMsequ5n95Gyv1R8=&amp;RT=MiM0</a><o:p></o:p></pre>
                  <pre><o:p>&nbsp;</o:p></pre>
                  <pre>-------------------------------------------------------<o:p></o:p></pre>
                  <pre>To join the teleconference only<o:p></o:p></pre>
                  <pre>-------------------------------------------------------<o:p></o:p></pre>
                  <pre>Global dial-in Numbers: <a moz-do-not-send="true" href="http://www.nokiasiemensnetworks.com/nvc">http://www.nokiasiemensnetworks.com/nvc</a><o:p></o:p></pre>
                  <pre>Conference Code: 944 910 5485<o:p></o:p></pre>
                  <pre><o:p>&nbsp;</o:p></pre>
                  <pre><o:p>&nbsp;</o:p></pre>
                  <pre>_______________________________________________<o:p></o:p></pre>
                  <pre>OAuth mailing list<o:p></o:p></pre>
                  <pre><a moz-do-not-send="true" href="mailto:OAuth@ietf.org">OAuth@ietf.org</a><o:p></o:p></pre>
                  <pre><a moz-do-not-send="true" href="https://www.ietf.org/mailman/listinfo/oauth">https://www.ietf.org/mailman/listinfo/oauth</a><o:p></o:p></pre>
                </blockquote>
              </blockquote>
            </blockquote>
            <pre><o:p>&nbsp;</o:p></pre>
          </blockquote>
          <pre><o:p>&nbsp;</o:p></pre>
          <pre><o:p>&nbsp;</o:p></pre>
        </blockquote>
        <p class="MsoNormal"><o:p>&nbsp;</o:p></p>
        <div>
          <p class="MsoNormal">-- <br>
            <a moz-do-not-send="true" href="http://connect.me/gffletch"
              title="View full card on Connect.Me"><span
                style="text-decoration:none"><img id="_x0000_i1025"
                  src="cid:part18.09030004.07060703@aol.com" alt="George
                  Fletcher" height="113" border="0" width="359"></span></a><o:p></o:p></p>
        </div>
      </div>
    </blockquote>
    <br>
    <div class="moz-signature">-- <br>
      <a href="http://connect.me/gffletch" title="View full card on
        Connect.Me"><img src="cid:part20.02030701.09050800@aol.com"
          alt="George Fletcher" height="113" width="359"></a></div>
  </body>
</html>

--------------070606080508020907060001
Content-Type: image/png
Content-Transfer-Encoding: base64
Content-ID: <part18.09030004.07060703@aol.com>

V/fLgml9rS3Va4Ao5t3cdyBISfd73AL8lxovGJZCZhV9Of9m4Nht1JsSwZnqmOb5LWgRprqG
VmCub9CMI0DXQDfTcySon/KdczcYmsg+wgiGhz59A5ZDboDlqaEVWJeZahnrQ+75gD7h6+Hu
4df34krDvY/PPDjjhGfmR18+NYGzjM9Vj4HgWSygqv+n4OycHWkrAfrtWrTrNpRfWalFGaDk
sAqrSsRBflPUynwnwWOprrN+EuSctQy3rAN7dzFMfAOGrbryhmgwfak/aCgFjin2evbvQcnF
iBcoM+UAPgXNqhm1XcDP0nRRFBxlXYGuHqBNEee5A7aWor9rDYgA1Sy8wdVci6EcyM+kadpk
kPJp+cQmcL4URaWaoNSQCopCYFitbyPSQE5jpPgSlED6iMeg5MjRUgtQW4tG0kBwVlETyQCq
ikHSHZB2oanLQBlOG/aD4bCusbwQpDRpAvPA9Z0ao90FaZYK9UB7Kj4UtUBrwGPJBHKG1IAE
UDtwGS8QF8Q5MkD6VrolR4JazxBs2ABaFz6SPgajyfbAZgXsjun29cBj8w2lKYhM2nIAsgtb
m1pegRGzMLog5JN8q0IWgrRf6W74HN6Oi/v40UJw3SLYfgjUBfIRoUKuOfeU2gpse6wmxwPw
yFEGyxHvr6EW+arIV0W+gquhV0OvhoLrW9e3rm/hxcgXI1+MhCL9i/Qv0h8YylCG/uN4pUuX
Ll26dF4i90b/Rv9GD40WN1rcaPFf7bd7ke5FusOZO2funLnz+8sb8UvELxG/gBwjx8gxoK5R
16hrfnv9Dvk65OuQDxJ+Sfgl4Re4X+d+nft1IOVoytGUoyC2iq1iK1CZylT+x/tP7pTcKblT
XqKlu627rbsNXXO75nbNBQ8PDw8Pj9/ePmR6yPSQ6X+1YA1rWPMPd/sX6V3Tu6Z3hfjV8avj
V8ORzUc2H9kM9gv2C/YLEN42vG14W6g/pv6Y+mMg51nOs5xn4PuN7ze+3wBNaUrTvHh+jf0a
+zWG7LvZd7Pv5i2vu6nuprqb4OdDPx/6+RAQRxxx0CasTVibsH9czkY+jXwa+cATnvAEaBfR
LqJdBBzverzr8a7gGeMZ4xkDvTb02tBrA0iZUqaUCVcaXml4pSGcL3O+zPky0ORZk2dNnv32
fs71OdfnXJ/fHy+/T36f/D7wpt2bdm/agf8V/yv+VyA3Nzc3Nxfs/ez97P2AdNJJh4QDCQcS
DkD+t/nf5n8L165du3btGkREREREREDL7JbZLbPh/o/3f7z/I1zqf6n/pf7QcFvDbQ23/Xa5
311Ybqy1sdbGWtAlqEtQlyDwyfTJ9MnMe/bg3YVnCUpQ4vefJm5ubv8X+sM9zo7rhqfxFnjq
Gfv5sTbgXdyrt1clkK+IKdoekOzivFgBope4hA3I4RXPgQc85SnI30mXpRHgqOt47ewB9l3O
Us56IGtyZfkNiF1iqQgDssgScSBVwo8MoJx4RjzIn2k4ZcjNuFLsdCBI9dOzcquCNLx064ou
8Pmsyd1eWyDY0ubwwA/Ad3DLqC4lILh3lV4VsyE0NWCN9wdgHM+PymBQPzGd8lBB2aG7aooF
Za/utVmA/YrmZQ0HtZdjvHoW7G3tkyxFwNbF0iJjD3iVCBweXB1cXgXPl5LhvuHN129qQsza
s/vO3Idn3R7Vi+kF9kXe+4yPwfTYp4pfT3B2zgnJjQSvJ8oUuSnUGFXzdRU7VP61zuJKP0P+
nvm75ysP+wyHqh96AWtSN9/9cSX8MHLHtu0rYLXXhukbVsPJu+ePnPkY3pxMOhP3PRiOmHzk
+iCbdSd0k8F1TTstPgei5SW63iC/NYzVDwf9h6bm+s3gcdzwgX4IGIYwTroA0gPhrc4C0yA5
R1wGQxN5jrQHGC2uimKgNlALuMaBdadrhXMQWL+xzXNVBHmwqCeVBZ9M82vlOpjm63VSAdDr
pclqeTAUk6aqy8GjhrKe/GBeKn8k3QX9FjmK7qDuVp+ou8DxrVNzXQfnETVR6wSuSWRp/cA1
lzZaLDhVMcSVAa5r2gi1O7gs6mKxE1xtRBvtZ3C0E/VFEriSxAiKgfxa56nvDoatpq89PMD0
xHjWtAU8lhMsyoApxbRWag/eIaZ4ZSpkn0xvkvoILBMsx7Prgd+RkDE+B6FwgQLXCvqAqbL+
rLcVDDHG6R6ZoM2Uh5rKQ86m3GGiPrgGufaaZ7y/hmr8wfiD8QcIjw+PD4+H2ODY4NjgvCEa
RaOLRheN/v3x3vWAvqNd1a5qV0FeK6+V1+Ytl4ZIQ6R/YWzq347B/kfe9Qw+efrk6ZOneT2+
lQdXHlz5X+hpfje04t1Qj3cJa86inEU5i/7wx/EPuVwul8sFltOW05bT0KVgl4JdCkKfM33O
9DkDgS8DXwa+hBPFThQ7USxviMVvEWvEGrHm79d7lyA2n9R8UvNJ0CygWUCzALg2+Nrga//C
cXvn3RjrSoMqDao0KO8Cixvc4AZUvFzxcsXL8OqnVz+9+un9x3uXAL9LnJMPJx9OPpx3J0Me
Lg+Xh+f1sCfMSpiVMAvy5cuXL18+eDn55eSXk6Fkr5K9SvbKK0cpSylLKQvEtYlrE9fmt8v7
txeWEbMiZkXMgpM9T/Y82RNu3bp169atvMS5RfMWzVs0//efV25ubn++P9zjXK51/u21JoFB
yA8y/eBN8USPxBZQrFzRLYVuQ1a1nI7ZI0F/XP9QPxIYz2YqA/0Iog5wUVzmGmR6ZERkHYCA
GYGeARbQuonSWhRIW6UIaSSQLi6L2iDuMIZtIO2UV8me4GqSWSZZAWv92PD46+BMSAu03oTg
i/1WDtgF+rPB3SNug3OEPdVuBeOWAkfLLAXxkf1L+zXw71p1ll8aeEy9sOVJU3hV8+X55FVg
G0OUXBNcVRwB9hNg2G/wFhaQ3zqfqVEgHVCj7UtBqiCEtBlsJ7wOen4Iz18nPUyaAo/sl8Zf
OAFPkx+tevAFZHXxWGa8Cr5JXvW9loOcYm1kvw0+No/WpukQ8bDosfwDIfSroifzfQuG2/od
xqFw+8G9o/d7wL2mMTnP6sDr+NjTb+ygjFC26F+DLVN94fgK7uhjPnieBYe+OVbrhB9U2V3R
Um4clGhY9GHhXFA+1hU01IfEgYm5iXUhyCvol6AloGsinuo7g3mWXlW9IKRU6OyQTuD5wDzD
vxo4PrFfcnwBzj2uMNdBcH7uytE6Aw3kFsqXoEwUdaQBIAfoPtVZIC0p55ClFGQ2ytInnwTf
rt4f+y0Hwy7jMlMKcE8x8R24PnNVdP0Iztmuc2wGtasYIDaCNlp8TTKo/cTneAP7eaJ9C9pn
AnERsJLOXeBTxohWINcSH/E14CmOiqYgCvNAnAOprFBFWVCHiMdiDwiXOCtiQJ4qv5ZOgFTQ
WNw0BAzfaxmcAK9B9pbWYyCSDUXZBBQSQUppyLqT+jJ5I3g28x/kEuC/OKC9XykIPSbOShsh
6XjilbfHwZEihCUJMgKyCtsrgfZK/7HnL++/wRbrWaxnsZ5wc+3NtTfXgnpFvaJegYD5AfMD
5v/rcSPaRbSLaAdP5j2Z92QelKIUpYCnO5/ufLoTOMMZzvzr8f+RxMTExMRE6DG8x/Aew8Gc
Yk4xp0BcXFxcXBxwiEMc4i8P3f2jnvV3FxJWo9VoNYKxtrG2sTaEnA45HXL631ePd0z3TfdN
96FqdNXoqtFgqGuoa6gL3OMe96CSo5KjkgM2jdw0ctNI8F7mvcx7GWTtydqTtQf88MPvr+Jl
98jukd0DfAr5FPIpBAxiEIMgZU7KnJQ5EBUVFRUVBSJKRIkoiJ4TPSd6zr9e/ncJutxb7i33
/i9W+M/j/+7hScpTnvLvL15IXEhcSBykPk59nPoY3oS8CXkTAmElwkqElQDlsHJYOZw3dMW4
3bjduB1MyaZkUzJYblhuWG7Axmsbr228Rt4dAwUFBaRz0jnpHNCb3vwX5fnbC8sWgS0CWwRC
6ujU0amj4e3BtwffHoSbr26+uvkKOMIRjkArWtHq3396ubm5/Yn+cOIcXzf582fHoblHnah2
Cpy7dfnZ5RCwebl62GtAodh8alQtUILl3sp+oKuoLLaB9prN2ijQyqpZrr1AI9FX+w6kj0VF
eQzIS1gkTwPnbtdO502QC8hJSguQIqQoBgJOyYAZeG1bYhkFopv1qr04eJyqUK56Lug9wssU
rQHaa9vd3O4gBSi3jadAfIJFXg4u39RgS3swlg7vV7gG+HesNaXUz+D8MfsrWyCkR2Yvdg0C
Ghu/1qWB1kz1cbQGJjoLZx4FSqjt1FdgPxrRreBEeLE/+7W9BDwteCnywgl4FnGv281sSBuq
L6VfBR4tTdm+JnB96+ztKAnyQfmG9ByUrT6/6JfDixlvFr/sBHGnkj6NzwLbfltpV3eI35f4
a/INsJW2lnVUAV2c3FGpB2qKaOYIBNHalSFugCtM6MV9yNidHWVfD7/8fPTQqf5wwXI581ot
kJ/J3+qskPNL7ke550CuI42WSoI5vynQXAvEL+yU2oBPG9+LHqWg+5sO3m2rgb+P76CAgWDo
qq9m9AH9j4YdhtqQNSJ7YU4yOGY5VzjT4G2jlK6JIXClyrW6t0ZA6uq0Uan+EHw6tETAazBl
mYqafwXPHNNWsy9UVMpXL+8Cr25GX++LoN7UvtBagtaanmwFbayYpRUHbZAmsw3ELdFCVADp
E2mEdAq0kdqnWjMQvqg8AM1TRIi6oB0VH/EBSC+pKZqBNFT7kSGgDRSBIgnUmlQXO0BrwjqR
A7LFuMBwCfTV6KH+CB41rVVtH4P4zDBFzgfmGlp9pS9YpcyktDkg5xrn6otARMcChJaBUkcK
Pov8EHy+NNw2LwHzBx5l9L7goQtdHbEAgIZ/ZFaNv/UuQTrd83TP0z2h/Lzy88rP43cPYfgt
devWrVu3LkR7RXtFe8HdnXd33t0JhQsXLly48F/1RA9hCP+G2RGq3ax2s9pN2F9nf539dcA0
wzTDNCOvhz04PDg8OBwutb3U9lJbqElNav438d71SFagAhX++o2SlKTk+y9/ds/sntk9wXub
9zbvbVCwYMGCBQvmDQ2oWKtirYq18nrwH+of6h/qIbR1aOvQ1hCWEZYRlgF3at2pdacW1F9d
f3X91eTNzvGfy4tsKbKlyF9NR/hufykNUxqmNASRIlJECviO9x3vO56/JNj/rHezeNyucbvG
7Rp5Y7XfuVXpVqVblSCqZ1TPqJ7vP967sd3BU4OnBk+FhwUeFnhYADoc6HCgwwHQzdXN1c2F
C/0u9LvQD4pnF88unp0Xz6eRTyOfRtB4R+MdjXdAcMvglsEtIftU9qnsUxDnEecR5/GPy/3O
rma7mu1qBm2WtFnSZgmUtpW2lbZB/p75e+bvCXte7nm55yVwkYtcfP/nl5ub2/8efzhxLl2u
WKuq0yF3tuNx9iXwHutx1/wJJO+M35/8KeTzCPHxj4esD61HpU5wc8a9PZcXQ1Bt35dhhSGm
6us657tAhL9/2YLNIfJ8zukSOigQV3R3wfZgXKdPN40D8UDK1WLBKamPXbNA/0Kki/3AKNmC
Fxi+yTcnVAMvY515jTuAq6UcwH2QVR6IX4Di3NGCgfbGXCUVdA38m/gDWrq+lMdQMAeUuFNi
BPiViJ+TkQFam7OXrzvBGqv9LNUB14Oct6kBYBmd/dwZAK51hQ6UfgvJX3lO8ykFr6bf1l89
Bi9K3p5/wwIpz7XJ9AfdMa+nXvPAYFG6sRWypmdXzBkB6Q3US7ZBED8ho+3bAuAa6fDRNoCj
glpW+wWUOMM0gwXUQmpP1QLaIGdnlw3kZfIdLKBtdi13dQC1lTirvAFyUNSn4OrrnKumg7ma
qb7XNrDUsIZqzUAd6bTljgTTQOMe0/fgytT6qv6Q5ZvdwqoDNdPVVkqBpDKppqyGsGbMjxk7
O4DPBJ+Snueg3P4ScSU+AnWltkGrDQ+ex3g9Ogu6AXqL3BCs1W0f2M6ClVwvxwnALErKQ0Dr
orSQT4LjlONJ+j4QD1wDHZ+AobgxVd8RijgKvC48Efwe+N4LmA1itvpQGwzSbSRxHvTLla66
5uC6qS51TgWtg/qWAsAi4RJlQNg5LZYBzUUWgSBNwFv0B+0LMUNeB6KNlq5+A9JlylMDtFC1
pTof5HrKOe6AOl86I7KAfnrF4Af6ntpAbS+YY23DnBWALwwh8k3Q9or6ujVgfZReJnUByEne
ez36Q7Xp9VZWHghV31SrVukmcE4qQ2XQokRx7r3/BqtUV6or1eGj6h9V/6j6P17/b2fB+K1p
wVILphZMLQgtY1vGtowF02jTaNPovFvhMaYYU4zpX4//e5eXzSybWTbz/R+3f7c9Lfa02NMC
PuIjPgJq6GroaujgXOFzhc8Vhq1eW722egFb2cpWCGkV0iqkFTTu0bhH4x5gGmQaZBqUN0vG
7t27d+/eDWK32C12Q1hYWFhYGFSqWKlipYrALW5xC+qOrju67miI7hHdI7oHUJSiFIUGxgbG
BsZ/vT71POp51POAs9Fno89Gw7aUbSnbUvLeD34V/Cr4FdTbVG9TvU383Zjs9xUvf1L+pPxJ
kDwneU7yHPAq4VXCqwTo4nXxuniwLLEssSzJW48wwgiDhg0bNmzYEM58eObDMx/mDZ15N9a9
9qLai2ov4jd7nP9WxYEVB1YcCPvD94fvDwdpgjRBmgBSJ6mT1AnqX69/vf71P+fcc3Nz+58l
Xbp06dKlS0LUqFGjRo0a/3ogLcg1SL0GqalpG5Iugscg81O/fXDnh4fPT46BWFesI60XFNEV
3Vb6OCR2ze707C7cn/+88OlgCE/x3Jg/DF4XTpgSfxRaxtY91Lc4eId6tTPdAj+jz3P/guB/
OWhmyAtQF4sWYiaoa1LO3X0EapqarasKhknhO8vMAPmm/bkqgRqjTFfHgpClsvJi0Pmp30iP
QO1jbCMXBt1xeZtyC6xeDzfcvAmZhfcHHo6DtyMSm2Z+A9kV7Utzn4LjZe5EQyToEguUK2kF
Nb3S7tIB8Ozgo3m3Z8PtsKP59oyEJ1eSBmdYILeBh9n3HPge9gzw/Ars3a0brVUgpVDGjNT2
YOnsCLA+AF07fZb+Pqh2LUWcBl0b3XVDW9BmyrW1FKCtqhd1wDHTPts5A8RRUV/rBVKEVAt/
0MK0aFEShLcIZi+ILBGtySA/lrtIDUF+JO+T24N8QR4gVQNpmrRU6g38KJnpDY5xjjdqeTBE
69so+0GVxBvtNkhjRXOlKUgu6Qt+BSlUyq/1A5c3SVoW6JJlu64+GAbpL8ozQJ2rnhBNQX4o
HVPyg7bFFSnOAp2YI3Sg///Ye8s4ra11cftaSR4dH2aQwd2Lu0uLuxUtVqBAsQLFiktLS7FC
seJeiru3SHF3ijMwMMP4zGNJ1vvhHN45v71PTzeFvbv/58z1ZSbJnZW1bslz585Kctieqm0E
2cFcawyDXBNylMp2EDJty5QxfB1k+zjzgSwFIcuLjJsyx4HP5fvE7A8J7oQ6cZshw6IMX2a4
AsIq4i0dQCmh9DcngXHFWK2fA2mRjSwjQV9tVPIFgugoXopvQd2p/KK4wVfLO8YsDGoJrZBZ
GtydfIvkeZA9hVXsAm0RlcwewCe+mnoX0Ed7Snkug2uJVzOGg3uJEUc+SOrumeDrAhbdPsgx
GHItzJU7+wmo+rCMUuIbKNKpyML8c0CN8WtqvQKOvtasjv8HEsGfk39O/jkZ7CvtK+0roYws
I8tIuLjk4pKLSyDh64SvE76GunXr1q1b9+2P97+NrVu3bt26FZo3b968efO/ujfppJNOOum8
a06fPn369GlQe/bs2bNnz/HjXz9U8aZs+/nnCTPLgtvqK+/aCqK2csLvNtznydA7N+Fc0I3f
zmyE8G8DzbzxUHt1jRHVssEL+bzp04HwtOGz+g8Lw6sF8fNdYRAzKKVkdC/Q7os9sZHw9O7z
hdEbwHzf9cr1MeScm+NerhzgK8RYzQlqP3OAey5Yc9iTQx6CeVKt6K+A8Fet+tegmGpe5yzg
sRjCKqCcOKgb4Jt3e8SZUpDQ/MS+I7cgofjG/rv3QOzQ33a9DAKvm3mhNUBp4GyefShYy2Yd
U2AfBLerVKjEQ3ipxCU+/gWufnJI39MYHrge53j2GcT31b7wewxBs/1M+0WQU/RK+i6IO5TU
K74qJJ1PHZJcB5io3hT9QAtW7ol7YBtg3aQNBdFeXNd/BeWK3GGuAF8b34eGCnoR44beEORM
OUouA+O4cVv/GNiNagoQHyofcgCkIq+bFYB98ghRYF41T5r5wNSlQ+YEY6oU8gPQ442Neg+Q
FeUT8zewHNUKicogq4kj8gbIK7K2cINcbjQzuoNpNVeboWA6KUlHYK/ZyjwNhjSzmmvATJDb
5DqQYXIy+8DMbE4w64FZUf5sPgHztBmpHwaZVfRXI+Dlh9Gzkk5DbJvYz1/tAG8DXwfXPTBO
66G+SAg/Hv44U06Iav9icZQDrEtsm20DwBJhaWwPgicrn7R5aICyWq0qLkJKbld573q4cOby
5kvTISZPzLmYqqAVsq7WloNfjF8he3t4mS0mJr4SnBlyoeSlRhAz/1WdqB8h428Z24QUBO26
et0RC0Qpe5TnoOaioNkbjOHmUn0wEKneVn4AV0X3KO8VMC7q/YxfIGZZ4vykGPDmd9X0PAX/
zw27uA2B3TIGhY76q8P9jwk/FX4q/FTa+5pPzj059+RcMLeZ28xtUC2+Wny1eLDlsuWy5fqr
e/vvR6FChQoV+idMAUknnXTSSeffg8jIyMjIyHcwVePMD2cDjwl4uCFnwyvFwTbYSCoxFkI+
9G8VEgsvJ7qfXL8EoWu8SkgbeHTo0ewHRyFhnud+kgFnZz089KQaZI213QyxQL4tYU1K3IAX
6stKKYvAFmkfkLAbrhd+2eZMIBQek+9kkUoQ3C+rN89xcM/XvgmYD6a//ETZAOo0Udr4FVLz
XlN2dwPL8gx98mwHrXzgo5Bb4D75vMZvbvDceFgyKgjEz1qYfzT45a/hrVMBAn0ZXVm3g31i
aMeQzhC35sSuKwXAHBUyKug2PFfMHLHL4d7eM3VOxsDTgY+CHiVCzFAM9TQ4w52H7CawQnwv
dEhpmVwh6R4kZ0oNSn4CyhDrDGUu2Ofbd1u6gRxtRMqX4O1oTPX4AwPZzyugg9lTfADynllI
rwPKIPE+s8DoLf9jbu4cLZtSGsRI4775KdgG2fKL78FMljXUWEhNTEnWTVBS1RkYIKdQT7kD
5mDjrnkOxBDOK3dBWSWW8j34cnkSzGgwblGKwsBBbulDwFfZPCnrgxbPD0orYAyrZVEwfWyU
VUHMNH8V50F8K14QAiKWrGZhkE9lfqqBLEpfToNSUm8keoIWaAk2ZoB5WlaVcyE5Qwr6aYha
/aLUi1XgtDuWWdsDPe4dVzeBfYCzobMF3P/qYbZHl8GreXuZJcF91b0w6XNI3pRcI+xDePEo
7kScArHfJM2IXwWsTxykLYIHhSPnPrZByWPvifw7IfLok+mp+yA6IC5PXE0Q9WLX60NBaaZO
kr+C2lD53BYA2mPLXnkVcnoyvcyyBcxOzDFyghYphmmjwV5TOybyQZKeMDN+KiifO485PoTz
Sbda338Bj1Y+LvpsEnxM0cR8f3W0/wP4Vfer7lcdmtOc5vBf/vlPspGNP3FhnU466aSTTjr/
m3jrxNnd0VbZq8DDL2I6v4yC0A5BvX/tB/fGPr7t0qH4mbD7tcPggPdc0w15wNvAOGL+CDnI
HpinNmQO0o5kAOo1LtOncSeouaG2p+4BeHTyUZn7geA56bmVOgDcxGczaoGvh37Q8znoV+U4
rw7KI8uDgPJACWOH/hmI7GK0pxp4Q3/jznR4lbJ+9o5UCKvTPlu3nGCfkydXGQfYduau7EwG
9aq1sjoF+FUprj0CX7/YAs9iITnLuQ6nx4JWzbopSYJxIMutiG7w8O7FBZd2w5PS10pfyQUv
c7pmew6AnOEI9H8BtqbWtep3kFoytWnyU3hVO2lt/C/gPa/nNY6DmCGOqLXBG+nO7P0M9Ba+
dUYR8C0yC8hlIHfLBLEKZAZpMhGkV7rM3iBcoh3BIGLV9nIciLYsE2vA1t72qRoAooaZizog
FTPEyA/WOc57ygXQW3pWGWXBzKo/NCJBi9TyiLIg18iuxjngY3FLjAHjfRkrb4K+RK9oLgHZ
j4G0AzFQDdUyg1lFjpcClH1yhZgI8icxQ34Gsoo5zqwEzOYQQ0DEieziBWCITWIG6IvMRLMj
qLEMUsuDWc/bwHcAVM1ShIGgJmittJ0Q1y8hY0ofuFDh8twb1yDXghy3kuwge8tr1pbwqn3s
49icYKlgGa8ehcB8AV8E5ALvTt8eCSQlpxROTIAUX3LX5BNgTJFfsgbcRz1BSfngeN1T9ZNm
gZgpq6vjQB6lkFoIlDLKt0pGuNfzwc3IG0AtMVG6wJzIdeM7eJnlRZWoLJBXZGuYqRUEDgn4
LNNWEAXVUlpFQNdvmR0gKTA6V+wQ4IA4qh4C34feV77XbxkY9FeHeTrppJNOOumk8y54+8R5
gzmGYEgZ9SrEnQAWI85lvwS2hn7zgyvAswBR74oPLO9l6q43BJfd2PRqCCSvemEJjoRPElpm
6Dsa/JtZd/p1BDGZueZ0yNszT7NCHoh5mDj1mRMu3EiK270Wgn7yTSrXGTIVVItb3wdPnHez
ngRiuWa3fQFGb5YZTlBnB/YISIXgVVU+qbgP7D8Xr1sjEkQ50+qrALKTeVS/AeaPviKMBO/7
L8rfHAcJDXeM3BYA3g7xx/TMELCw/JYaDeC5I2VsYiI89p0f/Ot4iNoUeyOuIqQWFc+UlhC4
1lHELzPIIP2ZUReSziZnSFoCnsvGKXMAyFU8FbdBOM2b5o8g64s42oIZIBfwIfC9LElWkC3l
HdkHRGX2cQNEdVrhBvm5PCJ1YIk5An8wrzNHTgfPPX2gngzaE1FCCQDRVbyHHfhGz6hXBtNi
3JebQV4zi3MdRJDyWMkPspc8JTcCnSilRIDxm8xitgA2Uk4+A7W16KkIEDGim9wIZgvpRzsw
yhkJxq+ApJD8CdQpSha1P5hfyrbmJJA/yi1yIojvREORESwHRTsugtbH0pD+QAFMvgf9S7M0
t8BTypNsTAD5wOwja4HIK35UKsKd/b9VfhoFutvoa2QGdYTWWD0DSpKSX/kZYi3xixM+gmyW
iDnhzSCufMKr+OygtzMzyHbgPek54IsDxaUWV5uBN4N3oOcc0MIcI6aDcle5oG4BzV8TylZQ
JoiKrAFxVc2umiAbySixGV5uf7U+5QY4vrEufZULrMMtg5wXwXbWFhOUFaRVy6T0AE+iZ7ur
BbiqJA5P2ArGbmeEtRKwiei/OsjTSSeddNJJJ513w1snzolfvGqQOhYyn7e0LFocegU3iR7a
Hqz3Qxb5asCBpZcKrpsFvk7O9u6r4HfYHpzSFH5sfnLorPHQuYiz6JDH4N6Tuln8Cqe67Yg7
ZAHnbb+FYRroNZSdxmTINzD0fN4r8HR+wqqoIhBeKGj208vg7whpkykSzMbmcGMJKD+KvraT
YJkYsTRPf1C+DagfkgIMV4pKAfKm97CvFsiyygHtKODW1shX4Et9lHJrCXhnv5wafwLUUVkS
C1YBb3LopQAP3O73y8+HN8LTZQ923hsALyvoucwCoM1xTA1oA+oYPpYnIOF6iivxICRfdJd2
DwJLO5upHgT9il7MOAyKVUkU50C2Y50ZB76ffNuML4D9TBVPQI3V6qj9wSxoFNJHgj5JL6WH
gGJTeivBwFI5TMwB846Zx9wIvsNyjNwNXilXYoDiUDKJi8BaLotfwFxv3jO3gxglM4ji4Ivz
jtSPAS1FKbEHKC+OyVZgxMnVZlZQB6nxym7gvBgmK4DZ2PjEKAOyjuyEAuYyY7WRHdSsWldt
O8iN8qgpQKkiprATtGxaHfUOyKEyk+wI6j5xg29BHaLN5gvQPzQ+l/2ANTIX/mA0NWoZ0aD8
pGnKfqAqc8ztoPc2z0sNlChtvpIN9BDpM/cA0/STsibo4foLcw08bPvI7+Ur4J6yWT4DsVz5
wMwE1pvWa+r74Lvr83oKgnHY+MhcBOpBtYm2DGSIDDIB8aPRThkA5lIxlNqgdsUld4A5Wn6s
fQbyoflcqhD1Xczw+AoQGB5Qxm8pZP4s9EObHZSsXLN+Cmp7kVl8Br6UlBXJ34LWwXrLf8Jf
Hd7ppJNOOumkk8675K0T50KDMo2ptAP6yrbNh2cCv8CQgo4vIabvi5Ov8kByjug8ATfgVpdH
N+8XgBcvXvo9uw/KOmu+DDlhp+V0kYN9wDlFXes3COK/8Y19nAGe1/e2+O1XSFmbHJ46CRKT
k0+9WAcBCd7NflMge6+s1TM3hJAKmYxsqeDZ7urg7Qa8pJvdDeqwsMO5NaCOa+arvaCcMY4a
mUAvoQwTJUHZLx9wAShvFnX7QBsQlOAXD6qaaY5/N8hwo/I3pdvAKz939hQLPDl74cC59hDV
K9HnzgquT8VyLRBsZc3xxmNIPZv6a7IO8a7UcYnLwdvMHGV0BbWnHi91kCvler4HX1FflPkR
+EYabiMFlJmEqMuAFB5SD4zdvuXGYTBfmnH6dtDGKafVT0FEKEPFNPCV0zvoRUH8RFVRHMQT
86m0g+wjEkRvMDLLEXIoiLEMkHdAlqU7bpAXRVtagzpcBCPAzGXulktBPlBW8Zj/eP/ojyC2
K83FaRA7xBRyg7yiP5JRQB3ZmpqgebVNWiiIjYpVFAKqME3eBFFBFBBBYH5sFjObgpjL+3IF
GBOow0rwHXVrsgOYxeRlmQOsq7SVSm4wfzFHiB+BbLIhZUGuEOOpA/KxnC9Dgd4yj3kOxDX5
E8VAZjYHyKNgfsQFZoJvobnPqA3qau1jLQwkZk+zE5jvy/1GA5DzzBzyLsivZCuZC+RxuUaf
DUpvMc2cD0xQO2uXwFLSUlYBqPkf38zVK+kvvV3AttK6Vc0OrtOer8VAiHzvZZfo1uB3z/6e
nwf8TWds6AbwxosJIhTMAr5ozxkwj7uOKjeBlrT6q4M8nXTSSSeddNJ5N7x14pxLZq+X9Xs4
3fNy8rHGcPTOWduhHPB0ZNxXkUHgWJehctwUCOwQ/JOjBcQpz4Z7Z4N/Z+dQezAkZXPPeFod
kjaZp5KA7C0CegddhcAvg1LLJoH/3oypjqwgHLyQNig3rsS6JhfgjuVmzrO/Qc4nBafkLQl0
t+y3tQJq6YXd00GLD8qU+QeQ02yLWAfSNDbqNUCUE7eVJFDuy2FGU5BFpOl4DLayeT4qVhcy
LMoYltcAv6GZ9+SbAVcmr/5hyVh4HvlwzKP9EDfWKMIHYOwQLr4Fz0rXyJQRoIcqo6gBnhRf
I2MxmJvMWEaBfGQOMZeDWd8MN9eAMVG2l1vAKG1mMtuA+EApL68DSxlPYTB7y0LmS5BbmCc6
gJnAS5kJRCFZjnVAODmoB9KfMjIbkEdMZROI7hSWlUAmmX1lPHBQTOAZKF2li2jghugqMoH8
ggLKl2C2wqq7QE4yh1ADKMwAsQaME3qIPAfqd2pxEQLqM0s15S7IrbKDiAYGyKGyD7CbxkwG
mce0y11AUyWDXAPmBaOS+RBkVuOY6Awio/aREg/W0tZwYQO+sv6qPAKlhr5XfgbGdL42c4Gc
Yr7S1gC/0oMZQFVymBnAaGU+kGsBVR7SwkBswyKygdlDltYHgByFlzlACTPeyAFijLBquUBf
qD+lLShFRJDIA6IsH5sfgMghs5kfgzmCe+IOGNPN0kZLEMV1XYaDqZq3RWcwvtUHyNLgrS66
YgFlg1ZLyQyv4mMDXIPgZc2AsFdx4Jxqj3HuAOszMcd5DFI/FcvMXODd7zrgCfrPILn59oF6
+/bt27dv/ytOCemkk0466aTzv5eCBQsWLFjwz+//1onz0ezXN+xcAY8vxi5OGADOgtZu2veg
PzIOm11ARMQvtBqQMTzDi6Dy4P4io/1ZTcjcyZuzcEl4HpE0JepD8LtnDbOegPsbXr5nLIOA
+QkVojSwfKTN1x2g2ZwitTt4993rJTfArZVXnVvbQsZxWZP0RlDhYo1zfb+A1KIuq2sYqDa1
qNMBopFzXJZuwFMZKWuAUoMw+oJ5VFhEFpCRxJqBIDZqxzMFg71LpsfWgZDY+cm4B+/BpTY/
5z5WFl596crgjYfUNcwX08G5xxbsDAI9u9gkgiClpPuqyx98i/TF5koQH4oU5VdQotXsWh8w
P9SneveBct5sacaDEq2WUEMBtHQAAIAASURBVHKB2di8L48D2anMcBCK8IrbwGw5TW4CbBTj
U5CmLCZ/BfG1qKSMAdlDdpHNQatjmaDVBGOh2c98H8zZZn1zBqiVRUYRDspN5ZbSCsxnZoh8
CmYTSrMFLEmW7rZCoFcwsurZwTSMyWZL4ENpZwSY0mwtXwIw2cwMSqJSSd0Lyhj1snoCjDxG
R6MrqIVFAfETyKymyygHcoN8znnAVKuIc8CXwkIfkKmUIQ7kAm9REzCLGdXNPSBjRVt1BXCd
I3I5yDPyA9kXKE1ruQLkNaMYgSB+EFn0YiB6KopyDqgobysbwTxonjVrAdlEDN+BGEktYyfw
kYw3fwLfe8wx3wOxXy5XMwOHKGyeBLFH/ciYA3KQNkpbCkZJo7f4EdQGiib9wVwuw5QkoLPI
x0OwrBQVlTrgK6GPM2wQuyFuYHJpCO8QYk+2gH8vJ9ZHIKz6dLKBflKvIDxAZ57+OwR6Oumk
k0466aTz9ihv24B7vXdvtAeK23LazOZQsm7JtklNIMsvOcqIXyAq2nXVOwxu9/1tRFRG8Gvm
vqMFgDwd2PPVGcjTsFDBfOUhOiq1jOwAZhGupX4FMUuSz9/5EV7cTGr3aAjElkrd+uw0XLxy
ucfRYuDXL6x0vsZwikvV91WCpC1R/e8PAMVqm2TpC8YXMqP+DMyD1LNXBOrSXWQHKtJAHgbK
UI8hoFQwV4qxYFbhrjkTmM10Xyg8iD+16lQMRDZ7GPDECjHDvEvlp6B9YbvvrANBu/3e9x8L
6nLlB+UWmEFS4yFYE205bONAqatcUO+DudTcYswDZaPyo7IUtHCtoFYElH5KB+UwiKxYeAzi
ttgrPgflA+Uj5XMQOdQiqgMsWS3FrOdBPpbnZXWwlLCU0HKB/YT9pP0yWLtamli9YKthO29P
Asdpey/HSFBWKdu1vqBWV+tonUC7punqIxC7RW7KgLJf+URdBw6LbZ49Apw/2m/bioN9jvWm
NRdYn6nDLadAmSBRPgR2GPnNOSDqmN/KpWDJrG5Rx4E0qcE5MGLkXG6B+RVj2ADygRlungCR
TFVqgFFfzyxzgdnaEyFjwDxsjFaugKwqT9MQRG1hVyoDi9jPJ0BRFoqXIL4To9UkEJHCX+wA
FrCIVUBbOstrICqJ94QBcoJZWLYE02oWVVqDoioWazewpGqbnb+CrGjuVW6B8VIvzR5gEj+p
I4HZ5hoqg7FBL29GgiH0RNMCHJZPZBMwCviO6g/B+MGXydwJ+l1juN4TYnq9mpVcCuIeJkQm
NwFaS7unH2ifKR+xB4xaZma97F8d3umkk0466aSTzrvkrSvOjmH2c/axkLjFMy2pMUSk8oGz
C/hNkM/1DyBLZEgjeyKEX9YGBC6EHK0yWJVH8NumxDUvFkP2/vbyZT6FovNLrskeA4/KPLl9
+QEk/5po+o0CDcsMSx5Qb1s6JYWAcszzk20WhBwIVIJWQtSD+MKp9WBPjf015oZBu9UdrkzP
CymP5GGtESitRKwcADKbuCfnARmJVToDu0U72RrM8rSTvUHZr7TRYsHXIP5KQhm4pp7tcaoI
xAxOCU9ZCik+OUz5Fpw9HS39wkHZI58bJ8E3znPSkwdwiPFiCygXxUeKACVBqWFGgj7fe12/
Dso4cV1xg2iulVGrAt1ke/EdiPUkGJ+DtHNYNgFq01UcA3OItBAJptMsK5uD8p2yQv0BVEV1
qvVASGEqJ8FQDbcxGJSu6g7lexBbxVHlFKiDLYb2C5gHzdLmr6CPN+rqN0GbrY5XF4GxzEwx
LwKTZQH2gWWCWlVJBPFYSVSqgNJA6axUBeOa3l56gQpMlinAb2IFU0FMFQPFZdBm21qp/mA8
cd/zXgDzkJ5ZzwJKRcVPKQ8kmV+LWDBLihyiEojZshQHQJZRe6iPQcus/qg5QKbIRDM3kIeV
IhNo15RR2vtAF4HMC8wUw9VRIOYwhjogbMoA2QnEU16IRyB6qgtEHrCet5UICAS5CruoAuoC
Oih1AZ9ckHwefDO9I1z3wJxpNFBMYLj5hfkUlG3yCrsBm+grm4EZbK7Xp4K6Qe2gJYE4KfMr
xcBx1DHYvgyUDVoT2y1ImpJSwDgN3sW+5kYwqM3UQLEXZJS0+5YAbf/qEE8nnXTSSSeddN4V
b11xftk1OpNrM1hDbNPsPSBUhEXnbgluuxKTcAEsXSgqx4K+3rrU9StERXu+issNqX1S87p2
w5UyzzccuA13ajwdfaU2JMa+qivLgSXGMc5+B5yO0FP+S4FN+ln1DMiORg/jDjwocNf6JBSS
SsddVnvAs0PG+QeJcGfV/cGLl4Dzpv2atT6YX1LPcAPLuKQeBi6J+9IEMsrlfAesMNuaP4F1
rqWWlgovh9+qcv0yPO54r/u9T+BVjPe4HggyREy3aGALsr1Sm4F7o7ey9wqk1tQ17zYwc8sr
phW8K73lfCfAmGrs1+2gnbQ8si4E3zK9krERpDROm0vB1txSQnkIyjGti2YDVVNraufAMs7S
xFIfbIUtn1pCgMtcltWB4pSU7YEB9KceiN1iF+tB1pI5jLvgXusakfoKfF19wd7u4CumPzN6
g24YeYxtoEaoxVQXKNfEOWU6KJ+Km1wCqTDJvA7iojJeyQWMkWvkQCCFEowBsURxcQnkDpGJ
z0Bbrm3TToA+0fzW3AJqE7lc1ADbMGsp2xRQm2t3rTVBDdOc6ncgy8oiohZIiznRXA5mJFPJ
Der3DFQV0B4rzS0BINZRTPkSzDjTSlMwdhtPzCDw9fF11jeDZYXYoxUGyxLFz3IBrHusQ5wP
wfzKbCKLgFlc32HuBe8A183kmeD9JPVeUjlIrZVSL3EYGO/5luqVwK9OgBrsgiy3skYXKAgh
60OX5zwPto5+fTJsAGdwcKOMH0PYvvCpOWdC8NdhHbPnBUefoPFhfSCgaki/LM0g49FMCyNs
YPnSsSq4CPi66JvV0mD5Riw3FoHWUVTVxvzV4f3mDKs9rPaw2tD2UNtDbQ+lrZ+ed3re6Xn/
6t7936Fs2bJly77BHYu/lf+r7PXPOm7C4YTDCYfh842fb/x8I1S7We1mtZtQZUCVAVUGwIDr
A64PuA7Pxj0b92zcm8v/Wd7WTv9sfs8e/y7+8kdcLHex3MVyMGjQoEGDBqX9fVfy/1f4q/1U
fiw/lh/DrFmzZs2aBbUCawXWCoTKKyqvqLwC+i3tt7TfUnj69OnTp0/fXP5fzVsnztlPZ2xn
vQYRi7JlCIqESFfsnbjj8Nj7aLjrMLxsnvLc3Q5iH7j9Y6fDk/YvLygXQatldHDUA9d3cm5y
Y/CU108Z2SE1h6+ErReIu4l5E6qA0o9XifXAiNLmqOMhNcYMMGeB66zZOXE+6Gu03Q/qw5NW
ryxGdljabefUTSfhcsPjActjwHHDftavJ+jLZB7Pj0Bm2VKEgswgS4quIFaJ0mpWkKOMXJ77
8NuE8+XOL4KYznFP4ktCUmfvc3Sw3LNfdSwENVxcVzpC6nRXndRPwXNZ3jQHg8whosVmsEyy
LNASQZuqNrZMBXWLOkxZBdZK1nBtD5j35VpzP5g/yflmS9Daah3UD0CtpNZQa4MyXhmtTAaR
LB6zGjjJY+aB+EGsEhXADDcLyi0guosuymdgLafVs9nBftn2xDEIlMHKeu1rMBNkbfaBEqZ2
VjRQvCJWXQ9GY+MTUwGtv1pfrQu2JKtizwvaAs2pzQbhUh4oFUE0EIhlwK8YfAHWPFo5bQQQ
zHUSQSknqolCQG25FT9QrWKq+iFoI9SlajmQqWYV0Q3kMDab84EKOOWXoB3X4pTGIJqKhywB
c7lRUH4LcqX5XP4MIoqJYhqQIK4qLUE9rD6ylgbvQV8J73UwxxvbjSDwLEz9Nfk5+I74Dvum
gLnYnCXXgjgvugkT5AHZzfgBKCqq0AyUrFpNrSIY+U2bfA4BlwJq+/sg48ssvbPlg+yXsw/M
/xiy18w6Ou9MyFEtW7ccIyDnqswJmY9DrnMRncL8IfOh4BWOFAhebNut5YKgG85P7I1Bq6Jc
U3qA0l4MU9qAGq5sUzr/6wP6bTmSeCTxSCKsv7P+zvo7aes3hmwM2RjyV/cund/j5EcnPzr5
UdryX2Wvf9ZxX/+AHpp+aPqh6dDuULtD7Q7BEP8h/kP808Y/eszoMaPHvLn8n+Vv9f7vxu/Z
49/FX34P/T39Pf09mPpq6qupr+BX76/eX71w/Pjx48ePv738/zX+aj89Pvv47OOzYfXq1atX
r4bup7qf6n4K+i/tv7T/Ujg9//T80/Phq7Zftf2q7ZvL/6t568RZv2VJcS+E203uv3hohUvT
by29tQMyVctW1b8AuM7L1JfPIPpcbElHBVDuihDbNohekdLZPAdx/RLyBu4AX1OjbYb9YOsV
8mnCPUit5OuRvAxe7X+cNUWBhBMvJ3omgDnOuCGXgNvPNVWtAi+T4zsmNIeoDrGlI8fD7XyR
z+P7w4rzh5pNSYBI262ehyeDPZu9TUBdMLObBfQuINaJfbIVKPe1z5Wl4L4XvTWqIDy8e/3k
9VcQ18Y11xMLyXWMqSwEaxXHN7Ze4B3jK2BcBNf33kWuTKBXpjTJYCwxdxtDQSjiGk3BPGE2
MQHRmfXcBW2/1kdbCZa+2seaBPOlWUn+BvoHeiN9JxiZjVCjMciasq7sC+ZCc625HuRSc6C5
E2R/WZsfQOQRXtECWMRHbADGcMVMARaJDbIisJQZ+iAQEewyNOC+fM5REJ2VeUpmUJep99SW
oCxRZ6mbwLJQ+0mbCfIHuYtKwE9yqSgJisFk5QoIN6XELmCUdPEzyILmOHkT1BVKa2Ug8COK
cheMKeZSYz2IDmKAooDoKrqpVwEvkaIaWJZZ9mr1QcmixCofgfWq9Yr1OMgnOI14EDeoIJuB
DDW/Ms6AHqIn6pdBrjOfyAbg22QM9pWClCWe6fp80JcZYwkE9aW6XpsAaAjxAfia+j7Ud4Fv
tm+BcQxkJWk3NoLeTT/ouwOpv6S2SPwRomo+v/CoFcQujBkQORdSOyQ1i34GZpKvWPI2SMma
0irhV0isn5gjoT2kOFPupn4G7iGeCN9DSCqY0ssVAknu5KpJoyDhUnK35ETwnTGaeneCrbU6
y7z+7gL1QOyB2AOxaZXgFjla5GiRA5pNbDax2UTYNnbb2G1j0+Tj4+Pj4+NhxIgRI0aMgIbb
Gm5ruC1NfuQHIz8Y+UGa3NjIsZFjI9P271O+T/k+5f9+fa/zvc73Og+dOnXq1KkT3Kx2s9rN
amnbe/bs2bNnT5g8efLkyZPT1u94tuPZjmfwRcMvGn7REPbu3bt3715o3bp169at08bTuHHj
xo0bw7Iry64su/L3enhdCVl1Y9WNVTegfVL7pPZJkJycnJycnFZhahLRJKJJRFpl4vU4/4h3
3a+YHDE5YnJAX7Wv2leF5s2bN2/ePG379ZXXV15f+fv9eZ0INN3VdFfTXTC/xPwS80v8vdzr
Sszv2etN9fOm/f694/6jtJraamqrqb9f6YqKioqKioLwLeFbwrdA7/O9z/c+n7ZflmdZnmV5
BjcG3hh4Y+Cby/9ZXuv9tf5e37GpW7du3bp10+Lt+zPfn/n+TNp+f9ZfX+tnjmeOZ44nrf0F
CxYsWLDgH7fHH/nLpN2Tdk/aDTt37ty5c2faduOMccY4Aw2eNHjS4Am82v9q/6v9787Or1lT
c03NNTUhV65cuXLlgmzZsmXLlu3dyf+jvOl59G/tNPfk3JNzT6bt17lI5yKdi8DTjE8zPs34
z/eDv7X3m/rpu7KrvYq9ir1K2u9X506dO3XulKaX1+i6ruv6m8v/q3nrxNlXxIgMnAi+mFi7
pR/4ZTC9Qa0g4xUnmb6DwpnCt4Q9AEdGP0t8H0h6qPR50QC0VdYysdOBh8mDYzTwlNF7JDUF
4sU3qW4w5viXT7gM/lvtXscL8Muk1rEOBkrrW907wbY3oId7JHhHe0tZXkFkw8ibyjlwf+6a
664CWu2gJmEHYEmlLQ+GzoKkOZG9b5wCbbjtU7/HYIbrvX0/Aye0QUoQxNZ7UOx+OXjy6Fng
08MQF+8K81UE46VSQf0VLC7rWUtvcCd7e3peQOoEX3FPUxBlhFtMB5nbuGo+B0PR6+pFwGxC
a3MvyOLGZ+YDIN6sZ/YHZZD4TSggGssxYjWYeU2HmRM4xhn5IZjXzatGRRCDRTcBqNGqS0SB
YlCDliBfGnmN6mCc0eO8J0B/Za4xm4HMJn0yBzBY5mYlOOraNHsMWLda2llCwZrdIq1hYG1t
KWqtBaKg+UqWA96XRVkIai+1n9oSxAPlG7EYlFilvDIK1G5KqLIbWEsgv4HZz7xvBgJNyEoP
MK/I7XIJsElc5TAQL6ZSFTQ0tzUPaN21cjY72OrbbH4ucHztiA6oCg6Po1fgNXDUde4IqAu2
MdZCzh0QWMP/cEghCGga+CC0CRgTjAzGIzCvcIt9ELAiaGroLNDa2sra94Esxn1+Ap+/3l7P
BMZpo6DpATParCqrgDsk9UZKV/B94Q12WUFv58mZ+jG4tyX9Ft8BXjiipjy7Dg8/fbDkrh0e
fP2k76NzENkyemH8dEjs4tniKwwJKz2nSYTIAXG9XBUh+qirhS8M4lqkJOonISY04SPPAXCd
8LYy9oFyH4tZ/90F6sRsE7NNzAbftv+2/bftYcvjLY+3PIaFvRb2WtgLfu74c8efO6bJT9s/
bf+0/RD+OPxx+GPY+Wzns53PYOuTrU+2PoGI8RHjI8anXbFPzDox68SsafsvKrOozKIyv7++
krWStZIVzi08t/DcQvDO9c71zoWYmJiYmBi4vPTy0stL0/a70OdCnwt9oPLVylcrX4V1d9bd
WXcHPi79cemPS6eNZ/mV5VeWX4Hvz35/9vuzf6yXNavXrF6zOu0H4/WJ+3WiXmNNjTU11sDM
X2b+MvOXP27vXffrq3xf5fsqX9pUga1bt27duhX6L+u/rP8ymFFwRsEZ/8PbUmrVrFWzVk1Y
WmFphaUVYNXqVatXrf4f/OR37PWm+nnTfv/ecd8Vr3/Q92Tfk31PdrAssyyzLEtL4KN2Re2K
2gVFPyr6UdGP3lz+bXl9gRMcHBwcHJx2AbYlfEv4lnBIap/UPql9mvzb+ms5UU6UE7Dk4pKL
Sy7Ciiorqqyo8ub2+D25+vXr169fH/bn3p97f+607adOnTp16hQU6lioY6GOkOGDDB9k+ODd
2fn1Bc+aGmtqrKkBw2oNqzWs1ruTf1Pe9Dz6t4TVC6sXVg92N9vdbHczqL2+9vra62H6kelH
ph/55/vB3/KmfvquKHex3MVyF2F40PCg4UFwcPrB6QenQzdfN183H2R/mf1l9pcwocmEJhOa
vLn8v5q3Tpztk3wf+fZC6OLADX5NIcwRuNfSFZT85jqjAiSsMlIch0FrYt6V9SB4lLYvQ1aw
LbatMs6D+5ySPWobeEv5tscngDcpJXtABsh5PrBPliSwV5T39IZg+S15gRoDjnNGHltpsExx
/CgfQYYXWSZZS0BYWIZy+jCI8ITO9SsMqadjLIoVIlu5p7l+hTW3N7b9vDcQnyLja4BYYBnq
bA7aTlmF5hB19kmjO4XgVcG45sluiH+p7zBPgprRIrQ+ICaI8spsSMnrep7UATwr9CTvdBDD
jabmWkCnllgFrDUHifKgDmaI8gHIy0zXz4ORzfxKjwajneEzfgIWMYpyYDY2O8p1oNiUJCUU
lM/F+6wCS0+tv6gG8lsOKSVBzaOdtfQGcV0ZoWYA466Zg2lAJuLlIRBtRH2lKjBYTFIngVFb
LqAryJnmVOxgbNbH+DaB8lJsEztA7auOUcsAHWnAHRBdRVvRGdSVqke9BnQRgewB5Xu1ktob
eKjECwuIueI2TUHZyBkWg6qrc/gVtA3KHuUaiFuyjBgEWkvrd9olyDQta/1cwyHLjSzN8zsh
YGLQ47BcELw+LDljXQj3ZP4lZ1UIzxZRNEcgBF/OWDJTbsjUJEt47lFgv+KcEJICmb7LMjtv
O1CWaQ51DBj79TmeSaCP8EXpJphfGCf1r8D80tjlOwhyjXHYvATmRqYppUDkIcEcDHqKEag3
AGfJwDvBh8A6ytbP0QKMBrKSUQNS7iXtS7gM3k/dq1LLgDnd/MZYA5a9lv22CeBo7qwZMh/s
y2xFg7KA+YFo7XgEKSP1n22bIHmDNzPTQQYpn6pvUcn6W16fIMfuGLtj7A5Yvnz58uXL0344
Znwz45sZ36TJn+x6suvJrtDjVI9TPU6B8onyifIJiMVisVgMXed2ndt1Lpz46MRHJ/5E4vA6
AT6/6Pyi84vSKnfllHJKOQW0y9pl7TLEToudFjsNLioXlYsKVKxYsWLFirC04tKKSytC6I+h
P4b+CBuGbxi+YTjMPzv/7PyzYH5vfm9+//vHb9O6Tes2rdPG9XqKSbNdzXY125Um1zK6ZXTL
6LRbe3/Eu+7X60Tjb/tVZXmV5VWWw/xu87vN7/b77b3+QQ0LCwsLCwNfN1833/8g/3u8qX7e
tt9/xN9WqB5tfrT50ea/H/ffVbBKU5rSsL3R9kbbG0HvRb0X9V4EeQ7kOZDnAExtMbXF1BZv
If8neX0r/HWFXtM0TdPS/OD1hdiftcffUrZ32d5le6dV1P+sX/weZRaWWVhmIdz//P7n9z+H
xK8Tv078GnZN2DVh1wRo+rzp86bP372dZ3SY0WFGB+jWtVvXbl0h4xcZv8j4xe+3/6byb2zX
tzyPNsnSJEuTLGnLLWNaxrSMgQu9L/S+0Ptf7wdv6qfvyq5/S84pOafknALVnNWc1ZzwJOOT
jE8ywuKLiy8uvvj28v9s3vqtGrbx2iWlDCT/7Am0tAQzSAu0esA9S39upIBmt+1KGQtyj/6r
nAWirHnbPQ+cubEwDqL6Gb/ZPwbbQO2QazHYJijfWRdB0uaE4QSCecrTPGUXGFOU1s4sEDAi
opwtDpJuJpfxqwQvjrifp/SBoEf2NeqPEFSf037HwH41YmhCNLhbJ3YNiIZznSInPFsBRTvs
b720PFQrVK9Rr60gPlV9YjhE5rgz9VEmiHO7Ut3VwHNN36LnAUdJ/88dRcG8IAfIYeAe6o5z
3wMesVX8CkY5OcWYCvSU45UnYG6XF+RCEMP5kZXAQexyM8id5krZBngpGsr1IPYrXrEctN5a
A20ImPPN2TIEVKm10D4Bc4yZYu4F0Vc4RTFQV6sblZZgnjJPyWPAWLmfAqCMYL/6FSjZhKL4
QLugvRJ1QH+lj9KfgCik5leTQEkVZcVMUKYpB8RL4LlwqteAIaIvL0AVWhktByj3DWGcBX6S
zwkDeUjJKh+BqCD7qH1BFBFB4iQoP1OWXCDnEy6agngofBY3+P8QdDfoItjP+MnAHaBn008b
dyChf8LGF5eADUZMSgXwfJdSLmYqCIua1f4M5Anzqt4B9G/1gt4poPZTI+InQMAU/732fuBp
5errskNShcQhcX3APO8t6ZsFRjE93DMM5PtUMD8EOUFMVVYCl8Qo5SaII7yQ5UEPMj4RIWDb
5IwLMsG2wPlN4EhI/TCVaAvol4wgXw0IeRTozhgLwV+GdMsSBuILNTcfgyiqYb8BWiVLWUcp
kKmyGPVAS9GKa9dBy2fOcn0A+m1v99RLoLczFAYDm980ov57vi34bcFvC8Lte7fv3b4HVwZf
GXxlMCw9vvT40uPAIAYxCOYwhzmALC1Ly9Kg7dX2anv/vj1xXpwX58F8Yj4xnwAd6UjHf7w/
xX8t/mvxX+HOrju77uyCc8XOFTtXDErtKLWj1A6wnrWetZ6Ffa32tdrXCgJWBawKWAUhN0Ju
hNyATyt/WvnTyhC+N3xv+N60ymrVqlWrVq0K29nO9v/h+PYb9hv2G2nL0Tmjc0bnhFq7a+2u
tRsoS1nKAlasWEFME9PEtD8e1+tbpu+qX8b3xvfG92C2MluZ/803JF9f+OQiF7n+m/ZeV0rf
ljfVz9v2+4+YU2xOsTnFwNfB18HXAT61fWr71AbPmzxv8rwJbNq0adOmTWnynpOek56TMCZ4
TPCYYDjy4siLIy/SbuUOvD7w+sDrYBtuG24b/ubyb4u4IC6IC0AjGtHov9n+n/FGKKGEvr2/
viu/+D1eJ1K1Z9WeVXsWbP9w+4fbP4RLSy8tvbQUJn4x8YuJ/0CC+qZ2fj0V6Ei3I92OdIMZ
ZWeUnfHfJF6v5R7Ofjj74ex/XH5dwLqAdQH/uB7e9XlUWawsVhantfuv9oM39dN3ZdczPc70
ONMj7Y5Pt+LdincrDkP8hvgN8YMDWw5sObAFdsbvjN8ZD+/3eL/H+28gP5rRjP7H1fDWvHXF
Oc6Z9L7RBcxxagZvV/B9oncgEZ5vix7m+hr0b1OEmh1CKqsnw36DTBmCfkt2ghppnBFLIONB
/4ZBUyBjowxDxGyw1LbUjukL4eGhBy1FwPlRQEZbb/AfbWvANoiZn3Iy7hToGQO9CcsgfFC2
aS4JGd4LWuIsDMo2+0hmQHK+hM5MBvcLT6CvP3iPOm67WsP6oDNdNnSFvcV2hCxZCp5qz9c8
CIBnTR45nkZAQgdvkC8/pO4yvjTHg9rE0tnyHfi66Xl8+8E90uvyDgNZhMHqHGANnZQKYNrk
HHM4yF7Eyz4g/eVZeQ+M2ma03AhMVJ4qrUAcUbcrQ0AuohifgdKKBaIWiO/lS+6Dnl8/o58B
c7AMkA9AXpK/yGNgrDGmm4sAJ6lIMM+ZR829IHvKnmZ3UCepc5WhoLRS2ol6oI5SJyjzQFkr
FomPQH2hRqrbQdmr7FWmgfKtmCzyg6W0ZYDlK9BaKtvUfKAVVadrMaA5tepabdBStDhLSbBW
tl637QPLZi2fNRDkNBElIsCazRZg1cCvbuDjgMtgHWDfa88JsqE5zZwByXlfLY06D/TwzU4p
B8ptkU3LB0yW15UnoF7lrLcvKBXlAmM8WO4oPZVCYO1qeaWq4Dcr0B5yDkJrh13KuAJyZso9
uOBLyNQi+6Z8QPZiee+8Fww5LuSbX7oiREzL3b/E55D1Zp45JeZAlu9yzCt8BLKXzZtYqgzk
1vIvLL0G1DrW3MEVwf9m6KCMHshf4b1B1U5ASOaIwMJ3wLE49FVYCviFBPYKKQzifa2lpTAY
j1nHZ6Au11aqu0AGpbSOPgjJuWK/efoNuDqlDHLtBqOSsUj6vbtAbft126/bfp1WCW0T1yau
TRx8fu/ze5/fg8s/XP7h8g9p8q/ntK0YsGLAigFpTym//rts+bLly5anJYT/KK/3f12pKJxS
OKVwCvxU76d6P9WDUmYps5SZVrFaWXVl1ZVVodLVSlcrXU1r59KlS5cuXYJ+l/td7nc5bUrA
60rC/89/Vgz/iKwTsk7IOgFWVllZZWUVOHfu3Llz59IqjSNHjBwxcsQft/Ou+/W64vK3c9DP
yrPyrIQvMn+R+YvM785Pfs9eb6qft+336+P+rr2aZm2atWnanFTrMusy639JAF6vf/339S3t
1xW61xdur/1vf679ufbnSrvV/abyb8vrt3W8niLyeu7l6zsUi8QisUj8l/G/I399Uz94U7nX
UzbmG/ON+QbUvlv7bu27oF3RrmhX/ri9N7Xz+rvr766/m5Z4vf6bZUeWHVl2pO33+g7bm8q/
KW97Ht3xfMfzHf+lMr85fHP45nAofa70udLn/vV+8KZ++q7s+noK37wS80rMKwHfdf+u+3fd
08Yd3SK6RXQLyJ+YPzF/4pvL/6t564qz/WamyLhyIFb66ngzge+KT7f3hORdnmEJFgj5RD4M
XwQFWmdekGUYhF/3b5Hxa7gZZen2LAReJN7tYGYE+2mlVFAHEBNFamodeLE85ZkxDLTT8eWt
myG0U+gw7TR4y4WueTUSIqMfOlzHIUMLR93A6ZBSMbCKTwGSknr6fwcB/QK9cjbYOoYJ+0Tw
OqO+eTkc4k/5Kr+YBccr3PngcEEwtqXEWKZA5PrEyu6VkPLc4/CdA9MicprrQauhva+NAfcP
eh5vE/CVMGr7vgR9JmXFPBDDjEVmT5ANxCa2gFwlJ5EI5nxzpBEOykolp9gJZguzp7Eb9JH6
F/pc0PppCy2jQQwTl0RVMDYaC/SZQD7FFIfByOfda54DriCpC0ovMUW0AVFAxIlGQAUmMQiM
n2VTIwOYt+Q6uQnkQ0qJ78FcL98nHtR1Yoi8CaxmEiNBIC6IlyDryfq8AuOYPk9fBcpn2njt
V1CuKUeEB5hENnEC5AfysVwDYrJQ1MLAfS1cWQmasBSxpoBlnu2pozXIO2KB9StQbotxWgVw
T0zJkdwazPf4ybsNZGm1rDUFRIzisS4AbZN46J0MmlW1qpGgtrYddC4DkcPy0CrB70u/XcG9
Qa2v7bDVBl3KwWYSmN3oJT4H60u/hYEDQFwkUGkIam+ttdUKtCMn20D+QqjcAEoEWU0baIrl
tnUouIe5UpIugrWAatf7QFCXwF+y/QDmBKYaBUB5rC5Xi4McKctxGIz+ppDVQXwoNspuECj9
Z1kvg37ePUA/A+6nWoT1NDgehS2O6AaWCMcc/2ogxovByhRg2LsJ1I9OfHTioxPQs1TPUj1L
gRKtRCvRoK5UV6orYcyiMYvGLEqTH5VhVIZRGWDq6Kmjp46GZrea3Wp2K217ke1FthfZnvZw
yx9R+FjhY4WPQcczHc90PANrWctaoPK1ytcqX4Obfjf9bvpBlsgskVkiwRHviHfEQ3SO6BzR
OdKmdlCSkpRMe/jl9cOEwfeC7wXfg9JmabO0mXa8WQtnLZy18P8vqP8u48ePHz9+PEz6ctKX
k74E9xb3FvcWcKxyrHKsgs+yfpb1s6x/PM533a9R7496f9T7aYnm+oj1EesjwDnIOcg5CMZm
Hpt57D8hcf5be42vNL7S+Er/uH7+bL9/z0/+iJ9G/TTqp1HAKEYx6u+3n5p3at6peUAtalEL
rla6WulqJbjKVa7+N+3lP5L/SP4j/7h8k3NNzjU59+f1/frhscn6ZH2yDg0yNsjYIGOavlrv
aL2j9Q6gC13o8u789U394Pfs8XtyRY4VOVbkGNgr2yvbK//jUzT+rJ1ztszZMmfLv19vnWqd
ap2athwxIWJCxITfP86byv8eb3sevf/+/ffvv5/2MGVortBcobngy7tf3v3yLsT2jO0Z2/Of
7weveVM//Uf5I7u+vgC7NevWrFuz0i5wvL28vby9oIJRwahgwMicI3OOzAkR9SPqR7yB/L8a
8R9z2aSsUKFChQoV3ryBbu+NvVt8D5QOzrezfD1wx+jnvL/AmVO3np68BEEbnAP8RkPmMoEV
sj0H84Wyx/IRvHr64oOoc3Br4YMSCQ0gfGbmE5YbUOJapg9znoFHzV719PggsAU1zL4Q3VKb
mDgU/Gyhg/WWoFwzKsiF8GxVQmlPLQjpKQ5mWwDm4+TxqT9DpmlZRmeIh8Dr1p2uWxBfMsXh
w9Ientv/IBvTNqZtTINyn5T7pNwnYFxiXGJc8jvhXKNvjb41gOMc5/ijf44+9X3q+9QHm9I3
pW9KB6fT6XQ6ocbnNT6v8TmMHzd+3PhxEHU76nbU7UJ7vv2+/b790HV61+ldp0PezLyZeTNh
yNkhZ4echZYxLWNaxjy+efWw5zqty7Qu07o8/u+N/9dRlN8EpqI8mlArXfr/Fszt2w8fvnr1
P7f7IH6/z1cQCf59RLpy5YEDJ04srEdEVKhQqxbExXm9v8+BvnEjOzszEwwGtzsnB2rWLFOm
aFG4ePHOnRs3IC/Pao2KAqPR4QgP/6PdBwkEfhP8D/u3QpbNZrP5j+3Tpk2dumHDw6+/Tp2a
NYsUgfr1Gzf+/WLEB+0+bh45VcOQ7w8N3IbwqqalISMhkERl4Q3Q6wsfCs+CsExcYdgAPCV4
pUxghbAbE9BTme0eB9rQ3BZpY4AK2m3xNNCad4RlIDQW++luQKaZPgcQySIaMAhmJCCVfG6B
/jwd9GQQqglVdQfwHc8r34IuaEP8Eui9mWHsAdJ8IVRqDmpv5ZznJIQnOazlr0L5KiXHtpoB
3tvy94bGYBbLtLb1hR6OFye2aQaOJp6REf3Bf/f+0Nz94BTOHUpNhpB5htthO6H40shAXFfQ
B8r9pCIQOqzoClNfiBxuq5xnh8jR9i+lZDAPjNtZbhsY9xvGW1aAu0GW464EanvPBZ8TQmaE
PBvaFBwtY04XuQCxtaKux6RCbFxUTPREiPSGhkbrULpv0fDSZyHiJ9uZkL0Qtc/R01ARTDv0
4e5PQGrsfTtrEySlRA6Q90BoN0MZZRrYbNJn3o1gWEN5ZyJYvzKWMjcEb3+PPZAE2d9mqmmf
gWe/e4dPA8xaguMbMMVpRytrEHbS1LdkCFgbGW5a+gJ3Vbt5ITj2mPYWz4fsZq5A+jDwv6hP
pyhkNUrt5lLA8Lb+akgTcK/0Juc3hlKpMUeLzwfbB3Ja+F5wNfPN8R6F2OURidYbYN9tWmTa
AfHlItqFx0Fig7Ci1s/A2zz/bMAOjg0WVRwFxhb6x0oSZFS+/+rtvuD/0b85dQDkJnqWZXSC
KyvTyp/qARcT7oQnL4XcA3ln3cWhwrEKZ4skQIlOpYUS34HpgKlXqAKuYu6d2vdgPeaoFNYU
woh5LyoX7l2/9W1WKTj65LHsU7fhRsn8fe7D4K2ve8S+4Bnr2ZD7Ojg/c95NSwRDluVe1DJw
T9U3mj9/fBO1YPu4cePGjRs37uH9CoTzw/oVCOmbN2/evHnz4eMUnP9Xt60rEDAP+6l/U9FN
RTcVhWUXll1YdqHwJ/ayu8vuLrsbZuTOyJ2RW1gvOP7N8G+GfzP88d3P1AmpE1InQKcpnaZ0
mgI5O3J25OyAGbtm7Jqxq7Df0meXPrv0WVgTvSZ6TTQ0u9HsRrMbhT/tp01Im5A24eF2cnfm
7szdCfll88vml/3X/Vi2fNnyZcsL/Wg+qvmo5qOg7MyyM8vOLBTM/90kJycnJycXCvdnhz47
9Nmhf32cKVunbJ2yFY4POD7g+ACYuHHixokbYVrnaZ2ndYbk2OTY5NjCiPikiZMmTvqdAIjf
EL8hfgO81+y9Zu81++f27ifcT7ifACdqnah1olahwG0a3jS8aTjcaHqj6Y2mcPXq1atXrz58
nD/7/L4yfGX4ygDfOr51fOuARo5GjkYOmFx8cvHJxeHixYsXL16E2ZVmV5pd6eF22k1oN6Hd
hP/ic/KY5tXjeq7/W/hXUzXy8rKy7t0rLB/kweN/NlUjEPD5fL7fhPNvkeffyjNnPv98zJjC
sqB95cpRo/r0KSx79apbt0wZ2Lx54sTXXoPZswcO7NwZtmyZNOn116F27dhYi+WP4xfYfRC/
/7dcY1X9bR+OB0tJMpnM5j+WNltiYunSDy9Pnrx61ed7+LgFdh83jyycjYvMGcYnILxP6IGI
GNDe1CcqbhDyhRAhFUjDpDcEtuuVhWUgfCB+Ik0E4WPfjNzZoF7Kq5MXAuLnwnzzXlD7CRn6
KhBq618zC6ikjxQiQHdTAgGQEAD0PDLwgjCXuUID0L9BEuaBnqVO90ggdvJc8fQCerl93nWA
iTlaCgjVhSpkgVhPeotpcH9lVvX0eyDuvvbU1XQYa+m2auibUOVYhfqtr0K1enVebNUOWmW9
1LRTPzCMq/BRYjj8tHJnqx2rYXu7vVmnN4HxVGCulgcVGzvCwxtAvENP8LwHpfym6NwnofzT
MZeNbSEkKa5vGQGkvZZ9ju7g25z1atoZ8A9zXnT1BmOybAktC/rzJlPkGUjbkDdAqwJ3q+TO
8DWCzG3OMmpbSN2eedAtQvqX2YNcX8K9Fhlbcr4F83FzNckJwm1/mjYM5C5MUYdCVLb1FaEy
RH9n/dxcAxznZJtaBqxnTG8Y48Efo7xOffAOVW/kpkKuGNhzIhLSXsupee4MZO0I9Lw0HJy1
fF+7Y0G6ww6DDO7WgRDPF0C41N9wD9w9fcacipC/PbA/eSGk98s5dnMmZHyY87XnHmSsdRrT
3gPDC2HXHX0hRHBkR20BRzvT19ghzBBy2FgBhJeVaaZxkH8hP8HzLBhPSGcUD/CUaKcdqN1F
u20taHPMTX2DQGhv65+TDLmXAsXTO8Pl+vdCr8VBeqTnzL2LUGRkqc5hM6HY4WKtS/cBQRHi
rf3BXSy/eCAdLLGOQSGvQejqmDsxlSH90+TQvH1wJvbI16cEuPli7sHcMFDrGoYbTgGdNZ/Q
BVgtNBFqg/RCeGrROFA2yKHxAghZ4nDhT/wB/7MU7MdcIHwLIkYP7tP8zyhIzXgw17lgnIJx
C+z81fELBMzq1atXr179x7LehXoX6l2A7dO2T9s+rfC8MWPGjBkzBup/U/+b+t/A6DWj14z+
XQT3wf6PSpG2RdoWaVsYwSuIHGZNyZqSNaWw357ue7rv6V5YH7ps6LKhy2DA0QFHBxyF8Ovh
18Ov//v9eDClZoh5iHmIGV5f/Pri1xdDyNshb4e8/fjuz58l9LnQ50Kfgzm+Ob45Pmh9r/W9
1v9CelLBdRcwY+aMmTNmwrbsbdnbsmGIaYhpiAmWmZeZl5khLiUuJS6lsL9xsXGxcTHEPh/7
fOzz/9ze5smbJ2/+Xc5wkyZNmjRpAo3fafxO43cK27d02tJpy3/xEqM/+/z2/bLvl32/FNYL
UmAaXWl0pdEVWHRi0YlFJ6BHjx49evT4o53E8YnjE8dDt/xu+d3yC+3kzcibkTejsN/jmleP
67n+b+HBVI0/W+7YsWTJG28Ulg/y4PEHz394qsZv+zgXRJwfjDwX9vvH7e3aPf109ergcFgs
/ygS3L17vXpVq/5x/AK7D1IYcf6t/mBZEHH+q+ULLzRqVLHiw8f9d0WcHzlVo/icyN7FPgfD
TfNRqwO0FXq2Vg6EeG7ot0G36l2FzSAmMFVpAIwQ5lu/A99TObPyroP/uEcKPQxGg6GH1APE
zurlwFJgrR4mbwSWiz11Lwif6PPIB32/foFfQegndGEZqJF6Gy0BpK5aSeEq+Abkv+0TQEjx
OL13QdDlsqYFILUyrdPWgPCsLMotQF+kHVFHgWGDd6UnFhqGPulrXx3Cr9tulUoAX7g/2zsA
7N2ihxUfAQ6j0KBEQ4jyJrmVnyDCE/Fm2BOwp8+eYdsnwKrUSwcyK0LMdE89/QKUuhA2ydYW
jPHibm8UFOkaJqpNYO0TWiXy4JjNUKfUQNB2Z/W9sw4CE/LWp+8F3lZ76j3BUi2kcfgB0BbJ
64Q54H/O313bAu77eSPTcyAQ6QvJbwf26uaW0mCI7GVTzZvAftZwwFoWPJ/ojfUwiKobvtgw
BSIGhCWG5ULaVxnfe5aCbbD8mWsNmDbKmdI+SCuWJaTugIR3I/vGdYP0Hb6h0UMh/Utf/SsD
wB5pre8YDfp46T2zCulr3NqtdSAszouVT0DIcct3sUVB+sn6o3sD2Co4WofOB7Gb8kPEp2D8
VbxjTAZtGkmun+BW/bsTM8qC71VvunM1FG0cs9heEm7uTauivwTuBGVVen8okhPeUu4DgbnK
5+ZD4G7heS4QDtn33f21mRBZxv5tkXPgejUwkFJgizYtMI6CEh1jtpU7AUVuF/245CEIez18
ePwS8LcKTJEagruWv4IvFEKPhXeIiAXH5eiKER0h+6n0Lc6lcPP0qdjz6+GOI/vN1AGgTTdG
hg4F5quvCG+B1pX1vrMgVjA1DjOBME07EogA7WlfhewDIN0P6K4YoOTjmagPplasX79+/fr1
hRHhP7sfc0Fu84MUjFMw7sPs/jMKBEzSqKRRSaP+i44ePPxuOyLhmHBMOAY0oxnNQDguHBd+
99O41k/rp/X74zAPtquH1cPq4X/upzhQHCgO/F19obhQXPjHfno/vZ/eD7Bixfo7Pws4xjGO
AZ3pTOc/f5/+qh+BqoGqgaqFdWmgNFAaCIJdsAt2kEZJo6RR/9ze4yZkRciKkBUgjhJHif/A
/p99Ph8mfpj4YSK0+7zd5+0+h8MvHH7h8AtwqM+hPof6wMbEjYkbE2HZtGXTlk2DVaxi1b/i
cA1qUAM2ztg4Y+PvBGfBP4wPUpCyMbjG4BqD/0HKxp99fgUpFH/o939SX/4ZUm2ptlT7n9t5
kH91Xv2z5xrk/6YwVeMfC9nHaef34z8sVSMQ8Hp/vzjwYTzs+PLlhw5dvgzLlh05cuMGfPBB
y5ZVq0LnzjVrli4NtWuXK5eU9Nv5x4790e4f7fzfEecHeViqxvjxnToVL/5w/+/cycvLzwe3
+x+P+x8bcTYfddWTm4ChKt2logD6PG4D14VKwlUQffJr8m1QEaboa4FhwiH9CKjve2dKF8HX
TKoZOxvEQdJCFKCMdpYFoA8V3uMGcF5foUeCno6HCGAPTs6D3lWvwxdg6C8dlL8DQ1PjTGMV
kA45EmPqQvJ630RjUbi0OHOUPh9yZviKCUNA+lFsTRtQNiq7/DshpEh88bI/QKg9OqloR/D+
oHjd90H4VGzHQFDeUjO9SyHwTGCJdzhoJ71vqvMhoXdcheqHod2a2tLTFaH+p5UrRORB2JAS
dQx1QVljHOD7CEpYondGxEC5qLLPhJyAaro1NKcGPDHSKGktIEyJDim+DCTCGhdrCWoj342c
uuCKzzmSMhG4pNVgKoSeCP0lchTEjkn0JeVC4t2ir5cYAqE+W6WIUiBcN8yUy0Po/ugFEQFw
mCxTTV9D6t60djlX4cz2i2XTJkDuZm+IfznYettbRGSD/QubZGsLVXsmbS2+GMr0iIgrFgUG
O218X0Kx/KhDJX6G8oPCsuu9A0Uv2RsW/RpsVy0WSz0onVDifOUWEGEL6xV5HCImhpriJoE8
VZIiyoGnq3rMo4AyXLfn7gGTaJ5h7gbha+0vEgYJH8VtDNkHqojLWg2i3oz62fEtPHmmbJmE
sxAabvsotB9IU4RIuQXYQi3Jlp5gddt6Ga0gNjO1NR+G2Nth8UlfQJmuxTPKylD+QIVnajYF
e3LI94m/QG431xQ9H3KGeE3KfbDWicyJrAmm8ZFzIvMgV7/bN7cK3Dp77KUTJyD1QFaf64dB
jTBXtaSC/ooUbTwPmqKv0luBUEL4jCLAfXW7tx4oNt86531QKqnPuq6DYuU5Zffjm6gFArZ4
8eLFf/9FUvAH/8FXa/9ZCs57UDgU2Pl35UI3Xtl4ZeOVhfUJmyZsmrAJ9pXfV35feZg4ceLE
3+fiNW3StEnTJoX1ghzc1I2pG1M3wqrGqxqvagx3x94de3fs4/PzmSHPDHlmSGF91suzXp71
MiwQFggLBMjunN05+18QzH+V2idqn6h9orD+6YFPD3x6AOYdmXdk3pH/Pj/+LH/1+bxpe9P2
pq0wx7n6kepHqh+BQbUH1R5UG6xvWt+0vvnHCKuwUFgoLCzMFS5IMXgYV0KvhF4JhevvXH/n
+juF4z/4y0hBRDhlbMrYlLFw9uuzX5/9+l+/H88sfWbpM79bhPnxvo/3fbwPdnbd2XVnV3h1
3qvzXp0HKy6vuLziERbPPuq8CvKvUZg68dcizk2aDBz47beF5YM8ePyP4/xjoR4I/LYt3IO7
XjzIw9p3775yJTW18PjixQcOXLny8PMLygK7f+xXsDjwH6dUyPJvqRkPlnv3Xr+ekgLnz7tc
Hs8fy/z83/Zrfniqxn/o4kDbr5Fj4xaB3kGqY7gE4nLG8j4oKf7dgV7ge8Kzyl0FTK+EYv8U
jMWE0foZODv3Wm5mHwhtmNQ9qTUYRzNTGwbeD4W24gIQfuZn3Qf6OxzXkkGcKXSXDoNQhY3C
atDPUosy4HzNmZdzDVbPXHN2gwV8n6nmiO1QbdtTbepvA72I4S67QOohp8lnQYzWtiklQOsn
njD0Al6mlvAZBJ7y39DPguiXWrMdWK93JROEFbwlTgHmiUnqy0ARbbBshUAP0sS3QFyZ+E7V
ElD5sPiBfT2UeN204PRsyCoVnpozEsQLeUc9NhA/Tnz3CQ9UGlNpb+ACJK5OS3NOg1NJWT5l
HZyZJ162vwN3ypubJN0B7WbezrRR4OuU2TS1P2hF7V+GbgX7eyFfhihg+tnS1JQI4sf2r+xn
QAsonfxNIW17TrTQD1zFPOfVXHDN1F807AQxRi6p3gCGal/qUXDntbTTGV5gk/qaIRTCmocW
t5wB5UXpjG8/lNoW0qf4CyAnGOZHFIW8My6PZzHoM4WtvnfBvEUbGLYTaK01ZgCYJsvtxa/A
eIlWEWlg6Gvrm3MRPN97pKyLkGnM7cznoI71T0o+D2VKxcSWD0DoeGlf/CtgWxc2Ex8olVyn
nBLcH5GsukZDWi9nqssC5pfNquk0iE2FneoRcKSZp9h6QGi5iHoh88E+1mEIWwHmD+2zLBXB
l+8rKewG5wfOQX4BpHdN75jCIVKNXRyzBMydzTsNoyB/0u1eqZ9A+pqb/a6aIK9JrnarNHgw
GsI/BXUoY4yvgz5Vm6v+9vkbpF4A/Y5+SK8E2ghi9cpAhJClrgPRTrTxbeBZWurV/s8kaf/4
JmxB7nHB/sy5ubm5ubmF9YLyYZHlf7brxoN2/l287HnZ87IH/Lpf9+uwbsS6EetGwIiMERkj
MiD6VvSt6FswsNjAYgOLQY9Aj0CP330hD7cNtw23wSzzLPMsM3w38ruR342E6NvRt6NvQxpp
pD0GP3tX6V2ldxW4/8L9F+6/AFsmbZm0ZRIU211sd7HdEDklckrkFMjcmrk189/4opv+en+9
vw73Rt4beW8kbEjZkLIhBSpFVIqoFFGYolAgVP9u/urzKRCwM1bMWDFjBYywjbCNsIF6SD2k
HipcjDmi+IjiI373j2OH9A7pHdLhx24/dvuxW+GiwYctYitYVMl5znMeWn3Q6oNWH/wxVaRg
sd1nfMZnwJbJWyZvmQyVvq30baVv+cv07du3b9++4JzlnOWcBZt3b969eTdsvLXx1sZbUNtf
21/bX7j48V/lUedVkH8NVf3tFdIPE7L/+rj/9XgFdh8kEPD7/X6QpN92zXgYBbtqPMiFC3fv
/v7FKg/WH3Z+gd0/+vNb5PdhiRM2m91usYDPpyi/77F9+8GDycmgaYFAauofz3viiaQksxmq
VXvyyX8U4Cmw+7gRDh48ePDgQV2vU6dOnTp1/voAblwNsmsClw0n7V1ByOJDrQpo9fyf+w+B
L8bdzeMDmzF8XsQiUC/rb/n6wPmpWyOP94CSkXVGV78O1lfDjxsGgXpezdSTgKOqU98GbNNX
qK+C0NPwpKEcXE+6m3xuORTfHFOrdF1Q+ijt9DjYk7HXeaQ6OH91WdRIoJXj+6LdoWRmKV+R
X6D8vfh1hmSwdrEWZT+o5dUW4j2QOgjjOAlKeXWzdw+IfqG7fBSE16RK4mzQ39baS/uANeLH
WgD05xCEBBD366LyLvhrOCvkdQBjiqGNuhDUF1xTMt4A7YuMlzO/A8kVOSOsM3jvZG687wB9
Svq09DdA2iXrrABvqnTHkwZZSdd35qTD6mt7StxvAceHZf8kpYN/iXdc1hzwZ7pbZE8BoZo8
0nIZwt4MqROxCRxvh24wbwSTw/Cafg8YqHb3y+Ct6Frv/RZ82f7tgU9BWaZf1IaBP9Z/1ZsO
voEuS84BMDst66yDISI78o2wt8B7xz3G2xU8xdxZzp8hs2pWTmpjUGcIG523QWsvvGwpCs7O
/u3Z6RCS51ghVgF/mnub8CHk1nfnunpCubT4cUU/BfmCGGWpDDfDM27ePQqGuvJ2Sy+IWhOm
xraHyD3m86bSoO3RRyld4O6gO8O820DzGgexDhwTQyWrAOZX5G+sNyEmN36DTYGI5pHFozLB
MMh8LeQcaB8ouw1vgivVWV7JB2+muiEwHCxK2LmwYxC6LHxu2D0QK2o/G3aAM+p+zv3O4Psm
e8CdVPD4lM9yp0C23/V24ADkbdNHhXUFvbQ433wMAhOZKT0HvvvK+7wGgV6B7oHWEDigrPSd
BmVmoJP3HLBQveeZBlIlfYmvJxxL3ffJhlOPf+IWCNuC3QMKBPS/SmhoaGhoKAwbNmzYsGH/
fuEc5K9R8MtASuuU1imtoU18m/g28YW5zS/teWnPS3sK6xvbbmy7se3f7XWQIP87qFz5+een
T4cqVWrWLF/+Xx/nm28+/LB168J69+4ffPBf7Spx+vTRoxcuwJkzGzeOHFnYHh3dufPUqWAy
FSsWH1/Ynpz80UevvFJYL1JkxIilSx/e/iD/rJ/Pd/v2vXuQnv799+++W9g+ePDRozduQKVK
CQlW6x/HTUu7f99ggBMn7t37K/94+P35+VlZ0Lp1/fqhoX88fvZsSorbDXPn1qxZosSfH/dh
HDp06NChQ48h4qypnh+9/cHwrbGp5QhobbSP9I4glzV+a6gO8hKTYk4ENUQfrn0PLPGs908E
x2eO/bZdYPzc8oWhN4ibpbqiCcQnhIvCs6C15UX1B5Ci5QzD65Calz0nJR+uv3F9waEtULxN
XJe4JpD5ubu2exA4naaJppeg2MoyCysWBX8R91u44dbM+y+7BkOCO7yv/SZYj9jLGrJBr6UN
ZihwXG+unwdxkrBQ9IOwROwkfw56Uf1zbSpo/fnBmwVUVNepw0FaLJ6wjAT9iDjIeA/kOY51
kVGg+dV2gVDQOximqytBWWip6mwOclvLndj3wRwWWd88B+gZk1i6LzDF0SZmCljuSWY5GiIW
V5/tPQJvnK7x3rnv4Ndley6c+AnWzd1fRv0K7r1mOh2aBMqhvE7p+yD7QGbl+++DN8+90bIY
wreF3YyoD2GnQ8vabWBpEXnLkg/6M/oSdQDoGxSvfzX4q/jGmbaDa5ilnuE0mM7LsdIgyLyY
/aX3e/A+q+wOvAvyeeP4wDHIWeLtkz0ErG3MeyyTwB5pWWe7B6bDlna+liCvMYzTtoDrTl6I
exaEFYuYFZYE+bX9Rt8RyFmR3zGnNwiHpRHiJjB+bphoeBkuj7nZ8FoO2F6zHjK0g9AtYY2M
fogaVexikfUQOT0kMrwphN8O8zk6gWmmyRmqg6Gcbbt9HAQMgRXSMHCNz/3J9yTkr/NdDDwP
ktmaYxgL4cdirsZKYNlhPeQwgfJK3kXvPsjIvnP71lDIWHO3yoX1EIjXG+fNB+1j/R3hfchP
clfVvgFnd1XOqwGBbK2IthT81dTv9BGgbNM76E+Aul/pq24Gf/XAm4FI0MdrW9VpoJ9U+wae
ATUQaOJ7/9En6sMoELYFQrdAQBcIrFu3bt26devh5xekYhQsEiwYJ/hGwf9MCrad2/XNrm92
fQP96Ec/gBnMYEbhdm1vZr6Z+Wbm3+1tkCD/u9C03yLD+flZWfn5YDJZrf9on+O/it//j3OG
fT632+crtPsggcBvb87T9bw8pxNE8R8v8vurKRwP66dpHo/XC4ryj98M6PP95md2ttutKBAa
arHIv1OfpUpFRXk8v+0PHRICFy5kZgoC/Nfxcnj66RIl4uN/i2S73YXtubkej6IU2n3cPLJw
Vqa48vWfwFAv7BsxDtSl/o1qTfDN1r8ILANjQ1MTYkBuLTc0JILnUOArXzMQzwtLtLlgWGbu
bHgH7o+5f/vmOlC2K7/6vwcT0ld6T3ActQ0NPwj5T+V0y/OB/VXztYgxYCptXm8fCFHh9s3m
CHCudhY5o8GVFSntcr+ExAqRM6PSwLbD8pJaH1K+TdvrLwPFGoUXMZ0Ctangowgoo5WSgcMg
TBbbio2AoiwUwkDYzn15Jeg20Z09DoTa1BCrApGKU30WlLtOV85TYGhsb1qkNaiVhXvqJZCd
jutxNcBw1h4WVxm0Z5UjzmxQ23gP5lcAYz1zveifQd1hWG17FtTPtJd1CTSr/LL5MNiqlz9W
/z14vmz5Pk/3gXKTylTb8DUs6PrDV4frwuWtVrnUSfBWdDXLWAWegfnXcmPBvyNt490h4Poi
b7N5PIR+6ciPioaQ5JAVpoNgu2x9xfwdhL4bMsGhQNT5qFpqGvjPeta4ngWDYkvMKweB3Upf
sTQoiV5N3wTyJyXzi3WEvD65b3k1MDUxvGGuBtJddU1IKrgN7pr+BWDfb+kvlIL4HyMqRp8G
O4ZnE6ZA2gxjq5RXIGSX/YBtEkTtC1kVvRucnYq+7ekDhtnGa+wGR0q41dYPLNfMzrCvwNhQ
NtsHQ8CvbZeeAn/RgIkYyMlJ/9z7AgS+VnPYCtqvxi7m9mD5KnSk5V2wVw1fG/E8SMV8B3FB
bsObx9M3gKtd1v3k3qCcVRamfwS2LvYvtS/At0W5YlkA3rL+Pf5uYBctSdohkNYH5ruLgu9D
pYJeGvT6cgXyQbmt9VVDQX/KFMeHoPTVTfrToB3TNmkiCJcEg9EPiqiskB/hJ9c/S4HQLRDS
D24jV7CPawEFuczVqlWrVq3av9+/II+Hqq9WfbXqq7CUpSwFGMIQhjzqqEGCBHkcPPFEqVIR
EXDnTkpKRgbExSUkREU9PgFdQIFgvn//NzsFdh+kYsXixSMi4PTpW7cyM0EUQ0NDQiAsbNCg
L774Y/+Htf+zfrru8Xg8oGm5uXl5UKVK8eKRkX88LzTUaJTl317N7fdDQsJvCRRhYRaLJEFW
lihKEhQvHhqalwd16yYm2mwgSYIg/hcr8W7d+s1ufr6uyzLk5Hg8qgopKbm5fn+h3cfNI6dq
3Gtw8d0bWyBy/RNTi42AQLqnk1oClEw1NjAKTL2NLQ3HQZcVl88GuSN3dz0UAnmz9a/kqlDk
8nNVn2kD2Z4cz7364FuuDFNGgynb+I1YDc6+cTnh1xTIvaS+lv8ylCkVvbxUV0hQI9dUzIXT
nS44j+fBuffv+i9cgotn7p6W6kCVNytOaPkC1JlYKbPYaHjiWNQGoSUIJQ0dxWIgbtS36CtA
n6o1U2+Dniq2EdJA7CYUNzQGIVXcoz8Pqabs65cGQHoX7+wbZSFiWES7kF6gfeJ0ZU+FcIvJ
WfEDCJ3r6FWuHvjaaRXcF4APBFmUQdhFitwLxM+1iMAwUGbqP2ttQNTFqoY3gEQ9WksF4St9
vn4a1HS9gZAAVGSfFAW2zy1V5EawKnRmn4/vwrq2R403+oCeYJsRdRHcU7yNA/VAXe8ukfsr
6Bc9s/KugShrp/xLwfqenCfNBPMuexd7PjgsDot1DoSMsL5kPg3mGWaTQQbDCHmU+hxov5Ki
GcBfWv1I8YJ+UiuldAdtvnY60A0CJuVpVQNPNe/r/tEgrJSThedBmifEiTVBmi4sEC6BtkBr
IQhgcpveN+4BbaPQXPsFTFXEZ4wvgSHf/JP1SdDCWSOcA21yoKGYCt7K3mZaeXDu9RbzByAw
KrA1kAFqPWmR8BZIMcYjtuNgHG8JN+ZDdJmQuhagiC92kO0S3AncfyPjZ8hXciqkfw7ZtVMT
LnaG3Pw0j38GqMfYFPgV5DiljZYEoklcaWoArDaa5QiQPxTXSUVBf4d3pHfAP1Ety7ugf0y+
PhYQaCScBD1B+EVcAXwgbpG+AF3WTum1QHtLuCHuBD1DPCdPhx+7/Tzy+22Pf+IGCRIkSJD/
DLKycnKcTujd+513vv4azp+/ciXtcSyyeAgVKpQpExMDixdPm/byyxARERb2+zeTpqfn5jqd
8MILo0cvXAgnT1658o/2iX5cVKtWpkx8PPz006RJ/fpBdHRo6O/9yc7+LXb8wQdnziQnQ1ra
b5HnfxcxMVarLMOHH1auXKQIhIc/HgH92FI15HGO74xrITAjp26+G/RXsr/N2QXCeFeKywr6
6LLzS7UEtbS7j3s5OItvPvfr2xBmfvHtdvkg7LMkCMchYZLxlaIDIHuQu0qeHU5kHNcOzARL
WaMx9CXw7LOt0W9B1A5ryfiGYHjHWC68LuxI2xV+pzfcGyH8cLczuCOkdYEbsPXYrvPfXwBf
Jz9dv4ZSiY3XF68HFpfpPD1B3a+9LnpAOCXeFeaCOFLYI3UELZcP/QkgL6Ce+Qy4a+f5svrD
5dVXeh4vBcphfYbhC9AXmoZrPog+FRGZfBEqbi/ymS8JopOtjRN3ARZxsMED+jciWkNgsrBZ
DAEBWhpbgfChXl2tAPo6erAB2C4sFSaBGC7cphhos+ikBCCgKUW0gyBU9Ofm6yBuyGhyHZDH
afPU90HuY+5q3wDaC2ElIi+B8ktI1YiroPbyC87vwd/ftzm/AyjRgTFaTQhsyJqedRFynFnP
yO3BVN/4ofgOmC2mHZb2YKpkGG4qDWK4ab60AaQbkiwfBKmuoZx1Jxj3yE3E9mAwh+wlAMg8
p6WA4GWiuASEEF3SN4DWVL9FWVCG6qlaH1DLKZEsgvzmShleAd/anD7eWPD2DkxVRAiIgRLK
BVCPspezIK8xJZvng3GpdYVtGhg7mBtYD0LcKPty41Ko0bncrKg1UOO7mi9XnglxnyZdLjUV
Nr+7dfbXJSH1jbzJN0tD9QY1fW3bwOpNa+79PAT0zZ5XDSWh6XdVatVPhytxZztklIVj3x4r
d74C3FmUFZE1BnzPK4OVLmAZa1pm7gXyMcOrhn6gVVSL6O+CWkv7UjkB+tfCAPFbEJvr3cVQ
0C7rdzUDaMf1feoooNu/78shSJAgQYL8/RQI1/Xrv/jitdf+bm8KheuhQ5999uabf7c3hcJ1
zpx/vIjv/zUeWThbvlCm+FtBYPnNvHvrgUhfC08V0J7xFvG/CMbdQpuSa4BQ12zXz8AW//XA
EjB9HBMZUg0My5kub4TMt9xrMwQ4vv748H2zIWGWcVvcW+BKNjd3hUNYmjDCkQixm+JKFO8F
p05d+zJNBPF0yODEBaAvylyTEgpFi5QfXqUtpNS43ufKPLiw4Kr3WgYc2ZLUPiIBnutScZa9
FwRWBZb5JoO8zRRheRbUw9p6bwoIp4S5pqJAX72MEA6GDyyTTLsgpkQFrQyQfPiU58owKLVb
iohbCfZLrkhLW7iWunn3qjiwzyudVq0NCOuEjlIS6LdZL7cHw4ii28t0Bfmd6OwST4O+XW/I
fGCF0JNs0Bfq59FBSGYUR0GsqUcLpcDQUE9QPwDha22x2hVcXzmfzLwP8qvKbk9pEDuZdzs2
gBxj2R8RDcY8y4XISyDWsMy1/Qimn0Pd4QJoU539s2LBixKrzYPA+/o9LQe0Q3pxTQdnc89a
z3EQX3b58y+DIqm79ItAc93NGRBWCWfEyWBcyBPCedB3in3oA/qrwiLBBUJDFgsJoH/BT+Jq
0CcLCwkBrb/+rLIP9DDhPbEM6K8JReW7IKyVtsstQDppOGY4CPLJkAZht8Ay3TLd9jOYHcY1
5oMQl2l1azuhRtPitS12qNaqdpWqz0Dc7rJyDQmURcI5czQETuqz2AkN363v7jIOnEWcgUbv
QkSvhNdKfwbRlu4Ly+4B+0JHmTIyhF4K6138PaiQWXP63X6QtLV613ND4Xv38lsbboP/vfyc
cx5I7pj6dXZFUHuK0yUnGB1mzXoUDInSEsMXIJulheIzQDecYmfQV6nx2hnQBirH9U8BKEej
v3uaBwkSJEiQIEEeB48snKUN8hHpNOhuR33bjyBsikmLHQVCBy4ImUAl2S83Ad/yO3HXb4Dc
JerV8DEgvx8TEfsteEIC9/OrQ97ovOR7g6D61sp16y6E6P7hM+JtcCD9fOMNoyE82tY9ZjLo
7eTrhjfh3MDj1XfsAuMsa9vii6H4LNuX5aOh1rayV5+ywYUGkT1LAsLz6pfa01A1o6wnUgDf
aNez6e+B8JancVZL0FbJqq04iMut/W0+0BsZ8ow/gHTJvFGMhpSBJ+SrlSDlbO57F9qBbUH8
h6YsiEiNapw0C8q/X9nXcgh4zBWr3fWDnpxV614R8C241/nGD6Anud7LqQqqFF7esRYMz0bE
R+cBTwjDQqsBZ+mnzAf9ec4xGjhFMitBayn8yIfg+9jfQW8Gvnz/BpygDZDvGjqD93ZgkXsZ
YPAedm8HIS93VeYvYMo3Zd+3gbWlfUyYH4ptKZYYlQLto/vWb1YF7qffu539EtxecS3+bj7c
7p8x2NUTMj91lwhMg/yT/oVCHXDn6OeUkyC0ViP1kRAIVdHiwX1CTde6A08I4/T1oEcLe5gP
rOVDMkGMEYeKT4EYZfjA8AMIG6RIwzcgrzO0NjYAaaacIU8CeYTBY3wfDEniW/JyYDydeRYM
0ao1kA7a9IyG96vDc8Wf71CqOTz9bBvalwTve2LrqJvg+yIw1hsN+mHxc18zEGOly2JnkF40
h9kWQdQouYIlH/QxVDUvhsRiRfc2GQcBkzJN2Qr+TP9l/3Ewvm/bbW4BgfPq4LC28PSr1dtV
8UH83LCMYq9C8kH3Nv0l2H5uyyd7XZAyN/ONu7vAYzacldeDRVC+Mh0H00pTTeMGEA+J+8Sj
IEcYnpR/2z4nGHMOEiRIkCBB/ofwyDnOQYIECRIkSJAgQYL8T6Ygx/mR3xwYJEiQIEGCBAkS
JMj/BoLCOUiQIEGCBAkSJEiQP0FQOAcJEiRIkCBBggQJ8icICucgQYIECRIkSJAgQf4EQeEc
JEiQIEGCBAkSJMif4P/fjq5gtWCQIEGCBAkSJEiQIEH+yP8HJdMlcRIgfwsAAAAASUVORK5C
YII=
--------------070606080508020907060001
Content-Type: image/png;
 name="XeC"
Content-Transfer-Encoding: base64
Content-ID: <part20.02030701.09050800@aol.com>
Content-Disposition: inline;
 filename="XeC"

E68nXoepnlM9p3rCrPaz2s9q/++r/5/tfdVjCEMYAqzbtG7Tuk1w6dKlS5cuQe6d3Du5d4BF
LGIRdD/e/Xj34yC/kF/IL2Db9m3bt22H66uvr76+Gvwq+1X2qwx9Z/ad2XcmDB82fNjwYUBz
mtP8z6/v305H6Obm5vZ7Sf/xxShEjRo1atSo8c8HsFrtdpuNv8yqgQfgAm5jQQKxFA/pDMjn
+VH6AOjMLFc4aN+om+1pIMXKTeUWIBWUPY3dgZuav1IPtO91B0RTUFck37t9EnKHnx5y6DWI
eF24b08wlAp/FZIBomjWw5T5IA/wXeddH4zTK7fq7AVKPeljXXvIjD0z/XJzSO79akjscnjq
F6d7kgSZ89JfafnB8ZP6vZYIik0NtD0Gw4+ywVAfwhoFbA6YA+EjohZEfg7sUD7T5YL2szxS
GgmuFuQ4woFK9kDneJA76xvpe4DfkajLBYpA/JGnp19+A9JleZo8GMQteZpoCbby9pu2pSCi
XBZ1GUgdRFe5JmDUTNpMUDfZf7H+BNo89Wuegf2JPBMLvH2ZOz5zAFhvZS5M/RJ8Qw1PpRJg
nmjvwjYwjdFKG4qA3ub70FeAIKFndgiYrOpydTAcH1W60et0iPlG3vWgIvj0t5fzGg8Z+8SJ
DA3SP1b3qKeh0FSvhBpnoYRnqFI+GuSx+im5v4K1uj1NvwkC2pk+Ej3g2k/Pw66thKh473HV
FkJq2tuRr2+A/rGnM18hSNqe6X2nABQqGNrY1RcMn8svAr4E7ogTrlhI3ZT+Jm0UjKrSb9Q3
BUC/Vm7kmQCxXm/WPlwJ0TVu99i9EPRnHJuNaaCWdawz9YDnr97WSBMQXiTQW7sMUrrpCy8z
+H6o+77IBdC+tbVWekH15hUL1BwEQV7+n3j2gPBL+e77NYNj1tNXHq2HjL4ppV/dgHr+dU+V
+wrsfo6C8jFQ/HTrpOVQal/ROfk7wd7cI7sutoSdEScK7oqG0O+D/OzDIG1uRrXcBxBeQ3/J
Eg3SGO2ckEBERPqkZkL+S5G9vEvAJKXX98e//bOb+f973vWor66yusrqKnnL3z0cWOpsqbOl
zsKNoTeG3hgKQ64PuT7ket5QlvPnzp87fw70G/Qb9Bv+7Nq4ubm5uf1vd/ny5cuXL7/PHmcF
gQAyJA9kkOqK60ggfcl1NoLWEYfwBvkeW+WOIIZr4a4uoJSRxnlkgrZNNFXKA4NYrD4Bqavm
K6aBVN1xkhvASq+BBX4AsS8rKWMVWDe//CRhJGjTHe1yVoHUL7ljRiroUvOb31wAaXz+16XO
gmf+KvtKLgHb4dTgxNEQ9KHPvMg64Bxu0Cx7QWtlE85k8FvpWTX/T2C+rySqQWAyilLCBbnL
rC+yJoHOUz/W+BL0W1SbuhK8M5SeoiSYPg6KC34Opv35Lxb6FpRi/pM96oIol7HFcgGyPrQe
zb0L1gr2TTYH6L6TdulOg5pPGi0ygVaSXZoA8gK5lWIB0VYboZsI4qA0SP0KDIuVTKUlBHxp
muCTDjkb7BOy+oAu3Pl9tgnUtbZ+DgW0auYlPp+CwBGTvQAUk/cMwwZAznktxoM2JrOsZx3w
n+hXyzMOKmWU+SQqBl5Of/p1saaQODi1RKAvKB5qfWkDJO60dc7sCaaXXjYpFNgnTyu8Dp5l
xPeyXocCzeXbtXuBVjd7u+4siG9cUUF7QD1nO5GVCGE5/s0rdgRrQHZGZgdw1JYCyQX1AL1z
tkHud87RNgucSLw29cxkMD8xHwmdD1ebPN75c00oP77AyggHGMOtA/yi4HqPO4mZXaDBoQqi
0TNIbpRd8Wl+yDhkXXW7EHjd8D4bNAaKVykVWKsZFMspvjTsZ3hx5dn9+M5gGppx2/g15NyL
Px17C0pcL7s2Mh2c82xTZTPk+y7yVpAdble9pTwtD/oDrp7CE0yPlIIpB8DrC8998S9Af8Rc
XpkE+a86oh02sO303IEDjAN08c7+4ByuXDLPhvjZjouOZ8DMP7up/7/JsMGwwbABrgy6MujK
oLwfrtg0fNPwTcMhNCI0IvSvxuC+ewix6YSmE5pOAH2qPlWf+mfXws3Nzc3t/zZ/vMc51263
OQENDRegYUABKYJUnEBVYrkGYhy+VATJiVW2g3ZFG2VvB+KVNEN/CpR5UjyFQCrCCm0iiOIi
SDKAGOHYkP0tWFtfe3TiEVivP+7w8C24almL5Y4BQwXfvsEyGKYVH1r2O3DNsn+duQR8plZ7
0LwGyCXkHoZcsD9+1fP5W8gZe2vGjWZw6XCaMXcHvNVSCqQVhvxJXt/4NwfdPkc3ezaYRkpv
lY5gPGcqpq8ExhjiXYMhOCrf86j+EPCy2pqq50GWw9WgByC59L21mmB7dn3V/e2Qc+bl+YQv
ILVgzuCc/WBNsj9ylAVtITO0HHC8ddxw3AZRTVonYoByopdWDfjKlagtBi3M+VTzBDFYF6Rc
AyYaSxpTwHrOejJrLmTsSPSNnwrZ2bfq3JEh8GHQmJBD4Nk88HDYAtCyffeGHATrCa2+cRk8
/MXTZW8HlgWGB662YFgi7qndQXtuXSWbIeug/VvVDyytM37W+oMrn2tGzhZQ060xzl1gm+Rc
bWsCuly9S/kGtLvO+vae4LqgPpTDwFBNH2scBlRUOgp/MB42jfE+BJ4PDL3kHqD70LRAzAVH
KfHQ5A2qTddJCwElTLdQToHALb6nnGfAy+l3yHMRVFhXYlaTcaC8cSVr+eBRzJN+T65CYGpA
qLkRxLeKv/XoOdTL1yCkxq/gem39NHgvBO8OrWt+CN6xnl19SkFumn0QReHN1ZdK5lXQoq2u
V2ehbEaV2RUy4NGdmCWvO8BL3zfVYo2Q/GmSz7NCELcvdX/caFAsPtlpGniaTHOzDoA8Jr2P
qy/YN3sEuPpDQDX/cf5fQuoCV5/sKWCdKPeWq0NOWMaCjET4Pnri5gtpf3Yz/39X2ry0eWnz
YMnZJWeXnIULZS+UvVAWsnpm9czqmTffdbOmzZo2awrDqw+vPrw6mDeZN5k3/dmld3Nzc3P7
v8W7Huc/njg77Lm25yAVl8KlUiAeiLciDkggWaoGqKSRBlJngkRhoArLlWMgfhTDXOWBKfIM
6RFIA0WkmASupSzSHQC5if65/hao02PeHt8PL3ZunbwlCtJ+zfnEtAXMDzw/8xkF/r28ogxW
MIuAX6W14PGw6un6HmD2KtO5RmGQI4lTboD6jc2UdQ9cK68n3VwPT7UnE272gdxpWob4Fbx/
kOaH3AL1HMsMKeA9zXuPbxHwiDLm9+gH5iqeLzxiweysnFBsHPBDsMM3P4jdtrK2y6D7zjIv
czbkBj08/koHKXtfVkyMgWwv6yfWSuDsLrXVFBAWhosF4HjsWOH4HhyDXUbr1yBPJ1gUA85p
F/kJiNSilAqg7ZP6KBqQanitbAa1ihhIEtgu2j6wDIfMwW8f526HjNsZXW3PQNkeujxgCogZ
JuH5A2Q4HXusvSDtjSsrvTuk5iSJ9JJg0WVMyVwLtpeW2pmPwX7csdGVDvot3JbPg17WtTBs
Avm8vr9eA1OIUWd4CdJm2a7UBsWhL6qfAXJjuZ9cGeTJ8jhxGsQMUVKOBK2JmkE5cH6mfa0V
AK02zVVvEPe0HcIB8jh5sr4rKFOMxUwvwVjM9EiqDYbRPsbgDaBv6uvhHwN+zwNuBESBrpC5
pHEJOJ8nx71oBxm1rB8/DoUiHpE6/S1QdzjuedSEhrMa5O/fAMzjdF2dbcF5X9aJySC3chTy
Pgq55d9WeNQYcl9Ln8rNgL3aNWkXqCbR2dgZHpZ63v6iDcQWq+fTXZDVK2es/AHo+5o2uYaB
taD5Vux8YIzjC2kpWM3OWsp4MP3q10IXA68fptVJLwypDZJ6cBn2O5a2Olfzz27ubm5ubm5u
bn/E+xuqkSsFSNNBVBErxGGQPKWiGICe4g6fAqmMpQuIslK2UECqIyyiNhCmrJYGAse0gdJa
EAmioPYtyOuV59J+0H2etSa2ATw8uE23/Rpc/eT5dtEdCj0uV6eSCUol1htc+QI4A2I3Pr4A
uvOeG+UroO8Snh65CeRw/Tyvz0Fzum7Yl4DyiaGq51zIHW636KdDoethTaNagvWQNionFRJ2
v7E6qoEcbD5o3gCGzfpUpScYivi2Nc8BBho6ywngqpH9c+ZF0H/ls8P4BDCnn8zIhpxdj169
KA25sxJW5Gjg7KmeEQkgPCUfpoN2VB0proB2gaZaOEhH5Upya5CbuwK0z0ANFaGOkiCFSYfl
IyB3lyfKySB3E8lqJUCvfcFUcOTTzfI9ArmjPH/1ug+5Q6I2OktCanXf0rljIKdW9sK0LZC+
Pm5czAFI35HwItEAOU9zWtpCQI6Vb2vbwSvBa4x3OATe8Lvp/yWYsr3Peh0E4x6PUNNS0K00
5ddvB50ib5S/A22diOUmiCvCKvaClJ/WYiroSkqfSwdAuqBES3cAozRLPxOUCHkRkSDfEsuk
pqCFab2Ue6C1Ep+5WoE61l5Is0POHnum9Q7YmllltRLkXn8blNgKxNDUi0mtILvg26p+TjB9
4lXLLwS8PzZWcqSA/0qPWf7N4XbHp6fsAmqrURYpHJ7+cGfJhVdgcci9PJZDvuWhmz2joNaW
GicbFoHrfo8nxawD6wmjVdsIRQoVyw36Dowb5UleFtClqoll+oBfGd8NVWuCx9mALoFz4GSp
y9e2rAU1OfPLhC4QeMPjS2kEeBSQX1b+Gu78+PbI5cIQ2DTkM1MrUDeLMvZ3s1fE/tnN3c3N
zc3Nze19+OOJ80DxPZuAutI9yQLE0IzmwEO6i4+BHzgjrwORnyXKAJDqaK9cOqCU6KKUA+ZL
WfwMWiaNKAn6H/T5dXGQ89U9j6uxkNrsXnZyJSjwuFJOnUQoM65F+wrzwHdzaH7fBuCs7v+i
6EoQ27VnuUPB1Sa7V1YDMF4K2yp5gdREVJazQGvmmGc/A6Ki059kyD7meBS0D2xbs644q4Kz
Z2bHuG9B22cb4ZoPlpLqV9LHYAhWGsi7wfhRaUeUF0i+bHddBFfvl+dfW8FxOulE+jzQdmSZ
XR+Aq5Z8Tb4CrgnOw1p5EOmuoywHaTwmMQx0DeV9cldwfq2laO2AVZIqdwZmavdYAaKGKK41
BtFL3eoaDzzQj/OcCVkNpHkeH0NStrOsZoFUYW2W9QmkLn6zK64sJB163e3VfkgTbz9PaA/a
BfUHV0fwvOy/OWARRHkWLVLQBR5mP8XrJui/M5xSjoDrhGu8ZgVHT9vXVh3kpmauz+wAYmz6
SHEF5J1immQEbTsdxG5gjBwr+YAun7JQtxMMyYqPUhiUkkq2ooHOrPjKP4JWQt4nLwK5rZLE
LdDl6LZKRjBU0y3UbQQ2m0vpfcAzw2uIVw5oxZR0uSo4M1zLRTWwZ1jruSpD7sWcD3NKgq1K
yoGslpCyUJlriAbzGq8t5lQoPqZMw9rhYHzhF+B9GModK3YwvDYEx4ZFh3QH007TDcNAMHY1
DBUzoWJg05X1vMH0pbmZ7hAQyErqgNKPcHkHGDp4GAMagu2taKl+CL5VzOuNM6BsZsnOvcfC
U78XWc/DILeNQ//6OHiFBeq860DBJt6xTxZAVlHP3MzrEBaRr55XWcCdNru5ubm5uf0/4z30
ODNeTQE+FIflzcAsikoJgF1aRXfQ9ogxqg50K3mrawSOt9I0WoLUXpwRQSB3UXrLY0HX0jVF
XgPc/o+wrprJ6Sk1oXCPOh1qfAZRw4cV/zgUpGde5Q12yC31ov6DMqCG2Xpl7Ab5ufzSlR9M
2wvuKDcJtC6utTY/YJP+pjQDtBavd2ZMBVcD+z7VBRk/Zc/K7gCZB9/OSNkLru3WAFtXCO7t
W8l/OgTtCGjuFQbKD0o+IkA99mZxaiqIaYVehqwEZbvRpvMBzlJQFw2ikJTPFQVKIyZLRlCO
aHPpBZJReiFNAemo6EQEiMparKs+KOelWcIAyhppqvwTaGWkS8rHILYYdnrcBnt//RdeCqSM
V0coNeHtitxtFh9IrBv/6sUZSFn1+O3DY5ByI/lB0glQ2hgnG3PB/5uIIuFfgeeq4DZBrUBO
0MdgBmcny3VbIGQ9S36aGgmObo7BWjlQ6skV9Zlg+sxsM7wFjwDPHV5DwWOGZ3XPjWAc76GY
GoOhh3GFMQN0O/UL9KdAJyuV9QkgjVYO4g2iulBFLkjDhUHrCtoldbh2F7Tl2nGXAtoi11VH
PxArHJVcQ0Ar4DKoDwC98xdHP9CluD6UrGBA/kz3HLxve5kNs8C1y/uuMRGcLZ02LQ5yRlvC
nE3BsjN3e+44ePrLhQ9PVgR7bsSR8CtQ3BU6rG5DCNflnxr4OWgbRYDTCdo110dmJ3j19KxJ
NOT0y/G1hoB8Tv5EvgQZ69J6WT4F0wDTUJMDIlcEzPHOAfWca5C2ECp+UO7rEmtAd9e0ukAp
uNz3Tvizo2DLVBY5pkDpkOLbim2BGwdjMvd/DzlHHMsfLQf+F/26nJubm5ubm9sf84cTZ11X
/Uemj0At5izkbA4Mk76kHrCAddJckJMZLW8HR3NXS4cRHC+T57/9CAxhxiSTE+SNAQEBd8G1
2eHtqATyM50q1QTD6pI1ik+E4B5RdjUb1M+87F69gclZdxLegmKVuzq/BvWRdWVWV1DCii+r
eR3kA6bpvqOA2moBdRKIYLWMvRPk9nlRO7Ew2JZnfWbLB65WtiRtCnBNOu2XDa4TUhlVhjev
4g8lxoIrwJ5gMUJY4cjiBYaCnOTq5VwK+rJMFLtBlItMCv4A9JEhC73Pgthqi7NNB/yyb9m3
ghisnySugu6ReoHF4GrsOKgOACFLD6kHYgCLqQa6Q7o5xi5gsxtXeu+EzKWG4+YJkKzZLjoS
IfGDN51fToLECvfX3vGGJN/XjldTgFummh6hENi6sHeRqWAuE1jCrxk4SjpLOsdA9rikh6mD
QK1mq6Qmg6mJeYjhCvh+G+jr9z34bQhpEHQF/EYG/OzfB3ynek/z6gPmJZ6FTF1AN0P/QtcE
lINSMWUciB8ZJJaB1lcMYCnIH4ogKRFEf/bTEhgpOolNoF5Rp2ofAnvoKJoBp7TDwgKuH7Xr
2m5wNVF3qo1B89RuqIdBJDiHO6+Cs511UG4wqJ3sxaz3wPWjetwxCVwp6iIxFQyddQ+kymBa
5LvN2Bt8KvoIkwS56+35XEPh7YDUQcmB8OPQzS1+6gP+FwI+DtoBIQuC2weVgsqxFQaU+BXK
li6zr+ACyBydule6D46B0n3XNXh7K+Fk6lIwzDIE6X+F8p5V/YvkB2mzbrzcFhSrdt25Fkos
LuJrOAJ3nt9t7/gEnry+c+BOFPicKT+jzFGop5bZ0ucInHp0afze0gB88Gc3cjc3Nzc3N7f3
4w8nzmfqXRh5aRTUKlf1ftXaIF+TtokEEKtEknYLiJaGyykgl5d+UsqCx6qApOBrkFQ5oWty
CvgWNC21XwLDRUMp6QvQ1qmebAFD59DUIqNAvZLVK3sdiGoOnf0nkBZIr6RDQJbc2RgH+mFF
Glf7GvTLgkTkDSDafjP3LoixOk/9c6Bf7ngtC5Qb9llCAzlVeWLcDZ7bPZMMN8HL07tBYCNw
Zonx+X8Ei0fi0rgyEPf90wt3toF1R1pqSh0I+ykqqOBbMN60ts+JAmVDaliaAXSRPq19H4DW
2/nEdQvkFnJFqQkYPhCN5CiwL9CEtgt0NZQDygJwNdDqaP1ArYNBtw1c8X7H/IZCqtMZqUkQ
Nyt5SOK3kLDmsf7OBHh99WHIgzVgXeOaqRUA341RxfO1BuPuwPE+P4PTy7lZnQMpjeNmv5kG
8hP1GuEQXC+oXmBhCE0rdTKfC0IbRK4KnQO+P/p7+vqCxynzBFMGGErrVymeoDdI56UgUCSh
owuIq2pTURGsj10z1e9Be6x9qTUG6bn8SDaAds31Sp0IroGaVRsGWjlxQDQHpbFoQT6QhkgN
pTKgPJRXid6gVEZIyaBcZK1SHSTkbBnQldULwytwTDatMB8GVx+1uisExAaXxWEFe23HNNtA
cJWzlrTWAMcQ+yLnUFAmqJKWCYYQUyX5JniMN+X4fQDWe9bOjpKQ1i+zeFp7SC6a5ZteDrJn
5ljTF0Ha1eRKb7Oh/q36l+rfAMNPvk/9CkBQl6CdfpngqqGOUGeBLr/eoThAbeGKF7HgUlzF
5Z8hlWRjzneQMyLjUsIZyHQkTnv2HVx4mrM7tjeUGFc8spQdam8u07Px5j+7ebu5ubm5ubm9
T384cc5unR5lrwm6UUqWVBxczdQKmh/IPaXRHAAxHoeYBVJXuZ50FZTGnpJHJJgCAif5TgJn
F8ctZyx4NvUe55cNrhfqOHUtiHXmG0GDQZdpCvc3gatY1tvUFqD/ylTafBWU6uFDSs0H6Tn1
lGUAjtG5lUB8rvRXXoEoK9XEF0Qr7ak2DsReea6oAATzmTYa5JHSaFcH8Boml7WeAOdoLcK5
F4w7/BN0hcEVYwmP+A7e6hPSX7YH53FrckwNCP4i/EjgFPBq6ncnYjRo+a297R+DmC21Ux6A
c7PrG+dlECu1lcIC0h1phDgMcn9nV8evIDXQzdEXBnspz1FBIRAban9ki4XY716OftwPXmXd
fHJjHyQ2f8Or6aDE+ff0bQq+n0WWiYgFpbboKa2D9BJvSiQ5QDdKsysLIfKbyLnh5aFAXPEj
hT6D4K35ksJXgW8B32yvE2C6oj9k2A38yDqlEaitVFV9BfIcrZ7QwDWJkdQA+0x1o5oPtLEi
BAPQWPKXvweDRaeT84FusNSTXNACpa+1keA669qgdAHbKPW+WhKcmcwUR8HVRf1a7Q/OTppR
nAJlq/yVFAV6p3RY2gZqKe0Jh8AuqcmuH0CUpRojQIoQO6TKoFzUbTJ9B6KP9InRDMpH+ice
CaDPdV2wjwf9Smsd631wxdvT7fdAV1d96GwN+g7mkkomGD43HfPxgOytucn2IfCmdcKepEiw
jbNPdXYDXhobmDqD/2Kvr7zKQHZmxo6cbmCtaxmT8xPYExx1HZ6QO9jm70iD3FfWrbkV4U3y
2/3pbcGyxtI++RD4jvWdrcwAa3F7uNoC7n74sPK9byB5b0qjN4WgHvWp+wfa17sf8MjJycnJ
yYH6W+pvqb/l79fLKJxROKMw/NL+l/a/tIfelt6W3hZYW21ttbXVYMiQIUOGDHn/XyBr1qxZ
s2bNvx7/j27v5ubm5ub2P+kPJ87Xf3qu3XkKUfEPW0Wuhsoly48sPhlyStgm231AacgmMQvY
QLw4DK45TovzBvh19FnmvRvYI05JX4Ejy9nI9QVIIyWFEyA1V84pFUAEskz3BHRbfBJNRsCX
xpIetMNqX9UC8keUdjQDhki99R+B9kDMU8+AfIgY7Q2I7bkFUluDfVt6RvJLsL+ynklPA5q6
XKnt4NGa16WexUNqrcQe8e0h3+yQL0Jqgv9W/zmRKmR6mV97Fod0P1df6QG4Or1pmL4YvIdY
Bmdbwb9ikG/4CTDuMtfwNYNWUy2mrQEpWIRKVpCeOjprw0FeqLP5tgBLtG8L7wfweE5Ww7RI
eJF579j9tfB89I1dV3MhO9n2zFIGPGIjt+TPBUMHv/6e18C6OfNK9jPQiuXUtH8P4baI+hHf
QpFeZcoUjYf8+Qu8yj8GvE/4DvE5DnIL5Yg8EaQvpEnsBhGpntaeguio9XMVBLGbL2gDrmpi
jxgOogyvmA3SG1kvnwLRTfPWhoP2kzZQM4KrHL9wCXQHpVfMA31tpbTUEsR+Mcp1EERpx2nR
BJyh6lj1ArgyxV1XIRDPtBvEg/REncwBYDDhUlcQr4SEN4gxIkuUB/FWNBUFQOSKCeIKiG3a
VK0PSHNw0g9cV8VbyQdEP2WFMQLksh7lDYmgjzA8tY8C+Z7jV1tP0Okdm+zVQQlw7HB8Dfq9
5g4Gb8h9qBuhrwXp1qz12U442Piw7lQV0H2uP2PeAPpTylVlJOSOyzqT8RbS56bdTCkKak0p
3nkbNB+tnCsZXFfEWt0SMFwx7JEqgytE8/AMAD+dfykvE0g7aK7WhaRLad9nTgRqUpaV/3r7
Krqw6MKiC+GnaT9N+2ka1K1Yt2LdiiDfkm/Jt/LWe/eT24XnF55feD5IJskkmWDglYFXBl75
932BDKw4sOLAin/e9v9u4pq4Jq7B7ma7m+1uBl3Tu6Z3Tf8dG65mNavhzp07d+7cgZiYmJiY
GHBWcFZwVoDg2ODY4Fho+Kjho4aPQFmvrFfWw8UVF1dcXAGvf3798+uf88Ll75i/Y/6OUPtu
7bu17+Z9/s/9nvs994Mrq66surIqb/3qw6oPqz4MCmcUziic8Y+Le6zQsULHCkFGdEZ0RjR0
Ldy1cNfC//zx+tsLIfeFkZub2/9r/nDi/GJTSp8n5+B0gVvVAixQ6oMSOyMHgC5HfiUvAvG9
aCsVBzrzkoaAgxhcoJ7RjJoepPrSQoaB9FD+mgnAHrKlAGA5ZTAB5UV7bTWIxdJiZSXgEvPU
T0F3j+OiAohDWOQnIO6LDk5v0C/QH/PsCE5Tas8X/SB7wIWip+aAWiipb1JnEDfU07mV4HmT
+8uflYIbnz/88Y0fSNvsDaQY8BWlxnoXAv0L5XTSh6BOxcu7DBicfkr4r6C7qisinYfMXa5j
aW3AsTEjINkC/p7OjdbBYD5h2GC+A1IpNdAwEnSnvSsHL4Ckel4pAQvhwZSEt2908OzKNelq
H3jsee/I9VRw5FecBh34fF1gboEckNN0wdIAyFr+ZlXqLfBVPKqbG0OJArUiK12AgmdLTiqc
AEHLAs4G7gH9JP2H+p4gHWANNUAsUiWtIog0LQEnCKsYJMwgq3zPclCmsUDSQP1K2sqnQCtt
ufYtiG9FkBYB+uq0lvqAOCKVYQbIZbV7YiCIS2IFO0Ecoo/WFdgu8ok1oFSTC4s0ME2VgpVc
sH+hHhHVwSVjFDJoS7RFYg6op9Tx2mPQylFQGIBaYp+mgWgtZkh9gVTasQukX0RbxoBoLLaL
ViDWIxMA6nxRU+QH2ooUKQm0NnJ/gxdIQcYDypegL6+U15cHcUj6IHcSMNFZ1/UzSEOk29QC
5ZayxzQDMs9ZCsifgv22OsF5DbyDfI96x4BhnqfqUQHsByVVWQ+ZpdJuJpmBJ/I9uSqI3WKq
GgDWLrb9rkGQ9E3KuZyRYDxvGKi8Bq+OPo3Ni0B7I/apPwF/MGn18fHx8fEBvwl+E/wmwOuG
rxu+bggFKECBv1rvXeJc70S9E/VOAK1pTWv4/tb3t76/BUOqD6k+pHpeIlPzds3bNW/DE98n
vk98ocWUFlNaTIHoBdELoheAtbS1tLU0FEorlFYoDW7rbutu6/4+Afqt+BUGVBhQYQC8aPai
2YtmeRcAVatWrVq16t9v3zigcUDjALhx48aNGzdADBaDxWBQV6or1ZVQ+mzps6XPQsWVFVdW
/AMXIr/Xs53Pdj7bCY+2PNryaAukf5X+VfpXv3/7x+Mej3s8DuL94/3j/aHzpM6TOk8CpYZS
Q6kB523nbedtcLny5cqXK4PHZo/NHpvB0d/R39Efeph6mHqYQKwWq8VqOJl1MutkFtzceXPn
zZ1QhSpUAc4tP7f83HLotK/Tvk778tbfZ99n32eHwhTm9+S/Lya/mPxiMgxOG5w2OI3fv6Gb
m5vb/8/IfzRAoUFmXeg4eC1eXUmYAj9fPHD8zDMwHTHYzF+BVkM0YxkQQTwPQfpKWiwtBlRc
OEEMEFNZD9JycUyqDhJEMADECVFEfADSZGmTEgPyJhGt9QJuU5xVoJWQFureAI203S5P0HZL
fowCtYSlccI8cBxIGHF/JljrvfSLOQLaZ66I9F1AltbJfgxMP3qVMa2DOoNqNazoAbViGrvq
+4BxVXBOZCVIaWvb4PkLSC6vBf47wPOF2ctjEuhUr/Fem8GzsnfFyBUgVin1AgIgc0VmYYsP
ZHxsOZf9E9gfeoz3qQzJb7zb+1+Fh+fe1H9lgJgNZ8uffgQxO28uvhYGjh7Gox5HwBweeSz0
A3DVcDjsKlg/eNs4/R4U/jrKFLIPGlVvPq9Oa6h4tvqtCt9D1I2IYZGlweuFYYrRCkoL7ay2
FnRHRTGtOZiWyL3kNaCvQhH5W9BVE19IVUGKFS34BvhFnasGg+4D7awaCUos87VHYPxA6SKP
Br3MXhEG0ueuva5b4Njk7O/qCtYhzvWuNMgd51TUdaCNFasoAMaHersYD7oD0iHXIJA7aQ21
aFCmaWdcF0AJErIoBrqrci9yQLkodxc5IJ2XgqQyIF2RxohaIIfRRHQA3YdyvNQfDFtlnfwY
9I2ll1IVMPaS1kntwTBQ6k4wGOZJ10QHUEKlHtJwUM7rMo0XwSB5PPVeBeZ95lYeb8HjS3mr
VBrMm6Vv1L7g6+FVQ18FvD/W5ShbIKtiSlTKA7BXsmdZoyH0dtiU0AcQeSaiWpG1IN8Rl029
Qf6MdcITdP2UWcplsI10DNA6QXr7zOmWe6DeUlur3UB2iPnOyPfXUItlFcsqlgXPdjzb8WxH
3vLME5knMk+As7+zv7M/hL4OfR36+vfH7dy5c+fOnfMSuSLpRdKLpEOPHj169OgBvk98n/g+
+efLGzkrclbkLGif0D6hfQLcXn97/e31v73+vZH3Rt4bCVVWV1ldZTV0z+ye2T0TOr7t+Lbj
W7g6+Orgq4P/+XLYbDabzQbOS85Lzku/fzvvR96PvB9B2bJly5Yt+8/v98HmB5sfbIZqUjWp
mgS6EboRuhEgVZWqSlWhevXq1atXh9LnSp8rfQ6eNn7a+GljqKRV0ippIK2V1kprQZZlWZbz
lv/t5//up8etZ61nrWfBes56znoO9Bv0G/Qb/nE53yXk7xyIOBBxICLvuB0/fvz48eOwJWZL
zJYY2N5oe6PtjSC6SHSR6CJ56/3ez+H3xtu7d+/evXshJSolKiUqL87+/fv3798PZ86cOXPm
TN7ydxcqJ4udLHayGDgcDofDAUeOHDly5Ahs897mvc0bDnU41OFQh98u97sLvzsj7oy4MwL2
TNkzZc8UeD7x+cTnE2HX813Pdz2HHb47fHf45pX/UYNHDR41+OfPEzc3t//7/OEeZ9kgr/UY
CA13VzTWvQ3VzZXTC7cHq9PxxN4W5Hj5pHQMpBHsFDkgDovnoiZwm8tcBOZI06TPQVzXamuv
gRJaPFnAD/JhKRdow2hxAsRjqkr9gMfcFJOBbeSI66ClSB9JRpC3uRam+EDqhIM1Nv4KmvXS
V/fLgml9rS3Va4Ao5t3cdyBISfd73AL8lxovGJZCZhV9Of9m4Nht1JsSwZnqmOb5LWgRprqG
VmCub9CMI0DXQDfTcySon/KdczcYmsg+wgiGhz59A5ZDboDlqaEVWJeZahnrQ+75gD7h6+Hu
4df34krDvY/PPDjjhGfmR18+NYGzjM9Vj4HgWSygqv+n4OycHWkrAfrtWrTrNpRfWalFGaDk
sAqrSsRBflPUynwnwWOprrN+EuSctQy3rAN7dzFMfAOGrbryhmgwfak/aCgFjin2evbvQcnF
iBcoM+UAPgXNqhm1XcDP0nRRFBxlXYGuHqBNEee5A7aWor9rDYgA1Sy8wdVci6EcyM+kadpk
kPJp+cQmcL4URaWaoNSQCopCYFitbyPSQE5jpPgSlED6iMeg5MjRUgtQW4tG0kBwVlETyQCq
ikHSHZB2oanLQBlOG/aD4bCusbwQpDRpAvPA9Z0ao90FaZYK9UB7Kj4UtUBrwGPJBHKG1IAE
UDtwGS8QF8Q5MkD6VrolR4JazxBs2ABaFz6SPgajyfbAZgXsjun29cBj8w2lKYhM2nIAsgtb
m1pegRGzMLog5JN8q0IWgrRf6W74HN6Oi/v40UJw3SLYfgjUBfIRoUKuOfeU2gpse6wmxwPw
yFEGyxHvr6EW+arIV0W+gquhV0OvhoLrW9e3rm/hxcgXI1+MhCL9i/Qv0h8YylCG/uN4pUuX
Ll26dF4i90b/Rv9GD40WN1rcaPFf7bd7ke5FusOZO2funLnz+8sb8UvELxG/gBwjx8gxoK5R
16hrfnv9Dvk65OuQDxJ+Sfgl4Re4X+d+nft1IOVoytGUoyC2iq1iK1CZylT+x/tP7pTcKblT
XqKlu627rbsNXXO75nbNBQ8PDw8Pj9/ePmR6yPSQ6X+1YA1rWPMPd/sX6V3Tu6Z3hfjV8avj
V8ORzUc2H9kM9gv2C/YLEN42vG14W6g/pv6Y+mMg51nOs5xn4PuN7ze+3wBNaUrTvHh+jf0a
+zWG7LvZd7Pv5i2vu6nuprqb4OdDPx/6+RAQRxxx0CasTVibsH9czkY+jXwa+cATnvAEaBfR
LqJdBBzverzr8a7gGeMZ4xkDvTb02tBrA0iZUqaUCVcaXml4pSGcL3O+zPky0ORZk2dNnv32
fs71OdfnXJ/fHy+/T36f/D7wpt2bdm/agf8V/yv+VyA3Nzc3Nxfs/ez97P2AdNJJh4QDCQcS
DkD+t/nf5n8L165du3btGkREREREREDL7JbZLbPh/o/3f7z/I1zqf6n/pf7QcFvDbQ23/Xa5
311Ybqy1sdbGWtAlqEtQlyDwyfTJ9MnMe/bg3YVnCUpQ4vefJm5ubv8X+sM9zo7rhqfxFnjq
Gfv5sTbgXdyrt1clkK+IKdoekOzivFgBope4hA3I4RXPgQc85SnI30mXpRHgqOt47ewB9l3O
Us56IGtyZfkNiF1iqQgDssgScSBVwo8MoJx4RjzIn2k4ZcjNuFLsdCBI9dOzcquCNLx064ou
8Pmsyd1eWyDY0ubwwA/Ad3DLqC4lILh3lV4VsyE0NWCN9wdgHM+PymBQPzGd8lBB2aG7aooF
Za/utVmA/YrmZQ0HtZdjvHoW7G3tkyxFwNbF0iJjD3iVCBweXB1cXgXPl5LhvuHN129qQsza
s/vO3Idn3R7Vi+kF9kXe+4yPwfTYp4pfT3B2zgnJjQSvJ8oUuSnUGFXzdRU7VP61zuJKP0P+
nvm75ysP+wyHqh96AWtSN9/9cSX8MHLHtu0rYLXXhukbVsPJu+ePnPkY3pxMOhP3PRiOmHzk
+iCbdSd0k8F1TTstPgei5SW63iC/NYzVDwf9h6bm+s3gcdzwgX4IGIYwTroA0gPhrc4C0yA5
R1wGQxN5jrQHGC2uimKgNlALuMaBdadrhXMQWL+xzXNVBHmwqCeVBZ9M82vlOpjm63VSAdDr
pclqeTAUk6aqy8GjhrKe/GBeKn8k3QX9FjmK7qDuVp+ou8DxrVNzXQfnETVR6wSuSWRp/cA1
lzZaLDhVMcSVAa5r2gi1O7gs6mKxE1xtRBvtZ3C0E/VFEriSxAiKgfxa56nvDoatpq89PMD0
xHjWtAU8lhMsyoApxbRWag/eIaZ4ZSpkn0xvkvoILBMsx7Prgd+RkDE+B6FwgQLXCvqAqbL+
rLcVDDHG6R6ZoM2Uh5rKQ86m3GGiPrgGufaaZ7y/hmr8wfiD8QcIjw+PD4+H2ODY4NjgvCEa
RaOLRheN/v3x3vWAvqNd1a5qV0FeK6+V1+Ytl4ZIQ6R/YWzq347B/kfe9Qw+efrk6ZOneT2+
lQdXHlz5X+hpfje04t1Qj3cJa86inEU5i/7wx/EPuVwul8sFltOW05bT0KVgl4JdCkKfM33O
9DkDgS8DXwa+hBPFThQ7USxviMVvEWvEGrHm79d7lyA2n9R8UvNJ0CygWUCzALg2+Nrga//C
cXvn3RjrSoMqDao0KO8Cixvc4AZUvFzxcsXL8OqnVz+9+un9x3uXAL9LnJMPJx9OPpx3J0Me
Lg+Xh+f1sCfMSpiVMAvy5cuXL18+eDn55eSXk6Fkr5K9SvbKK0cpSylLKQvEtYlrE9fmt8v7
txeWEbMiZkXMgpM9T/Y82RNu3bp169atvMS5RfMWzVs0//efV25ubn++P9zjXK51/u21JoFB
yA8y/eBN8USPxBZQrFzRLYVuQ1a1nI7ZI0F/XP9QPxIYz2YqA/0Iog5wUVzmGmR6ZERkHYCA
GYGeARbQuonSWhRIW6UIaSSQLi6L2iDuMIZtIO2UV8me4GqSWSZZAWv92PD46+BMSAu03oTg
i/1WDtgF+rPB3SNug3OEPdVuBeOWAkfLLAXxkf1L+zXw71p1ll8aeEy9sOVJU3hV8+X55FVg
G0OUXBNcVRwB9hNg2G/wFhaQ3zqfqVEgHVCj7UtBqiCEtBlsJ7wOen4Iz18nPUyaAo/sl8Zf
OAFPkx+tevAFZHXxWGa8Cr5JXvW9loOcYm1kvw0+No/WpukQ8bDosfwDIfSroifzfQuG2/od
xqFw+8G9o/d7wL2mMTnP6sDr+NjTb+ygjFC26F+DLVN94fgK7uhjPnieBYe+OVbrhB9U2V3R
Um4clGhY9GHhXFA+1hU01IfEgYm5iXUhyCvol6AloGsinuo7g3mWXlW9IKRU6OyQTuD5wDzD
vxo4PrFfcnwBzj2uMNdBcH7uytE6Aw3kFsqXoEwUdaQBIAfoPtVZIC0p55ClFGQ2ytInnwTf
rt4f+y0Hwy7jMlMKcE8x8R24PnNVdP0Iztmuc2wGtasYIDaCNlp8TTKo/cTneAP7eaJ9C9pn
AnERsJLOXeBTxohWINcSH/E14CmOiqYgCvNAnAOprFBFWVCHiMdiDwiXOCtiQJ4qv5ZOgFTQ
WNw0BAzfaxmcAK9B9pbWYyCSDUXZBBQSQUppyLqT+jJ5I3g28x/kEuC/OKC9XykIPSbOShsh
6XjilbfHwZEihCUJMgKyCtsrgfZK/7HnL++/wRbrWaxnsZ5wc+3NtTfXgnpFvaJegYD5AfMD
5v/rcSPaRbSLaAdP5j2Z92QelKIUpYCnO5/ufLoTOMMZzvzr8f+RxMTExMRE6DG8x/Aew8Gc
Yk4xp0BcXFxcXBxwiEMc4i8P3f2jnvV3FxJWo9VoNYKxtrG2sTaEnA45HXL631ePd0z3TfdN
96FqdNXoqtFgqGuoa6gL3OMe96CSo5KjkgM2jdw0ctNI8F7mvcx7GWTtydqTtQf88MPvr+Jl
98jukd0DfAr5FPIpBAxiEIMgZU7KnJQ5EBUVFRUVBSJKRIkoiJ4TPSd6zr9e/ncJutxb7i33
/i9W+M/j/+7hScpTnvLvL15IXEhcSBykPk59nPoY3oS8CXkTAmElwkqElQDlsHJYOZw3dMW4
3bjduB1MyaZkUzJYblhuWG7Axmsbr228Rt4dAwUFBaRz0jnpHNCb3vwX5fnbC8sWgS0CWwRC
6ujU0amj4e3BtwffHoSbr26+uvkKOMIRjkArWtHq3396ubm5/Yn+cOIcXzf582fHoblHnah2
Cpy7dfnZ5RCwebl62GtAodh8alQtUILl3sp+oKuoLLaB9prN2ijQyqpZrr1AI9FX+w6kj0VF
eQzIS1gkTwPnbtdO502QC8hJSguQIqQoBgJOyYAZeG1bYhkFopv1qr04eJyqUK56Lug9wssU
rQHaa9vd3O4gBSi3jadAfIJFXg4u39RgS3swlg7vV7gG+HesNaXUz+D8MfsrWyCkR2Yvdg0C
Ghu/1qWB1kz1cbQGJjoLZx4FSqjt1FdgPxrRreBEeLE/+7W9BDwteCnywgl4FnGv281sSBuq
L6VfBR4tTdm+JnB96+ztKAnyQfmG9ByUrT6/6JfDixlvFr/sBHGnkj6NzwLbfltpV3eI35f4
a/INsJW2lnVUAV2c3FGpB2qKaOYIBNHalSFugCtM6MV9yNidHWVfD7/8fPTQqf5wwXI581ot
kJ/J3+qskPNL7ke550CuI42WSoI5vynQXAvEL+yU2oBPG9+LHqWg+5sO3m2rgb+P76CAgWDo
qq9m9AH9j4YdhtqQNSJ7YU4yOGY5VzjT4G2jlK6JIXClyrW6t0ZA6uq0Uan+EHw6tETAazBl
mYqafwXPHNNWsy9UVMpXL+8Cr25GX++LoN7UvtBagtaanmwFbayYpRUHbZAmsw3ELdFCVADp
E2mEdAq0kdqnWjMQvqg8AM1TRIi6oB0VH/EBSC+pKZqBNFT7kSGgDRSBIgnUmlQXO0BrwjqR
A7LFuMBwCfTV6KH+CB41rVVtH4P4zDBFzgfmGlp9pS9YpcyktDkg5xrn6otARMcChJaBUkcK
Pov8EHy+NNw2LwHzBx5l9L7goQtdHbEAgIZ/ZFaNv/UuQTrd83TP0z2h/Lzy88rP43cPYfgt
devWrVu3LkR7RXtFe8HdnXd33t0JhQsXLly48F/1RA9hCP+G2RGq3ax2s9pN2F9nf539dcA0
wzTDNCOvhz04PDg8OBwutb3U9lJbqElNav438d71SFagAhX++o2SlKTk+y9/ds/sntk9wXub
9zbvbVCwYMGCBQvmDQ2oWKtirYq18nrwH+of6h/qIbR1aOvQ1hCWEZYRlgF3at2pdacW1F9d
f3X91eTNzvGfy4tsKbKlyF9NR/hufykNUxqmNASRIlJECviO9x3vO56/JNj/rHezeNyucbvG
7Rp5Y7XfuVXpVqVblSCqZ1TPqJ7vP967sd3BU4OnBk+FhwUeFnhYADoc6HCgwwHQzdXN1c2F
C/0u9LvQD4pnF88unp0Xz6eRTyOfRtB4R+MdjXdAcMvglsEtIftU9qnsUxDnEecR5/GPy/3O
rma7mu1qBm2WtFnSZgmUtpW2lbZB/p75e+bvCXte7nm55yVwkYtcfP/nl5ub2/8efzhxLl2u
WKuq0yF3tuNx9iXwHutx1/wJJO+M35/8KeTzCPHxj4esD61HpU5wc8a9PZcXQ1Bt35dhhSGm
6us657tAhL9/2YLNIfJ8zukSOigQV3R3wfZgXKdPN40D8UDK1WLBKamPXbNA/0Kki/3AKNmC
Fxi+yTcnVAMvY515jTuAq6UcwH2QVR6IX4Di3NGCgfbGXCUVdA38m/gDWrq+lMdQMAeUuFNi
BPiViJ+TkQFam7OXrzvBGqv9LNUB14Oct6kBYBmd/dwZAK51hQ6UfgvJX3lO8ykFr6bf1l89
Bi9K3p5/wwIpz7XJ9AfdMa+nXvPAYFG6sRWypmdXzBkB6Q3US7ZBED8ho+3bAuAa6fDRNoCj
glpW+wWUOMM0gwXUQmpP1QLaIGdnlw3kZfIdLKBtdi13dQC1lTirvAFyUNSn4OrrnKumg7ma
qb7XNrDUsIZqzUAd6bTljgTTQOMe0/fgytT6qv6Q5ZvdwqoDNdPVVkqBpDKppqyGsGbMjxk7
O4DPBJ+Snueg3P4ScSU+AnWltkGrDQ+ex3g9Ogu6AXqL3BCs1W0f2M6ClVwvxwnALErKQ0Dr
orSQT4LjlONJ+j4QD1wDHZ+AobgxVd8RijgKvC48Efwe+N4LmA1itvpQGwzSbSRxHvTLla66
5uC6qS51TgWtg/qWAsAi4RJlQNg5LZYBzUUWgSBNwFv0B+0LMUNeB6KNlq5+A9JlylMDtFC1
pTof5HrKOe6AOl86I7KAfnrF4Af6ntpAbS+YY23DnBWALwwh8k3Q9or6ujVgfZReJnUByEne
ez36Q7Xp9VZWHghV31SrVukmcE4qQ2XQokRx7r3/BqtUV6or1eGj6h9V/6j6P17/b2fB+K1p
wVILphZMLQgtY1vGtowF02jTaNPovFvhMaYYU4zpX4//e5eXzSybWTbz/R+3f7c9Lfa02NMC
PuIjPgJq6GroaujgXOFzhc8Vhq1eW722egFb2cpWCGkV0iqkFTTu0bhH4x5gGmQaZBqUN0vG
7t27d+/eDWK32C12Q1hYWFhYGFSqWKlipYrALW5xC+qOrju67miI7hHdI7oHUJSiFIUGxgbG
BsZ/vT71POp51POAs9Fno89Gw7aUbSnbUvLeD34V/Cr4FdTbVG9TvU383Zjs9xUvf1L+pPxJ
kDwneU7yHPAq4VXCqwTo4nXxuniwLLEssSzJW48wwgiDhg0bNmzYEM58eObDMx/mDZ15N9a9
9qLai2ov4jd7nP9WxYEVB1YcCPvD94fvDwdpgjRBmgBSJ6mT1AnqX69/vf71P+fcc3Nz+58l
Xbp06dKlS0LUqFGjRo0a/3ogLcg1SL0GqalpG5Iugscg81O/fXDnh4fPT46BWFesI60XFNEV
3Vb6OCR2ze707C7cn/+88OlgCE/x3Jg/DF4XTpgSfxRaxtY91Lc4eId6tTPdAj+jz3P/guB/
OWhmyAtQF4sWYiaoa1LO3X0EapqarasKhknhO8vMAPmm/bkqgRqjTFfHgpClsvJi0Pmp30iP
QO1jbCMXBt1xeZtyC6xeDzfcvAmZhfcHHo6DtyMSm2Z+A9kV7Utzn4LjZe5EQyToEguUK2kF
Nb3S7tIB8Ozgo3m3Z8PtsKP59oyEJ1eSBmdYILeBh9n3HPge9gzw/Ars3a0brVUgpVDGjNT2
YOnsCLA+AF07fZb+Pqh2LUWcBl0b3XVDW9BmyrW1FKCtqhd1wDHTPts5A8RRUV/rBVKEVAt/
0MK0aFEShLcIZi+ILBGtySA/lrtIDUF+JO+T24N8QR4gVQNpmrRU6g38KJnpDY5xjjdqeTBE
69so+0GVxBvtNkhjRXOlKUgu6Qt+BSlUyq/1A5c3SVoW6JJlu64+GAbpL8ozQJ2rnhBNQX4o
HVPyg7bFFSnOAp2YI3Sg///YO+84K4o1fz/V3SdOTgw55yA5o0Ql5yRRkCgoQQEBlRwUFQlK
lowElZwFBJGcc84MDMwwOZzQXfX7Y5cP+9ldf/d60fXe3Xn+mTndVdXv+616+7ynurp7nzPD
WAeqs/zOGg75x+ctn3sPRG+Kzha1GnL3yf5TjmKQ40m2H7Ingj/T/458F5I9yfUT10PEgohP
I86DsIskW2fQymrvyolgnbdWmidB2VRT2ygwV1rV/cEguoinYjroW7VfNA/46/o+liVAL2sU
lxXA09W/QJ0C1VvYxTYwFlBd9gLe8dcxu4P5kbe89xxkLvIZ1gjwLLISKQypb3vH+7uDzXQO
cQ2F/PPzF8hzCGrdraiV/QJKdi05v8gs0OMDWtjPg2uAPZfrXyARPJB2IO1AGjiXO5c7l0NF
VVFVVHBm0ZlFZxZB8ufJnyd/Dg0aNGjQoMHLH+9/Gxs3bty4cSO0atWqVatWf7U1WWSRRRZZ
/NEcO3bs2LFjoPfu3bt3797jxj2/qeL3sunAgfFfVQKP3V8lcyOIetqhgGtwmwfDrl+BkyGX
bx5fB1HTg2WhJKi3svbIV3PDE/W4xcPB8LDJo0Z3S8CzeUlzMiMhfkh6ubi+YNwWOxJi4OGN
x/Pj1oJ8PfNZZh/INzvvrfx5wV+cMYYb9IFykGc22PM608LugjysVwvUQATqdvNz0KReyD0D
uC/eZwVQWewxLfB/c23k8fKQ3OrQrp+vQnKZde9u3wEJw25uexoCPg/fhNcGrbG7VZ5hYK+U
6+OiuyC0Y/XiZe/CUy0x5f4vcOGdveaOZnAn837eRx9A0gDjk4D7EDIzQDrPgJpsVje3QeLe
1L5JtSD1VMb7afWBCfoVMRCMUO2WuAWOQfYfjGEgOolL5hHQzqstchn42/vftHQwS1qXzSag
vlKj1RKwfrWumX2A7ehSgHhTe5OfQGnqkqwK7FI/EwvygjwsC4M0lUvlA2uKEuoNMJOsdWYv
UNXUA3kTbPuN4qIGqFfFz+oyqPOqnvCAWmq1tN4GaZcrZThIN+XoAuyUbeUxsJTMJVeBTFab
1GpQkWoSu0Bml+NlQ5DV1AH5AOQxGWPuA5VLvKvnhKdvxs1IPQYJ7RM+fLYFfI39nTNvgXXM
DPfHQNSvUfej80FspycLY11gX+RY7xgEtpy2Zs4QeLD8Qfu7Fmgr9VriDKQXyKziWwOnj59b
f3YaxBeMPxlfC4zi9pXGUgiIDyju7ARPc8fHJ1WH4++fLne2KcTPeVY/9nvIdjNb+7BiYFzS
L7kSgFhth/YY9PwUk/3AGiEXm0OBGP2a9i1kVvOM9p0H64w50PoF4pekzEmNB1+RzDrehxD4
oeUU1yC4Z7aQ8NF/dbj/baKORh2NOvriec2HZx+efXg2yE1yk9wErya9mvRqEjjyO/I78v/V
1v7zUbx48eLF/4QlIFlkkUUWWfxzEBMTExMT8wcs1Tj+7YnggwLurs3X5HwZcAy1UsuOgbA3
A9uGJcDTCZ4Hl85C+CqfFtYe7u29N/POfkj+xns71YITM+7uffAq5EpwXAmzQeENkc3LXoYn
+tPq6QvAEeMclLwdLpV42v54MJT4uPDhktUhdGAuX8FfwTPH+CJoDshA9Y62FvSpooJ1BDIK
XdS29wTb0oj+BTeDUSX4XthV8Bx+XPumB7yX75aLDQFxwIgMjIOAIrV99atCsD9bZq7N4JwQ
3iWsGySuOrTtfFGQo8NGh1yDx5rMm7AUbu08Xv9wPDwcfC/kXgrED8PSj4E7yr3XKYFlYq4w
Ib1NWtXUW5AWnRGS9gC09+1farPBOce53dYT1EdWjHoKvi7WFG8gMJjdPAM6y97iDVC3ZHGz
PmhDxOvMAKuf+re1ubOM3FoFEKOs2/I9cAxxFBFzQaap2noCZKSkp5kStAz9SyxQk2moXQc5
1LohT4J4n1PaDdBWiMXMBX9+b7KMA+sq5SkB7OGq+T74a8jDqhEYSXyrtQU+ZqUqBdLPOlUL
xFfyiDgFYrp4QhiIBHLJEqAeqiK8CqoUAzgGWjmzqegNRrAt1PoS5DFVS82GtIh0zGMQu/JJ
+ScrwO10LbF3Anrd+lX/AZyD3E3creH2Z3dz3zsHPsPXV5YDzwXP/NQPIe2HtNqRb8KTe4mH
EjVI+CL1y6QVwJqUIcYCuFMiZvZ9B5Q7+IooshVi9j+YlrEL4oISCybWAdEwYY05DLSW+kR1
BPQm2oeOIDDu23aqC5DPG/00xwaQXZll5QMjRgw3PgJnHeOgKAypZvJXSVNA+9B90PUmnEq9
2u72E7i3/H6pRxOhD6VSCv/V0f53EPBawGsBr0ErWtEK/sM//05ucvMP/LDOIossssgii/9N
vHTi7OniqOHT4O4n8d2exkJ455B+RwbCrTH3r2WaUOZ45O16kfCT72SLtQXB19j6WX4PeckT
XLAeZA8xfo4AGjar2L9ZV6iztp63wU9w7/C9ireDwXvYezVjEHhIym3VBX8vc4/3QzAvqLE+
E7R7tjtBVYCy1hbzAxB5xEfeV8EXfpPr0+BZ+pqZWzIgsn6n3D3zgXNWwfwVXeDYWqCGOw30
C/Ya+mTgiFbGuAf+gQlFHyVAWo6TnY+NAeNV+w+pCqyfclzN2RPu3jgz7+x2eFDhYoXz+eFp
vsyZ3p9AfekKDnwCjhb27/SvIaNcRou0h/CsXup3Sb+A75RZyPoVxJfiZ70e+GI82X0fgNna
v9oqCf4FsqhaAmq7ShYrQEUoyQRQPpUp+4HIFB0JBZGgd1JjQXRgiVgFjk6O9/QgELVlfuqD
0mSYVQTss9y3tNNgtvGusCqBzGXetWLAiDEKikqgVqke1kmgj7gqPgbrdZWgroC5yKwmF4Ea
yGA6ghishxvZQdZU45QAbZdaJiaA+lF8qT4AVVOOldWBmezlfRCJIo94AljiB/ElmAtkiuwC
egJD9CogG/oa+38C3bCVZDDoyUZbYyskDkzOlt4fTlc9N/vyRcg/L+/VVCeofuqivQ0865Rw
PyEf2Kraxun7Ibhw0CdB+cG31b9DAalp6SVSkiHdn9Yj7RBYk9WnrALPfm9IamH4tcHRRqkz
QHylXtPHgtpPcb04aBW16Vo2uNX7zpWYy0BdMUFlgpzAJetreJrjSc3YHFBI5G4S3RaC3w/6
IHojiGJ6eaMaYJpXZWdIDY7Ln/A+8JPYr+8F/5u+Z/7nTxkY8leHeRZZZJFFFllk8Ufw8onz
WvkxoZA++lmYJxlsVmKm8yw4mgTMCa0Kj4JEw/N+sL0S/bbZBDKd1g/P3oe0FU9soTHwTnKb
iAEfQWBL+9aALiAmMVtOg0K9C7Ys7oX4uylTHrnh9OXUxO3fQciP/omVu0F0Mb2M/XXwJvrW
m6kglhpOxydg9WOJ5QZ9ZnCvoAwIXVHznWq7wHmgTIPaMSAqS7u/Kqiucr95GeT3/pKMAt/r
T6pcGQvJTbaM2hQEvs5JB83sEDS/yobajeGxK31MSgrc958aemQcxP6QcDmxGmSUEo+0NhD8
natkQHZQIeYjqwGknkiLSF0E3nPWUTkI1Aoeimsg3PKK/B5UI5FIB5BBah5vAnNVOXKBaqOu
q/4garCLyyBeoy0eUB+qn5UJLJIjCQR5iVlqGnhvmYPNNDAeiLJaEIge4hWcwBdmNrMGSJt1
W60HdVGW4RKIEO2+VgRUX3VUrQO6Ul7LCdZNlUO2BtZRWT0CvZ3orQkQ8aKnWgeytQqgI1iV
rWTrCKAorn4EfbKWQ38X5Keqg5wI6nu1QU0A8bVoIrKBbY/oyBkw+tua8C5QFMlcMD+VFbgK
3vLeNGs8qDuyv6oLopD4XqsG13ffrPEwFkyPNcDKDvpIo5l+HLRUrYh2ABJsSQuT34Lctpyz
olpCYpXkZ0l5wOwoI1RH8B32/uRPBC1TL6O3BF+Eb7D3JNBafiymgXZDO61vACPQENpG0MaL
aqwCcUHPo0tQTVWsWA9PNz9bk34ZXF/YFz/LD/YRtiHuM+A44YgPyQXKbkRrvcCb4t2c2Roy
a6aMSN4I1nZ3Tnt14Afi/uogzyKLLLLIIoss/hheOnFO+eRZ44wxkP2UrU2pMtA3tHncsE5g
vx22wF8bflp8ttjqGeDv6u7kuQAB+5yh6S3g+1aHh80YB91Kuku9fx88OzLWiyNwtOeWxL02
cF8LmB9pgFlb22pNgsKDw08VOg8P5ySviC0JUcVDZj48B4GusPbRMSCbyRHWItC+FwMch8E2
Iefigu+CNj2oUVg6MEIrpQSoK759/rqgKmk/GfsBj7FKPQN/xr30q4vAN/PplKRDoI/OkVKs
JvjSws8GeeHawF8O7FsHD5fc2XprEDytauaXRcGY5ZoS1B70j+mjDkHypfTMlD2QdsZTwTME
bB0dUt8D5nmztLUPNLuWIk6C6shqmQj+H/2brE+A3UwRD0BPMOrr74IsZhU3R4E50SxvhoHm
0PppocBiNVzMAnldFpTrwL9Pfay2g0+p5VigubRocQb4jnPiF5Br5C25GcRoFSHKgD/RN8o8
CLQR5cUOoIo4qNqClahWylygD9GTtO3AKTFcVQXZzHrHqgiqvuqKBnKJtdLKA3ouo4exGdQ6
tV8K0GqKyWwFI7dRX78OapiKVl1A3yUuMx30942ZfALmm9aHaiCwSuUnEKwWVl0rDrQfDUPb
DdRiltwMZj95ShmgxRpztNxghim/3AFMNQ+rOmBGmU/kKrjb4V7A02fALW29egRiqfaGjAb7
FftF/XXw3/D7vMXA2me9JReAvkdvbiwBFaZCJCC+tzpqg0AuFsOoB3oPMtUWkB+pPsYHoO7K
x0qH2K/jRyRVheCooIoBiyH7B+FvOpyg5eKi/T3QO4ns4gPwp6cvS5sORmf71cDxf3V4Z5FF
FllkkUUWfyQvnTgXHxL9cfUtMEB1aDUiGgKCw4q5PoX4AU8OPysIaXnjCgZdhqvd7125XRSe
PHka8Og2aKvthSPywVbbsZJ7+oN7sv5dwBBI+sI/5n4EPG7ka33zCKR/lxaVMRFS0tKOPlkN
Qcm+9QGTIU/fXK9lbwJhVaOt3Bng3ZzZ2dcTeEpPpwf04ZH7ChhA/cyvnu0E7bi134oGs6w2
XJQDbbe6w2mgiizl8YMxKCQ5IAl0PXpWYE+IuFzjiwrt4VmAJ0+6DR6cOP3TyU4Q2zfF78kF
me+JpUYwOCrJcdZ9yDiRcSTNhKTMjLEpS8HXUo62eoDe20xSJqjlag1zwV/KHyvfAv8oy2Ol
g/YVYfoSIJ27NARru3+ptQ/kU5lobgZjrHZMfw9ETm2YmAr+ymZnsxSIH6klyoB4IB8qJ6j+
Iln0Ayu7GqmGgRjDIHUdVCXexgPqjOhAO9BHiFAEyPxyu1oM6o62gvv82/NHvwexWWsljoHY
IiZTANR5856KBeqrdtQBw2f8YISDWKfZRXGgJlPVFRBVRVERArKPLC1bgJjN62oZWOOpz3Lw
7/cYqjPI0uqcygv2FcZyrQDIX+RI8T2QWzWhEqhlYhz1Qd1Xc1Q40E8VlCdBXFQ/UhpUdjlI
7Qf5Fqf5Cvzz5S6rHugrjT5GJChkb9kV5Otqt9UY1Dcyr7oB6jPVVuUH9ataZc4ErZ+YKucA
4/VuxlmwlbNV0gDq/Ns7c83q5lNfd3Ast2/U80DmMe/nYjDEvPK0e1w7CLjlfCXAC4HSnRC+
FnxJYrwIB1nUH+c9DvLXzP3aFaANbf/qIM8iiyyyyCKLLP4YXjpxzq/yNMw1F471Ppd2sBns
v37CsTcvPByV+FlMCLhWR9RInAzBnUN/dLWGRO3RCN9MCOzmHuYMhdTcni8fvgapP8ijqUCe
1kH9Qi5A8KchGZVSIXBntgxXLhAunigHVB5bdnXz03DddiXfiZuQ70GxyYXKAW/bdjvaAnXN
Ep5pYCSFRGf/FtRUxwJWg5LWOrM2iMrimpYK2m013GoBqqSSrvvgqFTwrdINIGJBtshCFgQM
y76j8JdwftLKbxeNgccxdz++txsSx1gleQOsLSKT6eBdnjkqfSSY4dpoaoM33d/UWgjyB5nA
aFD35PtyKchGMkquAmuC6qQ2gFVBRsv2IN7QqqhLwGLGUQJkP1VcPgW1gW9EZ5DJPFXRIIqr
yqwGoshLQ1CBVFS5gYJiCj+AeJsSqjqoVDlAJQF7xHgegdZDZRIHXBY9RDSoTyiqfQqyLXYz
E9RE+T61gRIMEqvAOmSGqZOgf62XEWGgP7K9qt0AtVF1FnHAIDVM9Qe204xJoApKp9oGtNAi
1CqQp63q8i6oXNZB0Q1ENuMtLQnsFexRwgF8Zj+i3QOttrlTfQDWND6X+UFNls+MVcARevEl
UIu8MgKstvKO+g7Q1V4jEsQmbCI3yF6qgjkI1Gh8zALKyiQrL4iPhd3ID+Z88yEdQCspQkRB
EJXoI98AkVflln1AjuSWuA7WNFnBagOijGmqKJC6vCa6gTXdHKQqgO810QMbaGuNulp2eJaU
EJQ5BJ7WCYp8lgjuKc549xawPxKz3Ach4z2xROYH3+7Mn7wh/x4kV14+UK9du3bt2rX/iVNC
FllkkUUWWfzvpVixYsWKFfvH67904rw/z6W1W5fB/TMJC5MHgbuYvacxF8x71j7ZHUTOpPl2
C7JFRTwJqQKeT7I5H9WB7F19+UqUg8c5UyfHvgkBt+yR9kNwe+3TV6wlEDQnuWqsAba3jDmm
CwyHW2S8Db5dt/qqtXB1+QX3xg6QbWyuVLMpVD1T++SATyCjVKY9czjoDr2U2wWiqXtsjp7A
QxWjaoNWm0gGgNwvbCIHqBgSZDCIdcav0aHg7B593z4YUro9GHvnFTjb/kCBg5Xg2aeZEb4k
yFjFHDEN3Dscoe4QMPOIH0QIpJfzXMgMBP8Cc6FcDuJNka4dAS1Oz2P0B/mmOcW3C7RTso1M
Ai1OL6vlB9lM3la/AnmowQXFXdIAAIAASURBVAgQmvCJa8BMNVX9ADgozXugpCqtjoD4XFTX
PgbVS3VXrcCobxtv1AFrvhwoXwc5UzaSX4JeQ2QTUaBd0a5qbUE+kmHqIcjmVGAD2FJtbzuK
g1nVymXmAWlZk2Qb4E3lZCRIJduppwBMktlBS9Gq6ztB+1g/px8Cq6DVxeoBeglRVPwIKpfM
8kjQFwpPEwTTK6IqDwNTKcOr0jwQukhJhEMgN3hdXQSB6/4VWhXQygfwS2AaLiewHkytxfcM
n4FxqfS6XAqEVsJ04zVwX8t7NdAC3FneZq5t4M+hpR4AyWncaKwKYntLacsKCL8ZNsC+E0od
LZVWtBRofeQM5wZIm5S3yTcL4l9K6hnlAdMZrb9Y9O+e3iFChAgRIkSIx8kjR5yLua2tG70K
iQ1LqrWNkGfK/D41ES5XPl7r8FzIuB6zXBwKP8/ce27t01Ai15RcbDE0mNMzvJsA7DaMN9iB
Ju592REQ3JKzPn0DmFxPLKtcDbI7piYd3gNSW72+5TwY9prerj4LAk2CmxQFGKBe0aeCfFLI
MXwJQjVhoHQRlGMpC9NvgdJP+tmSCuaEqLKxdhAqxJ9KNIDxm/DUsPYgXNWq6XXAkGyrb2oB
2V/Z6l2YAhmf59Y7thme+PWJ65Ht4P6B/L6BIeCoH/1NsTzIKnN3+dWG4Nvi6pX/LJifs5nD
3SB8Fcj3vAm5Pf3l9B9BG5bmcm+EsC+NnTQVIt+LHRmzFfR5WphWEcyTXY3zx0PUSuec8Dqg
n8Agvg7uLwI3vfch/6inXeAT8Bq8ZXy1QEiVBprbgnaHgYIIYm29vToY3IJvRb4RhPZUYwEk
9Ima65gATqfpVaERuIf7FmrbQHhX7CPsBst2Y0fpOvhLBdvq/SHnRHZe1kAIlFIuMge8nygJ
ru9Av6O94Z8J9s+Ms5TOELzo9weLg3dW4FMGQ3yD8JExJ+Bm/4zlma9Ddh/3PO1JCH6jFxe/
BMtM09hgFbCnGl+TywIj1G3Kh8AoY3epKuSv9FViHOQ28szx2cG4TIqSfoL4b8NrmCeCmCzu
lBqAMs3c1WQCY5XA7kBb0A4KG3gDxGFKslAK9Gyluj4RTG6TSHHwt/NN808BaZkwWUyBnF55
QfdWCFZVJ+n1IBirrVK+A8MG01GrFXxn/GnuY+B8yXk4YgEol5WA9gUo4/RNCiCu1WcafoFi
MeGnxKNQ+WpZQ4keYPnAUNY2AqTe8mZ7S4gsEZkZocDx5b/1vdQcqvP0dvb/3dM8RIgQIUKE
CPE4eOSI85OTms7t8hoEvGo3ZSFIJwwmiwyMivxK3gQ5nTwr8upAxjh5qrsshIUnLdArQ7BJ
xkfX0sH4TlSFqNHALO+xzGEQ/VxcMccNkOqapxiHQ1TlmJpPXIDoVfHPlu4PyknlR304CNFs
1GuD+IN+jtWgXxV8LAJtJ+gZoH+mlhPCgHW2Jo5NoNv8S7RXwDDIYDFsAslcYn74YmCjPlVc
BwHRc9fzKZTdXiQ++jPIn6Gn6E7wTM6alfElFHNGbhcrg2GTY2p0SzDXdESGXwf/xOxmaRVB
SNQ+NE4D83zbV7ZW4L3i7yb8DHlj9Q6yA3K8Qox5Bni/UMYL/UDbqnWSxoNhu3m7zQvaG9oo
NQ3cp9w33T1BOqtmBnZC4vMRMXYnFEuOvRLxHhiD2kK/BlJQPRpMB0d183zbN2DeaFxq6ACW
2YbD0i4w35MPG3rBjdZp2ZlHIWDTB6tfg62bdaqjNHgmuFv7wuHuKxlJmUshp6L7bN7H4HnO
VyN7Gnhne6LT64LyXbCfKx/cN71NtXCQYqST2gIoVj9mRXQanIu48WJ6JCQ3yw7z9Yfs3u6h
3rkgzNUVdT04TVJDcTXEzrU1FDuCsNbYWCoNWRZXLSkfAiuCP6rvQkxUeGvLOrAtNB8wWICg
/qq2AdLPZkl5DSF7Zu47bhv4anmt3s/Aty3fn/8deDa5W+V2Bel5PvV9CKrBlyGeAj1b7yS3
h+yzroX+tpA5zlXM2xbSruU0zMmF7NGusZ5lkH04t2VOZzCeMXqZA8Zy4mZhF4SttD1t/ATC
F9ojbFvAEDTkMAOS9hVPid4OCbfie8VHgnOtKcJ2D4peLnOh7FcQrOMZrpngmu+4+WLjv3t6
hwgRIkSIECEeJ48ccXaciA5PrAXa6/pSEkHUjZGGk5D+Ws6P2c+BW7tjuW+DWiMq3Kl+Eyp/
U21pkzGgHDfNle+C1FA7pFtAre3Lc/8IHBC60hL4Xl3uLgPa/fxfvG1ALB/ZLvEuSFODq5Tr
oP0qrmIrUEp8CR0Cn6ot/K+AaVRgQOAWqO2VY9Ii0HNN+fYRIGzwDJAnAfdB2g7G1Um14yoC
PyjJwc8g0C6j0d2ikDfA0S0tC8q3rGl8sh6cPXLuwHw/1OtQ9esKL4K9q74wdjn8ttK3oWhf
yDl8d8jFMuAdkfda6kqwtI94JfIwSEOCb/o/BS1JGaSNB22c8XJMVch7Uq+v/gDKO/5G7lZg
uK5+p+0H9wveQ56yYOtqXeg4DmFzhabSIbB+ZOho+AWkHczVDkCJQwmzooaA+6hfUJaAd0r+
spwWUGRK3LGYSHBV9DnV2iDWlT+SLVCkjf2LYrdANOj4VPBO91x2LQPXfW9q7hbwHfUu8/rA
vNV0wuQEZgt7TR+D/aJ1fZgNLINlp/AGWOZI1ZVFYJpg/MRqhKvT7l5zzQT3fC3HPxAsuwxv
ma5DzKawiqaFkDIxdfi9cIiZ7+hrfR7sLW0dnNXhXPDOxPvPgukDU7R9BDieM8w0lwfZoCS6
B4HWXUsT90CyKXeU0hL0ZHVd4CZo1XjO2A1ymqjDgimgib6uyirQ2igX3FvANU3+Vs8A0S7U
0HtDRDCmVvw7EJykNCQL5AjxvnoeHGmWT8RToOfqg/UkMK6Xd2lPQdhts4UioO4J3vL3BvN2
+54IE+jfB7boXSD857hS9hiIvlBmX/m14M3WdFM/iElPKBXbAiKMiWtjUuBIwpohv9ngxtr7
r9wJA7r+PRM7JycnJyfnz2/wK3gVdnh4eHh4+N/jW4gQIUKECPF/K48snPXLQpK+EFSbu27+
WMhS7s+8Egslp6k2S2UoP6ma/Ex/SCpSbdPTz4D2Y2yLpHIg3gjc8CeCeFUPExaA671bbU8N
BWt6nK9qBdBdnsH5rwMfegZm1wHuRX6bWA30S2ITPRP0+sI9ZJD26WnC96DXpkTwJPg+8ke4
+0Kw1vWVyVtBW6D1pxfk9JfteS+A49Sd7y/OAN+mY72PVQPLk0/sLHkOzFWqa2UOgn7fVyds
Ejz5ZpHPLF7wj2i28fY1qFSh4nvtoqDlp/UG+2pD6qnpT37XFU4t8oyI94Lnk8wrd0+A3NiS
7ngTTFPNx8J/Bf+d/F+yN4Fncs6R7I/A4DfZjW1BKC7ME3qD57BeQv4ELM8a3eEVwLdCXcJe
yGklLRFbgj8quI0+ELPR8ZxNAJPJXMH2PuS3d+V67kIw0jzZ1BycC6xPW09CXP2IznIa+Jr5
p+rjwEVefu4VkF4WbuofgPS5vZRhHNium9s5PwbfWH8Ty0Cgs/JJsBqIMQbdeA2yu3m2KT9A
cEFAEKYAO+WRYmU4+/HNpLR0CF6R47VPwWE0bTSVBT5V6maUh7ud0seKvcD+pOUbkxdIE9O8
AmSYsn42L4Lw38KnxQyHeGNEinUU5Mo5NfPuQ8AdqKC/ABljcu+4PgP/WvWEehmiV4b9am4K
JtH0vv462N4IDhIPQobGUXkfyPGSGnEJYvaGHTfFgamcvFjNgkDbQD1xB3ifZZtaHqSeRsGg
g7RZO2qpAXoVvXHwJ1A3aN302ZC/1FNFdYD0imm3cSHk9XDt840CxwnzJsP3kLg28VjsdhAq
iAesS0Ftp1aXL4L9SNzW+EsQHOde7H4bDvoPeI6Z4GSNm81u6H/fxG7cuHHjxo0LBXQBBUL6
5MmTJ0+e/Pv8CxEiRIj/KbhcbrffDzNnLlz4229w+fLNm9nZ/zl75cqVKBERAW+91b9//fpg
t9tsJtMf/fH7g0GYNm337gsX4PLlrCyf7z/pT2Sk2QzvvNO4cYUKYLebTAZD4XGfT9M0Dfbs
yczMy4PcXEVRlP+cP06nLMsyNGoUFRUWBmazKIqPnF9RyKPvqrHNvcG9Bnz5nks5i8FWO3xV
3HAo2qxt0bqVQJvKOf0wBMspb6mpoM/zqb5bQH8xXG8HqjH4ptsI5oiIV6Jqg1yr6IIKlUCa
aW8Q1gT0bbaoiHGgaapdeBv03sIPtAZhLueFWNAq0oMfwLRWcDhmgtrAZotYDxGb61RPrAOn
jtxt4gvA8TqxX1y6BD3GSlm3IuD+pgr63Y8g8WrJt4tFgO0t08sJr4BU1vx5+McgobcLfAjN
X28WGFMJ9M/0bPqB8G7iEd6CLrVaxF/sCDcHr2l3egXkRLoP5lQA1/tZTe5lQrgYV67o+2Aq
a4sKWwze3vnHs3dBcLa3hXYIhHbiPnaA8JvhU9EO4q3gJMs3oDjlqsaPwLPN3F9OAOl7/2fe
3uDPU19kBeQvcHfI/QjMp1RH3rOQPSzjzv2fgHnmbyIGArODbZUNII6SF6rTwPy9ZZVpPQgj
6CyfAD0/6PSdhrA+pjtSPdCMksPWGpR0McOcAJ5ozzilOrg7ew3e+sAqbYivH4hthCPWLRCe
G3nLbgD3E3nbcxzgve/5OncjJJhiDNHvQGZuRvUrvSGsa/jiEtXBucgxNu5tyL7r7xE4B4Gc
nDfVs5Dxli8rZRaYt1q+Nn0DWSfyf/PdBm8nX5y/BBTJSpgTeQYM+w21rJ8DL6hdfDEQccL5
jLkJqBMDLfMGQmqsO8LdDTI1YYU8CPSPSNM+Aq0PpWkGpm8NbmMSqAeFZ/UjEPxF+0ibC/6J
wc+1X0F5UnnN2wukytpnQi3Qh9HWK4JjjbWEfBJKVirmKqtB5IDoi1G1wfBR4CUtHSJ+jnHF
7ATTbXGJ6IQDB9euPrYMfj190XX5Y0hLUAzalf/cB8PD2L179+7du+HUqVOnTp2CGzdu3Lhx
o/B4yZIlS5YsWdivQGCHCBEiRIh/j2nTvvpqzx7IzMzLCwahbNnSpaOjQRAEQRAenx1d13Vd
h7S0jAyXq9DupEkjR7ZoUdhv0qRt286eBa9X0wQBnn66WLHIyN/9eZzX/bs3cONGZqbLVWh3
2rTnnqtRo7Dfjh0ZGTk5YLVKkiRB9epOp90Oj9cb0P9XsOruXa/X7y+027ZtbGxk5OOz88jC
2VPeVTz7KTBeMM43zwEpN2xSxD7wunztvcVAKKbdFlJBXSlvZQIIT4it9LEgxRNm2Aj6NvVt
zwtgbFP8h0rnwHjEtt1xDdQ6/Mx1IJYhYlEwmPQ+gacg+IzgZyNwUG8q5oLuEw7rd4B21FXD
QbwZ2GMoBtYKjV+v/Trkn80qsSUbcsom7wp0hrzm7PLsBnVG6SNFq8FvHS6f25sBLfaGnSz/
AvjC046aj8L9j29bMhUw1jMsyRoJ2d1TFt8/AdkL7w+6kgKn+t96PjkarO87moT9Cp7n+Lp8
J/ANv3ng2CbIH529N70dhN2KiozdBMaGFnOgLgRd/uK5L4I0QOwkDAd7H2tkWFtgpsFiHAHG
Z+VkcTI4c8X52jkwlDTedhyCuzfyJulx4O/i/s7/AmSd0gcZ8kBpYMyJ1qHI3LBSxo8gc0LW
Ys9IkOZzS8+BPLfnF90C/tJqQ78Z5JLyEiEdfBW00tqzILcSw3LfgHtazjn3HpBEY01HJTDW
NviNjcE0xVDZ8TxYj3PDtw/8971fZqWCepIZuhVMw8zbtDBQjqvvalWhyLNxlctNh4gGkXG2
M+B93n1Bngt5KdkXvZ3B3VubEOgKjpr2c5bj4GsaTNbKgq+PupXOEPd67ILo02Cda21nKQJ3
HfcmZnsgOCQ40HsMOKp/GlwJOQbf2oAbhC/ll6yNIbhYu009MH9u+cq4AowH5GzpOChjtQix
CyjG4H1fMbDNMowUVoNlkeyQy4D8k7Qy4grkbgycDnYF+1TjZrEjlB9etEFcKhQbWGx6sftg
+F64K70BcZFRwyOuQXRE1KLo7nDpjd9KXP4B1rXfVHq3E5Lv+su5c0HuIm6zv/m/JsnWx/vh
8F9RvXr16tWrF9Znz549e/bsf94vRIgQIUL8e5w7d+VKVhYkJCQlhYfDzZv37uXl/efs2e0W
i8FQaPdBzpxJScnNhTJl4uPDw+HAgdu3MzL+c/7Ex9tsZnOh3QdJTw8EFAVKlbLbDQa4cMHr
9f4HXxAWESFJsgzp6b8L6MfNIwvnlNevGq+/BH5r6p2sSVD9Rre1XTIgEOkvF3wJ9JOyme9A
Oqud4CgILYVBwnzQE8VTvA36Rf2cvwmIpcRo+QvQfhHuyEnAVa1fsBkILwgLBQ8EpwividNA
vKjdFRsBccJJRQdhhL5fPAJaGA7ZCnwtfB0sC2oFz4vKN1B2VOLrVT+BW6rPu/dDyIiQD+Tv
hCSTdtXRCVKeU7+Vv4CsWvdfvrcbPnG8df2TpXDTlGYIvg9R40xT82aDflD53DUaMmPdC72v
gPdL+/riNSChV9GfSyQCc8PaODdD+t3o3GKHwHcgvWtyHPjOGJ817wFHmPOtsNsg3OJLvQSY
s8X5QQnCgwZdvQr6u+pVlwuc3YwviqXBvEsKD0bD1bbJL+acBH8nLc/aANT9DJDcoHehljYC
5J+FbvpZSE3NDQvsBltTRwVze5CHyNUsA8FX05vpfQ+cmXJfVQIxyEvCdTCWk7vbToM53Bxh
jgXjPPsWbwYIRWjNDRC3CcnCE6AW1T4I/gC2ZXK6dA3MLxpLR88E39P+LrnVQOhAK+Nh8OcE
n1DmgH+765n8HAg2N621esBt9MzKnQz6fOEt5UMo7ot4WagJRrcQJU2EbLN3vnYPYrs7d1jy
wXnSlK6dgJwS+Yvze4NH1b7QPUA86YZPQMumL83BfNFWxZoDlpcMTxuOgtpcP6L2ADVW3SZ0
A7WffkS8AfJaSQ/WAVN/c0M5ABHrnZ86OoNvua+EfBk8H/lr+yuD7YjBLk2G4pvjzjrPQ5yx
2PLib4BeVPjIEgT7QbGH8RSUeL+0Jak1uIPZNz0zYPNzv2zYdwPudM+9daMuWIrzsS8elE91
hGjgmf/ch8M/oiB3efHixYsXL4a+ffv27du38HhBeyjHOUSIECEeD4qiaaoKubm/p2w8+njB
oM8HPp/b/cdUO7s9PDw+vtBOgd0HCQQCgWAQbt/OyXG5CttTU0+dOnCgsB4XV63aU089ur8F
dgrs/vl6VFXXISNDUf7R8R07tmw5ehT27Ttw4MYNaNDgqadKloSmTVu2rFXrX/enwE6B3cfN
I2d9ZAfUJhkTISNIh7z2IH8nKNJ1EHrou7QYoCSrOAbCZGGVsAVI1/cKh0H4SFgm1IBAkath
v5pA2Zmdl7MbxBtyshwELUroKb4B+la8QlkQbgtf0BsYI1TTrgGdGSZUAl2ksl4dhPFCS6EY
iMuJYQb4FeEdfR0UnVjmy8YXoXlS7ZldWoP9GXP5hFpweXOGfL4smM2Wk85s2Jd88OkDFeDm
RYv5zlsQsFpreXeAvVW5L8ucgurVn3uvTQ6UblK9bL0hMLzMwNrdu0MDR0U99kOIe49VeXPB
Oj+2eZGVIAfCf47qBN69Oc+mlgZPH09L33tgbGqvEdYJtExdlI+Bt493tncKGJ+U7wTzwYfv
E89PcD7hxmv3v4NkS/p3GbfAl+0d4y4N0j2jxfgLmP3WV2zdgVOCT+oP0jmD17gXlIFahmE3
5A1wV/VZwbTY/JxxIYRbwupYv4HoSmE1wlqA+bgYqRwChgT9rr4Qdsd8lqch4evIT8KTIfaG
LWCvB0kf2Xo5loJREFvYcyCwRZkdCIf8b3OfyU+ClEP3v0yeBqpDfTk4C/LDlHDfi3D9aOaU
kwtBbiDc8s0GdumXck+D57fAskBpuHck80amFQxfSFGBnWB/wlpSehNSjBnFXfPANcV7O7AD
/JV81X0/gPdz/+agC5T7rBLmg1Saz3QZjLHGnfJ4sFewx5hagq28+Xvb+yDXNGaKIgS76nvF
TMj8KC9LuwNX5tx8OT0RMjZm6kgXlQAANJlJREFUl8i8AsoO5QfvzxDzTfTz1mWQsKd4/cTr
IH4nDzO1Bt+OQBXtA3A0jm8T1w3yJrjShFdgy73NR45Ew+Ffr3x9oSuk783bk9YZXPWyut5v
B4FR3hn3f3z8E/avUrAI8K+2Pyq1atWqVavWPy+77+i+o/uOv+++PG66TOkypcuUwut72H0p
6PffhZWOlY6Vjr/+3ArKy6Muj7o86u/2vpApmVMyp2TCVwO/GvjVwH/9/Pye+T3ze8JTxqeM
TxkLr/NO6zut77T+u6/uv+/fT4j/HVVVFFUFVVVVTfv3S7/f5/N4YMqUYcOaNoX16+fNGzSo
sPzzeb/bfZBAwO8PBCAQCAYVpbDcv/+jj956q7B88Pijl7/bfZBgUNMANO13GftgeeDAqVOZ
mWA2R0UlJRXWH9b/r5YFdh83jxxxluuWscbOAHNGxPcRn4K+gycZB3pTevIqCDu1uEAiqN/q
t/U3QeggvmlYDeKzQhkpCcSDQi/DcpB22mNjl4L6jv4jCSB6eVKpAEJznpXMoB/Qx9EY9EYY
eRmIQRBagtBdeEp/Heig19FPg57BarE3iD+LmuUAKAflYsFPoahWVG90C8TVMtJlyMwUx1y+
BdddqWnXf4KL6dfPeOtA+e+bptR/Ds5+/FPXEwMhfHDxzo4UqBBTdmnlzfD8sZ43Xq4E1q22
YqY2sKvbzjLfFYOme2Jv54+DsBPHc7WNcLZS4PXSdyDrQ+2wMhn8CzOKpMwHY19pZtFyII+y
PxkRDf6PA7PyPoQcf97KvFngKRecJXSB7IO+u3oWmI4ZPjE0A8O3wrpgRRB7K0c9AgTDfW45
GczTLD+b2kBwRuAlvxVyDuW9kH0ObEUscyzjQKmvWSxnwHXJV0T6EIyl5eLGkxAw6nO0I6Cc
Dw73XgbbFMOntm3g7Zi/OjgNAl/722VdA/cHys3LRkg9lbY/YyVIv8hNuQSGZcJ0y1jwrfeJ
UjfQV0kx5nBgkVg1PwjuQKBb1kkQazPT/ivklc8fkRcDZ+/feM9dAkodTBgTrULsGet+RxKk
PJv2VP5+8PUgKzAeLLUZI68Bc1k5lWwIX+GsYl4IwgphnukYKHvFi9JSkPca1kvvgRofvCv+
ArkR+W9nZwK1iJbag3Wo9Zi1EsTODeuktwI1N9DHtAoMnczdjU9AkWkRa8P3QuTNYlL8fJA3
Weo6roFayzeU0RDzdYIl6jzIqq1vuA4HXvj110s1YG/S0Xannof0RmwI/gzal8bZ0TL4nqbn
3U9A6CQ1lyoB9/4T0/bhFOQs79mzZ8+ePX8+XpBz16hRo0aNGhXmOj8uolpEtYhqAa+99tpr
r7325+OOy47Ljsv/Z+/J38n4n8b/NP4nsNvtdrv97/amkHr16tWrVw/GLx2/dPzSwvaJ7Se2
n9j+4c8xfkX8ivgVf7f3haxpuablmpZQvHPxzsU7wyAGMehfOH/79u3bt2+HYNVg1WDVwvYt
XbZ02dIF+tOf/n/3RYb4b4+iFAjZAsn27zFt2htvNG8OpUsXKxYd/efjD45fYPdBAgGvNxiE
QMBq/a8W4QUCv6dQKIrX63YXtsuyxWKzga6rqqJAMOh25+f/3m61gigaDH9cjPig3QcJBn9f
HKiqhXnIf0SWLRaH48/1h/X/qxTYfdw8snDOst5NTH4Z4kdGbC37IQifqAl6FjCU17AAfj1X
ugDiOvFZ4XMgyCdSLGhfaK20fiC1Kjqy3GIQD1iHxuwFIVId6t8L2nr9hnwaGC2OZTEIFn29
PgL0FJyYQSiJm1pALf0jwQD6FUrqNuCebtR/BL0l57T+IHWW60qJoNRXv1B+Bem+YZp1Jzyx
O650o14Qmav/EnYSooMlD5u3w+rTi7M2x0PpjpVOR7qhRm71Q6bGkBx2N+5cZUhskHZM2w5R
b9jL2DtD2erhKy1vgNBBa5X4HKQskFMufQL3Eu0bnM+CXpvwcj+Aa+m9FedkyLNn/pLsh4gZ
UQuT1oM+2zrb4YOcqsGeWg1QR/scaSfB0EoeLn4HsWsji0c/D4bOpKjjIXV/VqM7FcFZ01kx
8hnQivpPSgfBGR2mh88G+w7LbWkHuH71/OoZCYHWviP5e0C4bOhqjAPS9T7+++DO8d7xzgDL
WNML8j5QRyiTfG7w3PHlu4uALy/YKtML2ibjDn9vkNcb2tqng2eE5+mcZ0DMNc+R2oN1sXkP
J0FuJLyrnwYRfZztKYiPiImpegTyp7jb5FyFIneimsZdB+lrcVl6f0jc7IwOmwxZ5TOXeL+H
u19nkvMLlH4p4Un7JgjGCfnB2iBOMs+yTAJlDt35GOwJTFN8YFomntIvgsEldpSrQeauvOYZ
KyAm0Z5gmAbxF6Pfjf0ZzG+bv5GPQUr9zF6eCnBzfGrLe8Oh3AtllhU5B45NRd6JKQWGBcbu
tpPg7ZR/LfgyRDeILRG7F8KWxc6Jbgw33j7X9q4fDr9+IuNkdbh/Ua+mHwF1lPxZ9DVgZiAm
5SAY51pnyjfB1MFSIuH5xz9h/xkFEeUCAT1x4sSJEycWHh8/fvz48eOhRIkSJUqUePz2CwRi
u8R2ie0S/0GHRBJJBG2eNk+bB4vqLqq7qC6sW7du3bp1kJGRkZGRAdHR0dHR0dCxY8eOHTtC
v0P9DvU7BOIQcYg4pDASVyCYfhzz45gfxxRG5m6tubXm1ho4evTo0aNHC80XnBcfHx8fHw+W
ZZZllmXgKu8q7yoPIy+OvDjyIjSPbB7ZPBKUqkpVpSrMyJ2ROyMXNhbdWHRjUShTpkyZMmXA
28nbydsJWMMa1vz5cgtyzIumFU0rmgZNljRZ0mTJ4/OjhlZDq6HB7Va3W91uBXd/uvvT3Z/+
fN0PUnJbyW0lt0FJSlLyD+0TmcjE/+o5vsVbvFXof7HJxSYXmwx1F9VdVHcRZHXN6prVFXbM
2DFjx4y//nyurbq26toqmF56eunppeHs2bNnz54tNFv+hfIvlH8Bhp8bfm74Ofh8/+f7P//D
i4UKxhuRNiJtRNrDc/sfZGPaxrSNaVD+k/KflP8EjEuMS4xL/iCca/av2b8mcJzjHH/0v6PP
/J/5P/PDpvRN6ZvSweVyuVwuqPllzS9rfgkTJ0ycMHECRN+Ovh19u9Cef79/v38/9JjRY0aP
GZA3K29W3iwYdnbY2WFnoXVs69jWsY9vXj3suU7vPr379O6P/3Pj/3YU5XeBqSiPJtTKlPnf
BXOnTiNHrl79z+0+SCDg9xdEgv8Yka5SZfDgSZMK65GRFSvWrg3x8T7fH3Ogb9zIzs7MBIPB
48nJgVq1ypYtWhQuXrxz58YNyMuzWqOjwWh0OCIi/mz3QYLB3wX/w75WyLLZbDb/uX369GnT
Nmx4+PXXrVurVpEi0LBh06Z/XIz4oN3HzSOnahjyA87gbYioZloaNhqCJagivA56Q+ED4RkQ
lokrDRuApwSflAmsFHZjAvoon3omgDY8t1XaOKCidls8DbTjbWEZCE3FAboHkGmhfw6IZBED
GAQzEpBKPrdAb0NnPRmE6kI13QF8RxvlW9AFbVhAAr0vM429QZonOKWWoPZVznlPQkQJh7XC
VahQtdT4tjPBd1v+wdAUzGLZdrb+0Nvx/KT2LcDRzDs6ciAE7t4fnrsfXMK5Q6nJEDbXcDt8
JxRfGhWM7wH6YHmAVAScI4quNPWHqJG2Knl2iBprXyQlg3lw/M7y28C43zDRshI8jbIcdyVQ
O3kv+F0QNjPsGWdzcLSOPV3kAsTVjr4emwpx8dGxMZMgyud0xuhQpn/RiDJnIfJn25mwvRC9
z9HHUAlMO/SRnk9Aaup7K2sTlEiJGiTvAWdPQ1llOths0he+jWBYQwVXEli/NpY2NwbfQK89
WAKyv81U074A737PDr8GmLVExwowxWtHq2gQftLUv1QYWJsYblr6A3dVu3kBOPaY9hbPh+wW
7mD6CAg8r8+gKGQ1Se3pVsDwlv5KWDPwfO9Lzm8KpVNjjxafB7b35bSIveBu4f/cdxTilkcm
WW+AfbdpoWkHJJSP7BgRD0mNwotavwBfy/yzQTs4NlhUcQwYW+kfKyUgo8r9V273h8BPgc2p
gyA3ybssoytc+T6twqnecDHxTkTyUsg9kHfWUxwqHqt4tkgilOxaRij5HZgOmF52KuAu5tmp
/QDWY47K4c0hnNh3o3Ph3vVb32aVhqNPHss+dRtulMrf5zkMvoa6V+wP3vHeDbmvgesL1920
JDBkWe5FLwPPNH2j+cvHN1ELto+bMGHChAkTHt6vQDg/rF+BkL558+bNmzcfPk7B+f/qtnUF
AuZhP/VvKrqp6KaisOzCsgvLLhT+xF5ud7nd5XbDzNyZuTNzC+sFx1eMXDFyxcjHdz9TP0z9
MPVD6Dq169SuUyFnR86OnB0wc9fMXTN3FfZb+szSZ5Y+A2ti1sSsiYEWN1rcaHGj8Kf9tA/T
Pkz78OF2cnfm7szdCfnl8svll/v3/Vi2fNnyZcsL/Wg5puWYlmOg3Kxys8rNKhTM/6dJTk5O
Tk4uFO7PDH9m+DPD//Vxpm6dunXqVjg+6Pig44Ng0sZJGydthOndpneb3g2S45LjkuMKI+KT
J02eNPkPAiBhQ8KGhA3wbot3W7zb4p/bu594P/F+IpyofaL2idqFArd5RPOI5hFwo/mN5jea
w9WrV69evfrwcf7q8/va8LXhawN86/jW8a0DmjiaOJo4YErxKcWnFIeLFy9evHgRPq38aeVP
Kz/cTscPO37Y8cP/4u/kMc2rx/Vc/1/h303VyMvLyrp3r7B8kAeP/9VUjWDQ7/f7fxfOv0ee
fy/PnPnyy3HjCsuC9u+/HzOmX7/C8uWX69UrWxY2b5406dVX4dNPBw/u1g22bJk8+bXXoE6d
uDiL5c/jF9h9kEDg91xjVf19H44HS0kymczmP5c2W1JSmTIPL0+evHrV73/4uAV2HzePLJyN
C80Zxicgop/zQGQsaG/okxQPCPlCmJAKpGHSGwPb9SrCMhDeFz+RJoHwsX9m7qegXsqrmxcG
4pfCPPNeUAcIGfoqEOro3zAbqKyPFiJB91ASAZAQAPQ8MvCBMIc5QiPQVyAJc0HPUmd4JRC7
eq94XwZe9vh96wATn2spINQQqpIFYgPpTabD/e+zaqTfA3H3taeupsN4S89Vw9+AqscqNmx3
Fao3qPt8247QNuuF5l0HgGFCxY+SIuDn73e23bEatnfcm3V6ExhPBedoeVCpqSMiohEkOPRE
77tQOmCKyX0SKjwde9nYAcJKxPcvK4C017LP0Qv8m7NeSTsDgRGui+6+YEyWLc5yoLcxmaLO
QNqGvEFaVbhbNXemvwlkbnOVVTtA6vbMgx4R0hdlD3EvgnutMrbkfAvm4+bqkguE24E0bQTI
3ZmqDofobOtLQhWI+c76pbkmOM7JNrUsWM+YXjcmQCBWeY2G4Buu3shNhVwxuOdEFKS9mlPr
3BnI2hHsc2kkuGr7v/HEgXSHHQYZPO2CYd6vgAhpoOEeePr4jTmVIH97cH/yAkgfkHPs5izI
+CDnG+89yFjrMqa9C4bnwq87+kOY4MiO3gKOjqZvsEO4IeywsSIILyrTTRMg/0J+ovcZMJ6Q
zihe4CnRTkdQe4l221rQPjc39w8BoZNtYE4y5F4KFk/vBpcb3nNei4f0KO+ZexehyOjS3cJn
QbHDxdqV6QeCIiRYB4KnWH7xYDpY4hxDwl4F5+rYO7FVIP2zZGfePjgTd+SbUwLcfD73YG44
qPUMIw2ngG6aX+gOrBaaCXVAei4itWg8KBtkZ4IAQpY4UvgL/8D/KgX7MRcI34KI0YP7NP8z
ClIzHsx1LhinYNwCO//q+AUCZvXq1atXr/5z2eBCgwsNLsD26dunb59eeN64cePGjRsHDVc0
XNFwBYxdM3bN2D9EcB/s/6gU6VCkQ5EOhRG8gshh1tSsqVlTC/vt6bWn155ehfXhy4YvG74M
Bh0ddHTQUYi4HnE94vp/3o8HU2qGmYeZh5nhtcWvLX5tMYS9FfZW2FuP7/78VZzPOp91Pguf
+z/3f+6Hdvfa3Wv3b6QnFVx3ATNnzZw1cxZsy96WvS0bhpmGmYaZYJl5mXmZGeJT4lPiUwr7
GxcbFxsXQ1ybuDZxbf65vc1TNk/Z/Iec4WbNmjVr1gyavt307aZvF7Zv6bql65b/4iVGf/X5
7ft136/7fi2sF6TANLnS5EqTK7DwxMITC09A7969e/fu/Wc7SROTJiZNhJ75PfN75hfayZuZ
NzNvZmG/xzWvHtdz/X+FB1M1/mq5Y8eSJa+/Xlg+yIPHHzz/4akav+/jXBBxfjDyXNjvH7d3
7Pj00zVqgMNhsfyjSHCvXg0aVKv25/EL7D5IYcT59/qDZUHE+V8tn3uuSZNKlR4+7n8q4vzI
qRrFP4/qW+xLMNw0H7U6QFupZ2vlQUjghn4bdKveQ9gMYiLTlEbAKGGe9TvwP5UzO+86BI57
JedhMBoMvaXeIHZTLweXAmv1cHkjsFzso/tA+ESfSz7o+/UL/AbCAKE7y0CN0ttriSD10EoJ
V8E/KP8tvwBCitfluwuCLpczzQeprWmdtgaEZ2RRbgX6Qu2IOgYMG3zfe+OgsfNJf6caEHHd
dqt0IvgjAtm+QWDvGTOi+ChwGIVGJRtDtK+ER/kZIr2Rb4Q/AXv67Rmx/UNYlXrpQGYliJ3h
baBfgNIXwifbOoAxQdzti4YiPcJFtRmsfUKrTB4csxnqlh4M2u6s/nfWQfDDvPXpe4G31D56
H7BUD2sacQC0hfI64XMIPBvopW0Bz/280ek5EIzyh+V3BHsNc2tpKES9bFPNm8B+1nDAWg68
n+hN9XCIrhex2DAVIgeFJ4XnQtrXGT94l4JtqPyFew2YNsqZ0j5IK5YlpO6AxHei+sf3hPQd
/uExwyF9kb/hlUFgj7I2dIwFfaL0rlmF9DUe7dY6EBbnxcknIOy45bu4oiD9bP3JswFsFR3t
nPNA7Kn8GPkZGH8T7xiTQZtOCffPcKvh3UkZ5cD/ii/dtRqKNo1dbC8FN/emVdVfAE+isip9
IBTJiWgt94PgHOVL8yHwtPI+G4yA7PuegdosiCpr/7bIOXC/EhxMabDFmOYbx0DJLrHbyp+A
IreLflzqEIS/FjEyYQkE2ganSo3BUztQ0e8E57GIzpFx4LgcUymyC2Q/lb7FtRRunj4Vd349
3HFkv5E6CLQZxijncGCe+pLwJmg9WO8/C2JFU9NwEwjTtSPBSNCe9lfMPgDS/aDujgVKPZ6J
+mBqxfr169evX18YEf6r+zEX5DY/SME4BeM+zO4/o0DAlBhTYkyJMf9FRy9e/rAdkXBMOCYc
A1rQghYgHBeOC3/4aVwboA3QBvx5mAfb1cPqYfXwP/dTHCwOFgf/ob5AXCAu+HM/fYA+QB8A
WLFi/YOfBRzjGMeAbnSj21+/T/+qH8FqwWrBaoV1abA0WBoMgl2wC3aQxkhjpDH/3N7jJmxl
2MqwlSCOEceI/8D+X30+HyR9kPRBEnT8suOXHb+Ew88dfu7wc3Co36F+h/rBxqSNSRuTYNn0
ZdOXTYdVrGLVv+NwTWpSEzbO3Dhz4x8EZ8EXxgcpSNkYWnNozaH/IGXjrz6/ghSKP/X7X6kv
/wypjlRHqvPP7TzIvzuv/tlzDfG/U5iq8Y+F7OO088fxH5aqEQz6fH9cHPgwHnZ8+fJDhy5f
hmXLjhy5cQPef79162rVoFu3WrXKlIE6dcqXL1Hi9/OPHfuz3T/b+d8jzg/ysFSNiRO7di1e
/OH+37mTl5efDx7PPx73v23E2XzU3UBuBoZq9JKKAuhzuQ1cFyoLV0H0y6/Kt0FFmKqvBUYI
h/QjoL7nmyVdBH8LqVbcpyAOkRagAGW1s8wHfbjwLjeA8/pKPQr0dLxEAntwcR70HnpdvgLD
QOmg/B0YmhtnGauCdMiRFFsPktf7JxmLwqXFmWP0eZAz019MGAbST2I72oOyUdkV2AlhRRKK
l/sRnPaYEkW7gO9Hxee5D8JnYkcGg/KmmulbCsH6wSW+kaCd9L2hzoPEvvEVaxyGjmvqSE9X
goafVakYmQfhw0rWNdQDZY1xkP8jKGmJ2RkZC+Wjy9UPOwHVdaszpyY8Mdooaa0gXIkJK74M
JMKbFmsNahP/jZx64E7IOZIyCbik1WQaOE84f40aA3HjkvwlciHpbtHXSg4Dp99WObI0CNcN
s+QK4NwfMz8yCA6TZZrpG0jdm9Yx5yqc2X6xXNqHkLvZFxZYDra+9laR2WD/yibZOkC1PiW2
Fl8MZXtHxheLBoOd9v5FUCw/+lDJX6DCkPDsBm9D0Uv2xkW/AdtVi8XSAMokljxfpRVE2sJf
jjoOkZOcpvjJIE+TpMjy4O2hHvMqoIzU7bl7wCSaZ5p7QsRa+/OEQ+JH8RvD9oEq4rZWh+g3
on9xfAtPnilXNvEsOCNsHzkHgDRViJJbgc1pSbb0AavH9rLRCmILUwfzYYi7HZ5Q4iso26N4
RjkZKhyoWL9Wc7Anh/2Q9Cvk9nRP1fMhZ5jPpNwHa92onKhaYJoY9XlUHuTqd/vnVoVbZ4+9
cOIEpB7I6nf9MKiR5mqWVNBfkmKM50FT9FV6WxBKCl9QBLivbvc1AMXmX+e6D0pl9Rn3dVCs
PKvsfnwTtUDAFi9evPgfP0gK/uE/+Grtv0rBeQ8KhwI7/6lc6KbfN/2+6feF9Q83fbjpw02w
r8K+CvsqwKRJkyb9MRevebPmzZo3K6wX5OCmbkzdmLoRVjVd1XRVU7g7/u74u+Mfn5/1h9Uf
Vn9YYX32i7NfnP0izBfmC/MFyO6W3S373xDM/yp1TtQ5UedEYf2zA58d+OwAzD0y98jcI//n
/Pir/KvP5w3bG7Y3bIU5zjWO1DhS4wgMqTOkzpA6YH3D+ob1jT9HWIUFwgJhQWGucEGKwcO4
4rzivOKE629ff/v624XjP/jLSEFEOGV8yviU8XD2m7PfnP3m378f9ZfWX1r/D4swP9738b6P
98HOHjt77OwBr8x9Ze4rc2Hl5ZWXVz7C4tlHnVch/j0KUyf+tYhzs2aDB3/7bWH5IA8e//M4
/1ioB4O/bwv34K4XD/Kw9t27r1xJTS08vnjxgQNXrjz8/IKywO6f+xUsDvzHKRWy/HtqxoPl
3r3Xr6ekwPnzbrfX++cyP//3/Zofnqrx33RxoO23qPHxC0HvLNU1XAJxOeN5D5SUwO7gy+B/
wrvKUxVMLzmxfwbGYsJY/QycnXMtN7MfOBuX6FWiHRjHMksbAb4PhA7ifBB+4RfdD/rbHNeS
QZwl9JIOg1CVjcJq0M9Sm7LgetWVl3MNVs9ac3aDBfxfqObI7VB921PtG24DvYjhLrtA6i2n
yWdBjNG2KSVBGyCeMLwMvEht4QsIPhW4oZ8FMSC1YzuwXu9BJggreVOcCswVS6gvAkW0obIV
gr1JE98E8fukt6uVhCqHxfft66Hka6b5pz+FrNIRqTmjQbyQd9RrA/HjpHee8ELlcZX3Bi9A
0uq0NNd0OFUiy6+sgzNzxcv2t+FOBXOzEndAu5m3M20M+LtmNk8dCFpR+yLnVrC/G7YoTAHT
L5bmpiQQP7Z/bT8DWlDpGmgOadtzYoQB4C7mPa/mgnuW/rxhJ4ixcin1BjBcW6RHw51X005n
+IBN6qsGJ4S3dBa3nAHleemMfz+U3hbWr/hzICca5kUWhbwzbq93MeizhK3+d8C8RRscvhNo
pzVlEJimyJ3Er8F4ibaRaWDob+ufcxG8P3ilrIuQacztxpegjg9MTj4PZUvHxlUIgnOitC/h
JbCtC5+FH5TK7lMuCe6PSlbdYyHtZVeq2wLmF82q6TSIzYWd6hFwpJmn2nqDs3xkg7B5YB/v
MISvBPMH9tmWSuDP95cSdoPrfdeQgADSO6a3TREQpcYtjl0C5m7mnYYxkD/59supn0D6mpsD
rpogr1mudqsMeDEaIj4DdTjjjK+BPk2bo/7+9zdEvQD6Hf2QXhm0UcTpVYBIIUtdB6KdGONb
wDO01qv/r0nS6fFN2ILc44L9mXNzc3NzcwvrBeXDIsv/bNeNB+38p3jR+6L3RS8E9IAe0GHd
qHWj1o2CURmjMkZlQMytmFsxt2BwscHFBheD3sHewd5/+EAeaRtpG2mD2ebZ5tlm+G70d6O/
Gw0xt2Nux9yGNNJIewx+9q3at2rfqnD/ufvP3X8OtkzeMnnLZCi2u9juYrshamrU1KipkLk1
c2vmf/BFNwP1gfpAHe6Nvjf63mjYkLIhZUMKVI6sHFk5sjBFoUCo/t38q8+nQMDOXDlz5cyV
MMo2yjbKBuoh9ZB6qHAx5qjio4qP+sMXx87pndM7p8NPPX/q+VPPwkWDD1vEVrCokvOc5zy0
fb/t+23f/3OqSMFiuy/4gi+ALVO2TNkyBSp/W/nbyt/yL9O/f//+/fuDa7Zrtms2bN69effm
3bDx1sZbG29BnUCdQJ1A4eLHf5dHnVch/j1U9fdXSD9MyP774/7X4xXYfZBgMBAIBECSft81
42EU7KrxIBcu3L37xxerPFh/2PkFdv/sz++R34clTthsdrvFAn6/ovyxx/btBw8mJ4OmBYOp
qX8+74knSpQwm6F69Sef/EcBngK7jxvh4MGDBw8e1PW6devWrVv3Xx/Ag7tRdi3gsuGkvQcI
WXygVQWtQeDLwCHwx3p6ev1gM0bMjVwI6mX9TX8/OD9ta9Tx3lAqqu7YGtfB+krEccMQUM+r
mXoJ4Kjq0rcB2/SV6isg9DE8aSgP10vcTT63HIpvjq1dph4o/ZSOejzsydjrOlIDXL+5LWoU
0NbxQ9FeUCqztL/Ir1DhXsI6QzJYu1uLsh/UCmor8R5InYUJnASlgrrZtwfEgNBLPgrCq1Jl
8VPQ39I6SfuANeLHWhD0ZxGERBD366LyDgRquirmdQZjiqG9ugDU59xTM14H7auMFzO/A8kd
NTO8G/juZG687wB9avr09NdB2iXrrARfqnTHmwZZJa7vzEmH1df2lLzfCo6PyP5ZSofAEt+E
rM8hkOlplT0VhOryaMtlCH8jrG7kJnC85dxg3ggmh+FV/R4wWO0VkMFXyb3e9y34swPbg5+B
sky/qI2AQFzgqi8d/IPdlpwDYHZZ1lmHQmR21Ovhb4Lvjmecrwd4i3myXL9AZrWsnNSmoM4U
Nrpug9ZJeNFSFFzdAtuz0yEsz7FSrAqBNM824QPIbejJdfeB8mkJE4p+BvIFMdpSBW5GZNy8
exQM9eTtlpchek24GtcJovaYz5vKgLZHH6N0h7tD7ozwbQPNZxzCOnBMckpWAcwvySusNyE2
N2GDTYHIllHFozPBMMR8LewcaO8ruw1vgDvVVUHJB1+muiE4EixK+LnwY+BcFjEn/B6IlbRf
DDvAFX0/53438K/IHnQnFbx+5YvcqZAdcL8VPAB52/Qx4T1ALyPOMx+D4CRmSc+C/77yHq9C
8OVgr2A7CB5QvvefBmVWsKvvHLBAveedDlJlfYm/DxxL3ffJhlOPf+IWCNuC3QMKBPS/i9Pp
dDqdMGLEiBEjRvznhXOIf42CXwZS2qW0S2kH7RPaJ7RPKMxtfmHPC3te2FNY39hhY4eNHf5u
r0OE+H+DKlXatJkxA6pWrVWrQoV/f5wVKz74oF27wnqvXu+//1/tKnH69NGjFy7AmTMbN44e
XdgeE9Ot27RpYDIVK5aQUNienPzRRy+9VFgvUmTUqKVLH97+IP+sn99/+/a9e5Ce/sMP77xT
2D506NGjN25A5cqJiVbrn8dNS7t/32CAEyfu3ftXvngEAvn5WVnQrl3Dhk7nn4+fPZuS4vHA
nDm1apUs+dfHfRiHDh06dOjQY4g4a6r3J99AMHxrbG45Alp77SO9C8jljN8aaoC8xKSYk0AN
00dqPwBLvOsDk8DxhWO/bRcYv7R8ZegL4mapnmgC8QnhovAMaB14Xv0RpBg5w/AapOZlf56S
D9dfvz7/0BYo3j6+e3wzyPzSU8czBFwu0yTTC1Ds+7ILKhWFQBHPm3jg1qz7L7qHQqInor/9
JliP2MsZskGvrQ1lOHBcb6mfB3GysEAMgLBE7Cp/CXpR/UttGmgD+dGXBVRS16kjQVosnrCM
Bv2IOMR4D+TPHeuiokELqB2DTtA7G2ao34OywFLN1RLkDpY7ce+BOTyqoflzoE9sUpn+wFRH
+9ipYLknmeUYiFxc41PfEXj9dM13z30Hvy3bc+HEz7Buzv6y6tdw71XTaWcJUA7ldU3fB9kH
Mqvcfw98eZ6NlsUQsS38ZmRDCD/tLGe3gaVV1C1LPuj19SXqINA3KL7AaghU9U8wbQf3CEsD
w2kwnZfjpCGQeTF7ke8H8D2j7A6+A/J548TgMchZ4uuXPQys7c17LJPBHmVZZ7sHpsOWjv7W
IK8xTNC2gPtOXphnNoQXi5wdXgLy6wSM/iOQszK/S05fEA5Lo8RNYPzSMMnwIlwed7PxtRyw
vWo9ZOgIzi3hTYwBiB5T7GKR9RA1IywqojlE3A73O7qCaZbJ5dTBUN623T4BgobgSmkEuCfm
/ux/EvLX+S8G24BktuYYxkPEsdircRJYdlgPOUygvJR30bcPMrLv3L41HDLW3K16YT0EE/Sm
efNA+1h/W3gP8kt4qmkrwNVLlfNqQjBbK6IthUB19Tt9FCjb9M76E6DuV/qrmyFQI/hGMAr0
idpWdTroJ9X+wfqgBoPN/O89+kR9GAXCtkDoFgjoAoF169atW7duPfz8glSMgkWCBeOE3ij4
35OCbed2rdi1YtcKGMAABgDMZCYzC7dreyPzjcw3Mv9ub0OE+H8LTfs9Mpyfn5WVnw8mk9X6
j/Y5/lcJBP5xzrDf7/H4/YV2HyQY/P3Nebqel+dygSj+40V+/2oKx8P6aZrX6/OBovzjNwP6
/b/7mZ3t8SgKOJ0Wi/wH9Vm6dHS01/v7/tBhYXDhQmamIMB/HS+Hp58uWTIh4fdItsdT2J6b
6/UqSqHdx80jC2dlqjtf/xkMDcJXiPGgLg1sVGuB/1P9q+AyMDY2NSMW5HZyY0MSeA8Fv/a3
APG8sESbA4Zl5m6Gt+H+uPu3b64DZbvyW+AHMCF9rfcBx1Hb8IiDkP9UTs88P9hfMV+LHAem
Mub19sEQHWHfbI4E12pXkTMaXFmZ0jF3ESRVjJoVnQa2HZYX1IaQ8m3a3kBZKNYkoojpFKjN
BT9FQBmrlAoeBmGK2EFsAhRlgRAOwnbuy9+DbhM92RNAqENNsRoQpbjUZ0C563LnPAWGpvbm
RdqBWkW4p14C2eW4Hl8TDGft4fFVQHtGOeLKBrW972B+RTA2MDeI+QXUHYbVtmdA/UJ7UZdA
s8ovmg+DrUaFYw3fhTblKvR7uh+Un1y2+oZvYH6PH78+XA8ub7XKpU+Cr5K7RcYq8A7Ov5Yb
B4EdaRvvDgP3V3mbzRPBuciRHx0DYclhK00HwXbZ+pL5O3C+E/ahQ4Ho89G11TQInPWucT8D
BsWWlFcegruV/mIZUJJ8mr4J5E9K5RfrAnn9ct/0aWBqZnjdXB2ku+qasFTwGDy1AvPBvt8y
UCgNCT9FVoo5DXYMzyROhbSZxrYpL0HYLvsB22SI3he2KmY3uLoWfcvbDwyfGq+xGxwpEVbb
ALBcM7vCvwZjY9lsHwrBgLZdegoCRYMmYiEnJ/1L33MQ/EbNYStovxm7mzuB5WvnaMs7YK8W
sTayDUjF/AdxQ27jm8fTN4C7Y9b95L6gnFUWpH8Etu72RdpX4N+iXLHMB1+5wJ5AT7CLlhLa
IZDWB+d5ioL/A6WiXgb0hnJF8kG5rfVXnaA/ZYrnA1D66yb9adCOaZs0EYRLgsEYAEVUVsqP
8JPrX6VA6BYI6Qe3kSvYx7WAglzm6tWrV69e/T/vX4jHQ7VXqr1S7RVYylKWAgxjGMMeddQQ
IUI8Dp54onTpyEi4cyclJSMD4uMTE6OjH5+ALqBAMN+//7udArsPUqlS8eKRkXD69K1bmZkg
ik5nWBiEhw8Z8tVXf+7/sPZ/1k/XvV6vFzQtNzcvD6pWLV48KurP5zmdRqMs//5q7kAAEhN/
T6AID7dYJAmyskRRkqB4caczLw/q1UtKstlAkgRB/C9W4t269bvd/Hxdl2XIyfF6VRVSUnJz
A4FCu4+bR07VuNfo4js3tkDU+iemFRsFwXRvV7UkKJlqXHAMmPoaWxuOgy4rbr8Nckfv7nEo
DPI+1b+Wq0GRy89Wq98esr053nsNwb9cGaGMBVO2cYVYHc6+fjnxtxTIvaS+mv8ilC0ds7x0
D0hUo9ZUyoXTXS+4jufBuffuBi5cgotn7p6W6kLVNyp92Po5qDupcmaxsfDEsegNQmsQShm6
iMVA3Khv0VeCPk1rod4GPVVsL6SB2FMobmgKQqq4R28Dqabs65cGQXp336c3ykHkiMiOYS+D
9onLnT0NIiwmV6X3wTnH8XL5BuDvqFX0XADeF2RRBmEXKfLLIH6pRQZHgDJL/0VrD6IuVjO8
DiTpMVoqCF/r8/TToKbrjYREoBL7pGiwfWmpKjeBVc5Z/T6+C+s6HDXe6Ad6om1m9EXwTPU1
DTYAdb2nZO5voF/0zs67BqKsnQosBeu7cp40C8y77N3t+eCwOCzWzyFslPUF82kwzzSbDDIY
Rslj1GdB+40UzQCBMupHig/0k1pppRdo87TTwZ4QNClPqxp4q/teC4wF4Xs5WWgD0lwhXqwF
0gxhvnAJtPlaK0EAk8f0nnEPaBuFltqvYKoq1je+AIZ888/WJ0GLYI1wDrQpwcZiKviq+Fpo
FcC111csEITgmODWYAaoDaSFwpsgxRqP2I6DcaIlwpgPMWXD6lmAIv64IbZLcCd4//WMXyBf
yamY/iVk10lNvNgNcvPTvIGZoB5jU/A3kOOV9loJEE3i96ZGwGqjWY4E+QNxnVQU9Ld5W3ob
ApPUcrwD+sfk6+MBgSbCSdAThV/FlcD74hbpK9Bl7ZReG7Q3hRviTtAzxHPyDPip5y+jf9j2
+CduiBAhQoT470FWVk6OywV9+7799jffwPnzV66kPY5FFg+hYsWyZWNjYfHi6dNffBEiI8PD
//hm0vT03FyXC557buzYBQvg5MkrV/7RPtGPi+rVy5ZNSICff548ecAAiIlxOv/oT3b277Hj
998/cyY5GdLSfo88/6eIjbVaZRk++KBKlSJFICLi8Qjox5aqIU9wfGdcC8GZOfXyPaC/lP1t
zi4QJrpT3FbQx5abV7o1qGU8/TzLwVV887nf3oJw8/NvdcwHYZ8lUTgOiZONLxUdBNlDPFXz
7HAi47h2YBZYyhmNzhfAu8+2Rr8F0TuspRIag+FtY/mIerAjbVfEnb5wb5Tw491u4ImU1gVv
wNZju87/cAH8XQP0+AZKJzVdX7wBWNym8/QBdb/2mugF4ZR4V5gD4mhhj9QFtFw+CCSCPJ8G
5jPgqZPnzxoIl1df6XO8NCiH9ZmGr0BfYBqp+SHmVGRU8kWotL3IF/4SEJNsbZq0C7CIQw1e
0FeIaI2BKcJmMQwEaG1sC8IHeg21Iujr6M0GYLuwVJgMYoRwm2KgzaarEoSgphTRDoJQKZCb
r4O4IaPZdUCeoM1V3wO5n7mHfQNoz4WXjLoEyq9h1SKvgvpyQHD9AIGB/s35nUGJCY7TakFw
Q9aMrIuQ48qqL3cCU0PjB+LbYLaYdlg6gamyYaSpDIgRpnnSBpBuSLJ8EKR6hvLWnWDcIzcT
O4HBHLaXICDzrJYCgo9J4hIQwnRJ3wBac/0W5UAZrqdq/UAtr0SxEPJbKmV5Cfxrc/r54sDX
NzhNESEoBksqF0A9yl7OgrzGlGyeB8al1pW26WDsbG5kPQjxY+zLjUuhZrfys6PXQM3var1Y
ZRbEf1biculpsPmdrZ9+UwpSX8+bcrMM1GhUy9+hPazetObeL8NA3+x9xVAKmn9XtXbDdLgS
f7ZzRjk49u2x8ucrwp2FWZFZ48DfRhmqdAfLeNMy88sgHzO8YhgAWiW1iP4OqLW1RcoJ0L8R
BonfgthS7yU6Qbus39UMoB3X96ljgJ7/uQ+HECFChAjx91MgXNev/+qrV1/9u70pFK6HDn3x
xRtv/N3eFArXzz//x4v4/m/jkYWz5StlaqAtBJffzLu3Hojyt/JWBa2+r0jgeTDuFtqXWgM4
3Z+6fwG2BK4Hl4Dp49iosOpgWM4MeSNkvulZmyHA8fXHR+77FBJnG7fFvwnuZHNLdwSEpwmj
HEkQtym+ZPGX4dSpa4vSRBBPhw1Nmg/6wsw1KU4oWqTCyKodIKXm9X5X5sKF+Vd91zLgyJYS
nSIT4dnulWbbX4bgquAy/xSQt5kiLc+Aelhb70sB4ZQwx1QU6K+XFSLA8L5lsmkXxJasqJUF
kg+f8l4ZAaV3S5Hx34P9kjvK0gGupW7evSoe7HPLpFVvD8I6oYtUAvTbrJc7gWFU0e1le4D8
dkx2yadB3643Zh6wUuhDNugL9PPoICQzhqMg1tJjhNJgaKwnqu+D8I22WO0B7q9dT2beB/kV
Zbe3DIhdzbsdG0COteyPjAFjnuVC1CUQa1rm2H4C0y9OT4QA2jTXwKw48KHEaXMh+J5+T8sB
7ZBeXNPB1dK71nscxBfdgfzLoEjqLv0i0FL3cAaEVcIZcQoYF/CEcB70nWI/+oH+irBQcIPQ
mMVCIuhf8bO4GvQpwgLCQBuoP6PsAz1ceFcsC/qrQlH5Lghrpe1yK5BOGo4ZDoJ8MqxR+C2w
zLDMsP0CZodxjfkgxGdaPdpOqNm8eB2LHaq3rVO1Wn2I311OrimBslA4Z46B4El9Njuh8TsN
Pd0ngKuIK9jkHYh8OfHVMl9AjKXXgnJ7wL7AUbasDM5L4X2LvwsVM2vNuDsASmyt0ePccPjB
s/zWhtsQeDc/55wXkrukfpNdCdQ+4gzJBUaHWbMeBUOStMTwFchmaYFYH+iJS+wG+io1QTsD
2mDluP4ZAOVp8ndP8xAhQoQIESLE4+CRhbO0QT4inQbd42ho+wmETbFpcWNA6MwFIROoLAfk
ZuBffif++g2Qu0e/EjEO5PdiI+O+BW9Y8H5+Dcgbm5d8bwjU2FqlXr0FEDMwYmaCDQ6kn2+6
YSxExNh6xU4BvaN83fAGnBt8vMaOXWCcbe1QfDEUn21bVCEGam8rd/UpG1xoFNWnFCC0URdp
T0O1jHLeKAH8Y93PpL8LwpveplmtQVslq7biIC63DrT5QW9iyDP+CNIl80YxBlIGn5CvVoaU
s7nvXugItvkJH5iyIDI1ummJ2VDhvSr+1sPAa65U/W4A9OSs2veKgH/+vW43fgS9hPvdnGqg
ShEVHGvB8ExkQkwe8IQwwlkdOMsAZR7obTjHWOAUyXwPWmvhJz4A/8eBznoL8OcHNuACbZB8
19ANfLeDCz3LAIPvsGc7CHm5qzJ/BVO+Kfu+Dayt7ePCA1BsS7Gk6BToFNO/YYuqcD/93u3s
F+D2ymsJd/Ph9sCMoe4+kPmZp2RwOuSfDCwQ6oInRz+nnAShnRqlj4agU0VLAM8JNV3rBTwh
TNDXgx4j7GEesJYPyAQxVhwuPgVitOF9w48gbJCiDCtAXmdoZ2wE0iw5Q54M8iiD1/geGEqI
b8rLgYl04xkwxKjWYDpoMzIa368BzxZv07l0S3j6mfZ0KgW+d8V20TfB/1VwvC8G9MPil/4W
IMZJl8VuID1vDrcthOgxckVLPujjqGZeDEnFiu5tNgGCJmW6shUCmYHLgeNgfM+229wKgufV
oeEd4OlXanSs6oeEOeEZxV6B5IOebfoLsP3clk/2uiFlTubrd3eB12w4K68Hi6B8bToOpu9N
tYwbQDwk7hOPghxpeFL+ffucUMw5RIgQIUKE+B/CI+c4hwgRIkSIECFChAjxP5mCHOdHfnNg
iBAhQoQIESJEiBD/LxASziFChAgRIkSIECFC/AVCwjlEiBAhQoQIESJEiL9ASDiHCBEiRIgQ
IUKECPEXCAnnECFChAgRIkSIECH+Av//dnQFqwVDhAgRIkSIECFChAjxZ/4/obLWe3CTKPsA
AAAASUVORK5CYII=
--------------070606080508020907060001--

--------------090305040401050103060408--

From sberyozkin@gmail.com  Wed Aug 28 09:34:15 2013
Return-Path: <sberyozkin@gmail.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0ED1D21F9929 for <oauth@ietfa.amsl.com>; Wed, 28 Aug 2013 09:34:15 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.479
X-Spam-Level: 
X-Spam-Status: No, score=-2.479 tagged_above=-999 required=5 tests=[AWL=0.120,  BAYES_00=-2.599]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id jH3YxGO7Nxak for <oauth@ietfa.amsl.com>; Wed, 28 Aug 2013 09:34:14 -0700 (PDT)
Received: from mail-we0-x22d.google.com (mail-we0-x22d.google.com [IPv6:2a00:1450:400c:c03::22d]) by ietfa.amsl.com (Postfix) with ESMTP id C569821F8895 for <oauth@ietf.org>; Wed, 28 Aug 2013 09:34:13 -0700 (PDT)
Received: by mail-we0-f173.google.com with SMTP id x54so5476739wes.32 for <oauth@ietf.org>; Wed, 28 Aug 2013 09:34:13 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=message-id:date:from:user-agent:mime-version:to:subject:references :in-reply-to:content-type:content-transfer-encoding; bh=cblKWspApPxzhzTjUsykxS8lmeBulShExULd0zSGfVY=; b=FHeN3o9jfxyrG++yXPOYghT086UD3iAcjgmoDbjoVVzQpbti5/VpXEr9uBkGiOCg+2 BgaKkAoH7sp7LOMcwXOe9TNOv5UcKzoMnRjAHhMo9wU6ZD2yW/4ZYozOFeMSRGUHOAuD tCCMzQvNaUrrX4WSff9UkdZdE47U159b3upr0c/qWZX9jwrhL+WZHsplwzy+eFcbMMb9 EcId5bCSGGOVo82wTo6drLy2gZ6CxiLccY9RTtkDiXKayrOhU0NSdSK9ioJm6YEsToGm 5Fy5Cd6bvlH2m4qLD8lr1x1tbYP/dLRLDg5xZNshZ3XsfCB3s9ENDuCQ8JaqyaWEbNZ3 JNbQ==
X-Received: by 10.194.109.68 with SMTP id hq4mr21532456wjb.12.1377707652899; Wed, 28 Aug 2013 09:34:12 -0700 (PDT)
Received: from [192.168.2.5] ([89.100.141.107]) by mx.google.com with ESMTPSA id a8sm6273550wie.6.1969.12.31.16.00.00 (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Wed, 28 Aug 2013 09:34:12 -0700 (PDT)
Message-ID: <521E2682.4020108@gmail.com>
Date: Wed, 28 Aug 2013 17:34:10 +0100
From: Sergey Beryozkin <sberyozkin@gmail.com>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:17.0) Gecko/20130623 Thunderbird/17.0.7
MIME-Version: 1.0
To: oauth@ietf.org
References: <1373E8CE237FCC43BCA36C6558612D2AA28D6A@USCHMBX001.nsn-intra.net> <4D9D4AAD-55F9-4B7E-A56F-5BC42F028E13@oracle.com> <B14A12F5-EF5C-4529-90B7-C30E17958907@oracle.com> <521E1A34.30204@mitre.org> <BC009D74-FEF3-4827-8C0D-1B2FCCF9DA65@oracle.com> <521E2086.1010007@mitre.org> <4FBA391A-073B-4C67-BDC9-D5429B940951@oracle.com>
In-Reply-To: <4FBA391A-073B-4C67-BDC9-D5429B940951@oracle.com>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Subject: Re: [OAUTH-WG] Dynamic Client Registration Conference Call: Wed 28 Aug, 2pm PDT: Conference Bridge Details
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 28 Aug 2013 16:34:15 -0000

On 28/08/13 17:20, Phil Hunt wrote:
> This is the key problem with dyn reg.
>
> You have to recognize software as distinct entities shared by clients as instances. Statements can be by a developer, an organization or an API owner that approves clients in the same way Google or Facebook does today.
>
> The approval happens once per client software or can even happen once per publisher or developer depending on trust.
>
> Dyn reg doesn't work in practice because each registration has to be approved individually yet the protocol doesn't support approvals. It must be immediate.
>
> This is why the question of who has used this in production matters. Implementation of dyn reg is easy. Operating it looks workable only in small installations.

What concerns me is that while it is obviously important that large 
installations should be supported, there does not seem to be much 
motivation to worry about the small installations. But the thing is, 
without the small installations, the possibility is OAuth apps will be 
developed by developers working for large OAuth providers only.

I'm sorry, I realize it is not much in scope of this discussion, my 
comment, but it worries me how strong a push is to get the JWT or SAML 
assertions becoming the main 'artifacts' of OAuth.

Cheers, Sergey

>
> Phil
>
> On 2013-08-28, at 9:08, Justin Richer <jricher@mitre.org> wrote:
>
>> I set up an auth server to protect my API, my users download a piece of software that speaks the API to access their data. Where is my server supposed to get the list of "approved" software classes from? Are you assuming a central registry per API? Or is it going to be provider-specific? If the latter, why wouldn't you just do manual registration and not use dynamic registration at all? After all, manual registration will always still be a valid option.
>>
>> -- Justin
>>
>> On 08/28/2013 12:02 PM, Phil Hunt wrote:
>>> Please define the all in one case. I think this is the edge case and is in fact rare.
>>>
>>> I agree, in many cases step 1 can be made by simply approving a class of software. But then step 2 is simplified.
>>>
>>> Dyn reg assumes every registration of an instance is unique which to me is a very extreme position.
>>>
>>> Phil
>>>
>>> On 2013-08-28, at 8:41, Justin Richer <jricher@mitre.org> wrote:
>>>
>>>> Except for the cases where you want step 1 to happen in band. To me, that is a vitally and fundamentally important use case that we can't disregard, and we must have a solution that can accommodate that. The notions of "publisher" and "product" fade very quickly once you get outside of the software vendor world.
>>>>
>>>> This is, of course, not to stand in the way of other solutions or approaches (such as something assertion based like you're after). It's not a one-or-the-other proposition, especially when there are mutually exclusive aspects of each.
>>>>
>>>> Therefore I once again call for the WG to finish the current dynamic registration spec *AND* pursue the assertion based process that Phil's talking about. They're not mutually exclusive, let's please stop talking about them like they are.
>>>>
>>>> -- Justin
>>>>
>>>> On 08/28/2013 11:17 AM, Phil Hunt wrote:
>>>>> Sorry. I meant also to say I think there are 2 registration steps.
>>>>>
>>>>> 1. Software registration/approval. This often happens out of band. But in this step policy is defined that approves software for use. Many of the reg params are known here.
>>>>>
>>>>> Federation techniques come into play as trust approvals can be based on developer, product or even publisher.
>>>>>
>>>>> 2. Each instance associates in a stateless way. Only clients that need credential rotation need more.
>>>>>
>>>>> Phil
>>>>>
>>>>> On 2013-08-28, at 8:04, Phil Hunt <phil.hunt@oracle.com> wrote:
>>>>>
>>>>>> I have a conflict I cannot get out of for 2pacific.
>>>>>>
>>>>>> I think a certificate based approach is going to simplify exchanges in all cases. I encourage the group to explore the concept on the call.
>>>>>>
>>>>>> I am not sure breaking dyn reg up helps. It creates yet another option. I would like to explore how federation concept in software statements can help with facilitating association and making many reg stateless.
>>>>>>
>>>>>> Phil
>>>>>>
>>>>>> On 2013-08-28, at 5:43, "Tschofenig, Hannes (NSN - FI/Espoo)" <hannes.tschofenig@nsn.com> wrote:
>>>>>>
>>>>>>> Here are the conference bridge / Webex details for the call today.
>>>>>>> We are going to complete the use case discussions from last time (Phil wasn't able to walk through all slides). Justin was also able to work out a strawman proposal based on the discussions last week and we will have a look at it to see whether this is a suitable compromise. Here is Justin's mail, in case you have missed it: http://www.ietf.org/mail-archive/web/oauth/current/msg12036.html
>>>>>>>
>>>>>>> Phil, please feel free to make adjustments to your slides given the Justin's recent proposal.
>>>>>>>
>>>>>>> Topic: OAuth Dynamic Client Registration
>>>>>>> Date: Wednesday, August 28, 2013
>>>>>>> Time: 2:00 pm, Pacific Daylight Time (San Francisco, GMT-07:00)
>>>>>>> Meeting Number: 703 230 586
>>>>>>> Meeting Password: oauth
>>>>>>>
>>>>>>> -------------------------------------------------------
>>>>>>> To join the online meeting
>>>>>>> -------------------------------------------------------
>>>>>>> 1. Go to https://nsn.webex.com/nsn/j.php?ED=269567657&UID=0&PW=NNTI1ZWQzMDJk&RT=MiM0
>>>>>>> 2. Enter your name and email address.
>>>>>>> 3. Enter the meeting password: oauth
>>>>>>> 4. Click "Join Now".
>>>>>>>
>>>>>>> To view in other time zones or languages, please click the link:
>>>>>>> https://nsn.webex.com/nsn/j.php?ED=269567657&UID=0&PW=NNTI1ZWQzMDJk&ORT=MiM0
>>>>>>>
>>>>>>> To add this meeting to your calendar program (for example Microsoft Outlook), click this link:
>>>>>>> https://nsn.webex.com/nsn/j.php?ED=269567657&UID=0&ICS=MI&LD=1&RD=2&ST=1&SHA2=C6-AjLGvhdYjmpVdx75M6UsAwrNLMsequ5n95Gyv1R8=&RT=MiM0
>>>>>>>
>>>>>>> -------------------------------------------------------
>>>>>>> To join the teleconference only
>>>>>>> -------------------------------------------------------
>>>>>>> Global dial-in Numbers: http://www.nokiasiemensnetworks.com/nvc
>>>>>>> Conference Code: 944 910 5485
>>>>>>>
>>>>>>>
>>>>>>> _______________________________________________
>>>>>>> OAuth mailing list
>>>>>>> OAuth@ietf.org
>>>>>>> https://www.ietf.org/mailman/listinfo/oauth
>>>>>> _______________________________________________
>>>>>> OAuth mailing list
>>>>>> OAuth@ietf.org
>>>>>> https://www.ietf.org/mailman/listinfo/oauth
>>>>> _______________________________________________
>>>>> OAuth mailing list
>>>>> OAuth@ietf.org
>>>>> https://www.ietf.org/mailman/listinfo/oauth
>>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>


From phil.hunt@oracle.com  Wed Aug 28 09:35:49 2013
Return-Path: <phil.hunt@oracle.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C64A521F9981 for <oauth@ietfa.amsl.com>; Wed, 28 Aug 2013 09:35:49 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.239
X-Spam-Level: 
X-Spam-Status: No, score=-5.239 tagged_above=-999 required=5 tests=[AWL=-0.037, BAYES_00=-2.599, HTML_MESSAGE=0.001, MIME_QP_LONG_LINE=1.396, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id D+sfhitNuarR for <oauth@ietfa.amsl.com>; Wed, 28 Aug 2013 09:35:45 -0700 (PDT)
Received: from aserp1040.oracle.com (aserp1040.oracle.com [141.146.126.69]) by ietfa.amsl.com (Postfix) with ESMTP id C4F8711E8203 for <oauth@ietf.org>; Wed, 28 Aug 2013 09:35:35 -0700 (PDT)
Received: from ucsinet22.oracle.com (ucsinet22.oracle.com [156.151.31.94]) by aserp1040.oracle.com (Sentrion-MTA-4.3.1/Sentrion-MTA-4.3.1) with ESMTP id r7SGZWRK025241 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK); Wed, 28 Aug 2013 16:35:33 GMT
Received: from userz7021.oracle.com (userz7021.oracle.com [156.151.31.85]) by ucsinet22.oracle.com (8.14.4+Sun/8.14.4) with ESMTP id r7SGZWLO020109 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Wed, 28 Aug 2013 16:35:32 GMT
Received: from abhmt106.oracle.com (abhmt106.oracle.com [141.146.116.58]) by userz7021.oracle.com (8.14.4+Sun/8.14.4) with ESMTP id r7SGZVrb026358; Wed, 28 Aug 2013 16:35:31 GMT
Received: from [192.168.1.89] (/24.86.29.34) by default (Oracle Beehive Gateway v4.0) with ESMTP ; Wed, 28 Aug 2013 09:35:31 -0700
Content-Type: multipart/alternative; boundary="Apple-Mail=_F127D2AC-CF13-4306-90AA-E868B327D5E1"
Mime-Version: 1.0 (Mac OS X Mail 6.5 \(1508\))
From: Phil Hunt <phil.hunt@oracle.com>
In-Reply-To: <521E256A.60908@aol.com>
Date: Wed, 28 Aug 2013 09:35:39 -0700
Message-Id: <9F232504-FC58-41FD-B040-31F898034AD2@oracle.com>
References: <1373E8CE237FCC43BCA36C6558612D2AA28D6A@USCHMBX001.nsn-intra.net> <4D9D4AAD-55F9-4B7E-A56F-5BC42F028E13@oracle.com> <B14A12F5-EF5C-4529-90B7-C30E17958907@oracle.com> <521E1A34.30204@mitre.org> <BC009D74-FEF3-4827-8C0D-1B2FCCF9DA65@oracle.com> <521E2353.2030904@aol.com> <C7CBA9A2-92F5-4AE3-8AEE-1259B6635DD9@oracle.com> <521E256A.60908@aol.com>
To: George Fletcher <gffletch@aol.com>
X-Mailer: Apple Mail (2.1508)
X-Source-IP: ucsinet22.oracle.com [156.151.31.94]
Cc: oauth mailing list <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Dynamic Client Registration Conference Call: Wed 28 Aug, 2pm PDT: Conference Bridge Details
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 28 Aug 2013 16:35:49 -0000

--Apple-Mail=_F127D2AC-CF13-4306-90AA-E868B327D5E1
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain;
	charset=iso-8859-1

George,

It would be reasonable for a client to submit an assertion, and obtain its own client assertion in return.  This is very close to what is happening per 2.1, 2.2 of http://tools.ietf.org/html/draft-ietf-oauth-jwt-bearer-06

In this case, the Software Statement is an authorization that is exchanged for a client assertion in return. Then the clients authenticate per section 2.2 of the JWT spec.

Regarding initial_access_token.  This does have some of the characteristics I am speaking of. But it is unspecified and the assumption is that it is issued by the local domain.  This doesn't work in the UMA case because that's more like a federated model. Thus the specified software statement works because the AS can approve the client software based on name, and/or developer, and/or publisher -- whatever trust requires.

Phil

@independentid
www.independentid.com
phil.hunt@oracle.com







On 2013-08-28, at 9:29 AM, George Fletcher <gffletch@aol.com> wrote:

> I can't say I understand what you mean by a simple assertion swap... but if you are wanting to use a client_assertion flow instead of the code flow then that's something completely different. If you are saying that you want the client_id to represent an "instance" in a stateless way using an "assertion" then that's already possible today.
>
> George
>
> On 8/28/13 12:23 PM, Phil Hunt wrote:
>> George
>>
>> That case can be solved with a simple assertion swap. We just have to profile it.
>>
>> Phil
>>
>> On 2013-08-28, at 9:20, George Fletcher <gffletch@aol.com> wrote:
>>
>>>
>>> On 8/28/13 12:02 PM, Phil Hunt wrote:
>>>> Please define the all in one case. I think this is the edge case and is in fact rare.
>>>>
>>>> I agree, in many cases step 1 can be made by simply approving a class of software. But then step 2 is simplified.
>>>>
>>>> Dyn reg assumes every registration of an instance is unique which to me is a very extreme
>>> If you have a mobile app that needs to do the code flow... which requires a client_secret in order to retrieve the access token and refresh token, how does the app do this without per app instance registration?
>>>
>>> I'd argue that almost all user facing mobile apps will want the above flow and that's not a small, rare edge case.
>>>
>>> Thanks,
>>> George
>>>> position.
>>>>
>>>> Phil
>>>>
>>>> On 2013-08-28, at 8:41, Justin Richer <jricher@mitre.org> wrote:
>>>>
>>>>> Except for the cases where you want step 1 to happen in band. To me, that is a vitally and fundamentally important use case that we can't disregard, and we must have a solution that can accommodate that. The notions of "publisher" and "product" fade very quickly once you get outside of the software vendor world.
>>>>>
>>>>> This is, of course, not to stand in the way of other solutions or approaches (such as something assertion based like you're after). It's not a one-or-the-other proposition, especially when there are mutually exclusive aspects of each.
>>>>>
>>>>> Therefore I once again call for the WG to finish the current dynamic registration spec *AND* pursue the assertion based process that Phil's talking about. They're not mutually exclusive, let's please stop talking about them like they are.
>>>>>
>>>>> -- Justin
>>>>>
>>>>> On 08/28/2013 11:17 AM, Phil Hunt wrote:
>>>>>> Sorry. I meant also to say I think there are 2 registration steps.
>>>>>>
>>>>>> 1. Software registration/approval. This often happens out of band. But in this step policy is defined that approves software for use. Many of the reg params are known here.
>>>>>>
>>>>>> Federation techniques come into play as trust approvals can be based on developer, product or even publisher.
>>>>>>
>>>>>> 2. Each instance associates in a stateless way. Only clients that need credential rotation need more.
>>>>>>
>>>>>> Phil
>>>>>>
>>>>>> On 2013-08-28, at 8:04, Phil Hunt <phil.hunt@oracle.com> wrote:
>>>>>>
>>>>>>> I have a conflict I cannot get out of for 2pacific.
>>>>>>>
>>>>>>> I think a certificate based approach is going to simplify exchanges in all cases. I encourage the group to explore the concept on the call.
>>>>>>>
>>>>>>> I am not sure breaking dyn reg up helps. It creates yet another option. I would like to explore how federation concept in software statements can help with facilitating association and making many reg stateless.
>>>>>>>
>>>>>>> Phil
>>>>>>>
>>>>>>> On 2013-08-28, at 5:43, "Tschofenig, Hannes (NSN - FI/Espoo)" <hannes.tschofenig@nsn.com> wrote:
>>>>>>>
>>>>>>>> Here are the conference bridge / Webex details for the call today.
>>>>>>>> We are going to complete the use case discussions from last time (Phil wasn't able to walk through all slides). Justin was also able to work out a strawman proposal based on the discussions last week and we will have a look at it to see whether this is a suitable compromise. Here is Justin's mail, in case you have missed it: http://www.ietf.org/mail-archive/web/oauth/current/msg12036.html
>>>>>>>>
>>>>>>>> Phil, please feel free to make adjustments to your slides given the Justin's recent proposal.
>>>>>>>>
>>>>>>>> Topic: OAuth Dynamic Client Registration
>>>>>>>> Date: Wednesday, August 28, 2013
>>>>>>>> Time: 2:00 pm, Pacific Daylight Time (San Francisco, GMT-07:00)
>>>>>>>> Meeting Number: 703 230 586
>>>>>>>> Meeting Password: oauth
>>>>>>>>
>>>>>>>> -------------------------------------------------------
>>>>>>>> To join the online meeting
>>>>>>>> -------------------------------------------------------
>>>>>>>> 1. Go to https://nsn.webex.com/nsn/j.php?ED=269567657&UID=0&PW=NNTI1ZWQzMDJk&RT=MiM0
>>>>>>>> 2. Enter your name and email address.
>>>>>>>> 3. Enter the meeting password: oauth
>>>>>>>> 4. Click "Join Now".
>>>>>>>>
>>>>>>>> To view in other time zones or languages, please click the link:
>>>>>>>> https://nsn.webex.com/nsn/j.php?ED=269567657&UID=0&PW=NNTI1ZWQzMDJk&ORT=MiM0
>>>>>>>>
>>>>>>>> To add this meeting to your calendar program (for example Microsoft Outlook), click this link:
>>>>>>>> https://nsn.webex.com/nsn/j.php?ED=269567657&UID=0&ICS=MI&LD=1&RD=2&ST=1&SHA2=C6-AjLGvhdYjmpVdx75M6UsAwrNLMsequ5n95Gyv1R8=&RT=MiM0
>>>>>>>>
>>>>>>>> -------------------------------------------------------
>>>>>>>> To join the teleconference only
>>>>>>>> -------------------------------------------------------
>>>>>>>> Global dial-in Numbers: http://www.nokiasiemensnetworks.com/nvc
>>>>>>>> Conference Code: 944 910 5485
>>>>>>>>
>>>>>>>>
>>>>>>>> _______________________________________________
>>>>>>>> OAuth mailing list
>>>>>>>> OAuth@ietf.org
>>>>>>>> https://www.ietf.org/mailman/listinfo/oauth
>>>>>>> _______________________________________________
>>>>>>> OAuth mailing list
>>>>>>> OAuth@ietf.org
>>>>>>> https://www.ietf.org/mailman/listinfo/oauth
>>>>>> _______________________________________________
>>>>>> OAuth mailing list
>>>>>> OAuth@ietf.org
>>>>>> https://www.ietf.org/mailman/listinfo/oauth
>>>> _______________________________________________
>>>> OAuth mailing list
>>>> OAuth@ietf.org
>>>> https://www.ietf.org/mailman/listinfo/oauth
>>>>
>>>>
>>>
>>> --
>>> <XeC>
>
> --
> <XeC.png>



--Apple-Mail=_F127D2AC-CF13-4306-90AA-E868B327D5E1--

From sberyozkin@gmail.com  Wed Aug 28 09:38:17 2013
Return-Path: <sberyozkin@gmail.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1C92B11E81BD for <oauth@ietfa.amsl.com>; Wed, 28 Aug 2013 09:38:17 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.499
X-Spam-Level: 
X-Spam-Status: No, score=-2.499 tagged_above=-999 required=5 tests=[AWL=0.100,  BAYES_00=-2.599]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id vMuMh8fNts77 for <oauth@ietfa.amsl.com>; Wed, 28 Aug 2013 09:38:14 -0700 (PDT)
Received: from mail-wi0-x22d.google.com (mail-wi0-x22d.google.com [IPv6:2a00:1450:400c:c05::22d]) by ietfa.amsl.com (Postfix) with ESMTP id E7B5011E8197 for <oauth@ietf.org>; Wed, 28 Aug 2013 09:38:12 -0700 (PDT)
Received: by mail-wi0-f173.google.com with SMTP id ey11so3728157wid.12 for <oauth@ietf.org>; Wed, 28 Aug 2013 09:38:10 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=message-id:date:from:user-agent:mime-version:to:subject:references :in-reply-to:content-type:content-transfer-encoding; bh=zQpRFCGu6HnzTVMNWdU8IcJMfE1jSRFRcpoa/emQ3mc=; b=k2732T+YuiBs4j5JymLzz9eX7KkGUPuXq3L8SRpD8Y5TWmi1+cmR6vm9lxhvpGEtHr t+ZuQcgXvzZ507FHk4ywonHSbSDDaHbLyd5BLYlMOQ1CGaXHe5dejyKgsDHMe69+Oxvj 7YKcqtPlxQjU+AIFDmTrjHKEZ6Y0Ze9rMv5rOCDhAPxoq7ibTrKsQanVt4Orkh8c1sAB 7s52RNotNr5k5LO1ygAFN8Rf+cmpOH3KKQKejdELbWATdULgMPfQs4HBZNfqqv+3lvXQ QV9FxkR4ZC+ltvNg4Vop8J3GCnOWm/xR8zdpzlfeOQ3jabluQVn1WYq4x0wxwMkoNT/Y 45fA==
X-Received: by 10.194.240.164 with SMTP id wb4mr3626084wjc.70.1377707890749; Wed, 28 Aug 2013 09:38:10 -0700 (PDT)
Received: from [192.168.2.5] ([89.100.141.107]) by mx.google.com with ESMTPSA id fz8sm6344989wic.0.1969.12.31.16.00.00 (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Wed, 28 Aug 2013 09:38:09 -0700 (PDT)
Message-ID: <521E276F.3010804@gmail.com>
Date: Wed, 28 Aug 2013 17:38:07 +0100
From: Sergey Beryozkin <sberyozkin@gmail.com>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:17.0) Gecko/20130623 Thunderbird/17.0.7
MIME-Version: 1.0
To: oauth@ietf.org
References: <1373E8CE237FCC43BCA36C6558612D2AA28D6A@USCHMBX001.nsn-intra.net> <4D9D4AAD-55F9-4B7E-A56F-5BC42F028E13@oracle.com> <B14A12F5-EF5C-4529-90B7-C30E17958907@oracle.com>	<521E1A34.30204@mitre.org> <BC009D74-FEF3-4827-8C0D-1B2FCCF9DA65@oracle.com> <521E2353.2030904@aol.com> <23dda71eaefa47fb848fd2d6e4cd7499@BY2PR03MB189.namprd03.prod.outlook.com> <521E2657.1060506@aol.com>
In-Reply-To: <521E2657.1060506@aol.com>
Content-Type: text/plain; charset=windows-1252; format=flowed
Content-Transfer-Encoding: 8bit
Subject: Re: [OAUTH-WG] Dynamic Client Registration Conference Call: Wed 28 Aug, 2pm PDT: Conference Bridge Details
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 28 Aug 2013 16:38:17 -0000

On 28/08/13 17:33, George Fletcher wrote:
> So I understand that you'd rather that OAuth doesn't require a
> client_secret and that's fine. However, I don't think we should impose
> that thinking on the rest of the world who have already implemented it
> and have it working and scaling without issues. If the core of this
> discussion is around replacing client_id and client_secret with a
> client_assertion then let's have that discussion separately and not bury
> it in the dynamic registration discussion.
>
> Could you not profile OAuth2 to support a flow that allows for retrieval
> of access and refresh tokens using code + client_assertion? Doesn't seem
> like that hard a profile and then the rest of this could fall out pretty
> easily.
>
That is already supported AFAIK, something like

grant_type=authorization_code
&code=12345678
&client_assertion_type=urn%3Aietf%3Aparams%3Aoauth%3Aclient-assertion-type%3Asaml2-bearer
&client_assertion=Base64UrlEncoded-SAML2-Bearer-Assertion

probably the same works with JWT

Sergey


> Thanks,
> George
>
> On 8/28/13 12:28 PM, Anthony Nadalin wrote:
>>
>> I do think that this is the rare-edge use case, we would not want to
>> require client-secret, we already have that mess today with OAuth and
>> trying not to continue the proliferation, we solve this today with our
>> STS and assertion swaps/transformations, it scales, performs and we
>> don’t have the management debacle this specification creates
>>
>> *From:*oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] *On
>> Behalf Of *George Fletcher
>> *Sent:* Wednesday, August 28, 2013 9:21 AM
>> *To:* Phil Hunt
>> *Cc:* oauth mailing list
>> *Subject:* Re: [OAUTH-WG] Dynamic Client Registration Conference Call:
>> Wed 28 Aug, 2pm PDT: Conference Bridge Details
>>
>> On 8/28/13 12:02 PM, Phil Hunt wrote:
>>
>>     Please define the all in one case. I think this is the edge case and is in fact rare.
>>
>>
>>
>>     I agree, in many cases step 1 can be made by simply approving a class of software. But then step 2 is simplified.
>>
>>
>>
>>     Dyn reg assumes every registration of an instance is unique which to me is a very extreme
>>
>> If you have a mobile app that needs to do the code flow... which
>> requires a client_secret in order to retrieve the access token and
>> refresh token, how does the app do this without per app instance
>> registration?
>>
>> I'd argue that almost all user facing mobile apps will want the above
>> flow and that's not a small, rare edge case.
>>
>> Thanks,
>> George
>>
>>     position.
>>
>>
>>
>>     Phil
>>
>>
>>
>>     On 2013-08-28, at 8:41, Justin Richer<jricher@mitre.org>  <mailto:jricher@mitre.org>  wrote:
>>
>>
>>
>>         Except for the cases where you want step 1 to happen in band. To me, that is a vitally and fundamentally important use case that we can't disregard, and we must have a solution that can accommodate that. The notions of "publisher" and "product" fade very quickly once you get outside of the software vendor world.
>>
>>
>>
>>         This is, of course, not to stand in the way of other solutions or approaches (such as something assertion based like you're after). It's not a one-or-the-other proposition, especially when there are mutually exclusive aspects of each.
>>
>>
>>
>>         Therefore I once again call for the WG to finish the current dynamic registration spec *AND* pursue the assertion based process that Phil's talking about. They're not mutually exclusive, let's please stop talking about them like they are.
>>
>>
>>
>>         -- Justin
>>
>>
>>
>>         On 08/28/2013 11:17 AM, Phil Hunt wrote:
>>
>>             Sorry. I meant also to say I think there are 2 registration steps
>>
>>             1. Software registration/approval. This often happens out of band. But in this step policy is defined that approves software for use. Many of the reg params are known here.
>>
>>
>>
>>             Federation techniques come into play as trust approvals can be based on developer, product or even publisher.
>>
>>
>>
>>             2. Each instance associates in a stateless way. Only clients that need credential rotation need more.
>>
>>
>>
>>             Phil
>>
>>
>>
>>             On 2013-08-28, at 8:04, Phil Hunt<phil.hunt@oracle.com>  <mailto:phil.hunt@oracle.com>  wrote:
>>
>>
>>
>>                 I have a conflict I cannot get out of for 2 Pacific.
>>
>>
>>
>>                 I think a certificate based approach is going to simplify exchanges in all cases. I encourage the group to explore the concept on the call.
>>
>>
>>
>>                 I am not sure breaking dyn reg up helps. It creates yet another option. I would like to explore how federation concept in software statements can help with facilitating association and making many reg stateless.
>>
>>
>>
>>                 Phil
>>
>>
>>
>>                 On 2013-08-28, at 5:43, "Tschofenig, Hannes (NSN - FI/Espoo)"<hannes.tschofenig@nsn.com>  <mailto:hannes.tschofenig@nsn.com>  wrote:
>>
>>
>>
>>                     Here are the conference bridge / Webex details for the call today.
>>
>>                     We are going to complete the use case discussions from last time (Phil wasn't able to walk through all slides). Justin was also able to work out a strawman proposal based on the discussions last week and we will have a look at it to see whether this is a suitable compromise. Here is Justin's mail, in case you have missed it: http://www.ietf.org/mail-archive/web/oauth/current/msg12036.html
>>
>>
>>
>>                     Phil, please feel free to make adjustments to your slides given Justin's recent proposal.
>>
>>
>>
>>                     Topic: OAuth Dynamic Client Registration
>>
>>                     Date: Wednesday, August 28, 2013
>>
>>                     Time: 2:00 pm, Pacific Daylight Time (San Francisco, GMT-07:00)
>>
>>                     Meeting Number: 703 230 586
>>
>>                     Meeting Password: oauth
>>
>>
>>
>>                     -------------------------------------------------------
>>
>>                     To join the online meeting
>>
>>                     -------------------------------------------------------
>>
>>                     1. Go to https://nsn.webex.com/nsn/j.php?ED=269567657&UID=0&PW=NNTI1ZWQzMDJk&RT=MiM0
>>
>>                     2. Enter your name and email address.
>>
>>                     3. Enter the meeting password: oauth
>>
>>                     4. Click "Join Now".
>>
>>
>>
>>                     To view in other time zones or languages, please click the link:
>>
>>                     https://nsn.webex.com/nsn/j.php?ED=269567657&UID=0&PW=NNTI1ZWQzMDJk&ORT=MiM0
>>
>>
>>
>>                     To add this meeting to your calendar program (for example Microsoft Outlook), click this link:
>>
>>                     https://nsn.webex.com/nsn/j.php?ED=269567657&UID=0&ICS=MI&LD=1&RD=2&ST=1&SHA2=C6-AjLGvhdYjmpVdx75M6UsAwrNLMsequ5n95Gyv1R8=&RT=MiM0
>>
>>
>>
>>                     -------------------------------------------------------
>>
>>                     To join the teleconference only
>>
>>                     -------------------------------------------------------
>>
>>                     Global dial-in Numbers: http://www.nokiasiemensnetworks.com/nvc
>>
>>                     Conference Code: 944 910 5485
>>
>>
>>
>>
>>
>>                     _______________________________________________
>>
>>                     OAuth mailing list
>>
>>                     OAuth@ietf.org  <mailto:OAuth@ietf.org>
>>
>>                     https://www.ietf.org/mailman/listinfo/oauth
>>
>>
>>
>>
>>
>>
>> --
>> George Fletcher <http://connect.me/gffletch>
>>
>
> --
> George Fletcher <http://connect.me/gffletch>
>
>
>


-- 
Sergey Beryozkin

Talend Community Coders
http://coders.talend.com/

Blog: http://sberyozkin.blogspot.com
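
Added example, not part of the original message or of any project's code: the token request sketched in the reply above, in its JWT form, together with the checks an authorization server would run before accepting the assertion as client authentication. TOKEN_ENDPOINT, CLIENT_KEYS and the client name are hypothetical; HS256 with a per-client key is an assumption made only to keep the sketch standard-library-only, and the assertion is assumed self-issued (iss and sub both carry the client_id).

```python
import base64, hashlib, hmac, json
from urllib.parse import parse_qs, urlencode

JWT_BEARER = "urn:ietf:params:oauth:client-assertion-type:jwt-bearer"
TOKEN_ENDPOINT = "https://as.example.com/token"              # hypothetical AS endpoint
CLIENT_KEYS = {"app-instance-42": b"constructed-demo-key"}   # constructed registry


class InvalidClient(Exception):
    """Maps to the OAuth 2.0 'invalid_client' error response."""


def b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign(key, signing_input):
    return hmac.new(key, signing_input.encode(), hashlib.sha256).digest()


def make_assertion(client_id, key, now, jti, aud=TOKEN_ENDPOINT, alg="HS256"):
    """Client side: a short-lived, single-use JWT naming the client and the AS."""
    header = b64url(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    claims = b64url(json.dumps({"iss": client_id, "sub": client_id, "aud": aud,
                                "exp": now + 300, "jti": jti}).encode())
    signing_input = f"{header}.{claims}"
    return f"{signing_input}.{b64url(sign(key, signing_input))}"


def build_token_request(code, assertion, assertion_type=JWT_BEARER, extra=None):
    """Client side: form body for the code exchange, with no client_secret."""
    fields = {"grant_type": "authorization_code", "code": code,
              "client_assertion_type": assertion_type,
              "client_assertion": assertion}
    fields.update(extra or {})
    return urlencode(fields)


def authenticate_client(body, now, seen_jti):
    """Server side: return the authenticated client_id or raise InvalidClient."""
    try:
        raw = parse_qs(body, strict_parsing=True)
    except ValueError:
        raise InvalidClient("malformed request body")
    if any(len(values) != 1 for values in raw.values()):
        raise InvalidClient("repeated parameter")
    params = {name: values[0] for name, values in raw.items()}
    if "client_secret" in params:
        raise InvalidClient("more than one client authentication method")
    if params.get("client_assertion_type") != JWT_BEARER:
        raise InvalidClient("unsupported client_assertion_type")
    try:
        h64, c64, s64 = params["client_assertion"].split(".")
        header = json.loads(b64url_decode(h64))
        claims = json.loads(b64url_decode(c64))
        signature = b64url_decode(s64)
    except (KeyError, ValueError):
        raise InvalidClient("malformed assertion")
    if not (isinstance(header, dict) and isinstance(claims, dict)):
        raise InvalidClient("malformed assertion")
    if header.get("alg") != "HS256":        # pin the algorithm, never trust the header
        raise InvalidClient("unexpected alg")
    client_id = claims.get("sub")
    key = CLIENT_KEYS.get(client_id) if isinstance(client_id, str) else None
    if key is None or claims.get("iss") != client_id:
        raise InvalidClient("unknown client")
    if not hmac.compare_digest(sign(key, f"{h64}.{c64}"), signature):
        raise InvalidClient("bad signature")
    if claims.get("aud") != TOKEN_ENDPOINT:  # assertion minted for another server
        raise InvalidClient("wrong audience")
    exp = claims.get("exp")
    if not isinstance(exp, int) or exp <= now:
        raise InvalidClient("expired")
    jti = claims.get("jti")
    if not isinstance(jti, str) or (client_id, jti) in seen_jti:
        raise InvalidClient("replayed assertion")
    seen_jti.add((client_id, jti))           # remember until exp in a real store
    return client_id


def outcome(body, now, seen_jti):
    """Convenience wrapper: client_id on success, error string on rejection."""
    try:
        return authenticate_client(body, now, seen_jti)
    except InvalidClient as err:
        return f"invalid_client: {err}"
```

The audience and jti checks are what stop an assertion captured at one server, or from one request, from being presented again elsewhere.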

From jricher@mitre.org  Wed Aug 28 09:39:45 2013
Return-Path: <jricher@mitre.org>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 684A521F8DA3 for <oauth@ietfa.amsl.com>; Wed, 28 Aug 2013 09:39:45 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.491
X-Spam-Level: 
X-Spam-Status: No, score=-6.491 tagged_above=-999 required=5 tests=[AWL=0.107,  BAYES_00=-2.599, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id AjBKesOII64c for <oauth@ietfa.amsl.com>; Wed, 28 Aug 2013 09:39:40 -0700 (PDT)
Received: from smtpksrv1.mitre.org (smtpksrv1.mitre.org [198.49.146.77]) by ietfa.amsl.com (Postfix) with ESMTP id 8D69411E8194 for <oauth@ietf.org>; Wed, 28 Aug 2013 09:39:40 -0700 (PDT)
Received: from smtpksrv1.mitre.org (localhost.localdomain [127.0.0.1]) by localhost (Postfix) with SMTP id 1B5C01F092E; Wed, 28 Aug 2013 12:39:38 -0400 (EDT)
Received: from IMCCAS01.MITRE.ORG (imccas01.mitre.org [129.83.29.78]) by smtpksrv1.mitre.org (Postfix) with ESMTP id F343A1F072D; Wed, 28 Aug 2013 12:39:37 -0400 (EDT)
Received: from [10.146.15.13] (129.83.31.56) by IMCCAS01.MITRE.ORG (129.83.29.78) with Microsoft SMTP Server (TLS) id 14.2.342.3; Wed, 28 Aug 2013 12:39:37 -0400
Message-ID: <521E27BF.3030408@mitre.org>
Date: Wed, 28 Aug 2013 12:39:27 -0400
From: Justin Richer <jricher@mitre.org>
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:17.0) Gecko/20130623 Thunderbird/17.0.7
MIME-Version: 1.0
To: Phil Hunt <phil.hunt@oracle.com>
References: <1373E8CE237FCC43BCA36C6558612D2AA28D6A@USCHMBX001.nsn-intra.net> <4D9D4AAD-55F9-4B7E-A56F-5BC42F028E13@oracle.com> <B14A12F5-EF5C-4529-90B7-C30E17958907@oracle.com> <521E1A34.30204@mitre.org> <BC009D74-FEF3-4827-8C0D-1B2FCCF9DA65@oracle.com> <521E2353.2030904@aol.com> <C7CBA9A2-92F5-4AE3-8AEE-1259B6635DD9@oracle.com> <521E256A.60908@aol.com> <9F232504-FC58-41FD-B040-31F898034AD2@oracle.com>
In-Reply-To: <9F232504-FC58-41FD-B040-31F898034AD2@oracle.com>
Content-Type: multipart/alternative; boundary="------------050106050507040903030700"
X-Originating-IP: [129.83.31.56]
Cc: oauth mailing list <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Dynamic Client Registration Conference Call: Wed 28 Aug, 2pm PDT: Conference Bridge Details
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 28 Aug 2013 16:39:45 -0000

--------------050106050507040903030700
Content-Type: text/plain; charset="ISO-8859-1"; format=flowed
Content-Transfer-Encoding: 7bit

The initial_access_token doesn't assume that it's from the local domain. 
It merely assumes that the authorization server accepts the token, which 
would be true in the UMA case due to the federation. It could also be 
the exact same kinds of mechanisms that the software statement would use 
to achieve federation.

I still don't see how an auth server is going to know about a client's 
configuration state with the assertion swap method, since there's no 
defined mechanism for sending a JWT assertion to the authorization 
endpoint.

  -- Justin

On 08/28/2013 12:35 PM, Phil Hunt wrote:
> George,
>
> It would be reasonable for a client to submit an assertion, and obtain 
> its own client assertion in return.  This is very close to what is 
> happening per 2.1, 2.2 of 
> http://tools.ietf.org/html/draft-ietf-oauth-jwt-bearer-06
>
> In this case, the Software Statement is an authorization that is 
> exchanged for a client assertion in return. Then the clients 
> authenticate per section 2.2 of the JWT spec.
>
> Regarding initial_access_token.  This does have some of the 
> characteristics I am speaking of. But it is unspecified and the 
> assumption is that it is issued by the local domain.  This doesn't 
> work in the UMA case because that's more like a federated model. Thus 
> the specified software statement works because the AS can approve the 
> client software based on name, and/or developer, and/or publisher -- 
> whatever trust requires.
>
> Phil
>
> @independentid
> www.independentid.com <http://www.independentid.com>
> phil.hunt@oracle.com <mailto:phil.hunt@oracle.com>
>
>
>
>
>
>
>
> On 2013-08-28, at 9:29 AM, George Fletcher <gffletch@aol.com 
> <mailto:gffletch@aol.com>> wrote:
>
>> I can't say I understand what you mean by a simple assertion swap... 
>> but if you are wanting to use a client_assertion flow instead of the 
>> code flow then that's something completely different. If you are 
>> saying that you want the client_id to represent an "instance" in a 
>> stateless way using an "assertion" then that's already possible today.
>>
>> George
>>
>> On 8/28/13 12:23 PM, Phil Hunt wrote:
>>> George
>>>
>>> That case can be solved with a simple assertion swap. We just have 
>>> to profile it.
>>>
>>> Phil
>>>
>>> On 2013-08-28, at 9:20, George Fletcher <gffletch@aol.com 
>>> <mailto:gffletch@aol.com>> wrote:
>>>
>>>>
>>>> On 8/28/13 12:02 PM, Phil Hunt wrote:
>>>>> Please define the all in one case. I think this is the edge case and is in fact rare.
>>>>>
>>>>> I agree, in many cases step 1 can be made by simply approving a class of software. But then step 2 is simplified.
>>>>>
>>>>> Dyn reg assumes every registration of an instance is unique which to me is a very extreme
>>>> If you have a mobile app that needs to do the code flow... which 
>>>> requires a client_secret in order to retrieve the access token and 
>>>> refresh token, how does the app do this without per app instance 
>>>> registration?
>>>>
>>>> I'd argue that almost all user facing mobile apps will want the 
>>>> above flow and that's not a small, rare edge case.
>>>>
>>>> Thanks,
>>>> George
>>>>> position.
>>>>>
>>>>> Phil
>>>>>
>>>>> On 2013-08-28, at 8:41, Justin Richer<jricher@mitre.org>  wrote:
>>>>>
>>>>>> Except for the cases where you want step 1 to happen in band. To me, that is a vitally and fundamentally important use case that we can't disregard, and we must have a solution that can accommodate that. The notions of "publisher" and "product" fade very quickly once you get outside of the software vendor world.
>>>>>>
>>>>>> This is, of course, not to stand in the way of other solutions or approaches (such as something assertion based like you're after). It's not a one-or-the-other proposition, especially when there are mutually exclusive aspects of each.
>>>>>>
>>>>>> Therefore I once again call for the WG to finish the current dynamic registration spec *AND* pursue the assertion based process that Phil's talking about. They're not mutually exclusive, let's please stop talking about them like they are.
>>>>>>
>>>>>> -- Justin
>>>>>>
>>>>>> On 08/28/2013 11:17 AM, Phil Hunt wrote:
>>>>>>> Sorry. I meant also to say I think there are 2 registration steps.
>>>>>>>
>>>>>>> 1. Software registration/approval. This often happens out of band. But in this step policy is defined that approves software for use. Many of the reg params are known here.
>>>>>>>
>>>>>>> Federation techniques come into play as trust approvals can be based on developer, product or even publisher.
>>>>>>>
>>>>>>> 2. Each instance associates in a stateless way. Only clients that need credential rotation need more.
>>>>>>>
>>>>>>> Phil
>>>>>>>
>>>>>>> On 2013-08-28, at 8:04, Phil Hunt<phil.hunt@oracle.com>  wrote:
>>>>>>>
>>>>>>>> I have a conflict I cannot get out of for 2 Pacific.
>>>>>>>>
>>>>>>>> I think a certificate based approach is going to simplify exchanges in all cases. I encourage the group to explore the concept on the call.
>>>>>>>>
>>>>>>>> I am not sure breaking dyn reg up helps. It creates yet another option. I would like to explore how federation concept in software statements can help with facilitating association and making many reg stateless.
>>>>>>>>
>>>>>>>> Phil
>>>>>>>>
>>>>>>>> On 2013-08-28, at 5:43, "Tschofenig, Hannes (NSN - FI/Espoo)"<hannes.tschofenig@nsn.com>  wrote:
>>>>>>>>
>>>>>>>>> Here are the conference bridge / Webex details for the call today.
>>>>>>>>> We are going to complete the use case discussions from last time (Phil wasn't able to walk through all slides). Justin was also able to work out a strawman proposal based on the discussions last week and we will have a look at it to see whether this is a suitable compromise. Here is Justin's mail, in case you have missed it: http://www.ietf.org/mail-archive/web/oauth/current/msg12036.html
>>>>>>>>>
>>>>>>>>> Phil, please feel free to make adjustments to your slides given Justin's recent proposal.
>>>>>>>>>
>>>>>>>>> Topic: OAuth Dynamic Client Registration
>>>>>>>>> Date: Wednesday, August 28, 2013
>>>>>>>>> Time: 2:00 pm, Pacific Daylight Time (San Francisco, GMT-07:00)
>>>>>>>>> Meeting Number: 703 230 586
>>>>>>>>> Meeting Password: oauth
>>>>>>>>>
>>>>>>>>> -------------------------------------------------------
>>>>>>>>> To join the online meeting
>>>>>>>>> -------------------------------------------------------
>>>>>>>>> 1. Go to https://nsn.webex.com/nsn/j.php?ED=269567657&UID=0&PW=NNTI1ZWQzMDJk&RT=MiM0
>>>>>>>>> 2. Enter your name and email address.
>>>>>>>>> 3. Enter the meeting password: oauth
>>>>>>>>> 4. Click "Join Now".
>>>>>>>>>
>>>>>>>>> To view in other time zones or languages, please click the link:
>>>>>>>>> https://nsn.webex.com/nsn/j.php?ED=269567657&UID=0&PW=NNTI1ZWQzMDJk&ORT=MiM0
>>>>>>>>>
>>>>>>>>> To add this meeting to your calendar program (for example Microsoft Outlook), click this link:
>>>>>>>>> https://nsn.webex.com/nsn/j.php?ED=269567657&UID=0&ICS=MI&LD=1&RD=2&ST=1&SHA2=C6-AjLGvhdYjmpVdx75M6UsAwrNLMsequ5n95Gyv1R8=&RT=MiM0
>>>>>>>>>
>>>>>>>>> -------------------------------------------------------
>>>>>>>>> To join the teleconference only
>>>>>>>>> -------------------------------------------------------
>>>>>>>>> Global dial-in Numbers: http://www.nokiasiemensnetworks.com/nvc
>>>>>>>>> Conference Code: 944 910 5485
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> _______________________________________________
>>>>>>>>> OAuth mailing list
>>>>>>>>> OAuth@ietf.org
>>>>>>>>> https://www.ietf.org/mailman/listinfo/oauth
>>>>>
>>>>>
>>>>
>>>> -- 
>>>> <XeC> <http://connect.me/gffletch>
>>
>> -- 
>> <XeC.png> <http://connect.me/gffletch>
>


--------------050106050507040903030700
Content-Type: text/html; charset="ISO-8859-1"
Content-Transfer-Encoding: 7bit

<html>
  <head>
    <meta content="text/html; charset=ISO-8859-1"
      http-equiv="Content-Type">
  </head>
  <body bgcolor="#FFFFFF" text="#000000">
    The initial_access_token doesn't assume that it's from the local
    domain. It merely assumes that the authorization server accepts the
    token, which would be true in the UMA case due to the federation. It
    could also be the exact same kinds of mechanisms that the software
    statement would use to achieve federation.<br>
    <br>
    I still don't see how an auth server is going to know about a
    client's configuration state with the assertion swap method, since
    there's no defined mechanism for sending a JWT assertion to the
    authorization endpoint. <br>
    <br>
    &nbsp;-- Justin<br>
    <br>
    <div class="moz-cite-prefix">On 08/28/2013 12:35 PM, Phil Hunt
      wrote:<br>
    </div>
    <blockquote
      cite="mid:9F232504-FC58-41FD-B040-31F898034AD2@oracle.com"
      type="cite">
      <meta http-equiv="Content-Type" content="text/html;
        charset=ISO-8859-1">
      George,
      <div><br>
      </div>
      <div>It would be reasonable for a client to submit an assertion,
        and obtain its own client assertion in return. &nbsp;This is very
        close to what is happening per 2.1, 2.2 of&nbsp;<a
          moz-do-not-send="true"
          href="http://tools.ietf.org/html/draft-ietf-oauth-jwt-bearer-06">http://tools.ietf.org/html/draft-ietf-oauth-jwt-bearer-06</a></div>
      <div><br>
      </div>
      <div>In this case, the Software Statement is an authorization that
        is exchanged for a client assertion in return. Then the clients
        authenticate per section 2.2 of the JWT spec.</div>
      <div><br>
      </div>
      <div>Regarding initial_access_token. &nbsp;This does have some of the
        characteristics I am speaking of. But it is unspecified and the
        assumption is that it is issued by the local domain. &nbsp;This
        doesn't work in the UMA case because that's more like a
        federated model. Thus the specified software statement works
        because the AS can approve the client software based on name,
        and/or developer, and/or publisher -- whatever trust requires.</div>
      <div><br>
        <div apple-content-edited="true">
          <div>Phil</div>
          <div><br>
          </div>
          <div>@independentid</div>
          <div><a moz-do-not-send="true"
              href="http://www.independentid.com">www.independentid.com</a></div>
          <div><a moz-do-not-send="true"
              href="mailto:phil.hunt@oracle.com">phil.hunt@oracle.com</a></div>
        </div>
        <br>
        <div>
          <div>On 2013-08-28, at 9:29 AM, George Fletcher &lt;<a
              moz-do-not-send="true" href="mailto:gffletch@aol.com">gffletch@aol.com</a>&gt;
            wrote:</div>
          <br class="Apple-interchange-newline">
          <blockquote type="cite">
            <div bgcolor="#FFFFFF" text="#000000"> <font
                face="Helvetica, Arial, sans-serif">I can't say I
                understand what you mean by a simple assertion swap...
                but if you are wanting to use a client_assertion flow
                instead of the code flow then that's something
                completely different. If you are saying that you want
                the client_id to represent an "instance" in a stateless
                way using an "assertion" then that's already possible
                today.<br>
                <br>
                George<br>
                <br>
              </font>
              <div class="moz-cite-prefix">On 8/28/13 12:23 PM, Phil
                Hunt wrote:<br>
              </div>
              <blockquote
                cite="mid:C7CBA9A2-92F5-4AE3-8AEE-1259B6635DD9@oracle.com"
                type="cite">
                <div>George</div>
                <div><br>
                </div>
                <div>That case can be solved with a simple assertion
                  swap. We just have to profile it.&nbsp;<br>
                  <br>
                  Phil</div>
                <div><br>
                  On 2013-08-28, at 9:20, George Fletcher &lt;<a
                    moz-do-not-send="true"
                    href="mailto:gffletch@aol.com">gffletch@aol.com</a>&gt;

                  wrote:<br>
                  <br>
                </div>
                <blockquote type="cite">
                  <div> <br>
                    <div class="moz-cite-prefix">On 8/28/13 12:02 PM,
                      Phil Hunt wrote:<br>
                    </div>
                    <blockquote
                      cite="mid:BC009D74-FEF3-4827-8C0D-1B2FCCF9DA65@oracle.com"
                      type="cite">
                      <pre wrap="">Please define the all in one case. I think this is the edge case and is in fact rare. 

I agree, in many cases step 1 can be made by simply approving a class of software. But then step 2 is simplified. 

Dyn reg assumes every registration of an instance is unique which to me is a very extreme </pre>
                    </blockquote>
                    If you have a mobile app that needs to do the code
                    flow... which requires a client_secret in order to
                    retrieve the access token and refresh token, how
                    does the app do this without per app instance
                    registration? <br>
                    <br>
                    I'd argue that almost all user facing mobile apps
                    will want the above flow and that's not a small,
                    rare edge case.<br>
                    <br>
                    Thanks,<br>
                    George<br>
                    <blockquote
                      cite="mid:BC009D74-FEF3-4827-8C0D-1B2FCCF9DA65@oracle.com"
                      type="cite">
                      <pre wrap="">position. 

Phil

On 2013-08-28, at 8:41, Justin Richer <a moz-do-not-send="true" class="moz-txt-link-rfc2396E" href="mailto:jricher@mitre.org">&lt;jricher@mitre.org&gt;</a> wrote:

</pre>
                      <blockquote type="cite">
                        <pre wrap="">Except for the cases where you want step 1 to happen in band. To me, that is a vitally and fundamentally important use case that we can't disregard, and we must have a solution that can accommodate that. The notions of "publisher" and "product" fade very quickly once you get outside of the software vendor world.

This is, of course, not to stand in the way of other solutions or approaches (such as something assertion based like you're after). It's not a one-or-the-other proposition, especially when there are mutually exclusive aspects of each.

Therefore I once again call for the WG to finish the current dynamic registration spec *AND* pursue the assertion based process that Phil's talking about. They're not mutually exclusive, let's please stop talking about them like they are.

-- Justin

On 08/28/2013 11:17 AM, Phil Hunt wrote:
</pre>
                        <blockquote type="cite">
                          <pre wrap="">Sorry. I meant also to say I think there are 2 registration steps.

1. Software registration/approval. This often happens out of band. But in this step policy is defined that approves software for use. Many of the reg params are known here.

Federation techniques come into play as trust approvals can be based on developer, product or even publisher.

2. Each instance associates in a stateless way. Only clients that need credential rotation need more.

Phil

On 2013-08-28, at 8:04, Phil Hunt <a moz-do-not-send="true" class="moz-txt-link-rfc2396E" href="mailto:phil.hunt@oracle.com">&lt;phil.hunt@oracle.com&gt;</a> wrote:

</pre>
                          <blockquote type="cite">
                            <pre wrap="">I have a conflict I cannot get out of for 2pacific.

I think a certificate based approach is going to simplify exchanges in all cases. I encourage the group to explore the concept on the call.

I am not sure breaking dyn reg up helps. It creates yet another option. I would like to explore how federation concept in software statements can help with facilitating association and making many reg stateless.

Phil

On 2013-08-28, at 5:43, "Tschofenig, Hannes (NSN - FI/Espoo)" <a moz-do-not-send="true" class="moz-txt-link-rfc2396E" href="mailto:hannes.tschofenig@nsn.com">&lt;hannes.tschofenig@nsn.com&gt;</a> wrote:

</pre>
                            <blockquote type="cite">
                              <pre wrap="">Here are the conference bridge / Webex details for the call today.
We are going to complete the use case discussions from last time (Phil wasn't able to walk through all slides). Justin was also able to work out a strawman proposal based on the discussions last week and we will have a look at it to see whether this is a suitable compromise. Here is Justin's mail, in case you have missed it: <a moz-do-not-send="true" class="moz-txt-link-freetext" href="http://www.ietf.org/mail-archive/web/oauth/current/msg12036.html">http://www.ietf.org/mail-archive/web/oauth/current/msg12036.html</a>

Phil, please feel free to make adjustments to your slides given Justin's recent proposal.

Topic: OAuth Dynamic Client Registration
Date: Wednesday, August 28, 2013
Time: 2:00 pm, Pacific Daylight Time (San Francisco, GMT-07:00)
Meeting Number: 703 230 586
Meeting Password: oauth

-------------------------------------------------------
To join the online meeting
-------------------------------------------------------
1. Go to <a moz-do-not-send="true" class="moz-txt-link-freetext" href="https://nsn.webex.com/nsn/j.php?ED=269567657&amp;UID=0&amp;PW=NNTI1ZWQzMDJk&amp;RT=MiM0">https://nsn.webex.com/nsn/j.php?ED=269567657&amp;UID=0&amp;PW=NNTI1ZWQzMDJk&amp;RT=MiM0</a>
2. Enter your name and email address.
3. Enter the meeting password: oauth
4. Click "Join Now".

To view in other time zones or languages, please click the link:
<a moz-do-not-send="true" class="moz-txt-link-freetext" href="https://nsn.webex.com/nsn/j.php?ED=269567657&amp;UID=0&amp;PW=NNTI1ZWQzMDJk&amp;ORT=MiM0">https://nsn.webex.com/nsn/j.php?ED=269567657&amp;UID=0&amp;PW=NNTI1ZWQzMDJk&amp;ORT=MiM0</a>

To add this meeting to your calendar program (for example Microsoft Outlook), click this link:
<a moz-do-not-send="true" class="moz-txt-link-freetext" href="https://nsn.webex.com/nsn/j.php?ED=269567657&amp;UID=0&amp;ICS=MI&amp;LD=1&amp;RD=2&amp;ST=1&amp;SHA2=C6-AjLGvhdYjmpVdx75M6UsAwrNLMsequ5n95Gyv1R8=&amp;RT=MiM0">https://nsn.webex.com/nsn/j.php?ED=269567657&amp;UID=0&amp;ICS=MI&amp;LD=1&amp;RD=2&amp;ST=1&amp;SHA2=C6-AjLGvhdYjmpVdx75M6UsAwrNLMsequ5n95Gyv1R8=&amp;RT=MiM0</a>

-------------------------------------------------------
To join the teleconference only
-------------------------------------------------------
Global dial-in Numbers: <a moz-do-not-send="true" class="moz-txt-link-freetext" href="http://www.nokiasiemensnetworks.com/nvc">http://www.nokiasiemensnetworks.com/nvc</a>
Conference Code: 944 910 5485


_______________________________________________
OAuth mailing list
<a moz-do-not-send="true" class="moz-txt-link-abbreviated" href="mailto:OAuth@ietf.org">OAuth@ietf.org</a>
<a moz-do-not-send="true" class="moz-txt-link-freetext" href="https://www.ietf.org/mailman/listinfo/oauth">https://www.ietf.org/mailman/listinfo/oauth</a>
</pre>
                            </blockquote>
                          </blockquote>
                        </blockquote>
                      </blockquote>
                    </blockquote>
                    <br>
                    <div class="moz-signature">-- <br>
                      <a moz-do-not-send="true"
                        href="http://connect.me/gffletch" title="View
                        full card on Connect.Me">&lt;XeC&gt;</a></div>
                  </div>
                </blockquote>
              </blockquote>
              <br>
              <div class="moz-signature">-- <br>
                <a moz-do-not-send="true"
                  href="http://connect.me/gffletch" title="View full
                  card on Connect.Me"><span>&lt;XeC.png&gt;</span></a></div>
            </div>
          </blockquote>
        </div>
        <br>
      </div>
    </blockquote>
    <br>
  </body>
</html>

--------------050106050507040903030700--

From jricher@mitre.org  Wed Aug 28 09:41:39 2013
Return-Path: <jricher@mitre.org>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CC33421F9E6A for <oauth@ietfa.amsl.com>; Wed, 28 Aug 2013 09:41:39 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.494
X-Spam-Level: 
X-Spam-Status: No, score=-6.494 tagged_above=-999 required=5 tests=[AWL=0.105,  BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id bHbjyJkXpM9l for <oauth@ietfa.amsl.com>; Wed, 28 Aug 2013 09:41:35 -0700 (PDT)
Received: from smtpksrv1.mitre.org (smtpksrv1.mitre.org [198.49.146.77]) by ietfa.amsl.com (Postfix) with ESMTP id 2B8FA21F9B94 for <oauth@ietf.org>; Wed, 28 Aug 2013 09:41:35 -0700 (PDT)
Received: from smtpksrv1.mitre.org (localhost.localdomain [127.0.0.1]) by localhost (Postfix) with SMTP id C52AD1F072D; Wed, 28 Aug 2013 12:41:34 -0400 (EDT)
Received: from IMCCAS03.MITRE.ORG (imccas03.mitre.org [129.83.29.80]) by smtpksrv1.mitre.org (Postfix) with ESMTP id AE2CC1F02CD; Wed, 28 Aug 2013 12:41:34 -0400 (EDT)
Received: from [10.146.15.13] (129.83.31.56) by IMCCAS03.MITRE.ORG (129.83.29.80) with Microsoft SMTP Server (TLS) id 14.2.342.3; Wed, 28 Aug 2013 12:41:34 -0400
Message-ID: <521E2834.4010102@mitre.org>
Date: Wed, 28 Aug 2013 12:41:24 -0400
From: Justin Richer <jricher@mitre.org>
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:17.0) Gecko/20130623 Thunderbird/17.0.7
MIME-Version: 1.0
To: Sergey Beryozkin <sberyozkin@gmail.com>
References: <1373E8CE237FCC43BCA36C6558612D2AA28D6A@USCHMBX001.nsn-intra.net> <4D9D4AAD-55F9-4B7E-A56F-5BC42F028E13@oracle.com> <B14A12F5-EF5C-4529-90B7-C30E17958907@oracle.com>	<521E1A34.30204@mitre.org> <BC009D74-FEF3-4827-8C0D-1B2FCCF9DA65@oracle.com> <521E2353.2030904@aol.com> <23dda71eaefa47fb848fd2d6e4cd7499@BY2PR03MB189.namprd03.prod.outlook.com> <521E2657.1060506@aol.com> <521E276F.3010804@gmail.com>
In-Reply-To: <521E276F.3010804@gmail.com>
Content-Type: text/plain; charset="windows-1252"; format=flowed
Content-Transfer-Encoding: 8bit
X-Originating-IP: [129.83.31.56]
Cc: oauth@ietf.org
Subject: Re: [OAUTH-WG] Dynamic Client Registration Conference Call: Wed 28 Aug, 2pm PDT: Conference Bridge Details
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 28 Aug 2013 16:41:39 -0000

Yes, that already works. And you could accomplish that with the current 
dynamic registration spec, too -- it's just that client assertions were 
deemed too-underspecified to include in the base draft, and nobody's 
stepped up to offer a full writeup and extension of using other auth 
mechanisms (outside of OpenID Connect).

  -- Justin

On 08/28/2013 12:38 PM, Sergey Beryozkin wrote:
> On 28/08/13 17:33, George Fletcher wrote:
>> So I understand that you'd rather that OAuth doesn't require a
>> client_secret and that's fine. However, I don't think we should impose
>> that thinking on the rest of the world who have already implemented it
>> and have it working and scaling without issues. If the core of this
>> discussion is around replacing client_id and client_secret with a
>> client_assertion then let's have that discussion separately and not bury
>> it in the dynamic registration discussion.
>>
>> Could you not profile OAuth2 to support a flow that allows for retrieval
>> of access and refresh tokens using code + client_assertion? Doesn't seem
>> like that hard a profile and then the rest of this could fall out pretty
>> easily.
>>
> That is already supported AFAIK, something like
>
> grant_type=authorization_code
> &code=12345678
> &client_assertion_type=urn%3Aietf%3Aparams%3Aoauth%3Aclient-assertion-type%3Asaml2-bearer
> &client_assertion=Base64UrlEncoded-SAML2-Bearer-Assertion
>
> probably the same works with JWT
>
> Sergey
>
>
>> Thanks,
>> George
>>
>> On 8/28/13 12:28 PM, Anthony Nadalin wrote:
>>>
>>> I do think that this is the rare-edge use case, we would not want
>>> to require client-secret, we already have that mess today with OAuth and
>>> trying not to continue the proliferation, we solve this today with our
>>> STS and assertion swaps/transformations, it scales, performs and we
>>> don’t have the management debacle this specification creates
>>>
>>> *From:*oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] *On
>>> Behalf Of *George Fletcher
>>> *Sent:* Wednesday, August 28, 2013 9:21 AM
>>> *To:* Phil Hunt
>>> *Cc:* oauth mailing list
>>> *Subject:* Re: [OAUTH-WG] Dynamic Client Registration Conference Call:
>>> Wed 28 Aug, 2pm PDT: Conference Bridge Details
>>>
>>> On 8/28/13 12:02 PM, Phil Hunt wrote:
>>>
>>>     Please define the all in one case. I think this is the edge case 
>>> and is in fact rare.
>>>
>>>
>>>
>>>     I agree, in many cases step 1 can be made by simply approving a 
>>> class of software. But then step 2 is simplified.
>>>
>>>
>>>
>>>     Dyn reg assumes every registration of an instance is unique 
>>> which to me is a very extreme
>>>
>>> If you have a mobile app that needs to do the code flow... which
>>> requires a client_secret in order to retrieve the access token and
>>> refresh token, how does the app do this without per app instance
>>> registration?
>>>
>>> I'd argue that almost all user facing mobile apps will want the above
>>> flow and that's not a small, rare edge case.
>>>
>>> Thanks,
>>> George
>>>
>>>     position.
>>>
>>>
>>>
>>>     Phil
>>>
>>>
>>>
>>>     On 2013-08-28, at 8:41, Justin Richer<jricher@mitre.org> 
>>> <mailto:jricher@mitre.org>  wrote:
>>>
>>>
>>>
>>>         Except for the cases where you want step 1 to happen in 
>>> band. To me, that is a vitally and fundamentally important use case 
>>> that we can't disregard, and we must have a solution that can 
>>> accommodate that. The notions of "publisher" and "product" fade very 
>>> quickly once you get outside of the software vendor world.
>>>
>>>
>>>
>>>         This is, of course, not to stand in the way of other 
>>> solutions or approaches (such as something assertion based like 
>>> you're after). It's not a one-or-the-other proposition, especially 
>>> when there are mutually exclusive aspects of each.
>>>
>>>
>>>
>>>         Therefore I once again call for the WG to finish the current 
>>> dynamic registration spec *AND* pursue the assertion based process 
>>> that Phil's talking about. They're not mutually exclusive, let's 
>>> please stop talking about them like they are.
>>>
>>>
>>>
>>>         -- Justin
>>>
>>>
>>>
>>>         On 08/28/2013 11:17 AM, Phil Hunt wrote:
>>>
>>>             Sorry. I meant also to say I think there are 2 
>>> registration steps
>>>
>>>             1. Software registration/approval. This often happens 
>>> out of band. But in this step policy is defined that approves 
>>> software for use. Many of the reg params are known here.
>>>
>>>
>>>
>>>             Federation techniques come into play as trust approvals 
>>> can be based on developer, product or even publisher.
>>>
>>>
>>>
>>>             2. Each instance associates in a stateless way. Only 
>>> clients that need credential rotation need more.
>>>
>>>
>>>
>>>             Phil
>>>
>>>
>>>
>>>             On 2013-08-28, at 8:04, Phil Hunt<phil.hunt@oracle.com> 
>>> <mailto:phil.hunt@oracle.com>  wrote:
>>>
>>>
>>>
>>>                 I have a conflict I cannot get out of for 2pacific.
>>>
>>>
>>>
>>>                 I think a certificate based approach is going to 
>>> simplify exchanges in all cases. I encourage the group to explore 
>>> the concept on the call.
>>>
>>>
>>>
>>>                 I am not sure breaking dyn reg up helps. It creates 
>>> yet another option. I would like to explore how federation concept 
>>> in software statements can help with facilitating association and 
>>> making many reg stateless.
>>>
>>>
>>>
>>>                 Phil
>>>
>>>
>>>
>>>                 On 2013-08-28, at 5:43, "Tschofenig, Hannes (NSN - 
>>> FI/Espoo)"<hannes.tschofenig@nsn.com> 
>>> <mailto:hannes.tschofenig@nsn.com>  wrote:
>>>
>>>
>>>
>>>                     Here are the conference bridge / Webex details 
>>> for the call today.
>>>
>>>                     We are going to complete the use case 
>>> discussions from last time (Phil wasn't able to walk through all 
>>> slides). Justin was also able to work out a strawman proposal based 
>>> on the discussions last week and we will have a look at it to see 
>>> whether this is a suitable compromise. Here is Justin's mail, in 
>>> case you have missed 
>>> it: http://www.ietf.org/mail-archive/web/oauth/current/msg12036.html
>>>
>>>
>>>
>>>                     Phil, please feel free to make adjustments to 
>>> your slides given Justin's recent proposal.
>>>
>>>
>>>
>>>                     Topic: OAuth Dynamic Client Registration
>>>
>>>                     Date: Wednesday, August 28, 2013
>>>
>>>                     Time: 2:00 pm, Pacific Daylight Time (San 
>>> Francisco, GMT-07:00)
>>>
>>>                     Meeting Number: 703 230 586
>>>
>>>                     Meeting Password: oauth
>>>
>>>
>>>
>>> -------------------------------------------------------
>>>
>>>                     To join the online meeting
>>>
>>> -------------------------------------------------------
>>>
>>>                     1. Go 
>>> to https://nsn.webex.com/nsn/j.php?ED=269567657&UID=0&PW=NNTI1ZWQzMDJk&RT=MiM0
>>>
>>>                     2. Enter your name and email address.
>>>
>>>                     3. Enter the meeting password: oauth
>>>
>>>                     4. Click "Join Now".
>>>
>>>
>>>
>>>                     To view in other time zones or languages, please 
>>> click the link:
>>>
>>> https://nsn.webex.com/nsn/j.php?ED=269567657&UID=0&PW=NNTI1ZWQzMDJk&ORT=MiM0
>>>
>>>
>>>
>>>                     To add this meeting to your calendar program 
>>> (for example Microsoft Outlook), click this link:
>>>
>>> https://nsn.webex.com/nsn/j.php?ED=269567657&UID=0&ICS=MI&LD=1&RD=2&ST=1&SHA2=C6-AjLGvhdYjmpVdx75M6UsAwrNLMsequ5n95Gyv1R8=&RT=MiM0
>>>
>>>
>>>
>>> -------------------------------------------------------
>>>
>>>                     To join the teleconference only
>>>
>>> -------------------------------------------------------
>>>
>>>                     Global dial-in 
>>> Numbers: http://www.nokiasiemensnetworks.com/nvc
>>>
>>>                     Conference Code: 944 910 5485
>>>
>>>
>>>
>>>
>>>
>>> _______________________________________________
>>>
>>>                     OAuth mailing list
>>>
>>>                     OAuth@ietf.org <mailto:OAuth@ietf.org>
>>>
>>> https://www.ietf.org/mailman/listinfo/oauth
>>>
>>> _______________________________________________
>>>
>>>                 OAuth mailing list
>>>
>>>                 OAuth@ietf.org  <mailto:OAuth@ietf.org>
>>>
>>>                 https://www.ietf.org/mailman/listinfo/oauth
>>>
>>>             _______________________________________________
>>>
>>>             OAuth mailing list
>>>
>>>             OAuth@ietf.org  <mailto:OAuth@ietf.org>
>>>
>>>             https://www.ietf.org/mailman/listinfo/oauth
>>>
>>>
>>>
>>>     _______________________________________________
>>>
>>>     OAuth mailing list
>>>
>>>     OAuth@ietf.org  <mailto:OAuth@ietf.org>
>>>
>>>     https://www.ietf.org/mailman/listinfo/oauth
>>>
>>>
>>>
>>>
>>>
>>> -- 
>>> George Fletcher <http://connect.me/gffletch>
>>>
>>
>> -- 
>> George Fletcher <http://connect.me/gffletch>
>>
>>
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth
>>
>
>
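
The code + client_assertion token request Sergey sketches above, in its JWT form, checked on the authorization-server side. This is an added example, not part of the original messages or of any OAuth draft. It assumes the server mints each instance's assertion itself (the "swap" discussed in this thread) and protects it with HS256 under a key only the server holds, so no per-instance record or client_secret is stored; `issue_instance_assertion`, `authenticate_client`, `SERVER_KEY`, the `software_id` claim and the endpoint URL are hypothetical names.

```python
import base64
import hashlib
import hmac
import json
from urllib.parse import parse_qs, urlencode

JWT_BEARER = "urn:ietf:params:oauth:client-assertion-type:jwt-bearer"
TOKEN_ENDPOINT = "https://as.example.com/token"        # hypothetical endpoint
SERVER_KEY = b"constructed-demo-key-known-only-to-AS"  # constructed sample key


class ClientAuthError(Exception):
    """Client authentication failed; a server would answer invalid_client."""


def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _mac(signing_input):
    return hmac.new(SERVER_KEY, signing_input.encode("ascii"), hashlib.sha256).digest()


def issue_instance_assertion(software_id, instance_id, now, lifetime=3600):
    """The 'swap': mint a per-instance assertion that the server can check
    later without keeping a registration record or a client_secret."""
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": TOKEN_ENDPOINT, "aud": TOKEN_ENDPOINT, "sub": instance_id,
              "software_id": software_id, "iat": now, "exp": now + lifetime}
    signing_input = ".".join(
        _b64url(json.dumps(part, separators=(",", ":")).encode("utf-8"))
        for part in (header, claims))
    return signing_input + "." + _b64url(_mac(signing_input))


def verify_assertion(assertion, now):
    """Return the claims of a valid assertion or raise ClientAuthError."""
    try:
        header_b64, claims_b64, sig_b64 = assertion.split(".")
        header = json.loads(_b64url_decode(header_b64))
        signature = _b64url_decode(sig_b64)
        expected = _mac(header_b64 + "." + claims_b64)
    except ValueError as exc:
        raise ClientAuthError("malformed assertion") from exc
    # Pin the algorithm: never let the token choose it (rejects alg=none).
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise ClientAuthError("unexpected alg")
    if not hmac.compare_digest(signature, expected):
        raise ClientAuthError("bad signature")
    claims = json.loads(_b64url_decode(claims_b64))
    if claims.get("iss") != TOKEN_ENDPOINT or claims.get("aud") != TOKEN_ENDPOINT:
        raise ClientAuthError("wrong issuer or audience")
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        raise ClientAuthError("assertion expired")
    return claims


def authenticate_client(form_body, now):
    """Authenticate the client of an authorization_code token request."""
    params = parse_qs(form_body, keep_blank_values=True)
    if any(len(values) != 1 for values in params.values()):
        raise ClientAuthError("repeated parameter")
    params = {name: values[0] for name, values in params.items()}
    if params.get("grant_type") != "authorization_code" or not params.get("code"):
        raise ClientAuthError("this example handles the code grant only")
    if "client_secret" in params:
        raise ClientAuthError("more than one client authentication method")
    if params.get("client_assertion_type") != JWT_BEARER:
        raise ClientAuthError("unsupported client_assertion_type")
    claims = verify_assertion(params.get("client_assertion", ""), now)
    if params.get("client_id", claims["sub"]) != claims["sub"]:
        raise ClientAuthError("client_id does not match assertion subject")
    return claims["sub"], claims["software_id"]


def build_token_request(code, assertion):
    """Client side: the form body from the thread, with a JWT assertion."""
    return urlencode({"grant_type": "authorization_code", "code": code,
                      "client_assertion_type": JWT_BEARER,
                      "client_assertion": assertion})


if __name__ == "__main__":
    issued_at = 1377708000  # constructed timestamp (28 Aug 2013)
    jwt = issue_instance_assertion("example-mobile-app", "instance-0001", issued_at)
    body = build_token_request("12345678", jwt)
    print(body)
    print(authenticate_client(body, issued_at + 60))
```

Because nothing is stored per instance, a copied assertion stays usable until its `exp`; revoking a single instance before then requires server-side state.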


From phil.hunt@oracle.com  Wed Aug 28 09:41:52 2013
Return-Path: <phil.hunt@oracle.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A085B21F9CBD for <oauth@ietfa.amsl.com>; Wed, 28 Aug 2013 09:41:52 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.239
X-Spam-Level: 
X-Spam-Status: No, score=-5.239 tagged_above=-999 required=5 tests=[AWL=-0.036, BAYES_00=-2.599, MIME_QP_LONG_LINE=1.396, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id n3wTurFa1FDQ for <oauth@ietfa.amsl.com>; Wed, 28 Aug 2013 09:41:47 -0700 (PDT)
Received: from aserp1040.oracle.com (aserp1040.oracle.com [141.146.126.69]) by ietfa.amsl.com (Postfix) with ESMTP id 968A611E81B6 for <oauth@ietf.org>; Wed, 28 Aug 2013 09:41:45 -0700 (PDT)
Received: from acsinet22.oracle.com (acsinet22.oracle.com [141.146.126.238]) by aserp1040.oracle.com (Sentrion-MTA-4.3.1/Sentrion-MTA-4.3.1) with ESMTP id r7SGfhkB031507 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK); Wed, 28 Aug 2013 16:41:44 GMT
Received: from aserz7021.oracle.com (aserz7021.oracle.com [141.146.126.230]) by acsinet22.oracle.com (8.14.4+Sun/8.14.4) with ESMTP id r7SGfhIY021437 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Wed, 28 Aug 2013 16:41:43 GMT
Received: from abhmt116.oracle.com (abhmt116.oracle.com [141.146.116.68]) by aserz7021.oracle.com (8.14.4+Sun/8.14.4) with ESMTP id r7SGfhRw010297; Wed, 28 Aug 2013 16:41:43 GMT
Received: from [192.168.1.89] (/24.86.29.34) by default (Oracle Beehive Gateway v4.0) with ESMTP ; Wed, 28 Aug 2013 09:41:43 -0700
Content-Type: text/plain; charset=windows-1252
Mime-Version: 1.0 (Mac OS X Mail 6.5 \(1508\))
From: Phil Hunt <phil.hunt@oracle.com>
In-Reply-To: <521E276F.3010804@gmail.com>
Date: Wed, 28 Aug 2013 09:41:53 -0700
Content-Transfer-Encoding: quoted-printable
Message-Id: <48AAD6B2-28E2-4B55-AE3E-C890216961C3@oracle.com>
References: <1373E8CE237FCC43BCA36C6558612D2AA28D6A@USCHMBX001.nsn-intra.net> <4D9D4AAD-55F9-4B7E-A56F-5BC42F028E13@oracle.com> <B14A12F5-EF5C-4529-90B7-C30E17958907@oracle.com>	<521E1A34.30204@mitre.org> <BC009D74-FEF3-4827-8C0D-1B2FCCF9DA65@oracle.com> <521E2353.2030904@aol.com> <23dda71eaefa47fb848fd2d6e4cd7499@BY2PR03MB189.namprd03.prod.outlook.com> <521E2657.1060506@aol.com> <521E276F.3010804@gmail.com>
To: Sergey Beryozkin <sberyozkin@gmail.com>
X-Mailer: Apple Mail (2.1508)
X-Source-IP: acsinet22.oracle.com [141.146.126.238]
Cc: oauth@ietf.org
Subject: Re: [OAUTH-WG] Dynamic Client Registration Conference Call: Wed 28 Aug, 2pm PDT: Conference Bridge Details
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 28 Aug 2013 16:41:52 -0000

Yes. A client could pass the software statement *directly* as its client
credential.  Which is one of the *simple* solutions. 8-)

The other case is where the client instance needs its own credential as
George indicates.  In that case it could swap the statement for a unique
client assertion.

Phil

@independentid
www.independentid.com
phil.hunt@oracle.com

On 2013-08-28, at 9:38 AM, Sergey Beryozkin <sberyozkin@gmail.com> wrote:

> On 28/08/13 17:33, George Fletcher wrote:
>> So I understand that you'd rather that OAuth doesn't require a
>> client_secret and that's fine. However, I don't think we should impose
>> that thinking on the rest of the world who have already implemented it
>> and have it working and scaling without issues. If the core of this
>> discussion is around replacing client_id and client_secret with a
>> client_assertion then let's have that discussion separately and not bury
>> it in the dynamic registration discussion.
>>
>> Could you not profile OAuth2 to support a flow that allows for retrieval
>> of access and refresh tokens using code + client_assertion? Doesn't seem
>> like that hard a profile and then the rest of this could fall out pretty
>> easily.
>>
> That is already supported AFAIK, something like
>
> grant_type=authorization_code
> &code=12345678
> &client_assertion_type=urn%3Aietf%3Aparams%3Aoauth%3Aclient-assertion-type%3Asaml2-bearer
> &client_assertion=Base64UrlEncoded-SAML2-Bearer-Assertion
>
> probably the same works with JWT
>
> Sergey
>
>
>> Thanks,
>> George
>>
>> On 8/28/13 12:28 PM, Anthony Nadalin wrote:
>>>=20
>>> I do think that this is the rare-edge use case, we would not want
>>> require client-secret, we already have that mess today with OAuth =
and
>>> trying not to continue the proliferation, we solve this today with =
our
>>> STS and assertion swaps/transformations, it scales, performs and we
>>> don=92t have the management debacle this specification creates
>>>=20
>>> *From:*oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] *On
>>> Behalf Of *George Fletcher
>>> *Sent:* Wednesday, August 28, 2013 9:21 AM
>>> *To:* Phil Hunt
>>> *Cc:* oauth mailing list
>>> *Subject:* Re: [OAUTH-WG] Dynamic Client Registration Conference =
Call:
>>> Wed 28 Aug, 2pm PDT: Conference Bridge Details
>>>=20
>>> On 8/28/13 12:02 PM, Phil Hunt wrote:
>>>=20
>>>    Please define the all in one case. I think this is the edge case =
and is in fact rare.
>>>=20
>>>=20
>>>=20
>>>    I agree, in many cases step 1 can be made by simply approving a =
class of software. But then step 2 is simplified.
>>>=20
>>>=20
>>>=20
>>>    Dyn reg assumes every registration of an instance is unique which =
too me is a very extreme
>>>=20
>>> If you have a mobile app that needs to do the code flow... which
>>> requires a client_secret in order to retrieve the access token and
>>> refresh token, how does the app do this without per app instance
>>> registration?
>>>=20
>>> I'd argue that almost all user facing mobile apps will want the =
above
>>> flow and that's not a small, rare edge case.
>>>=20
>>> Thanks,
>>> George
>>>=20
>>>    position.
>>>=20
>>>=20
>>>=20
>>>    Phil
>>>=20
>>>=20
>>>=20
>>>    On 2013-08-28, at 8:41, Justin Richer<jricher@mitre.org>  =
<mailto:jricher@mitre.org>  wrote:
>>>=20
>>>=20
>>>=20
>>>        Except for the cases where you want step 1 to happen in band. =
To me, that is a vitally and fundamentally important use case that we =
can't disregard, and we must have a solution that can accommodate that. =
The notions of "publisher" and "product" fade very quickly once you get =
outside of the software vendor world.
>>>=20
>>>=20
>>>=20
>>>        This is, of course, not to stand in the way of other =
solutions or approaches (such as something assertion based like you're =
after). It's not a one-or-the-other proposition, especially when there =
are mutually exclusive aspects of each.
>>>=20
>>>=20
>>>=20
>>>        Therefore I once again call for the WG to finish the current =
dynamic registration spec *AND* pursue the assertion based process that =
Phil's talking about. They're not mutually exclusive, let's please stop =
talking about them like they are.
>>>=20
>>>=20
>>>=20
>>>        -- Justin
>>>=20
>>>=20
>>>=20
>>>        On 08/28/2013 11:17 AM, Phil Hunt wrote:
>>>=20
>>>            Sorry. I meant also to say i think there are 2 =
registration steps
>>>=20
>>>            1. Software registration/approval. This often happens out =
of band. But in this step policy is defined that approves software for =
use. Many of the reg params are known here.
>>>=20
>>>=20
>>>=20
>>>            Federation techniques come into play as trust approvals =
can be based on developer, product or even publisher.
>>>=20
>>>=20
>>>=20
>>>            2. Each instance associates in a stateless way. Only =
clients that need credential rotation need more.
>>>=20
>>>=20
>>>=20
>>>            Phil
>>>=20
>>>=20
>>>=20
>>>            On 2013-08-28, at 8:04, Phil Hunt<phil.hunt@oracle.com>  =
<mailto:phil.hunt@oracle.com>  wrote:
>>>=20
>>>=20
>>>=20
>>>                I have a conflict I cannot get out of for 2pacific.
>>>=20
>>>=20
>>>=20
>>>                I think a certificate based approach is going to =
simplify exchanges in all cases. I encourage the group to explore the =
concept on the call.
>>>=20
>>>=20
>>>=20
>>>                I am not sure breaking dyn reg up helps. It creates =
yet another option. I would like to explore how federation concept in =
software statements can help with facilitating association and making =
many reg stateless.
>>>=20
>>>=20
>>>=20
>>>                Phil
>>>
>>>                On 2013-08-28, at 5:43, "Tschofenig, Hannes (NSN - FI/Espoo)"<hannes.tschofenig@nsn.com> wrote:
>>>
>>>                    Here are the conference bridge / Webex details for the call today.
>>>
>>>                    We are going to complete the use case discussions from last time (Phil wasn't able to walk through all slides). Justin was also able to work out a strawman proposal based on the discussions last week and we will have a look at it to see whether this is a suitable compromise. Here is Justin's mail, in case you have missed it: http://www.ietf.org/mail-archive/web/oauth/current/msg12036.html
>>>
>>>                    Phil, please feel free to make adjustments to your slides given Justin's recent proposal.
>>>
>>>                    Topic: OAuth Dynamic Client Registration
>>>                    Date: Wednesday, August 28, 2013
>>>                    Time: 2:00 pm, Pacific Daylight Time (San Francisco, GMT-07:00)
>>>                    Meeting Number: 703 230 586
>>>                    Meeting Password: oauth
>>>
>>>                    -------------------------------------------------------
>>>                    To join the online meeting
>>>                    -------------------------------------------------------
>>>                    1. Go to https://nsn.webex.com/nsn/j.php?ED=269567657&UID=0&PW=NNTI1ZWQzMDJk&RT=MiM0
>>>                    2. Enter your name and email address.
>>>                    3. Enter the meeting password: oauth
>>>                    4. Click "Join Now".
>>>
>>>                    To view in other time zones or languages, please click the link:
>>>                    https://nsn.webex.com/nsn/j.php?ED=269567657&UID=0&PW=NNTI1ZWQzMDJk&ORT=MiM0
>>>
>>>                    To add this meeting to your calendar program (for example Microsoft Outlook), click this link:
>>>                    https://nsn.webex.com/nsn/j.php?ED=269567657&UID=0&ICS=MI&LD=1&RD=2&ST=1&SHA2=C6-AjLGvhdYjmpVdx75M6UsAwrNLMsequ5n95Gyv1R8=&RT=MiM0
>>>
>>>                    -------------------------------------------------------
>>>                    To join the teleconference only
>>>                    -------------------------------------------------------
>>>                    Global dial-in Numbers: http://www.nokiasiemensnetworks.com/nvc
>>>                    Conference Code: 944 910 5485
>>>
>>>                    _______________________________________________
>>>                    OAuth mailing list
>>>                    OAuth@ietf.org
>>>                    https://www.ietf.org/mailman/listinfo/oauth
>>>
>>> --
>>> George Fletcher <http://connect.me/gffletch>
>>>
>>
>> --
>> George Fletcher <http://connect.me/gffletch>
>>
>>
>
> --
> Sergey Beryozkin
>
> Talend Community Coders
> http://coders.talend.com/
>
> Blog: http://sberyozkin.blogspot.com


From gffletch@aol.com  Wed Aug 28 09:43:23 2013
Return-Path: <gffletch@aol.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 125A821F95DC for <oauth@ietfa.amsl.com>; Wed, 28 Aug 2013 09:43:23 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.498
X-Spam-Level: 
X-Spam-Status: No, score=-2.498 tagged_above=-999 required=5 tests=[AWL=0.100,  BAYES_00=-2.599, HTML_MESSAGE=0.001]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Otxj7nGIg6WX for <oauth@ietfa.amsl.com>; Wed, 28 Aug 2013 09:43:19 -0700 (PDT)
Received: from omr-m08.mx.aol.com (omr-m08.mx.aol.com [64.12.222.129]) by ietfa.amsl.com (Postfix) with ESMTP id 2904E21F8BE6 for <oauth@ietf.org>; Wed, 28 Aug 2013 09:43:16 -0700 (PDT)
Received: from mtaout-ma04.r1000.mx.aol.com (mtaout-ma04.r1000.mx.aol.com [172.29.41.4]) by omr-m08.mx.aol.com (Outbound Mail Relay) with ESMTP id C7037700D7F9F; Wed, 28 Aug 2013 12:43:11 -0400 (EDT)
Received: from palantir.local (unknown [10.181.176.48]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by mtaout-ma04.r1000.mx.aol.com (MUA/Third Party Client Interface) with ESMTPSA id 743F3E0003A7; Wed, 28 Aug 2013 12:43:09 -0400 (EDT)
Message-ID: <521E289D.5060308@aol.com>
Date: Wed, 28 Aug 2013 12:43:09 -0400
From: George Fletcher <gffletch@aol.com>
Organization: AOL LLC
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:17.0) Gecko/20130801 Thunderbird/17.0.8
MIME-Version: 1.0
To: Phil Hunt <phil.hunt@oracle.com>
References: <1373E8CE237FCC43BCA36C6558612D2AA28D6A@USCHMBX001.nsn-intra.net> <4D9D4AAD-55F9-4B7E-A56F-5BC42F028E13@oracle.com> <B14A12F5-EF5C-4529-90B7-C30E17958907@oracle.com> <521E1A34.30204@mitre.org> <BC009D74-FEF3-4827-8C0D-1B2FCCF9DA65@oracle.com> <521E2353.2030904@aol.com> <C7CBA9A2-92F5-4AE3-8AEE-1259B6635DD9@oracle.com> <521E256A.60908@aol.com> <9F232504-FC58-41FD-B040-31F898034AD2@oracle.com>
In-Reply-To: <9F232504-FC58-41FD-B040-31F898034AD2@oracle.com>
Content-Type: multipart/alternative; boundary="------------020201000602090608060304"
x-aol-global-disposition: G
X-AOL-VSS-INFO: 5400.1158/93305
X-AOL-VSS-CODE: clean
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=mx.aol.com; s=20121107; t=1377708189; bh=BmjfTGO6hkrHIL6AupicG/0dqIb+tx/eXOqX/4EvGRk=; h=From:To:Subject:Message-ID:Date:MIME-Version:Content-Type; b=HYNpxXKFa+f/htA7hE8PzGCOZszRzOkZth3lrZ8+fNBomRY6xLg+676JDWlxfq4vE slevWrbr3crS0l9e7cUzpDmAt6qVUlclv/Jf+nJJsuANKW6ULLC41DbJo+ZzJp1Abt NkMUcOYenXfgJ1oOVyf2UuY9vJW9PuGyTOzBAJJw=
x-aol-sid: 3039ac1d2904521e289d4c4f
X-AOL-IP: 10.181.176.48
Cc: oauth mailing list <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Dynamic Client Registration Conference Call: Wed 28 Aug, 2pm PDT: Conference Bridge Details
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 28 Aug 2013 16:43:23 -0000

This is a multi-part message in MIME format.
--------------020201000602090608060304
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit

Thanks for the reference...

We have some deployed implementations that require the use of a 
refresh_token that doesn't seem to be supported by the assertion set of 
specs, but I suppose we could add support for that, though at the 
moment I don't have any pressing requirements to do so.

On 8/28/13 12:35 PM, Phil Hunt wrote:
> George,
>
> It would be reasonable for a client to submit an assertion, and obtain 
> its own client assertion in return.  This is very close to what is 
> happening per 2.1, 2.2 of 
> http://tools.ietf.org/html/draft-ietf-oauth-jwt-bearer-06
>
> In this case, the Software Statement is an authorization that is 
> exchanged for a client assertion in return. Then the clients 
> authenticate per section 2.2 of the JWT spec.
>
> Regarding initial_access_token.  This does have some of the 
> characteristics I am speaking of. But it is unspecified and the 
> assumption is that it is issued by the local domain.  This doesn't 
> work in the UMA case because that's more like a federated model. Thus 
> the specified software statement works because the AS can approve the 
> client software based on name, and/or developer, and/or publisher -- 
> whatever trust requires.

I did not have the same set of assumptions about the 
initial_access_token. Given that we already support federated 
access_tokens (i.e. access tokens issued by different Authorization 
Servers) my assumption around the initial_access_token is that it is 
generated by an entity (local or otherwise) that makes sense for the 
given deployment environment of that application. I would NOT want the 
core spec to be very specific in this regard as it just constrains the 
uses and forces wacky workarounds for use cases not supported by the 
core spec.

>
> Phil
>
> @independentid
> www.independentid.com <http://www.independentid.com>
> phil.hunt@oracle.com <mailto:phil.hunt@oracle.com>
>
> On 2013-08-28, at 9:29 AM, George Fletcher <gffletch@aol.com 
> <mailto:gffletch@aol.com>> wrote:
>
>> I can't say I understand what you mean by a simple assertion swap... 
>> but if you are wanting to use a client_assertion flow instead of the 
>> code flow then that's something completely different. If you are 
>> saying that you want the client_id to represent an "instance" in a 
>> stateless way using an "assertion" then that's already possible today.
>>
>> George
>>
>> On 8/28/13 12:23 PM, Phil Hunt wrote:
>>> George
>>>
>>> That case can be solved with a simple assertion swap. We just have 
>>> to profile it.
>>>
>>> Phil
>>>
>>> On 2013-08-28, at 9:20, George Fletcher <gffletch@aol.com 
>>> <mailto:gffletch@aol.com>> wrote:
>>>
>>>>
>>>> On 8/28/13 12:02 PM, Phil Hunt wrote:
>>>>> Please define the all in one case. I think this is the edge case and is in fact rare.
>>>>>
>>>>> I agree, in many cases step 1 can be made by simply approving a class of software. But then step 2 is simplified.
>>>>>
>>>>> Dyn reg assumes every registration of an instance is unique which to me is a very extreme
>>>> If you have a mobile app that needs to do the code flow... which 
>>>> requires a client_secret in order to retrieve the access token and 
>>>> refresh token, how does the app do this without per app instance 
>>>> registration?
>>>>
>>>> I'd argue that almost all user facing mobile apps will want the 
>>>> above flow and that's not a small, rare edge case.
>>>>
>>>> Thanks,
>>>> George
>>>>> position.
>>>>>
>>>>> Phil
>>>>>
>>>>> On 2013-08-28, at 8:41, Justin Richer<jricher@mitre.org>  wrote:
>>>>>
>>>>>> Except for the cases where you want step 1 to happen in band. To me, that is a vitally and fundamentally important use case that we can't disregard, and we must have a solution that can accommodate that. The notions of "publisher" and "product" fade very quickly once you get outside of the software vendor world.
>>>>>>
>>>>>> This is, of course, not to stand in the way of other solutions or approaches (such as something assertion based like you're after). It's not a one-or-the-other proposition, especially when there are mutually exclusive aspects of each.
>>>>>>
>>>>>> Therefore I once again call for the WG to finish the current dynamic registration spec *AND* pursue the assertion based process that Phil's talking about. They're not mutually exclusive, let's please stop talking about them like they are.
>>>>>>
>>>>>> -- Justin
>>>>>>
>>>>>> On 08/28/2013 11:17 AM, Phil Hunt wrote:
>>>>>>> Sorry. I meant also to say I think there are 2 registration steps.
>>>>>>>
>>>>>>> 1. Software registration/approval. This often happens out of band. But in this step policy is defined that approves software for use. Many of the reg params are known here.
>>>>>>>
>>>>>>> Federation techniques come into play as trust approvals can be based on developer, product or even publisher.
>>>>>>>
>>>>>>> 2. Each instance associates in a stateless way. Only clients that need credential rotation need more.
>>>>>>>
>>>>>>> Phil
>>>>>>>
>>>>>>> On 2013-08-28, at 8:04, Phil Hunt<phil.hunt@oracle.com>  wrote:
>>>>>>>
>>>>>>>> I have a conflict I cannot get out of for 2pacific.
>>>>>>>>
>>>>>>>> I think a certificate based approach is going to simplify exchanges in all cases. I encourage the group to explore the concept on the call.
>>>>>>>>
>>>>>>>> I am not sure breaking dyn reg up helps. It creates yet another option. I would like to explore how federation concept in software statements can help with facilitating association and making many reg stateless.
>>>>>>>>
>>>>>>>> Phil
>>>>>>>>
>>>>>>>> On 2013-08-28, at 5:43, "Tschofenig, Hannes (NSN - FI/Espoo)"<hannes.tschofenig@nsn.com>  wrote:
>>>>>>>>
>>>>>>>>> Here are the conference bridge / Webex details for the call today.
>>>>>>>>> We are going to complete the use case discussions from last time (Phil wasn't able to walk through all slides). Justin was also able to work out a strawman proposal based on the discussions last week and we will have a look at it to see whether this is a suitable compromise. Here is Justin's mail, in case you have missed it: http://www.ietf.org/mail-archive/web/oauth/current/msg12036.html
>>>>>>>>>
>>>>>>>>> Phil, please feel free to make adjustments to your slides given Justin's recent proposal.
>>>>>>>>>
>>>>>>>>> Topic: OAuth Dynamic Client Registration
>>>>>>>>> Date: Wednesday, August 28, 2013
>>>>>>>>> Time: 2:00 pm, Pacific Daylight Time (San Francisco, GMT-07:00)
>>>>>>>>> Meeting Number: 703 230 586
>>>>>>>>> Meeting Password: oauth
>>>>>>>>>
>>>>>>>>> -------------------------------------------------------
>>>>>>>>> To join the online meeting
>>>>>>>>> -------------------------------------------------------
>>>>>>>>> 1. Go to https://nsn.webex.com/nsn/j.php?ED=269567657&UID=0&PW=NNTI1ZWQzMDJk&RT=MiM0
>>>>>>>>> 2. Enter your name and email address.
>>>>>>>>> 3. Enter the meeting password: oauth
>>>>>>>>> 4. Click "Join Now".
>>>>>>>>>
>>>>>>>>> To view in other time zones or languages, please click the link:
>>>>>>>>> https://nsn.webex.com/nsn/j.php?ED=269567657&UID=0&PW=NNTI1ZWQzMDJk&ORT=MiM0
>>>>>>>>>
>>>>>>>>> To add this meeting to your calendar program (for example Microsoft Outlook), click this link:
>>>>>>>>> https://nsn.webex.com/nsn/j.php?ED=269567657&UID=0&ICS=MI&LD=1&RD=2&ST=1&SHA2=C6-AjLGvhdYjmpVdx75M6UsAwrNLMsequ5n95Gyv1R8=&RT=MiM0
>>>>>>>>>
>>>>>>>>> -------------------------------------------------------
>>>>>>>>> To join the teleconference only
>>>>>>>>> -------------------------------------------------------
>>>>>>>>> Global dial-in Numbers: http://www.nokiasiemensnetworks.com/nvc
>>>>>>>>> Conference Code: 944 910 5485
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> _______________________________________________
>>>>>>>>> OAuth mailing list
>>>>>>>>> OAuth@ietf.org
>>>>>>>>> https://www.ietf.org/mailman/listinfo/oauth
>>>>>
>>>>>
>>>>
>>>> -- 
>>>> <XeC> <http://connect.me/gffletch>
>>
>> -- 
>> <XeC.png> <http://connect.me/gffletch>
>

-- 
George Fletcher <http://connect.me/gffletch>

--------------020201000602090608060304
Content-Type: multipart/related;
 boundary="------------010401000501020602070708"


--------------010401000501020602070708
Content-Type: text/html; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit

<html>
  <head>
    <meta content="text/html; charset=ISO-8859-1"
      http-equiv="Content-Type">
  </head>
  <body bgcolor="#FFFFFF" text="#000000">
    <font face="Helvetica, Arial, sans-serif">Thanks for the
      reference...</font><br>
    <br>
    We have some deployed implementation that require the use of a
    refresh_token that doesn't seem to be supported by the assertion set
    of specs, but I supposed we could add support for that, though at
    the moment I don't have any pressing requirements to do so.<br>
    <br>
    <div class="moz-cite-prefix">On 8/28/13 12:35 PM, Phil Hunt wrote:<br>
    </div>
    <blockquote
      cite="mid:9F232504-FC58-41FD-B040-31F898034AD2@oracle.com"
      type="cite">
      <meta http-equiv="Content-Type" content="text/html;
        charset=ISO-8859-1">
      George,
      <div><br>
      </div>
      <div>It would be reasonable for a client to submit an assertion,
        and obtain its own client assertion in return. &nbsp;This is very
        close to what is happening per 2.1, 2.2 of&nbsp;<a
          moz-do-not-send="true"
          href="http://tools.ietf.org/html/draft-ietf-oauth-jwt-bearer-06">http://tools.ietf.org/html/draft-ietf-oauth-jwt-bearer-06</a></div>
      <div><br>
      </div>
      <div>In this case, the Software Statement is an authorization that
        is exchanged for a client assertion in return. Then the clients
        authenticate per section 2.2 of the JWT spec.</div>
      <div><br>
      </div>
      <div>Regarding initial_access_token. &nbsp;This does have some of the
        characteristics I am speaking of. But it is unspecified and the
        assumption is that it is issued by the local domain. &nbsp;This
        doesn't work in the UMA case because that's more like a
        federated model. Thus the specified software statement works
        because the AS can approve the client software based on name,
        and/or developer, and/or publisher -- whatever trust requires.</div>
    </blockquote>
    I did not have the same set of assumptions about the
    initial_access_token. Given that we already support federated
    access_tokens (i.e. access tokens issued by different Authorization
    Servers) my assumption around the initial_access_token is that it is
    generated by an entity (local or otherwise) that makes sense for the
    given deployment environment of that application. I would NOT want
    the core spec to be very specific in this regard as it just
    constrains the uses and forces wacky work arounds for use cases not
    supported by the core spec.<br>
    <br>
    <blockquote
      cite="mid:9F232504-FC58-41FD-B040-31F898034AD2@oracle.com"
      type="cite">
      <div><br>
        <div apple-content-edited="true">
          <span class="Apple-style-span" style="border-collapse:
            separate; color: rgb(0, 0, 0); font-family: Helvetica;
            font-style: normal; font-variant: normal; font-weight:
            normal; letter-spacing: normal; line-height: normal;
            orphans: 2; text-indent: 0px; text-transform: none;
            white-space: normal; widows: 2; word-spacing: 0px;
            border-spacing: 0px; -webkit-text-decorations-in-effect:
            none; -webkit-text-size-adjust: auto;
            -webkit-text-stroke-width: 0px; font-size: medium; ">
            <div style="word-wrap: break-word; -webkit-nbsp-mode: space;
              -webkit-line-break: after-white-space; "><span
                class="Apple-style-span" style="border-collapse:
                separate; color: rgb(0, 0, 0); font-family: Helvetica;
                font-size: medium; font-style: normal; font-variant:
                normal; font-weight: normal; letter-spacing: normal;
                line-height: normal; orphans: 2; text-indent: 0px;
                text-transform: none; white-space: normal; widows: 2;
                word-spacing: 0px; border-spacing: 0px;
                -webkit-text-decorations-in-effect: none;
                -webkit-text-size-adjust: auto;
                -webkit-text-stroke-width: 0px; ">
                <div style="word-wrap: break-word; -webkit-nbsp-mode:
                  space; -webkit-line-break: after-white-space; "><span
                    class="Apple-style-span" style="border-collapse:
                    separate; color: rgb(0, 0, 0); font-family:
                    Helvetica; font-size: medium; font-style: normal;
                    font-variant: normal; font-weight: normal;
                    letter-spacing: normal; line-height: normal;
                    orphans: 2; text-indent: 0px; text-transform: none;
                    white-space: normal; widows: 2; word-spacing: 0px;
                    border-spacing: 0px;
                    -webkit-text-decorations-in-effect: none;
                    -webkit-text-size-adjust: auto;
                    -webkit-text-stroke-width: 0px; ">
                    <div style="word-wrap: break-word;
                      -webkit-nbsp-mode: space; -webkit-line-break:
                      after-white-space; "><span
                        class="Apple-style-span" style="border-collapse:
                        separate; color: rgb(0, 0, 0); font-family:
                        Helvetica; font-size: 12px; font-style: normal;
                        font-variant: normal; font-weight: normal;
                        letter-spacing: normal; line-height: normal;
                        orphans: 2; text-indent: 0px; text-transform:
                        none; white-space: normal; widows: 2;
                        word-spacing: 0px; border-spacing: 0px;
                        -webkit-text-decorations-in-effect: none;
                        -webkit-text-size-adjust: auto;
                        -webkit-text-stroke-width: 0px; ">
                        <div style="word-wrap: break-word;
                          -webkit-nbsp-mode: space; -webkit-line-break:
                          after-white-space; ">
                          <div>Phil</div>
                          <div><br>
                          </div>
                          <div>@independentid</div>
                          <div><a moz-do-not-send="true"
                              href="http://www.independentid.com">www.independentid.com</a></div>
                        </div>
                      </span><a moz-do-not-send="true"
                        href="mailto:phil.hunt@oracle.com">phil.hunt@oracle.com</a></div>
                    <div style="word-wrap: break-word;
                      -webkit-nbsp-mode: space; -webkit-line-break:
                      after-white-space; "><br>
                      <br>
                    </div>
                  </span><br class="Apple-interchange-newline">
                </div>
              </span><br class="Apple-interchange-newline">
            </div>
          </span><br class="Apple-interchange-newline">
          <br class="Apple-interchange-newline">
        </div>
        <br>
        <div>
          <div>On 2013-08-28, at 9:29 AM, George Fletcher &lt;<a
              moz-do-not-send="true" href="mailto:gffletch@aol.com">gffletch@aol.com</a>&gt;
            wrote:</div>
          <br class="Apple-interchange-newline">
          <blockquote type="cite">
            <meta content="text/html; charset=ISO-8859-1"
              http-equiv="Content-Type">
            <div bgcolor="#FFFFFF" text="#000000"> <font
                face="Helvetica, Arial, sans-serif">I can't say I
                understand what you mean by a simple assertion swap...
                but if you are wanting to use a client_assertion flow
                instead of the code flow then that's something
                completely different. If you are saying that you want
                the client_id to represent an "instance" in a stateless
                way using an "assertion" then that's already possible
                today.<br>
                <br>
                George<br>
                <br>
              </font>
              <div class="moz-cite-prefix">On 8/28/13 12:23 PM, Phil
                Hunt wrote:<br>
              </div>
              <blockquote
                cite="mid:C7CBA9A2-92F5-4AE3-8AEE-1259B6635DD9@oracle.com"
                type="cite">
                <meta http-equiv="content-type" content="text/html;
                  charset=ISO-8859-1">
                <div>George</div>
                <div><br>
                </div>
                <div>That case can be solved with a simple assertion
                  swap. We just have to profile it.&nbsp;<br>
                  <br>
                  Phil</div>
                <div><br>
                  On 2013-08-28, at 9:20, George Fletcher &lt;<a
                    moz-do-not-send="true"
                    href="mailto:gffletch@aol.com">gffletch@aol.com</a>&gt;

                  wrote:<br>
                  <br>
                </div>
                <blockquote type="cite">
                  <div>
                    <meta content="text/html; charset=ISO-8859-1"
                      http-equiv="Content-Type">
                    <br>
                    <div class="moz-cite-prefix">On 8/28/13 12:02 PM,
                      Phil Hunt wrote:<br>
                    </div>
                    <blockquote
                      cite="mid:BC009D74-FEF3-4827-8C0D-1B2FCCF9DA65@oracle.com"
                      type="cite">
                      <pre wrap="">Please define the all in one case. I think this is the edge case and is in fact rare. 

I agree, in many cases step 1 can be made by simply approving a class of software. But then step 2 is simplified. 

Dyn reg assumes every registration of an instance is unique which too me is a very extreme </pre>
                    </blockquote>
                    If you have a mobile app that needs to do the code
                    flow... which requires a client_secret in order to
                    retrieve the access token and refresh token, how
                    does the app do this without per app instance
                    registration? <br>
                    <br>
                    I'd argue that almost all user facing mobile apps
                    will want the above flow and that's not a small,
                    rare edge case.<br>
                    <br>
                    Thanks,<br>
                    George<br>
                    <blockquote
                      cite="mid:BC009D74-FEF3-4827-8C0D-1B2FCCF9DA65@oracle.com"
                      type="cite">
                      <pre wrap="">position. 

Phil

On 2013-08-28, at 8:41, Justin Richer <a moz-do-not-send="true" class="moz-txt-link-rfc2396E" href="mailto:jricher@mitre.org">&lt;jricher@mitre.org&gt;</a> wrote:

</pre>
                      <blockquote type="cite">
                        <pre wrap="">Except for the cases where you want step 1 to happen in band. To me, that is a vitally and fundamentally important use case that we can't disregard, and we must have a solution that can accommodate that. The notions of "publisher" and "product" fade very quickly once you get outside of the software vendor world.

This is, of course, not to stand in the way of other solutions or approaches (such as something assertion based like you're after). It's not a one-or-the-other proposition, especially when there are mutually exclusive aspects of each.

Therefore I once again call for the WG to finish the current dynamic registration spec *AND* pursue the assertion based process that Phil's talking about. They're not mutually exclusive, let's please stop talking about them like they are.

-- Justin

On 08/28/2013 11:17 AM, Phil Hunt wrote:
</pre>
                        <blockquote type="cite">
                          <pre wrap="">Sorry. I meant also to say i think there are 2 registration steps.

1. Software registration/approval. This often happens out of band. But in this step policy is defined that approves software for use. Many of the reg params are known here.

Federation techniques come into play as trust approvals can be based on developer, product or even publisher.

2. Each instance associates in a stateless way. Only clients that need credential rotation need more.

Phil

On 2013-08-28, at 8:04, Phil Hunt <a moz-do-not-send="true" class="moz-txt-link-rfc2396E" href="mailto:phil.hunt@oracle.com">&lt;phil.hunt@oracle.com&gt;</a> wrote:

</pre>
                          <blockquote type="cite">
                            <pre wrap="">I have a conflict I cannot get out of for 2pacific.

I think a certificate based approach is going to simplify exchanges in all cases. I encourage the group to explore the concept on the call.

I am not sure breaking dyn reg up helps. It creates yet another option. I would like to explore how federation concept in software statements can help with facilitating association and making many reg stateless.

Phil

On 2013-08-28, at 5:43, "Tschofenig, Hannes (NSN - FI/Espoo)" <a moz-do-not-send="true" class="moz-txt-link-rfc2396E" href="mailto:hannes.tschofenig@nsn.com">&lt;hannes.tschofenig@nsn.com&gt;</a> wrote:

</pre>
                            <blockquote type="cite">
                              <pre wrap="">Here are the conference bridge / Webex details for the call today.
We are going to complete the use case discussions from last time (Phil wasn't able to walk through all slides). Justin was also able to work out a strawman proposal based on the discussions last week and we will have a look at it to see whether this is a suitable compromise. Here is Justin's mail, in case you have missed it: <a moz-do-not-send="true" class="moz-txt-link-freetext" href="http://www.ietf.org/mail-archive/web/oauth/current/msg12036.html">http://www.ietf.org/mail-archive/web/oauth/current/msg12036.html</a>

Phil, please feel free to make adjustments to your slides given the Justin's recent proposal.

Topic: OAuth Dynamic Client Registration
Date: Wednesday, August 28, 2013
Time: 2:00 pm, Pacific Daylight Time (San Francisco, GMT-07:00)
Meeting Number: 703 230 586
Meeting Password: oauth

-------------------------------------------------------
To join the online meeting
-------------------------------------------------------
1. Go to <a moz-do-not-send="true" class="moz-txt-link-freetext" href="https://nsn.webex.com/nsn/j.php?ED=269567657&amp;UID=0&amp;PW=NNTI1ZWQzMDJk&amp;RT=MiM0">https://nsn.webex.com/nsn/j.php?ED=269567657&amp;UID=0&amp;PW=NNTI1ZWQzMDJk&amp;RT=MiM0</a>
2. Enter your name and email address.
3. Enter the meeting password: oauth
4. Click "Join Now".

To view in other time zones or languages, please click the link:
<a moz-do-not-send="true" class="moz-txt-link-freetext" href="https://nsn.webex.com/nsn/j.php?ED=269567657&amp;UID=0&amp;PW=NNTI1ZWQzMDJk&amp;ORT=MiM0">https://nsn.webex.com/nsn/j.php?ED=269567657&amp;UID=0&amp;PW=NNTI1ZWQzMDJk&amp;ORT=MiM0</a>

To add this meeting to your calendar program (for example Microsoft Outlook), click this link:
<a moz-do-not-send="true" class="moz-txt-link-freetext" href="https://nsn.webex.com/nsn/j.php?ED=269567657&amp;UID=0&amp;ICS=MI&amp;LD=1&amp;RD=2&amp;ST=1&amp;SHA2=C6-AjLGvhdYjmpVdx75M6UsAwrNLMsequ5n95Gyv1R8=&amp;RT=MiM0">https://nsn.webex.com/nsn/j.php?ED=269567657&amp;UID=0&amp;ICS=MI&amp;LD=1&amp;RD=2&amp;ST=1&amp;SHA2=C6-AjLGvhdYjmpVdx75M6UsAwrNLMsequ5n95Gyv1R8=&amp;RT=MiM0</a>

-------------------------------------------------------
To join the teleconference only
-------------------------------------------------------
Global dial-in Numbers: <a moz-do-not-send="true" class="moz-txt-link-freetext" href="http://www.nokiasiemensnetworks.com/nvc">http://www.nokiasiemensnetworks.com/nvc</a>
Conference Code: 944 910 5485


_______________________________________________
OAuth mailing list
<a moz-do-not-send="true" class="moz-txt-link-abbreviated" href="mailto:OAuth@ietf.org">OAuth@ietf.org</a>
<a moz-do-not-send="true" class="moz-txt-link-freetext" href="https://www.ietf.org/mailman/listinfo/oauth">https://www.ietf.org/mailman/listinfo/oauth</a>
</pre>
                            </blockquote>
                            <pre wrap="">_______________________________________________
OAuth mailing list
<a moz-do-not-send="true" class="moz-txt-link-abbreviated" href="mailto:OAuth@ietf.org">OAuth@ietf.org</a>
<a moz-do-not-send="true" class="moz-txt-link-freetext" href="https://www.ietf.org/mailman/listinfo/oauth">https://www.ietf.org/mailman/listinfo/oauth</a>
</pre>
                          </blockquote>
                          <pre wrap="">_______________________________________________
OAuth mailing list
<a moz-do-not-send="true" class="moz-txt-link-abbreviated" href="mailto:OAuth@ietf.org">OAuth@ietf.org</a>
<a moz-do-not-send="true" class="moz-txt-link-freetext" href="https://www.ietf.org/mailman/listinfo/oauth">https://www.ietf.org/mailman/listinfo/oauth</a>
</pre>
                        </blockquote>
                      </blockquote>
                    </blockquote>
                    <br>
                    <div class="moz-signature">-- <br>
                      <a moz-do-not-send="true"
                        href="http://connect.me/gffletch" title="View
                        full card on Connect.Me">&lt;XeC&gt;</a></div>
                  </div>
                </blockquote>
              </blockquote>
              <br>
              <div class="moz-signature">-- <br>
                <a moz-do-not-send="true"
                  href="http://connect.me/gffletch" title="View full
                  card on Connect.Me"><span>&lt;XeC.png&gt;</span></a></div>
            </div>
          </blockquote>
        </div>
        <br>
      </div>
    </blockquote>
    <br>
    <div class="moz-signature">-- <br>
      <a href="http://connect.me/gffletch" title="View full card on
        Connect.Me"><img src="cid:part24.00060404.07050709@aol.com"
          alt="George Fletcher" height="113" width="359"></a></div>
  </body>
</html>

--------------010401000501020602070708
Content-Type: image/png;
 name="XeC"
Content-Transfer-Encoding: base64
Content-ID: <part24.00060404.07050709@aol.com>
Content-Disposition: inline;
 filename="XeC"
--------------010401000501020602070708--

--------------020201000602090608060304--

From phil.hunt@oracle.com  Wed Aug 28 09:43:39 2013
Return-Path: <phil.hunt@oracle.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9765411E8199 for <oauth@ietfa.amsl.com>; Wed, 28 Aug 2013 09:43:39 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.238
X-Spam-Level: 
X-Spam-Status: No, score=-5.238 tagged_above=-999 required=5 tests=[AWL=-0.035, BAYES_00=-2.599, MIME_QP_LONG_LINE=1.396, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id HA0kcy4iJATc for <oauth@ietfa.amsl.com>; Wed, 28 Aug 2013 09:43:35 -0700 (PDT)
Received: from userp1040.oracle.com (userp1040.oracle.com [156.151.31.81]) by ietfa.amsl.com (Postfix) with ESMTP id E9EB821F8DA3 for <oauth@ietf.org>; Wed, 28 Aug 2013 09:43:34 -0700 (PDT)
Received: from acsinet21.oracle.com (acsinet21.oracle.com [141.146.126.237]) by userp1040.oracle.com (Sentrion-MTA-4.3.1/Sentrion-MTA-4.3.1) with ESMTP id r7SGhWAZ030712 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK); Wed, 28 Aug 2013 16:43:33 GMT
Received: from aserz7021.oracle.com (aserz7021.oracle.com [141.146.126.230]) by acsinet21.oracle.com (8.14.4+Sun/8.14.4) with ESMTP id r7SGhVnu014578 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Wed, 28 Aug 2013 16:43:31 GMT
Received: from abhmt108.oracle.com (abhmt108.oracle.com [141.146.116.60]) by aserz7021.oracle.com (8.14.4+Sun/8.14.4) with ESMTP id r7SGhVfH014570; Wed, 28 Aug 2013 16:43:31 GMT
Received: from [192.168.1.89] (/24.86.29.34) by default (Oracle Beehive Gateway v4.0) with ESMTP ; Wed, 28 Aug 2013 09:43:31 -0700
Content-Type: text/plain; charset=windows-1252
Mime-Version: 1.0 (Mac OS X Mail 6.5 \(1508\))
From: Phil Hunt <phil.hunt@oracle.com>
In-Reply-To: <521E2834.4010102@mitre.org>
Date: Wed, 28 Aug 2013 09:43:40 -0700
Content-Transfer-Encoding: quoted-printable
Message-Id: <E9A4949D-5969-4667-8ACF-945F2D16BDFD@oracle.com>
References: <1373E8CE237FCC43BCA36C6558612D2AA28D6A@USCHMBX001.nsn-intra.net> <4D9D4AAD-55F9-4B7E-A56F-5BC42F028E13@oracle.com> <B14A12F5-EF5C-4529-90B7-C30E17958907@oracle.com>	<521E1A34.30204@mitre.org> <BC009D74-FEF3-4827-8C0D-1B2FCCF9DA65@oracle.com> <521E2353.2030904@aol.com> <23dda71eaefa47fb848fd2d6e4cd7499@BY2PR03MB189.namprd03.prod.outlook.com> <521E2657.1060506@aol.com> <521E276F.3010804@gmail.com> <521E2834.4010102@mitre.org>
To: Justin Richer <jricher@mitre.org>
X-Mailer: Apple Mail (2.1508)
X-Source-IP: acsinet21.oracle.com [141.146.126.237]
Cc: oauth@ietf.org
Subject: Re: [OAUTH-WG] Dynamic Client Registration Conference Call: Wed 28 Aug, 2pm PDT: Conference Bridge Details
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 28 Aug 2013 16:43:39 -0000

So why are you fighting so hard against standardizing software assertions?  You're effectively already using the solution for BB+.

The fact that a standardized initial_access_token eliminates most of the registration endpoint seems to be your primary objection.

Phil

@independentid
www.independentid.com
phil.hunt@oracle.com







On 2013-08-28, at 9:41 AM, Justin Richer <jricher@mitre.org> wrote:

> Yes, that already works. And you could accomplish that with the current dynamic registration spec, too -- it's just that client assertions were deemed too-underspecified to include in the base draft, and nobody's stepped up to offer a full writeup and extension of using other auth mechanisms (outside of OpenID Connect).
>
> -- Justin
>
> On 08/28/2013 12:38 PM, Sergey Beryozkin wrote:
>> On 28/08/13 17:33, George Fletcher wrote:
>>> So I understand that you'd rather that OAuth doesn't require a
>>> client_secret and that's fine. However, I don't think we should impose
>>> that thinking on the rest of the world who have already implemented it
>>> and have it working and scaling without issues. If the core of this
>>> discussion is around replacing client_id and client_secret with a
>>> client_assertion then let's have that discussion separately and not bury
>>> it in the dynamic registration discussion.
>>>
>>> Could you not profile OAuth2 to support a flow that allows for retrieval
>>> of access and refresh tokens using code + client_assertion? Doesn't seem
>>> like that hard a profile and then the rest of this could fall out pretty
>>> easily.
>>>
>> That is already supported AFAIK, something like
>>
>> grant_type=authorization_code
>> &code=12345678
>> &client_assertion_type=urn%3Aietf%3Aparams%3Aoauth%3Aclient-assertion-type%3Asaml2-bearer
>> &client_assertion=Base64UrlEncoded-SAML2-Bearer-Assertion
>>
>> probably the same works with JWT
>>
>> Sergey
>>
>>> Thanks,
>>> George
>>>
>>> On 8/28/13 12:28 PM, Anthony Nadalin wrote:
>>>>
>>>> I do think that this is the rare-edge use case, we would not want
>>>> to require client-secret, we already have that mess today with OAuth and
>>>> trying not to continue the proliferation, we solve this today with our
>>>> STS and assertion swaps/transformations, it scales, performs and we
>>>> don't have the management debacle this specification creates
>>>>
>>>> *From:*oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] *On
>>>> Behalf Of *George Fletcher
>>>> *Sent:* Wednesday, August 28, 2013 9:21 AM
>>>> *To:* Phil Hunt
>>>> *Cc:* oauth mailing list
>>>> *Subject:* Re: [OAUTH-WG] Dynamic Client Registration Conference Call:
>>>> Wed 28 Aug, 2pm PDT: Conference Bridge Details
>>>>
>>>> On 8/28/13 12:02 PM, Phil Hunt wrote:
>>>>
>>>>    Please define the all in one case. I think this is the edge case and is in fact rare.
>>>>
>>>>    I agree, in many cases step 1 can be made by simply approving a class of software. But then step 2 is simplified.
>>>>
>>>>    Dyn reg assumes every registration of an instance is unique which to me is a very extreme
>>>>
>>>> If you have a mobile app that needs to do the code flow... which
>>>> requires a client_secret in order to retrieve the access token and
>>>> refresh token, how does the app do this without per app instance
>>>> registration?
>>>>
>>>> I'd argue that almost all user facing mobile apps will want the above
>>>> flow and that's not a small, rare edge case.
>>>>
>>>> Thanks,
>>>> George
>>>>
>>>>    position.
>>>>
>>>>    Phil
>>>>
>>>>    On 2013-08-28, at 8:41, Justin Richer <jricher@mitre.org> wrote:
>>>>
>>>>        Except for the cases where you want step 1 to happen in band. To me, that is a vitally and fundamentally important use case that we can't disregard, and we must have a solution that can accommodate that. The notions of "publisher" and "product" fade very quickly once you get outside of the software vendor world.
>>>>
>>>>        This is, of course, not to stand in the way of other solutions or approaches (such as something assertion based like you're after). It's not a one-or-the-other proposition, especially when there are mutually exclusive aspects of each.
>>>>
>>>>        Therefore I once again call for the WG to finish the current dynamic registration spec *AND* pursue the assertion based process that Phil's talking about. They're not mutually exclusive, let's please stop talking about them like they are.
>>>>
>>>>        -- Justin
>>>>
>>>>        On 08/28/2013 11:17 AM, Phil Hunt wrote:
>>>>
>>>>            Sorry. I meant also to say I think there are 2 registration steps
>>>>
>>>>            1. Software registration/approval. This often happens out of band. But in this step policy is defined that approves software for use. Many of the reg params are known here.
>>>>
>>>>            Federation techniques come into play as trust approvals can be based on developer, product or even publisher.
>>>>
>>>>            2. Each instance associates in a stateless way. Only clients that need credential rotation need more.
>>>>
>>>>            Phil
>>>>
>>>>            On 2013-08-28, at 8:04, Phil Hunt <phil.hunt@oracle.com> wrote:
>>>>
>>>>                I have a conflict I cannot get out of for 2pacific.
>>>>
>>>>                I think a certificate based approach is going to simplify exchanges in all cases. I encourage the group to explore the concept on the call.
>>>>
>>>>                I am not sure breaking dyn reg up helps. It creates yet another option. I would like to explore how federation concept in software statements can help with facilitating association and making many reg stateless.
>>>>
>>>>                Phil
>>>>
>>>>                On 2013-08-28, at 5:43, "Tschofenig, Hannes (NSN - FI/Espoo)" <hannes.tschofenig@nsn.com> wrote:
>>>>
>>>>                    Here are the conference bridge / Webex details for the call today.
>>>>
>>>>                    We are going to complete the use case discussions from last time (Phil wasn't able to walk through all slides). Justin was also able to work out a strawman proposal based on the discussions last week and we will have a look at it to see whether this is a suitable compromise. Here is Justin's mail, in case you have missed it: http://www.ietf.org/mail-archive/web/oauth/current/msg12036.html
>>>>
>>>>                    Phil, please feel free to make adjustments to your slides given Justin's recent proposal.
>>>>
>>>>                    Topic: OAuth Dynamic Client Registration
>>>>                    Date: Wednesday, August 28, 2013
>>>>                    Time: 2:00 pm, Pacific Daylight Time (San Francisco, GMT-07:00)
>>>>                    Meeting Number: 703 230 586
>>>>                    Meeting Password: oauth
>>>>
>>>> -------------------------------------------------------
>>>>                    To join the online meeting
>>>> -------------------------------------------------------
>>>>                    1. Go to https://nsn.webex.com/nsn/j.php?ED=269567657&UID=0&PW=NNTI1ZWQzMDJk&RT=MiM0
>>>>                    2. Enter your name and email address.
>>>>                    3. Enter the meeting password: oauth
>>>>                    4. Click "Join Now".
>>>>
>>>>                    To view in other time zones or languages, please click the link:
>>>> https://nsn.webex.com/nsn/j.php?ED=269567657&UID=0&PW=NNTI1ZWQzMDJk&ORT=MiM0
>>>>
>>>>                    To add this meeting to your calendar program (for example Microsoft Outlook), click this link:
>>>> https://nsn.webex.com/nsn/j.php?ED=269567657&UID=0&ICS=MI&LD=1&RD=2&ST=1&SHA2=C6-AjLGvhdYjmpVdx75M6UsAwrNLMsequ5n95Gyv1R8=&RT=MiM0
>>>>
>>>> -------------------------------------------------------
>>>>                    To join the teleconference only
>>>> -------------------------------------------------------
>>>>                    Global dial-in Numbers: http://www.nokiasiemensnetworks.com/nvc
>>>>                    Conference Code: 944 910 5485
>>>>
>>>> _______________________________________________
>>>>                    OAuth mailing list
>>>>                    OAuth@ietf.org <mailto:OAuth@ietf.org>
>>>> https://www.ietf.org/mailman/listinfo/oauth
>>>>
>>>> --
>>>> George Fletcher <http://connect.me/gffletch>
>>>>
>>>
>>> --
>>> George Fletcher <http://connect.me/gffletch>
>>>
>>> _______________________________________________
>>> OAuth mailing list
>>> OAuth@ietf.org
>>> https://www.ietf.org/mailman/listinfo/oauth
>>>
>>
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
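
The token request quoted in the message above (authorization code plus `client_assertion`), written out with a JWT assertion and the checks an authorization server would apply before accepting it. This is an added example, not code from the thread or from any of the drafts; the endpoint URL, client identifier and key are constructed, and HMAC-SHA256 (HS256) stands in for the asymmetric signature a deployment would normally use so that the block runs on the standard library alone.

```python
import base64
import hashlib
import hmac
import json
from urllib.parse import parse_qs, urlencode

JWT_BEARER = "urn:ietf:params:oauth:client-assertion-type:jwt-bearer"
TOKEN_ENDPOINT = "https://as.example.com/token"  # constructed AS token endpoint
# Constructed per-client keys the AS is assumed to hold after registration.
CLIENT_KEYS = {"mobile-app-instance-1": b"constructed-demo-key"}


def b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign(key, signing_input):
    return hmac.new(key, signing_input.encode(), hashlib.sha256).digest()


def make_assertion(client_id, key, aud, now, lifetime=300, alg="HS256"):
    """Client side: a JWT with iss = sub = client_id, addressed to the AS."""
    header = {"alg": alg, "typ": "JWT"}
    claims = {"iss": client_id, "sub": client_id, "aud": aud,
              "iat": now, "exp": now + lifetime}
    signing_input = ".".join(
        b64url(json.dumps(part).encode()) for part in (header, claims))
    sig = sign(key, signing_input) if alg == "HS256" else b""
    return signing_input + "." + b64url(sig)


def token_request_body(code, assertion, assertion_type=JWT_BEARER):
    """Client side: the form body from the thread, no client_secret."""
    return urlencode({"grant_type": "authorization_code", "code": code,
                      "client_assertion_type": assertion_type,
                      "client_assertion": assertion})


def authenticate_client(body, now):
    """AS side: return (client_id, None) on success, (None, reason) otherwise."""
    form = {name: values[0] for name, values in parse_qs(body).items()}
    if form.get("client_assertion_type") != JWT_BEARER:
        return None, "unsupported client_assertion_type"
    parts = form.get("client_assertion", "").split(".")
    if len(parts) != 3:
        return None, "malformed assertion"
    try:
        header = json.loads(b64url_decode(parts[0]))
        claims = json.loads(b64url_decode(parts[1]))
        sig = b64url_decode(parts[2])
    except ValueError:  # covers base64, UTF-8 and JSON decoding errors
        return None, "malformed assertion"
    if not isinstance(header, dict) or not isinstance(claims, dict):
        return None, "malformed assertion"
    # Pin the algorithm on the server; never let the token choose it ("none").
    if header.get("alg") != "HS256":
        return None, "unexpected alg"
    issuer = claims.get("iss")
    key = CLIENT_KEYS.get(issuer) if isinstance(issuer, str) else None
    if key is None:
        return None, "unknown client"
    if not hmac.compare_digest(sig, sign(key, parts[0] + "." + parts[1])):
        return None, "bad signature"
    # For client authentication the assertion speaks for the client itself.
    if claims.get("sub") != issuer:
        return None, "iss and sub differ"
    # The audience must be this AS, or an assertion minted for another
    # server could be replayed here.
    aud = claims.get("aud")
    if TOKEN_ENDPOINT not in (aud if isinstance(aud, list) else [aud]):
        return None, "wrong audience"
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        return None, "expired"
    return issuer, None


if __name__ == "__main__":
    t0 = 1377708000  # constructed timestamp
    cid = "mobile-app-instance-1"
    body = token_request_body(
        "12345678", make_assertion(cid, CLIENT_KEYS[cid], TOKEN_ENDPOINT, t0))
    print(body)
    print(authenticate_client(body, t0))
```
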


From phil.hunt@oracle.com  Wed Aug 28 09:46:01 2013
Return-Path: <phil.hunt@oracle.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0BC1211E823E for <oauth@ietfa.amsl.com>; Wed, 28 Aug 2013 09:46:01 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.635
X-Spam-Level: 
X-Spam-Status: No, score=-5.635 tagged_above=-999 required=5 tests=[AWL=0.364,  BAYES_00=-2.599, J_CHICKENPOX_55=0.6, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id bhrUSqSPxFPu for <oauth@ietfa.amsl.com>; Wed, 28 Aug 2013 09:45:55 -0700 (PDT)
Received: from aserp1040.oracle.com (aserp1040.oracle.com [141.146.126.69]) by ietfa.amsl.com (Postfix) with ESMTP id 2B68411E8240 for <oauth@ietf.org>; Wed, 28 Aug 2013 09:45:51 -0700 (PDT)
Received: from ucsinet22.oracle.com (ucsinet22.oracle.com [156.151.31.94]) by aserp1040.oracle.com (Sentrion-MTA-4.3.1/Sentrion-MTA-4.3.1) with ESMTP id r7SGjnn8003431 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK); Wed, 28 Aug 2013 16:45:50 GMT
Received: from userz7021.oracle.com (userz7021.oracle.com [156.151.31.85]) by ucsinet22.oracle.com (8.14.4+Sun/8.14.4) with ESMTP id r7SGjm1Z013642 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Wed, 28 Aug 2013 16:45:49 GMT
Received: from abhmt118.oracle.com (abhmt118.oracle.com [141.146.116.70]) by userz7021.oracle.com (8.14.4+Sun/8.14.4) with ESMTP id r7SGjm3E022450; Wed, 28 Aug 2013 16:45:48 GMT
Received: from [192.168.1.89] (/24.86.29.34) by default (Oracle Beehive Gateway v4.0) with ESMTP ; Wed, 28 Aug 2013 09:45:48 -0700
Content-Type: text/plain; charset=us-ascii
Mime-Version: 1.0 (Mac OS X Mail 6.5 \(1508\))
From: Phil Hunt <phil.hunt@oracle.com>
In-Reply-To: <521DC26B.1000005@gmail.com>
Date: Wed, 28 Aug 2013 09:45:58 -0700
Content-Transfer-Encoding: quoted-printable
Message-Id: <06BB4B37-8C7E-4289-A64E-EAA0E35E488D@oracle.com>
References: <20130827155645.1310.29989.idtracker@ietfa.amsl.com> <805A22A4-E086-435E-BBA2-E0A04241A334@oracle.com> <1426A97F-8A71-4297-9F46-C824121D36BB@ve7jtb.com> <521DC26B.1000005@gmail.com>
To: Sergey Beryozkin <sberyozkin@gmail.com>
X-Mailer: Apple Mail (2.1508)
X-Source-IP: ucsinet22.oracle.com [156.151.31.94]
Cc: oauth@ietf.org
Subject: Re: [OAUTH-WG] Fwd: New Version Notification for draft-hunt-oauth-v2-user-a4c-01.txt
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 28 Aug 2013 16:46:01 -0000

Sergey,

I agree, the text may still be a bit awkward.  What I was trying to open the door to is that some client may not actually want access to the resource in question -- they just want to authenticate the user.

So, if the client has an empty scope, the AS could interpret that as an authentication only request and it doesn't have to return an access token.

Phil

@independentid
www.independentid.com
phil.hunt@oracle.com







On 2013-08-28, at 2:27 AM, Sergey Beryozkin <sberyozkin@gmail.com> wrote:

> Hi Phil,
>
> I have a question, re:
>
> "The authorization server MUST:
>
> -Perform the normal OAuth2 authorization process,
> -MAY elect not to request consent if no access token is to be
>      issued (i.e. this is an authentication only request),
> "
>
> This last statement confuses me, given that the Authentication Response
> "is identical to the one described in Section 4.1.2 [RFC6749]."
>
> In other words, the client may only request the login but get the 'code' back without the user consent ? This seems wrong but maybe I'm missing something ?
>
> Thanks, Sergey
>
>>
>> On 2013-08-27, at 12:52 PM, Phil Hunt <phil.hunt@oracle.com
>> <mailto:phil.hunt@oracle.com>> wrote:
>>
>>> FYI.  Based on feedback from Berlin, Tony and I have revised the draft
>>> to include:
>>>
>>> * Alignment with OpenID Connect (using id_token)
>>> * Always returns a JWT
>>> * Minimum assertion level on request
>>> * Return information about the type of authentication performed
>>>
>>> Thanks for your input.
>>>
>>> Phil
>>>
>>> @independentid
>>> www.independentid.com <http://www.independentid.com/>
>>> phil.hunt@oracle.com <mailto:phil.hunt@oracle.com>
>>>
>>> Begin forwarded message:
>>>
>>>> *From: *internet-drafts@ietf.org <mailto:internet-drafts@ietf.org>
>>>> *Subject: **New Version Notification for
>>>> draft-hunt-oauth-v2-user-a4c-01.txt*
>>>> *Date: *27 August, 2013 8:56:45 AM PDT
>>>> *To: *Phil Hunt <phil.hunt@yahoo.com <mailto:phil.hunt@yahoo.com>>,
>>>> Anthony Nadalin <tonynad@microsoft.com
>>>> <mailto:tonynad@microsoft.com>>, Tony Nadalin <tonynad@microsoft.com
>>>> <mailto:tonynad@microsoft.com>>
>>>>
>>>> A new version of I-D, draft-hunt-oauth-v2-user-a4c-01.txt
>>>> has been successfully submitted by Phil Hunt and posted to the
>>>> IETF repository.
>>>>
>>>> Filename: draft-hunt-oauth-v2-user-a4c
>>>> Revision: 01
>>>> Title: OAuth 2.0 User Authentication and Consent For Clients
>>>> Creation date: 2013-08-27
>>>> Group: Individual Submission
>>>> Number of pages: 10
>>>> URL: http://www.ietf.org/internet-drafts/draft-hunt-oauth-v2-user-a4c-01.txt
>>>> Status: http://datatracker.ietf.org/doc/draft-hunt-oauth-v2-user-a4c
>>>> Htmlized: http://tools.ietf.org/html/draft-hunt-oauth-v2-user-a4c-01
>>>> Diff: http://www.ietf.org/rfcdiff?url2=draft-hunt-oauth-v2-user-a4c-01
>>>>
>>>> Abstract:
>>>>  This specification defines a new OAuth2 endpoint that enables user
>>>>  authentication session and consent information to be shared with
>>>>  client applications.
>>>>
>>>> Please note that it may take a couple of minutes from the time of
>>>> submission
>>>> until the htmlized version and diff are available at tools.ietf.org
>>>> <http://tools.ietf.org/>.
>>>>
>>>> The IETF Secretariat
>>>>
>>>
>>> _______________________________________________
>>> OAuth mailing list
>>> OAuth@ietf.org <mailto:OAuth@ietf.org>
>>> https://www.ietf.org/mailman/listinfo/oauth
>>
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org
>> https://www.ietf.org/mailman/listi
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth


From ve7jtb@ve7jtb.com  Wed Aug 28 09:46:12 2013
Return-Path: <ve7jtb@ve7jtb.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7ED8D11E8208 for <oauth@ietfa.amsl.com>; Wed, 28 Aug 2013 09:46:12 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.618
X-Spam-Level: 
X-Spam-Status: No, score=-2.618 tagged_above=-999 required=5 tests=[AWL=-0.416, BAYES_00=-2.599, HTML_MESSAGE=0.001, MIME_QP_LONG_LINE=1.396, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id UOqrcfaExg3o for <oauth@ietfa.amsl.com>; Wed, 28 Aug 2013 09:46:08 -0700 (PDT)
Received: from mail-qe0-f48.google.com (mail-qe0-f48.google.com [209.85.128.48]) by ietfa.amsl.com (Postfix) with ESMTP id 3876811E8240 for <oauth@ietf.org>; Wed, 28 Aug 2013 09:46:04 -0700 (PDT)
Received: by mail-qe0-f48.google.com with SMTP id 1so3587909qec.35 for <oauth@ietf.org>; Wed, 28 Aug 2013 09:46:03 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=x-gm-message-state:content-type:mime-version:subject:from :in-reply-to:date:cc:message-id:references:to; bh=zuuf9Rl73HVjft+DnqjV7r2si1m3mONTX0jkE68hfSY=; b=A2/dunddJqhlydYM1EW7I7Mq7c1aIJpxUNQQd65DLBv+f1Dq1NI0UfSs+cnHSl0mRW onHDm/LSZzeGILLl0FxAC1FFaimJITVSoDPn4FDtdw9axXXpFDAhaRbGDo45gQjz1tgk 31ZsTkabFe3uLJhc6T5vY666lVbrwqRb0VdsUc23Ay7a8CMaT9IHvtMyr2thudlSrFqz IdllUyx/IJx5yTFYpsyYR8TVxB8cc1GkSnuPV/K5AFcrBVu9n2C2EDXLTEWuciwdgrQF rVjIUuBfA7zQ7ciSYrTOwByZsFQMUvY6Qz9aDiPnQg+DaKQKmJaiVBMSl395BWJHHpzo anAg==
X-Gm-Message-State: ALoCoQmrSCBgbLzBE9QzBU1tdfLHqZCgrlBU8W7/UZ6Kz+Xd7jjm3mVrDEKYVj57y45xhhW803jL
X-Received: by 10.49.106.226 with SMTP id gx2mr23006225qeb.67.1377708363585; Wed, 28 Aug 2013 09:46:03 -0700 (PDT)
Received: from [192.168.1.216] (190-20-36-119.baf.movistar.cl. [190.20.36.119]) by mx.google.com with ESMTPSA id y6sm37779166qaj.11.1969.12.31.16.00.00 (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Wed, 28 Aug 2013 09:46:02 -0700 (PDT)
Content-Type: multipart/signed; boundary="Apple-Mail=_6C7076C9-E15F-4D62-AA80-F44E945FBD27"; protocol="application/pkcs7-signature"; micalg=sha1
Mime-Version: 1.0 (Mac OS X Mail 6.5 \(1508\))
From: John Bradley <ve7jtb@ve7jtb.com>
In-Reply-To: <521E27BF.3030408@mitre.org>
Date: Wed, 28 Aug 2013 12:45:57 -0400
Message-Id: <5B2C7096-939A-4EA2-81FF-F15BDDFB7ABB@ve7jtb.com>
References: <1373E8CE237FCC43BCA36C6558612D2AA28D6A@USCHMBX001.nsn-intra.net> <4D9D4AAD-55F9-4B7E-A56F-5BC42F028E13@oracle.com> <B14A12F5-EF5C-4529-90B7-C30E17958907@oracle.com> <521E1A34.30204@mitre.org> <BC009D74-FEF3-4827-8C0D-1B2FCCF9DA65@oracle.com> <521E2353.2030904@aol.com> <C7CBA9A2-92F5-4AE3-8AEE-1259B6635DD9@oracle.com> <521E256A.60908@aol.com> <9F232504-FC58-41FD-B040-31F898034AD2@oracle.com> <521E27BF.3030408@mitre.org>
To: Justin Richer <jricher@mitre.org>
X-Mailer: Apple Mail (2.1508)
Cc: oauth mailing list <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Dynamic Client Registration Conference Call: Wed 28 Aug, 2pm PDT: Conference Bridge Details
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 28 Aug 2013 16:46:12 -0000

--Apple-Mail=_6C7076C9-E15F-4D62-AA80-F44E945FBD27
Content-Type: multipart/alternative;
	boundary="Apple-Mail=_F172CFDA-30FC-4C6F-AD6B-A160CABCD01A"


--Apple-Mail=_F172CFDA-30FC-4C6F-AD6B-A160CABCD01A
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain;
	charset=iso-8859-1

That is my concern as well, sending an assertion to the authorization endpoint requires an extension of OAuth to add another parameter or placing it in the client_id which you can do now with the dynamic reg spec if the AS wants to.

Holding up client registration for something that will require an extension to OAuth is overdoing it.   We need something for the OAuth spec we have now without requiring clients implement the assertion flow and other extensions.

John B.

On 2013-08-28, at 12:39 PM, Justin Richer <jricher@mitre.org> wrote:

> The initial_access_token doesn't assume that it's from the local domain. It merely assumes that the authorization server accepts the token, which would be true in the UMA case due to the federation. It could also be the exact same kinds of mechanisms that the software statement would use to achieve federation.
>
> I still don't see how an auth server is going to know about a client's configuration state with the assertion swap method, since there's no defined mechanism for sending a JWT assertion to the authorization endpoint.
>
>  -- Justin
>
> On 08/28/2013 12:35 PM, Phil Hunt wrote:
>> George,
>>
>> It would be reasonable for a client to submit an assertion, and obtain its own client assertion in return.  This is very close to what is happening per 2.1, 2.2 of http://tools.ietf.org/html/draft-ietf-oauth-jwt-bearer-06
>>
>> In this case, the Software Statement is an authorization that is exchanged for a client assertion in return. Then the clients authenticate per section 2.2 of the JWT spec.
>>
>> Regarding initial_access_token.  This does have some of the characteristics I am speaking of. But it is unspecified and the assumption is that it is issued by the local domain.  This doesn't work in the UMA case because that's more like a federated model. Thus the specified software statement works because the AS can approve the client software based on name, and/or developer, and/or publisher -- whatever trust requires.
>>
>> Phil
>>
>> @independentid
>> www.independentid.com
>> phil.hunt@oracle.com
>>
>> On 2013-08-28, at 9:29 AM, George Fletcher <gffletch@aol.com> wrote:
>>
>>> I can't say I understand what you mean by a simple assertion swap... but if you are wanting to use a client_assertion flow instead of the code flow then that's something completely different. If you are saying that you want the client_id to represent an "instance" in a stateless way using an "assertion" then that's already possible today.
>>>
>>> George
>>>
>>> On 8/28/13 12:23 PM, Phil Hunt wrote:
>>>> George
>>>>
>>>> That case can be solved with a simple assertion swap. We just have to profile it.
>>>>
>>>> Phil
>>>>
>>>> On 2013-08-28, at 9:20, George Fletcher <gffletch@aol.com> wrote:
>>>>
>>>>>
>>>>> On 8/28/13 12:02 PM, Phil Hunt wrote:
>>>>>> Please define the all in one case. I think this is the edge case and is in fact rare.
>>>>>>
>>>>>> I agree, in many cases step 1 can be made by simply approving a class of software. But then step 2 is simplified.
>>>>>>
>>>>>> Dyn reg assumes every registration of an instance is unique which to me is a very extreme
>>>>> If you have a mobile app that needs to do the code flow... which requires a client_secret in order to retrieve the access token and refresh token, how does the app do this without per app instance registration?
>>>>>
>>>>> I'd argue that almost all user facing mobile apps will want the above flow and that's not a small, rare edge case.
>>>>>
>>>>> Thanks,
>>>>> George
>>>>>> position.
>>>>>>
>>>>>> Phil
>>>>>>
>>>>>> On 2013-08-28, at 8:41, Justin Richer <jricher@mitre.org> wrote:
>>>>>>
>>>>>>> Except for the cases where you want step 1 to happen in band. To me, that is a vitally and fundamentally important use case that we can't disregard, and we must have a solution that can accommodate that. The notions of "publisher" and "product" fade very quickly once you get outside of the software vendor world.
>>>>>>>
>>>>>>> This is, of course, not to stand in the way of other solutions or approaches (such as something assertion based like you're after). It's not a one-or-the-other proposition, especially when there are mutually exclusive aspects of each.
>>>>>>>
>>>>>>> Therefore I once again call for the WG to finish the current dynamic registration spec *AND* pursue the assertion based process that Phil's talking about. They're not mutually exclusive, let's please stop talking about them like they are.
>>>>>>>
>>>>>>> -- Justin
>>>>>>>
>>>>>>> On 08/28/2013 11:17 AM, Phil Hunt wrote:
>>>>>>>> Sorry. I meant also to say I think there are 2 registration steps.
>>>>>>>>
>>>>>>>> 1. Software registration/approval. This often happens out of band. But in this step policy is defined that approves software for use. Many of the reg params are known here.
>>>>>>>>
>>>>>>>> Federation techniques come into play as trust approvals can be based on developer, product or even publisher.
>>>>>>>>
>>>>>>>> 2. Each instance associates in a stateless way. Only clients that need credential rotation need more.
>>>>>>>>
>>>>>>>> Phil
>>>>>>>>
>>>>>>>> On 2013-08-28, at 8:04, Phil Hunt <phil.hunt@oracle.com> wrote:
>>>>>>>>
>>>>>>>>> I have a conflict I cannot get out of for 2pacific.
>>>>>>>>>
>>>>>>>>> I think a certificate based approach is going to simplify exchanges in all cases. I encourage the group to explore the concept on the call.
>>>>>>>>>
>>>>>>>>> I am not sure breaking dyn reg up helps. It creates yet another option. I would like to explore how federation concept in software statements can help with facilitating association and making many reg stateless.
>>>>>>>>>
>>>>>>>>> Phil
>>>>>>>>>
>>>>>>>>> On 2013-08-28, at 5:43, "Tschofenig, Hannes (NSN - FI/Espoo)" <hannes.tschofenig@nsn.com> wrote:
>>>>>>>>>
>>>>>>>>>> Here are the conference bridge / Webex details for the call today.
>>>>>>>>>> We are going to complete the use case discussions from last time (Phil wasn't able to walk through all slides). Justin was also able to work out a strawman proposal based on the discussions last week and we will have a look at it to see whether this is a suitable compromise. Here is Justin's mail, in case you have missed it: http://www.ietf.org/mail-archive/web/oauth/current/msg12036.html
>>>>>>>>>>
>>>>>>>>>> Phil, please feel free to make adjustments to your slides given Justin's recent proposal.
>>>>>>>>>>
>>>>>>>>>> Topic: OAuth Dynamic Client Registration
>>>>>>>>>> Date: Wednesday, August 28, 2013
>>>>>>>>>> Time: 2:00 pm, Pacific Daylight Time (San Francisco, GMT-07:00)
>>>>>>>>>> Meeting Number: 703 230 586
>>>>>>>>>> Meeting Password: oauth
>>>>>>>>>>
>>>>>>>>>> -------------------------------------------------------
>>>>>>>>>> To join the online meeting
>>>>>>>>>> -------------------------------------------------------
>>>>>>>>>> 1. Go to https://nsn.webex.com/nsn/j.php?ED=269567657&UID=0&PW=NNTI1ZWQzMDJk&RT=MiM0
>>>>>>>>>> 2. Enter your name and email address.
>>>>>>>>>> 3. Enter the meeting password: oauth
>>>>>>>>>> 4. Click "Join Now".
>>>>>>>>>>
>>>>>>>>>> To view in other time zones or languages, please click the link:
>>>>>>>>>> https://nsn.webex.com/nsn/j.php?ED=269567657&UID=0&PW=NNTI1ZWQzMDJk&ORT=MiM0
>>>>>>>>>>
>>>>>>>>>> To add this meeting to your calendar program (for example Microsoft Outlook), click this link:
>>>>>>>>>> https://nsn.webex.com/nsn/j.php?ED=269567657&UID=0&ICS=MI&LD=1&RD=2&ST=1&SHA2=C6-AjLGvhdYjmpVdx75M6UsAwrNLMsequ5n95Gyv1R8=&RT=MiM0
>>>>>>>>>>
>>>>>>>>>> -------------------------------------------------------
>>>>>>>>>> To join the teleconference only
>>>>>>>>>> -------------------------------------------------------
>>>>>>>>>> Global dial-in Numbers: =
http://www.nokiasiemensnetworks.com/nvc
>>>>>>>>>> Conference Code: 944 910 5485
>>>>>>>>>>=20
>>>>>>>>>>=20
>>>>>>>>>> _______________________________________________
>>>>>>>>>> OAuth mailing list
>>>>>>>>>> OAuth@ietf.org
>>>>>>>>>> https://www.ietf.org/mailman/listinfo/oauth
>>>>>>
>>>>>>
>>>>>
>>>>> --
>>>>> <XeC>
>>>
>>> --
>>> <XeC.png>
>>
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth


--Apple-Mail=_F172CFDA-30FC-4C6F-AD6B-A160CABCD01A--

--Apple-Mail=_6C7076C9-E15F-4D62-AA80-F44E945FBD27--
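
Added example (not part of any message in this thread, and not code from the dynamic registration or JWT bearer drafts): a Python sketch of the exchange debated here, in which the token request carries the authorization code plus a JWT client_assertion instead of a client_secret, and the authorization server authenticates the client from that assertion. The endpoint URL, client name, key and clock value are constructed, and HS256 from the standard library is an assumption standing in for whatever signature the server's trust policy would actually require.

```python
import base64
import hashlib
import hmac
import json
from urllib.parse import parse_qs, urlencode

JWT_BEARER = "urn:ietf:params:oauth:client-assertion-type:jwt-bearer"
TOKEN_ENDPOINT = "https://as.example.com/token"  # assumed token endpoint
NOW = 1377708000  # constructed clock value (seconds since the epoch)
CLIENT = "mobile-app-instance-7"  # constructed client_id for one app instance
# Assumed trust store: assertion issuer -> verification key (constructed).
ISSUER_KEYS = {CLIENT: b"constructed-demo-key"}


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign(signing_input: str, key: bytes) -> bytes:
    return hmac.new(key, signing_input.encode(), hashlib.sha256).digest()


def make_assertion(claims: dict, key: bytes, alg: str = "HS256") -> str:
    """Client side: build the compact JWT sent as client_assertion."""
    head = b64url(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    body = b64url(json.dumps(claims).encode())
    signing_input = head + "." + body
    return signing_input + "." + b64url(sign(signing_input, key))


def token_request(code: str, assertion: str) -> str:
    """Client side: form body for the token endpoint, with no client_secret."""
    return urlencode({"grant_type": "authorization_code", "code": code,
                      "client_assertion_type": JWT_BEARER,
                      "client_assertion": assertion})


def authenticate_client(form_body: str, now: int) -> str:
    """Server side: return the authenticated client_id or raise ValueError."""
    form = {k: v[0] for k, v in parse_qs(form_body).items()}
    if form.get("client_assertion_type") != JWT_BEARER:
        raise ValueError("unsupported client_assertion_type")
    try:
        head_b64, body_b64, sig_b64 = form["client_assertion"].split(".")
        header = json.loads(b64url_decode(head_b64))
        claims = json.loads(b64url_decode(body_b64))
        signature = b64url_decode(sig_b64)
    except (KeyError, ValueError) as err:
        raise ValueError("malformed client_assertion") from err
    if not isinstance(header, dict) or not isinstance(claims, dict):
        raise ValueError("malformed client_assertion")
    if header.get("alg") != "HS256":  # pin the algorithm; the header does not choose
        raise ValueError("unexpected alg")
    issuer = claims.get("iss")
    key = ISSUER_KEYS.get(issuer) if isinstance(issuer, str) else None
    if key is None:
        raise ValueError("untrusted issuer")
    if not hmac.compare_digest(sign(head_b64 + "." + body_b64, key), signature):
        raise ValueError("bad signature")
    client_id = claims.get("sub")  # for client authentication, sub is the client_id
    if not isinstance(client_id, str) or form.get("client_id", client_id) != client_id:
        raise ValueError("sub does not identify the client")
    aud = claims.get("aud")
    if TOKEN_ENDPOINT not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("audience mismatch")  # assertion minted for another server
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        raise ValueError("assertion expired")
    return client_id


def demo() -> dict:
    """Run constructed token requests through the server-side check."""
    key = ISSUER_KEYS[CLIENT]
    good = {"iss": CLIENT, "sub": CLIENT, "aud": TOKEN_ENDPOINT, "exp": NOW + 300}
    cases = {
        "valid": make_assertion(good, key),
        "wrong_audience": make_assertion(
            {**good, "aud": "https://other.example.net/token"}, key),
        "expired": make_assertion({**good, "exp": NOW - 1}, key),
        "forged": make_assertion(good, b"some-other-key"),
        "alg_none": make_assertion(good, key, alg="none"),
    }
    results = {}
    for name, assertion in cases.items():
        try:
            results[name] = authenticate_client(token_request("12345678", assertion), NOW)
        except ValueError as err:
            results[name] = "rejected: " + str(err)
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(case, "->", outcome)
```
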

From jricher@mitre.org  Wed Aug 28 09:47:23 2013
Return-Path: <jricher@mitre.org>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E342E11E8208 for <oauth@ietfa.amsl.com>; Wed, 28 Aug 2013 09:47:23 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.497
X-Spam-Level: 
X-Spam-Status: No, score=-6.497 tagged_above=-999 required=5 tests=[AWL=0.102,  BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id KpB5zrg5c0eR for <oauth@ietfa.amsl.com>; Wed, 28 Aug 2013 09:47:19 -0700 (PDT)
Received: from smtpksrv1.mitre.org (smtpksrv1.mitre.org [198.49.146.77]) by ietfa.amsl.com (Postfix) with ESMTP id 7B32811E8240 for <oauth@ietf.org>; Wed, 28 Aug 2013 09:47:18 -0700 (PDT)
Received: from smtpksrv1.mitre.org (localhost.localdomain [127.0.0.1]) by localhost (Postfix) with SMTP id 1F8E81F02CD; Wed, 28 Aug 2013 12:47:18 -0400 (EDT)
Received: from IMCCAS04.MITRE.ORG (imccas04.mitre.org [129.83.29.81]) by smtpksrv1.mitre.org (Postfix) with ESMTP id 000C81F02B6; Wed, 28 Aug 2013 12:47:17 -0400 (EDT)
Received: from [10.146.15.13] (129.83.31.56) by IMCCAS04.MITRE.ORG (129.83.29.81) with Microsoft SMTP Server (TLS) id 14.2.342.3; Wed, 28 Aug 2013 12:47:17 -0400
Message-ID: <521E298C.5070704@mitre.org>
Date: Wed, 28 Aug 2013 12:47:08 -0400
From: Justin Richer <jricher@mitre.org>
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:17.0) Gecko/20130623 Thunderbird/17.0.7
MIME-Version: 1.0
To: Phil Hunt <phil.hunt@oracle.com>
References: <1373E8CE237FCC43BCA36C6558612D2AA28D6A@USCHMBX001.nsn-intra.net> <4D9D4AAD-55F9-4B7E-A56F-5BC42F028E13@oracle.com> <B14A12F5-EF5C-4529-90B7-C30E17958907@oracle.com>	<521E1A34.30204@mitre.org> <BC009D74-FEF3-4827-8C0D-1B2FCCF9DA65@oracle.com> <521E2353.2030904@aol.com> <23dda71eaefa47fb848fd2d6e4cd7499@BY2PR03MB189.namprd03.prod.outlook.com> <521E2657.1060506@aol.com> <521E276F.3010804@gmail.com> <521E2834.4010102@mitre.org> <E9A4949D-5969-4667-8ACF-945F2D16BDFD@oracle.com>
In-Reply-To: <E9A4949D-5969-4667-8ACF-945F2D16BDFD@oracle.com>
Content-Type: text/plain; charset="windows-1252"; format=flowed
Content-Transfer-Encoding: 8bit
X-Originating-IP: [129.83.31.56]
Cc: oauth@ietf.org
Subject: Re: [OAUTH-WG] Dynamic Client Registration Conference Call: Wed 28 Aug, 2pm PDT: Conference Bridge Details
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 28 Aug 2013 16:47:24 -0000

For the last time, I am not against standardizing software assertions. I 
have no idea where you keep getting that idea from, considering how many 
times I've publicly come out in support of it. I've even offered to help 
edit a spec to bring the ideas to their full and proper fruition.

What I disagree with is your conjecture that it eliminates the 
registration and configuration endpoints. It just doesn't, and they can 
work together fine.

Why are you fighting so hard against use cases that can't use or don't 
need software assertions?

  -- Justin

On 08/28/2013 12:43 PM, Phil Hunt wrote:
> So why are you fighting so hard against standardizing software assertions?  You're effectively already using the solution for BB+.
>
> The fact that a standardized initial_access_token eliminates most of the registration endpoint seems to be your primary objection.
>
> Phil
>
> @independentid
> www.independentid.com
> phil.hunt@oracle.com
>
> On 2013-08-28, at 9:41 AM, Justin Richer <jricher@mitre.org> wrote:
>
>> Yes, that already works. And you could accomplish that with the current dynamic registration spec, too -- it's just that client assertions were deemed too-underspecified to include in the base draft, and nobody's stepped up to offer a full writeup and extension of using other auth mechanisms (outside of OpenID Connect).
>>
>> -- Justin
>>
>> On 08/28/2013 12:38 PM, Sergey Beryozkin wrote:
>>> On 28/08/13 17:33, George Fletcher wrote:
>>>> So I understand that you'd rather that OAuth doesn't require a
>>>> client_secret and that's fine. However, I don't think we should impose
>>>> that thinking on the rest of the world who have already implemented it
>>>> and have it working and scaling without issues. If the core of this
>>>> discussion is around replacing client_id and client_secret with a
>>>> client_assertion then let's have that discussion separately and not bury
>>>> it in the dynamic registration discussion.
>>>>
>>>> Could you not profile OAuth2 to support a flow that allows for retrieval
>>>> of access and refresh tokens using code + client_assertion? Doesn't seem
>>>> like that hard a profile and then the rest of this could fall out pretty
>>>> easily.
>>>>
>>> That is already supported AFAIK, something like
>>>
>>> grant_type=authorization_code
>>> &code=12345678
>>> &client_assertion_type=urn%3Aietf%3Aparams%3Aoauth%3Aclient-assertion-type%3Asaml2-bearer
>>> &client_assertion=Base64UrlEncoded-SAML2-Bearer-Assertion
>>>
>>> probably the same works with JWT
>>>
>>> Sergey
>>>
>>>
>>>> Thanks,
>>>> George
>>>>
>>>> On 8/28/13 12:28 PM, Anthony Nadalin wrote:
>>>>> I do think that this is the rare-edge use case, we would not want
>>>>> to require client-secret, we already have that mess today with OAuth and
>>>>> trying not to continue the proliferation, we solve this today with our
>>>>> STS and assertion swaps/transformations, it scales, performs and we
>>>>> don’t have the management debacle this specification creates
>>>>>
>>>>> *From:*oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] *On
>>>>> Behalf Of *George Fletcher
>>>>> *Sent:* Wednesday, August 28, 2013 9:21 AM
>>>>> *To:* Phil Hunt
>>>>> *Cc:* oauth mailing list
>>>>> *Subject:* Re: [OAUTH-WG] Dynamic Client Registration Conference Call:
>>>>> Wed 28 Aug, 2pm PDT: Conference Bridge Details
>>>>>
>>>>> On 8/28/13 12:02 PM, Phil Hunt wrote:
>>>>>
>>>>>     Please define the all in one case. I think this is the edge case and is in fact rare.
>>>>>
>>>>>
>>>>>
>>>>>     I agree, in many cases step 1 can be made by simply approving a class of software. But then step 2 is simplified.
>>>>>
>>>>>
>>>>>
>>>>>     Dyn reg assumes every registration of an instance is unique which to me is a very extreme
>>>>>
>>>>> If you have a mobile app that needs to do the code flow... which
>>>>> requires a client_secret in order to retrieve the access token and
>>>>> refresh token, how does the app do this without per app instance
>>>>> registration?
>>>>>
>>>>> I'd argue that almost all user facing mobile apps will want the above
>>>>> flow and that's not a small, rare edge case.
>>>>>
>>>>> Thanks,
>>>>> George
>>>>>
>>>>>     position.
>>>>>
>>>>>
>>>>>
>>>>>     Phil
>>>>>
>>>>>
>>>>>
>>>>>     On 2013-08-28, at 8:41, Justin Richer<jricher@mitre.org> <mailto:jricher@mitre.org>  wrote:
>>>>>
>>>>>
>>>>>
>>>>>         Except for the cases where you want step 1 to happen in band. To me, that is a vitally and fundamentally important use case that we can't disregard, and we must have a solution that can accommodate that. The notions of "publisher" and "product" fade very quickly once you get outside of the software vendor world.
>>>>>
>>>>>
>>>>>
>>>>>         This is, of course, not to stand in the way of other solutions or approaches (such as something assertion based like you're after). It's not a one-or-the-other proposition, especially when there are mutually exclusive aspects of each.
>>>>>
>>>>>
>>>>>
>>>>>         Therefore I once again call for the WG to finish the current dynamic registration spec *AND* pursue the assertion based process that Phil's talking about. They're not mutually exclusive, let's please stop talking about them like they are.
>>>>>
>>>>>
>>>>>
>>>>>         -- Justin
>>>>>
>>>>>
>>>>>
>>>>>         On 08/28/2013 11:17 AM, Phil Hunt wrote:
>>>>>
>>>>>             Sorry. I meant also to say I think there are 2 registration steps
>>>>>
>>>>>             1. Software registration/approval. This often happens out of band. But in this step policy is defined that approves software for use. Many of the reg params are known here.
>>>>>
>>>>>
>>>>>
>>>>>             Federation techniques come into play as trust approvals can be based on developer, product or even publisher.
>>>>>
>>>>>
>>>>>
>>>>>             2. Each instance associates in a stateless way. Only clients that need credential rotation need more.
>>>>>
>>>>>
>>>>>
>>>>>             Phil
>>>>>
>>>>>
>>>>>
>>>>>             On 2013-08-28, at 8:04, Phil Hunt<phil.hunt@oracle.com> <mailto:phil.hunt@oracle.com>  wrote:
>>>>>
>>>>>
>>>>>
>>>>>                 I have a conflict I cannot get out of for 2pacific.
>>>>>
>>>>>
>>>>>
>>>>>                 I think a certificate based approach is going to simplify exchanges in all cases. I encourage the group to explore the concept on the call.
>>>>>
>>>>>
>>>>>
>>>>>                 I am not sure breaking dyn reg up helps. It creates yet another option. I would like to explore how federation concept in software statements can help with facilitating association and making many reg stateless.
>>>>>
>>>>>
>>>>>
>>>>>                 Phil
>>>>>
>>>>>
>>>>>
>>>>>                 On 2013-08-28, at 5:43, "Tschofenig, Hannes (NSN - FI/Espoo)"<hannes.tschofenig@nsn.com> <mailto:hannes.tschofenig@nsn.com>  wrote:
>>>>>
>>>>>
>>>>>
>>>>>                     Here are the conference bridge / Webex details for the call today.
>>>>>
>>>>>                     We are going to complete the use case discussions from last time (Phil wasn't able to walk through all slides). Justin was also able to work out a strawman proposal based on the discussions last week and we will have a look at it to see whether this is a suitable compromise. Here is Justin's mail, in case you have missed it: http://www.ietf.org/mail-archive/web/oauth/current/msg12036.html
>>>>>
>>>>>
>>>>>
>>>>>                     Phil, please feel free to make adjustments to your slides given Justin's recent proposal.
>>>>>
>>>>>
>>>>>
>>>>>                     Topic: OAuth Dynamic Client Registration
>>>>>
>>>>>                     Date: Wednesday, August 28, 2013
>>>>>
>>>>>                     Time: 2:00 pm, Pacific Daylight Time (San Francisco, GMT-07:00)
>>>>>
>>>>>                     Meeting Number: 703 230 586
>>>>>
>>>>>                     Meeting Password: oauth
>>>>>
>>>>>
>>>>>
>>>>> -------------------------------------------------------
>>>>>
>>>>>                     To join the online meeting
>>>>>
>>>>> -------------------------------------------------------
>>>>>
>>>>>                     1. Go to https://nsn.webex.com/nsn/j.php?ED=269567657&UID=0&PW=NNTI1ZWQzMDJk&RT=MiM0
>>>>>
>>>>>                     2. Enter your name and email address.
>>>>>
>>>>>                     3. Enter the meeting password: oauth
>>>>>
>>>>>                     4. Click "Join Now".
>>>>>
>>>>>
>>>>>
>>>>>                     To view in other time zones or languages, please click the link:
>>>>>
>>>>> https://nsn.webex.com/nsn/j.php?ED=269567657&UID=0&PW=NNTI1ZWQzMDJk&ORT=MiM0
>>>>>
>>>>>
>>>>>
>>>>>                     To add this meeting to your calendar program (for example Microsoft Outlook), click this link:
>>>>>
>>>>> https://nsn.webex.com/nsn/j.php?ED=269567657&UID=0&ICS=MI&LD=1&RD=2&ST=1&SHA2=C6-AjLGvhdYjmpVdx75M6UsAwrNLMsequ5n95Gyv1R8=&RT=MiM0
>>>>>
>>>>>
>>>>>
>>>>> -------------------------------------------------------
>>>>>
>>>>>                     To join the teleconference only
>>>>>
>>>>> -------------------------------------------------------
>>>>>
>>>>>                     Global dial-in Numbers: http://www.nokiasiemensnetworks.com/nvc
>>>>>
>>>>>                     Conference Code: 944 910 5485
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>> _______________________________________________
>>>>>
>>>>>                     OAuth mailing list
>>>>>
>>>>>                     OAuth@ietf.org <mailto:OAuth@ietf.org>
>>>>>
>>>>> https://www.ietf.org/mailman/listinfo/oauth
>>>>>
>>>>> -- 
>>>>> George Fletcher <http://connect.me/gffletch>
>>>>>
>>>> -- 
>>>> George Fletcher <http://connect.me/gffletch>
>>>>
>>>>
>>>> _______________________________________________
>>>> OAuth mailing list
>>>> OAuth@ietf.org
>>>> https://www.ietf.org/mailman/listinfo/oauth
>>>>
>>>
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth


From gffletch@aol.com  Wed Aug 28 09:47:45 2013
Return-Path: <gffletch@aol.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9895811E8255 for <oauth@ietfa.amsl.com>; Wed, 28 Aug 2013 09:47:45 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.448
X-Spam-Level: 
X-Spam-Status: No, score=-2.448 tagged_above=-999 required=5 tests=[AWL=0.150,  BAYES_00=-2.599, HTML_MESSAGE=0.001]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 1IKBGiCj6mX4 for <oauth@ietfa.amsl.com>; Wed, 28 Aug 2013 09:47:41 -0700 (PDT)
Received: from omr-d07.mx.aol.com (omr-d07.mx.aol.com [205.188.109.204]) by ietfa.amsl.com (Postfix) with ESMTP id 4A97811E8208 for <oauth@ietf.org>; Wed, 28 Aug 2013 09:47:41 -0700 (PDT)
Received: from mtaout-db02.r1000.mx.aol.com (mtaout-db02.r1000.mx.aol.com [172.29.51.194]) by omr-d07.mx.aol.com (Outbound Mail Relay) with ESMTP id 92BE1700000B3; Wed, 28 Aug 2013 12:47:40 -0400 (EDT)
Received: from palantir.local (unknown [10.181.176.48]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by mtaout-db02.r1000.mx.aol.com (MUA/Third Party Client Interface) with ESMTPSA id 2BA6DE0001EA; Wed, 28 Aug 2013 12:47:40 -0400 (EDT)
Message-ID: <521E29AB.4070303@aol.com>
Date: Wed, 28 Aug 2013 12:47:39 -0400
From: George Fletcher <gffletch@aol.com>
Organization: AOL LLC
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:17.0) Gecko/20130801 Thunderbird/17.0.8
MIME-Version: 1.0
To: Phil Hunt <phil.hunt@oracle.com>
References: <1373E8CE237FCC43BCA36C6558612D2AA28D6A@USCHMBX001.nsn-intra.net> <4D9D4AAD-55F9-4B7E-A56F-5BC42F028E13@oracle.com> <B14A12F5-EF5C-4529-90B7-C30E17958907@oracle.com>	<521E1A34.30204@mitre.org> <BC009D74-FEF3-4827-8C0D-1B2FCCF9DA65@oracle.com> <521E2353.2030904@aol.com> <23dda71eaefa47fb848fd2d6e4cd7499@BY2PR03MB189.namprd03.prod.outlook.com> <521E2657.1060506@aol.com> <521E276F.3010804@gmail.com> <48AAD6B2-28E2-4B55-AE3E-C890216961C3@oracle.com>
In-Reply-To: <48AAD6B2-28E2-4B55-AE3E-C890216961C3@oracle.com>
Content-Type: multipart/alternative; boundary="------------010607000001080506040607"
x-aol-global-disposition: G
X-AOL-VSS-INFO: 5400.1158/93305
X-AOL-VSS-CODE: clean
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=mx.aol.com; s=20121107; t=1377708460; bh=+O9u6lnFdV/zZcsJkccUcNlbIsYIpfp5uMpKhczYv+s=; h=From:To:Subject:Message-ID:Date:MIME-Version:Content-Type; b=YuwrHohXsPCSrt49R31V/euQpNcwLe/yeZXu91YcDzG4PE+U6UkEVjrOgbyc5G0bb gJyUbv28YcExH49ucSdo8iGZ3mlxSqIkxgYj9ofArKRVkIvuTkAvMZs4re6wdtGiC2 AqssvGDHdMuXr/DzLxDmdqp+2DXf4qaLl8MBrrpA=
x-aol-sid: 3039ac1d33c2521e29ac6311
X-AOL-IP: 10.181.176.48
Cc: oauth@ietf.org
Subject: Re: [OAUTH-WG] Dynamic Client Registration Conference Call: Wed 28 Aug, 2pm PDT: Conference Bridge Details
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 28 Aug 2013 16:47:45 -0000

This is a multi-part message in MIME format.
--------------010607000001080506040607
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit

So Phil... given that you can do all this today with the existing set of 
specifications... why not write the software statements/client assertion 
registration spec so that it meets your use case and deployment needs. 
I'd much rather have two straightforward ways to do something when the 
core use cases are so different than to try and munge everything into 
one and end up with unnecessary complexity in one or both of the solutions.

I see the use case you are trying to solve for as significantly 
different than the one I'm trying to solve for. Now maybe your way is 
the better way but why not let the market make that decision? We will 
not confuse developers by having two ways to do things as it will be 
very clear at the beginning of development which way is needed for their 
use case :)

Thanks,
George

On 8/28/13 12:41 PM, Phil Hunt wrote:
> Yes. A client could pass the software statement *directly* as its client credential.  Which is one of the *simple* solutions. 8-)
>
> The other case is where the client instance needs its own credential as George indicates.  In that case it could swap the statement for a unique client assertion.
>
> Phil
>
> @independentid
> www.independentid.com
> phil.hunt@oracle.com
>
>
>
>
>
>
>
> On 2013-08-28, at 9:38 AM, Sergey Beryozkin <sberyozkin@gmail.com> wrote:
>
>> On 28/08/13 17:33, George Fletcher wrote:
>>> So I understand that you'd rather that OAuth doesn't require a
>>> client_secret and that's fine. However, I don't think we should impose
>>> that thinking on the rest of the world who have already implemented it
>>> and have it working and scaling without issues. If the core of this
>>> discussion is around replacing client_id and client_secret with a
>>> client_assertion then let's have that discussion separately and not bury
>>> it in the dynamic registration discussion.
>>>
>>> Could you not profile OAuth2 to support a flow that allows for retrieval
>>> of access and refresh tokens using code + client_assertion? Doesn't seem
>>> like that hard a profile and then the rest of this could fall out pretty
>>> easily.
>>>
>> That is already supported AFAIK, something like
>>
>> grant_type=authorization_code
>> &code=12345678
>> &client_assertion_type=urn%3Aietf%3Aparams%3Aoauth%3Aclient-assertion-type%3Asaml2-bearer
>> &client_assertion=Base64UrlEncoded-SAML2-Bearer-Assertion
>>
>> probably the same works with JWT
>>
>> Sergey
>>
>>
>>> Thanks,
>>> George
>>>
>>> On 8/28/13 12:28 PM, Anthony Nadalin wrote:
>>>> I do think that this is the rare-edge use case, we would not want
>>>> to require client-secret, we already have that mess today with OAuth and
>>>> trying not to continue the proliferation, we solve this today with our
>>>> STS and assertion swaps/transformations, it scales, performs and we
>>>> don't have the management debacle this specification creates
>>>>
>>>> *From:*oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] *On
>>>> Behalf Of *George Fletcher
>>>> *Sent:* Wednesday, August 28, 2013 9:21 AM
>>>> *To:* Phil Hunt
>>>> *Cc:* oauth mailing list
>>>> *Subject:* Re: [OAUTH-WG] Dynamic Client Registration Conference Call:
>>>> Wed 28 Aug, 2pm PDT: Conference Bridge Details
>>>>
>>>> On 8/28/13 12:02 PM, Phil Hunt wrote:
>>>>
>>>>     Please define the all in one case. I think this is the edge case and is in fact rare.
>>>>
>>>>
>>>>
>>>>     I agree, in many cases step 1 can be made by simply approving a class of software. But then step 2 is simplified.
>>>>
>>>>
>>>>
>>>>     Dyn reg assumes every registration of an instance is unique which to me is a very extreme
>>>>
>>>> If you have a mobile app that needs to do the code flow... which
>>>> requires a client_secret in order to retrieve the access token and
>>>> refresh token, how does the app do this without per app instance
>>>> registration?
>>>>
>>>> I'd argue that almost all user facing mobile apps will want the above
>>>> flow and that's not a small, rare edge case.
>>>>
>>>> Thanks,
>>>> George
>>>>
>>>>     position.
>>>>
>>>>
>>>>
>>>>     Phil
>>>>
>>>>
>>>>
>>>>     On 2013-08-28, at 8:41, Justin Richer <jricher@mitre.org> wrote:
>>>>
>>>>
>>>>
>>>>         Except for the cases where you want step 1 to happen in band. To me, that is a vitally and fundamentally important use case that we can't disregard, and we must have a solution that can accommodate that. The notions of "publisher" and "product" fade very quickly once you get outside of the software vendor world.
>>>>
>>>>
>>>>
>>>>         This is, of course, not to stand in the way of other solutions or approaches (such as something assertion based like you're after). It's not a one-or-the-other proposition, especially when there are mutually exclusive aspects of each.
>>>>
>>>>
>>>>
>>>>         Therefore I once again call for the WG to finish the current dynamic registration spec *AND* pursue the assertion based process that Phil's talking about. They're not mutually exclusive, let's please stop talking about them like they are.
>>>>
>>>>
>>>>
>>>>         -- Justin
>>>>
>>>>
>>>>
>>>>         On 08/28/2013 11:17 AM, Phil Hunt wrote:
>>>>
>>>>             Sorry. I meant also to say I think there are 2 registration steps
>>>>
>>>>             1. Software registration/approval. This often happens out of band. But in this step policy is defined that approves software for use. Many of the reg params are known here.
>>>>
>>>>
>>>>
>>>>             Federation techniques come into play as trust approvals can be based on developer, product or even publisher.
>>>>
>>>>
>>>>
>>>>             2. Each instance associates in a stateless way. Only clients that need credential rotation need more.
>>>>
>>>>
>>>>
>>>>             Phil
>>>>
>>>>
>>>>
>>>>             On 2013-08-28, at 8:04, Phil Hunt <phil.hunt@oracle.com> wrote:
>>>>
>>>>
>>>>
>>>>                 I have a conflict I cannot get out of for 2pacific.
>>>>
>>>>
>>>>
>>>>                 I think a certificate based approach is going to simplify exchanges in all cases. I encourage the group to explore the concept on the call.
>>>>
>>>>
>>>>
>>>>                 I am not sure breaking dyn reg up helps. It creates yet another option. I would like to explore how federation concept in software statements can help with facilitating association and making many reg stateless.
>>>>
>>>>
>>>>
>>>>                 Phil
>>>>
>>>>
>>>>
>>>>                 On 2013-08-28, at 5:43, "Tschofenig, Hannes (NSN - FI/Espoo)" <hannes.tschofenig@nsn.com> wrote:
>>>>
>>>>
>>>>
>>>>                     Here are the conference bridge / Webex details for the call today.
>>>>
>>>>                     We are going to complete the use case discussions from last time (Phil wasn't able to walk through all slides). Justin was also able to work out a strawman proposal based on the discussions last week and we will have a look at it to see whether this is a suitable compromise. Here is Justin's mail, in case you have missed it: http://www.ietf.org/mail-archive/web/oauth/current/msg12036.html
>>>>
>>>>
>>>>
>>>>                     Phil, please feel free to make adjustments to your slides given Justin's recent proposal.
>>>>
>>>>
>>>>
>>>>                     Topic: OAuth Dynamic Client Registration
>>>>
>>>>                     Date: Wednesday, August 28, 2013
>>>>
>>>>                     Time: 2:00 pm, Pacific Daylight Time (San Francisco, GMT-07:00)
>>>>
>>>>                     Meeting Number: 703 230 586
>>>>
>>>>                     Meeting Password: oauth
>>>>
>>>>
>>>>
>>>>                     -------------------------------------------------------
>>>>
>>>>                     To join the online meeting
>>>>
>>>>                     -------------------------------------------------------
>>>>
>>>>                     1. Go to https://nsn.webex.com/nsn/j.php?ED=269567657&UID=0&PW=NNTI1ZWQzMDJk&RT=MiM0
>>>>
>>>>                     2. Enter your name and email address.
>>>>
>>>>                     3. Enter the meeting password: oauth
>>>>
>>>>                     4. Click "Join Now".
>>>>
>>>>
>>>>
>>>>                     To view in other time zones or languages, please click the link:
>>>>
>>>>                     https://nsn.webex.com/nsn/j.php?ED=269567657&UID=0&PW=NNTI1ZWQzMDJk&ORT=MiM0
>>>>
>>>>
>>>>
>>>>                     To add this meeting to your calendar program (for example Microsoft Outlook), click this link:
>>>>
>>>>                     https://nsn.webex.com/nsn/j.php?ED=269567657&UID=0&ICS=MI&LD=1&RD=2&ST=1&SHA2=C6-AjLGvhdYjmpVdx75M6UsAwrNLMsequ5n95Gyv1R8=&RT=MiM0
>>>>
>>>>
>>>>
>>>>                     -------------------------------------------------------
>>>>
>>>>                     To join the teleconference only
>>>>
>>>>                     -------------------------------------------------------
>>>>
>>>>                     Global dial-in Numbers: http://www.nokiasiemensnetworks.com/nvc
>>>>
>>>>                     Conference Code: 944 910 5485
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>                     _______________________________________________
>>>>
>>>>                     OAuth mailing list
>>>>
>>>>                     OAuth@ietf.org  <mailto:OAuth@ietf.org>
>>>>
>>>>                     https://www.ietf.org/mailman/listinfo/oauth
>>>>
>>>> --
>>>> George Fletcher <http://connect.me/gffletch>
>>>>
>>> --
>>> George Fletcher <http://connect.me/gffletch>
>>>
>>>
>>> _______________________________________________
>>> OAuth mailing list
>>> OAuth@ietf.org
>>> https://www.ietf.org/mailman/listinfo/oauth
>>>
>>
>> -- 
>> Sergey Beryozkin
>>
>> Talend Community Coders
>> http://coders.talend.com/
>>
>> Blog: http://sberyozkin.blogspot.com
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>
>

-- 
George Fletcher <http://connect.me/gffletch>


--------------010607000001080506040607--
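
Added example, not part of the original thread or of any participant's message: the code + client_assertion token request quoted in the message above, carried over to the JWT assertion type it mentions, together with the checks an authorization server would apply before accepting it in place of a client_secret. Assumptions: the assertion is signed with HS256 using a key provisioned when the software was approved (chosen so the block runs on the standard library alone), and the client id, key, endpoint URL and function names are constructed for illustration.

```python
import base64
import hashlib
import hmac
import json
from urllib.parse import parse_qs, urlencode

JWT_BEARER = "urn:ietf:params:oauth:client-assertion-type:jwt-bearer"
TOKEN_ENDPOINT = "https://as.example.com/token"  # constructed value
# Constructed registry: client id -> key agreed at software approval time.
APPROVED_KEYS = {"app-instance-42": b"constructed-demo-key-0123456789"}


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_client_assertion(client_id, key, now, jti, lifetime=300):
    """Client side: short-lived JWT naming the client as issuer and subject."""
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": client_id, "sub": client_id, "aud": TOKEN_ENDPOINT,
              "exp": now + lifetime, "jti": jti}
    signing_input = ".".join(
        b64url(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, claims))
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)


def build_token_request(code, assertion):
    """Form body for the code flow; there is no client_secret parameter."""
    return urlencode({
        "grant_type": "authorization_code",
        "code": code,
        "client_assertion_type": JWT_BEARER,
        "client_assertion": assertion,
    })


def authenticate_client(body, now, seen_jti):
    """Server side: return the authenticated client id or raise ValueError."""
    form = parse_qs(body, strict_parsing=True)
    if any(len(values) != 1 for values in form.values()):
        raise ValueError("repeated parameter")
    params = {name: values[0] for name, values in form.items()}
    if "client_secret" in params:
        raise ValueError("more than one client authentication method")
    if params.get("client_assertion_type") != JWT_BEARER:
        raise ValueError("unsupported client_assertion_type")
    try:
        h64, c64, s64 = params["client_assertion"].split(".")
        header = json.loads(b64url_decode(h64))
        claims = json.loads(b64url_decode(c64))
        signature = b64url_decode(s64)
    except (KeyError, ValueError) as exc:
        raise ValueError("malformed client_assertion") from exc
    if not isinstance(header, dict) or not isinstance(claims, dict):
        raise ValueError("malformed client_assertion")
    # Pin the algorithm: never let the token choose it (rejects "none").
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    iss = claims.get("iss")
    key = APPROVED_KEYS.get(iss) if isinstance(iss, str) else None
    if key is None:
        raise ValueError("unknown client")
    expected = hmac.new(key, f"{h64}.{c64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        raise ValueError("bad signature")
    if claims.get("sub") != iss:
        raise ValueError("iss and sub differ")
    # Audience binding stops an assertion minted for another server.
    if claims.get("aud") != TOKEN_ENDPOINT:
        raise ValueError("wrong audience")
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        raise ValueError("expired")
    # One-time use: a captured request cannot be replayed within its lifetime.
    jti = claims.get("jti")
    if not isinstance(jti, str) or jti in seen_jti:
        raise ValueError("replayed or missing jti")
    seen_jti.add(jti)
    return iss
```
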

From phil.hunt@oracle.com  Wed Aug 28 09:48:51 2013
Return-Path: <phil.hunt@oracle.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A2AB211E825F for <oauth@ietfa.amsl.com>; Wed, 28 Aug 2013 09:48:38 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.245
X-Spam-Level: 
X-Spam-Status: No, score=-5.245 tagged_above=-999 required=5 tests=[AWL=-0.043, BAYES_00=-2.599, HTML_MESSAGE=0.001, MIME_QP_LONG_LINE=1.396, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id RHHrJVueT9XV for <oauth@ietfa.amsl.com>; Wed, 28 Aug 2013 09:48:32 -0700 (PDT)
Received: from aserp1040.oracle.com (aserp1040.oracle.com [141.146.126.69]) by ietfa.amsl.com (Postfix) with ESMTP id 2EA1711E8208 for <oauth@ietf.org>; Wed, 28 Aug 2013 09:48:32 -0700 (PDT)
Received: from acsinet21.oracle.com (acsinet21.oracle.com [141.146.126.237]) by aserp1040.oracle.com (Sentrion-MTA-4.3.1/Sentrion-MTA-4.3.1) with ESMTP id r7SGmVOv006571 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK); Wed, 28 Aug 2013 16:48:31 GMT
Received: from userz7022.oracle.com (userz7022.oracle.com [156.151.31.86]) by acsinet21.oracle.com (8.14.4+Sun/8.14.4) with ESMTP id r7SGmUkH026506 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Wed, 28 Aug 2013 16:48:30 GMT
Received: from abhmt120.oracle.com (abhmt120.oracle.com [141.146.116.72]) by userz7022.oracle.com (8.14.4+Sun/8.14.4) with ESMTP id r7SGmTaX020037; Wed, 28 Aug 2013 16:48:29 GMT
Received: from [192.168.1.89] (/24.86.29.34) by default (Oracle Beehive Gateway v4.0) with ESMTP ; Wed, 28 Aug 2013 09:48:29 -0700
Content-Type: multipart/alternative; boundary="Apple-Mail=_787B78ED-C0F7-4D22-9CD4-1D9EBEC48213"
Mime-Version: 1.0 (Mac OS X Mail 6.5 \(1508\))
From: Phil Hunt <phil.hunt@oracle.com>
In-Reply-To: <5B2C7096-939A-4EA2-81FF-F15BDDFB7ABB@ve7jtb.com>
Date: Wed, 28 Aug 2013 09:48:38 -0700
Message-Id: <146ED1AF-DE42-4DF1-8DEC-7F82B4C91D07@oracle.com>
References: <1373E8CE237FCC43BCA36C6558612D2AA28D6A@USCHMBX001.nsn-intra.net> <4D9D4AAD-55F9-4B7E-A56F-5BC42F028E13@oracle.com> <B14A12F5-EF5C-4529-90B7-C30E17958907@oracle.com> <521E1A34.30204@mitre.org> <BC009D74-FEF3-4827-8C0D-1B2FCCF9DA65@oracle.com> <521E2353.2030904@aol.com> <C7CBA9A2-92F5-4AE3-8AEE-1259B6635DD9@oracle.com> <521E256A.60908@aol.com> <9F232504-FC58-41FD-B040-31F898034AD2@oracle.com> <521E27BF.3030408@mitre.org> <5B2C7096-939A-4EA2-81FF-F15BDDFB7ABB@ve7jtb.com>
To: John Bradley <ve7jtb@ve7jtb.com>
X-Mailer: Apple Mail (2.1508)
X-Source-IP: acsinet21.oracle.com [141.146.126.237]
Cc: oauth mailing list <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Dynamic Client Registration Conference Call: Wed 28 Aug, 2pm PDT: Conference Bridge Details
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 28 Aug 2013 16:48:51 -0000

--Apple-Mail=_787B78ED-C0F7-4D22-9CD4-1D9EBEC48213
Content-Transfer-Encoding: 7bit
Content-Type: text/plain;
	charset=iso-8859-1

You can pass anything as a client_id.  It just has to be accepted. That's the point of us writing a draft here isn't it?

Phil

@independentid
www.independentid.com
phil.hunt@oracle.com

On 2013-08-28, at 9:45 AM, John Bradley <ve7jtb@ve7jtb.com> wrote:

> That is my concern as well, sending an assertion to the authorization endpoint requires an extension of OAuth to add another parameter or placing it in the client_id which you can do now with the dynamic reg spec if the AS wants to.
>
> Holding up client registration for something that will require an extension to OAuth is overdoing it.   We need something for the OAuth spec we have now without requiring clients to implement the assertion flow and other extensions.
>
> John B.
>
> On 2013-08-28, at 12:39 PM, Justin Richer <jricher@mitre.org> wrote:
>
>> The initial_access_token doesn't assume that it's from the local domain. It merely assumes that the authorization server accepts the token, which would be true in the UMA case due to the federation. It could also be the exact same kinds of mechanisms that the software statement would use to achieve federation.
>>
>> I still don't see how an auth server is going to know about a client's configuration state with the assertion swap method, since there's no defined mechanism for sending a JWT assertion to the authorization endpoint.
>>
>>  -- Justin
>>
>> On 08/28/2013 12:35 PM, Phil Hunt wrote:
>>> George,
>>>
>>> It would be reasonable for a client to submit an assertion, and obtain its own client assertion in return.  This is very close to what is happening per 2.1, 2.2 of http://tools.ietf.org/html/draft-ietf-oauth-jwt-bearer-06
>>>
>>> In this case, the Software Statement is an authorization that is exchanged for a client assertion in return. Then the clients authenticate per section 2.2 of the JWT spec.
>>>
>>> Regarding initial_access_token.  This does have some of the characteristics I am speaking of. But it is unspecified and the assumption is that it is issued by the local domain.  This doesn't work in the UMA case because that's more like a federated model. Thus the specified software statement works because the AS can approve the client software based on name, and/or developer, and/or publisher -- whatever trust requires.
>>>
>>> Phil
>>>
>>> @independentid
>>> www.independentid.com
>>> phil.hunt@oracle.com
>>>
>>> On 2013-08-28, at 9:29 AM, George Fletcher <gffletch@aol.com> wrote:
>>>
>>>> I can't say I understand what you mean by a simple assertion swap... but if you are wanting to use a client_assertion flow instead of the code flow then that's something completely different. If you are saying that you want the client_id to represent an "instance" in a stateless way using an "assertion" then that's already possible today.
>>>>
>>>> George
>>>>
>>>> On 8/28/13 12:23 PM, Phil Hunt wrote:
>>>>> George
>>>>>
>>>>> That case can be solved with a simple assertion swap. We just have to profile it.
>>>>>
>>>>> Phil
>>>>>
>>>>> On 2013-08-28, at 9:20, George Fletcher <gffletch@aol.com> wrote:
>>>>>
>>>>>>
>>>>>> On 8/28/13 12:02 PM, Phil Hunt wrote:
>>>>>>> Please define the all in one case. I think this is the edge case and is in fact rare.
>>>>>>>
>>>>>>> I agree, in many cases step 1 can be made by simply approving a class of software. But then step 2 is simplified.
>>>>>>>
>>>>>>> Dyn reg assumes every registration of an instance is unique which to me is a very extreme
>>>>>> If you have a mobile app that needs to do the code flow... which requires a client_secret in order to retrieve the access token and refresh token, how does the app do this without per app instance registration?
>>>>>>
>>>>>> I'd argue that almost all user facing mobile apps will want the above flow and that's not a small, rare edge case.
>>>>>>
>>>>>> Thanks,
>>>>>> George
>>>>>>> position.
>>>>>>>
>>>>>>> Phil
>>>>>>>
>>>>>>> On 2013-08-28, at 8:41, Justin Richer <jricher@mitre.org> wrote:
>>>>>>>
>>>>>>>> Except for the cases where you want step 1 to happen in band. To me, that is a vitally and fundamentally important use case that we can't disregard, and we must have a solution that can accommodate that. The notions of "publisher" and "product" fade very quickly once you get outside of the software vendor world.
>>>>>>>>
>>>>>>>> This is, of course, not to stand in the way of other solutions or approaches (such as something assertion based like you're after). It's not a one-or-the-other proposition, especially when there are mutually exclusive aspects of each.
>>>>>>>>
>>>>>>>> Therefore I once again call for the WG to finish the current dynamic registration spec *AND* pursue the assertion based process that Phil's talking about. They're not mutually exclusive, let's please stop talking about them like they are.
>>>>>>>>
>>>>>>>> -- Justin
>>>>>>>>
>>>>>>>> On 08/28/2013 11:17 AM, Phil Hunt wrote:
>>>>>>>>> Sorry. I meant also to say I think there are 2 registration steps.
>>>>>>>>>
>>>>>>>>> 1. Software registration/approval. This often happens out of band. But in this step policy is defined that approves software for use. Many of the reg params are known here.
>>>>>>>>>
>>>>>>>>> Federation techniques come into play as trust approvals can be based on developer, product or even publisher.
>>>>>>>>>
>>>>>>>>> 2. Each instance associates in a stateless way. Only clients that need credential rotation need more.
>>>>>>>>>
>>>>>>>>> Phil
>>>>>>>>>
>>>>>>>>> On 2013-08-28, at 8:04, Phil Hunt <phil.hunt@oracle.com> wrote:
>>>>>>>>>
>>>>>>>>>> I have a conflict I cannot get out of for 2 Pacific.
>>>>>>>>>>
>>>>>>>>>> I think a certificate based approach is going to simplify exchanges in all cases. I encourage the group to explore the concept on the call.
>>>>>>>>>>
>>>>>>>>>> I am not sure breaking dyn reg up helps. It creates yet another option. I would like to explore how federation concept in software statements can help with facilitating association and making many reg stateless.
>>>>>>>>>>
>>>>>>>>>> Phil
>>>>>>>>>>
>>>>>>>>>> On 2013-08-28, at 5:43, "Tschofenig, Hannes (NSN - FI/Espoo)" <hannes.tschofenig@nsn.com> wrote:
>>>>>>>>>>
>>>>>>>>>>> Here are the conference bridge / Webex details for the call today.
>>>>>>>>>>> We are going to complete the use case discussions from last time (Phil wasn't able to walk through all slides). Justin was also able to work out a strawman proposal based on the discussions last week and we will have a look at it to see whether this is a suitable compromise. Here is Justin's mail, in case you have missed it: http://www.ietf.org/mail-archive/web/oauth/current/msg12036.html
>>>>>>>>>>>
>>>>>>>>>>> Phil, please feel free to make adjustments to your slides given Justin's recent proposal.
>>>>>>>>>>>
>>>>>>>>>>> Topic: OAuth Dynamic Client Registration
>>>>>>>>>>> Date: Wednesday, August 28, 2013
>>>>>>>>>>> Time: 2:00 pm, Pacific Daylight Time (San Francisco, GMT-07:00)
>>>>>>>>>>> Meeting Number: 703 230 586
>>>>>>>>>>> Meeting Password: oauth
>>>>>>>>>>>
>>>>>>>>>>> -------------------------------------------------------
>>>>>>>>>>> To join the online meeting
>>>>>>>>>>> -------------------------------------------------------
>>>>>>>>>>> 1. Go to https://nsn.webex.com/nsn/j.php?ED=269567657&UID=0&PW=NNTI1ZWQzMDJk&RT=MiM0
>>>>>>>>>>> 2. Enter your name and email address.
>>>>>>>>>>> 3. Enter the meeting password: oauth
>>>>>>>>>>> 4. Click "Join Now".
>>>>>>>>>>>
>>>>>>>>>>> To view in other time zones or languages, please click the link:
>>>>>>>>>>> https://nsn.webex.com/nsn/j.php?ED=269567657&UID=0&PW=NNTI1ZWQzMDJk&ORT=MiM0
>>>>>>>>>>>
>>>>>>>>>>> To add this meeting to your calendar program (for example Microsoft Outlook), click this link:
>>>>>>>>>>> https://nsn.webex.com/nsn/j.php?ED=269567657&UID=0&ICS=MI&LD=1&RD=2&ST=1&SHA2=C6-AjLGvhdYjmpVdx75M6UsAwrNLMsequ5n95Gyv1R8=&RT=MiM0
>>>>>>>>>>>
>>>>>>>>>>> -------------------------------------------------------
>>>>>>>>>>> To join the teleconference only
>>>>>>>>>>> -------------------------------------------------------
>>>>>>>>>>> Global dial-in Numbers: http://www.nokiasiemensnetworks.com/nvc
>>>>>>>>>>> Conference Code: 944 910 5485
>>>>>>>>>>>
>>>>>>>>>>> _______________________________________________
>>>>>>>>>>> OAuth mailing list
>>>>>>>>>>> OAuth@ietf.org
>>>>>>>>>>> https://www.ietf.org/mailman/listinfo/oauth


--Apple-Mail=_787B78ED-C0F7-4D22-9CD4-1D9EBEC48213
Content-Transfer-Encoding: quoted-printable
Content-Type: text/html;
	charset=iso-8859-1

<html><head><meta http-equiv=3D"Content-Type" content=3D"text/html =
charset=3Diso-8859-1"></head><body style=3D"word-wrap: break-word; =
-webkit-nbsp-mode: space; -webkit-line-break: after-white-space; ">You =
can pass anything as a client_id. &nbsp;It just has to be accepted. =
That's the point of us writing a draft here isn't it?<div><br><div =
apple-content-edited=3D"true">
<span class=3D"Apple-style-span" style=3D"border-collapse: separate; =
color: rgb(0, 0, 0); font-family: Helvetica; font-style: normal; =
font-variant: normal; font-weight: normal; letter-spacing: normal; =
line-height: normal; orphans: 2; text-indent: 0px; text-transform: none; =
white-space: normal; widows: 2; word-spacing: 0px; border-spacing: 0px; =
-webkit-text-decorations-in-effect: none; -webkit-text-size-adjust: =
auto; -webkit-text-stroke-width: 0px; font-size: medium; "><div =
style=3D"word-wrap: break-word; -webkit-nbsp-mode: space; =
-webkit-line-break: after-white-space; "><span class=3D"Apple-style-span" =
style=3D"border-collapse: separate; color: rgb(0, 0, 0); font-family: =
Helvetica; font-size: medium; font-style: normal; font-variant: normal; =
font-weight: normal; letter-spacing: normal; line-height: normal; =
orphans: 2; text-indent: 0px; text-transform: none; white-space: normal; =
widows: 2; word-spacing: 0px; border-spacing: 0px; =
-webkit-text-decorations-in-effect: none; -webkit-text-size-adjust: =
auto; -webkit-text-stroke-width: 0px; "><div style=3D"word-wrap: =
break-word; -webkit-nbsp-mode: space; -webkit-line-break: =
after-white-space; "><span class=3D"Apple-style-span" =
style=3D"border-collapse: separate; color: rgb(0, 0, 0); font-family: =
Helvetica; font-size: medium; font-style: normal; font-variant: normal; =
font-weight: normal; letter-spacing: normal; line-height: normal; =
orphans: 2; text-indent: 0px; text-transform: none; white-space: normal; =
widows: 2; word-spacing: 0px; border-spacing: 0px; =
-webkit-text-decorations-in-effect: none; -webkit-text-size-adjust: =
auto; -webkit-text-stroke-width: 0px; "><div style=3D"word-wrap: =
break-word; -webkit-nbsp-mode: space; -webkit-line-break: =
after-white-space; "><span class=3D"Apple-style-span" =
style=3D"border-collapse: separate; color: rgb(0, 0, 0); font-family: =
Helvetica; font-size: 12px; font-style: normal; font-variant: normal; =
font-weight: normal; letter-spacing: normal; line-height: normal; =
orphans: 2; text-indent: 0px; text-transform: none; white-space: normal; =
widows: 2; word-spacing: 0px; border-spacing: 0px; =
-webkit-text-decorations-in-effect: none; -webkit-text-size-adjust: =
auto; -webkit-text-stroke-width: 0px; "><div style=3D"word-wrap: =
break-word; -webkit-nbsp-mode: space; -webkit-line-break: =
after-white-space; =
"><div>Phil</div><div><br></div><div>@independentid</div><div><a =
href=3D"http://www.independentid.com">www.independentid.com</a></div></div=
></span><a =
href=3D"mailto:phil.hunt@oracle.com">phil.hunt@oracle.com</a></div><div =
style=3D"word-wrap: break-word; -webkit-nbsp-mode: space; =
-webkit-line-break: after-white-space; "><br><br></div></span><br =
class=3D"Apple-interchange-newline"></div></span><br =
class=3D"Apple-interchange-newline"></div></span><br =
class=3D"Apple-interchange-newline"><br =
class=3D"Apple-interchange-newline">
</div>
<br><div><div>On 2013-08-28, at 9:45 AM, John Bradley &lt;<a =
href=3D"mailto:ve7jtb@ve7jtb.com">ve7jtb@ve7jtb.com</a>&gt; =
wrote:</div><br class=3D"Apple-interchange-newline"><blockquote =
type=3D"cite"><meta http-equiv=3D"Content-Type" content=3D"text/html =
charset=3Diso-8859-1"><div style=3D"word-wrap: break-word; =
-webkit-nbsp-mode: space; -webkit-line-break: after-white-space; ">That =
is my concern as well, sending an assertion to the authorization =
endpoint requires a extension of OAuth to add another parameter or =
placing it in the client_id which you can do now with the dynamic reg =
spec if the AS wants to.&nbsp;<div><br></div><div>Holding up client =
registration for something that will require an extension to OAuth is =
overdoing it. &nbsp; We need something for the OAuth spec we have now =
without requiring clients implement the assertion flow and other =
extensions.</div><div><br></div><div>John B.</div><div><br><div><div>On =
2013-08-28, at 12:39 PM, Justin Richer &lt;<a =
href=3D"mailto:jricher@mitre.org">jricher@mitre.org</a>&gt; =
wrote:</div><br class=3D"Apple-interchange-newline"><blockquote =
type=3D"cite">
 =20
    <meta content=3D"text/html; charset=3DISO-8859-1" =
http-equiv=3D"Content-Type">
 =20
  <div bgcolor=3D"#FFFFFF" text=3D"#000000">
    The initial_access_token doesn't assume that it's from the local
    domain. It merely assumes that the authorization server accepts the
    token, which would be true in the UMA case due to the federation. It
    could also be the exact same kinds of mechanisms that the software
    statement would use to achieve federation.<br>
    <br>
    I still don't see how an auth server is going to know about a
    client's configuration state with the assertion swap method, since
    there's no defined mechanism for sending a JWT assertion to the
    authorization endpoint. <br>
    <br>
    &nbsp;-- Justin<br>
    <br>
    <div class=3D"moz-cite-prefix">On 08/28/2013 12:35 PM, Phil Hunt
      wrote:<br>
    </div>
    <blockquote =
cite=3D"mid:9F232504-FC58-41FD-B040-31F898034AD2@oracle.com" =
type=3D"cite">
      <meta http-equiv=3D"Content-Type" content=3D"text/html;
        charset=3DISO-8859-1">
      George,
      <div><br>
      </div>
      <div>It would be reasonable for a client to submit an assertion,
        and obtain its own client assertion in return. &nbsp;This is =
very
        close to what is happening per 2.1, 2.2 of&nbsp;<a =
moz-do-not-send=3D"true" =
href=3D"http://tools.ietf.org/html/draft-ietf-oauth-jwt-bearer-06">http://=
tools.ietf.org/html/draft-ietf-oauth-jwt-bearer-06</a></div>
      <div><br>
      </div>
      <div>In this case, the Software Statement is an authorization that
        is exchanged for a client assertion in return. Then the clients
        authenticate per section 2.2 of the JWT spec.</div>
      <div><br>
      </div>
      <div>Regarding initial_access_token. &nbsp;This does have some of =
the
        characteristics I am speaking of. But it is unspecified and the
        assumption is that it is issued by the local domain. &nbsp;This
        doesn't work in the UMA case because that's more like a
        federated model. Thus the specified software statement works
        because the AS can approve the client software based on name,
        and/or developer, and/or publisher -- whatever trust =
requires.</div>
      <div><br>
        <div apple-content-edited=3D"true">
          <span class=3D"Apple-style-span" style=3D"border-collapse: =
separate; font-family: Helvetica; font-style: normal; font-variant: =
normal; font-weight: normal; letter-spacing: normal; line-height: =
normal; orphans: 2; text-indent: 0px; text-transform: none; white-space: =
normal; widows: 2; word-spacing: 0px; border-spacing: 0px; =
-webkit-text-decorations-in-effect: none; -webkit-text-size-adjust: =
auto; -webkit-text-stroke-width: 0px; font-size: medium; ">
            <div style=3D"word-wrap: break-word; -webkit-nbsp-mode: =
space;
              -webkit-line-break: after-white-space; "><span =
class=3D"Apple-style-span" style=3D"border-collapse: separate; =
font-family: Helvetica; font-size: medium; font-style: normal; =
font-variant: normal; font-weight: normal; letter-spacing: normal; =
line-height: normal; orphans: 2; text-indent: 0px; text-transform: none; =
white-space: normal; widows: 2; word-spacing: 0px; border-spacing: 0px; =
-webkit-text-decorations-in-effect: none; -webkit-text-size-adjust: =
auto; -webkit-text-stroke-width: 0px; ">
                <div style=3D"word-wrap: break-word; -webkit-nbsp-mode:
                  space; -webkit-line-break: after-white-space; "><span =
class=3D"Apple-style-span" style=3D"border-collapse: separate; =
font-family: Helvetica; font-size: medium; font-style: normal; =
font-variant: normal; font-weight: normal; letter-spacing: normal; =
line-height: normal; orphans: 2; text-indent: 0px; text-transform: none; =
white-space: normal; widows: 2; word-spacing: 0px; border-spacing: 0px; =
-webkit-text-decorations-in-effect: none; -webkit-text-size-adjust: =
auto; -webkit-text-stroke-width: 0px; ">
                    <div style=3D"word-wrap: break-word;
                      -webkit-nbsp-mode: space; -webkit-line-break:
                      after-white-space; "><span =
class=3D"Apple-style-span" style=3D"border-collapse: separate; =
font-family: Helvetica; font-size: 12px; font-style: normal; =
font-variant: normal; font-weight: normal; letter-spacing: normal; =
line-height: normal; orphans: 2; text-indent: 0px; text-transform: none; =
white-space: normal; widows: 2; word-spacing: 0px; border-spacing: 0px; =
-webkit-text-decorations-in-effect: none; -webkit-text-size-adjust: =
auto; -webkit-text-stroke-width: 0px; ">
                        <div style=3D"word-wrap: break-word;
                          -webkit-nbsp-mode: space; -webkit-line-break:
                          after-white-space; ">
                          <div>Phil</div>
                          <div><br>
                          </div>
                          <div>@independentid</div>
                          <div><a moz-do-not-send=3D"true" =
href=3D"http://www.independentid.com/">www.independentid.com</a></div>
                        </div>
                      </span><a moz-do-not-send=3D"true" =
href=3D"mailto:phil.hunt@oracle.com">phil.hunt@oracle.com</a></div>
                    <div style=3D"word-wrap: break-word;
                      -webkit-nbsp-mode: space; -webkit-line-break:
                      after-white-space; "><br>
                      <br>
                    </div>
                  </span><br class=3D"Apple-interchange-newline">
                </div>
              </span><br class=3D"Apple-interchange-newline">
            </div>
          </span><br class=3D"Apple-interchange-newline">
          <br class=3D"Apple-interchange-newline">
        </div>
        <br>
        <div>
          <div>On 2013-08-28, at 9:29 AM, George Fletcher &lt;<a =
moz-do-not-send=3D"true" =
href=3D"mailto:gffletch@aol.com">gffletch@aol.com</a>&gt;
            wrote:</div>
          <br class=3D"Apple-interchange-newline">
          <blockquote type=3D"cite">
            <div bgcolor=3D"#FFFFFF" text=3D"#000000"> <font =
face=3D"Helvetica, Arial, sans-serif">I can't say I
                understand what you mean by a simple assertion swap...
                but if you are wanting to use a client_assertion flow
                instead of the code flow then that's something
                completely different. If you are saying that you want
                the client_id to represent an "instance" in a stateless
                way using an "assertion" then that's already possible
                today.<br>
                <br>
                George<br>
                <br>
              </font>
              <div class=3D"moz-cite-prefix">On 8/28/13 12:23 PM, Phil
                Hunt wrote:<br>
              </div>
              <blockquote =
cite=3D"mid:C7CBA9A2-92F5-4AE3-8AEE-1259B6635DD9@oracle.com" =
type=3D"cite">
                <div>George</div>
                <div><br>
                </div>
                <div>That case can be solved with a simple assertion
                  swap. We just have to profile it.&nbsp;<br>
                  <br>
                  Phil</div>
                <div><br>
                  On 2013-08-28, at 9:20, George Fletcher &lt;<a =
moz-do-not-send=3D"true" =
href=3D"mailto:gffletch@aol.com">gffletch@aol.com</a>&gt;

                  wrote:<br>
                  <br>
                </div>
                <blockquote type=3D"cite">
                  <div> <br>
                    <div class=3D"moz-cite-prefix">On 8/28/13 12:02 PM,
                      Phil Hunt wrote:<br>
                    </div>
                    <blockquote =
cite=3D"mid:BC009D74-FEF3-4827-8C0D-1B2FCCF9DA65@oracle.com" =
type=3D"cite">
                      <pre wrap=3D"">Please define the all in one case. =
I think this is the edge case and is in fact rare.=20

I agree, in many cases step 1 can be made by simply approving a class of =
software. But then step 2 is simplified.=20

Dyn reg assumes every registration of an instance is unique which too me =
is a very extreme </pre>
                    </blockquote>
                    If you have a mobile app that needs to do the code
                    flow... which requires a client_secret in order to
                    retrieve the access token and refresh token, how
                    does the app do this without per app instance
                    registration? <br>
                    <br>
                    I'd argue that almost all user facing mobile apps
                    will want the above flow and that's not a small,
                    rare edge case.<br>
                    <br>
                    Thanks,<br>
                    George<br>
                    <blockquote =
cite=3D"mid:BC009D74-FEF3-4827-8C0D-1B2FCCF9DA65@oracle.com" =
type=3D"cite">
                      <pre wrap=3D"">position.=20

Phil

On 2013-08-28, at 8:41, Justin Richer <a moz-do-not-send=3D"true" =
class=3D"moz-txt-link-rfc2396E" =
href=3D"mailto:jricher@mitre.org">&lt;jricher@mitre.org&gt;</a> wrote:

</pre>
                      <blockquote type=3D"cite">
                        <pre wrap=3D"">Except for the cases where you =
want step 1 to happen in band. To me, that is a vitally and =
fundamentally important use case that we can't disregard, and we must =
have a solution that can accommodate that. The notions of "publisher" =
and "product" fade very quickly once you get outside of the software =
vendor world.

This is, of course, not to stand in the way of other solutions or =
approaches (such as something assertion based like you're after). It's =
not a one-or-the-other proposition, especially when there are mutually =
exclusive aspects of each.

Therefore I once again call for the WG to finish the current dynamic =
registration spec *AND* pursue the assertion based process that Phil's =
talking about. They're not mutually exclusive, let's please stop talking =
about them like they are.

-- Justin

On 08/28/2013 11:17 AM, Phil Hunt wrote:
</pre>
                        <blockquote type=3D"cite">
                          <pre wrap=3D"">Sorry. I meant also to say i =
think there are 2 registration steps.

1. Software registration/approval. This often happens out of band. But =
in this step policy is defined that approves software for use. Many of =
the reg params are known here.

Federation techniques come into play as trust approvals can be based on =
developer, product or even publisher.

2. Each instance associates in a stateless way. Only clients that need =
credential rotation need more.

Phil

On 2013-08-28, at 8:04, Phil Hunt <a moz-do-not-send=3D"true" =
class=3D"moz-txt-link-rfc2396E" =
href=3D"mailto:phil.hunt@oracle.com">&lt;phil.hunt@oracle.com&gt;</a> =
wrote:

</pre>
                          <blockquote type=3D"cite">
                            <pre wrap=3D"">I have a conflict I cannot =
get out of for 2pacific.

I think a certificate based approach is going to simplify exchanges in =
all cases. I encourage the group to explore the concept on the call.

I am not sure breaking dyn reg up helps. It creates yet another option. =
I would like to explore how federation concept in software statements =
can help with facilitating association and making many reg stateless.

Phil

On 2013-08-28, at 5:43, "Tschofenig, Hannes (NSN - FI/Espoo)" <a =
moz-do-not-send=3D"true" class=3D"moz-txt-link-rfc2396E" =
href=3D"mailto:hannes.tschofenig@nsn.com">&lt;hannes.tschofenig@nsn.com&gt=
;</a> wrote:

</pre>
                            <blockquote type=3D"cite">
                              <pre wrap=3D"">Here are the conference =
bridge / Webex details for the call today.
We are going to complete the use case discussions from last time (Phil =
wasn't able to walk through all slides). Justin was also able to work =
out a strawman proposal based on the discussions last week and we will =
have a look at it to see whether this is a suitable compromise. Here is =
Justin's mail, in case you have missed it: <a moz-do-not-send=3D"true" =
class=3D"moz-txt-link-freetext" =
href=3D"http://www.ietf.org/mail-archive/web/oauth/current/msg12036.html">=
http://www.ietf.org/mail-archive/web/oauth/current/msg12036.html</a>

Phil, please feel free to make adjustments to your slides given the =
Justin's recent proposal.

Topic: OAuth Dynamic Client Registration
Date: Wednesday, August 28, 2013
Time: 2:00 pm, Pacific Daylight Time (San Francisco, GMT-07:00)
Meeting Number: 703 230 586
Meeting Password: oauth

-------------------------------------------------------
To join the online meeting
-------------------------------------------------------
1. Go to <a moz-do-not-send=3D"true" class=3D"moz-txt-link-freetext" =
href=3D"https://nsn.webex.com/nsn/j.php?ED=3D269567657&amp;UID=3D0&amp;PW=3D=
NNTI1ZWQzMDJk&amp;RT=3DMiM0">https://nsn.webex.com/nsn/j.php?ED=3D26956765=
7&amp;UID=3D0&amp;PW=3DNNTI1ZWQzMDJk&amp;RT=3DMiM0</a>
2. Enter your name and email address.
3. Enter the meeting password: oauth
4. Click "Join Now".

To view in other time zones or languages, please click the link:
<a moz-do-not-send=3D"true" class=3D"moz-txt-link-freetext" =
href=3D"https://nsn.webex.com/nsn/j.php?ED=3D269567657&amp;UID=3D0&amp;PW=3D=
NNTI1ZWQzMDJk&amp;ORT=3DMiM0">https://nsn.webex.com/nsn/j.php?ED=3D2695676=
57&amp;UID=3D0&amp;PW=3DNNTI1ZWQzMDJk&amp;ORT=3DMiM0</a>

To add this meeting to your calendar program (for example Microsoft =
Outlook), click this link:
<a moz-do-not-send=3D"true" class=3D"moz-txt-link-freetext" =
href=3D"https://nsn.webex.com/nsn/j.php?ED=3D269567657&amp;UID=3D0&amp;ICS=
=3DMI&amp;LD=3D1&amp;RD=3D2&amp;ST=3D1&amp;SHA2=3DC6-AjLGvhdYjmpVdx75M6UsA=
wrNLMsequ5n95Gyv1R8=3D&amp;RT=3DMiM0">https://nsn.webex.com/nsn/j.php?ED=3D=
269567657&amp;UID=3D0&amp;ICS=3DMI&amp;LD=3D1&amp;RD=3D2&amp;ST=3D1&amp;SH=
A2=3DC6-AjLGvhdYjmpVdx75M6UsAwrNLMsequ5n95Gyv1R8=3D&amp;RT=3DMiM0</a>

-------------------------------------------------------
To join the teleconference only
-------------------------------------------------------
Global dial-in Numbers: <a moz-do-not-send=3D"true" =
class=3D"moz-txt-link-freetext" =
href=3D"http://www.nokiasiemensnetworks.com/nvc">http://www.nokiasiemensne=
tworks.com/nvc</a>
Conference Code: 944 910 5485


_______________________________________________
OAuth mailing list
<a moz-do-not-send=3D"true" class=3D"moz-txt-link-abbreviated" =
href=3D"mailto:OAuth@ietf.org">OAuth@ietf.org</a>
<a moz-do-not-send=3D"true" class=3D"moz-txt-link-freetext" =
href=3D"https://www.ietf.org/mailman/listinfo/oauth">https://www.ietf.org/=
mailman/listinfo/oauth</a>
</pre>
                            </blockquote>
                          </blockquote>
                        </blockquote>
                      </blockquote>
                    </blockquote>
                    <br>
                    <div class=3D"moz-signature">-- <br>
                      <a moz-do-not-send=3D"true" =
href=3D"http://connect.me/gffletch" title=3D"View
                        full card on Connect.Me">&lt;XeC&gt;</a></div>
                  </div>
                </blockquote>
              </blockquote>
              <br>
              <div class=3D"moz-signature">-- <br>
                <a moz-do-not-send=3D"true" =
href=3D"http://connect.me/gffletch" title=3D"View full
                  card on =
Connect.Me"><span>&lt;XeC.png&gt;</span></a></div>
            </div>
          </blockquote>
        </div>
        <br>
      </div>
    </blockquote>
    <br>
  </div>

_______________________________________________<br>OAuth mailing =
list<br><a href=3D"mailto:OAuth@ietf.org">OAuth@ietf.org</a><br><a =
href=3D"https://www.ietf.org/mailman/listinfo/oauth">https://www.ietf.org/=
mailman/listinfo/oauth</a><br></blockquote></div><br></div></div></blockqu=
ote></div><br></div></body></html>=

--Apple-Mail=_787B78ED-C0F7-4D22-9CD4-1D9EBEC48213--

From jricher@mitre.org  Wed Aug 28 09:50:59 2013
Return-Path: <jricher@mitre.org>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DF10611E825F for <oauth@ietfa.amsl.com>; Wed, 28 Aug 2013 09:50:58 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.5
X-Spam-Level: 
X-Spam-Status: No, score=-6.5 tagged_above=-999 required=5 tests=[AWL=0.098, BAYES_00=-2.599, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id dS88Lu-JMk7P for <oauth@ietfa.amsl.com>; Wed, 28 Aug 2013 09:50:54 -0700 (PDT)
Received: from smtpksrv1.mitre.org (smtpksrv1.mitre.org [198.49.146.77]) by ietfa.amsl.com (Postfix) with ESMTP id 0914B11E81E8 for <oauth@ietf.org>; Wed, 28 Aug 2013 09:50:54 -0700 (PDT)
Received: from smtpksrv1.mitre.org (localhost.localdomain [127.0.0.1]) by localhost (Postfix) with SMTP id A48691F0A61; Wed, 28 Aug 2013 12:50:53 -0400 (EDT)
Received: from IMCCAS03.MITRE.ORG (imccas03.mitre.org [129.83.29.80]) by smtpksrv1.mitre.org (Postfix) with ESMTP id 8198A1F0A5A; Wed, 28 Aug 2013 12:50:53 -0400 (EDT)
Received: from [10.146.15.13] (129.83.31.56) by IMCCAS03.MITRE.ORG (129.83.29.80) with Microsoft SMTP Server (TLS) id 14.2.342.3; Wed, 28 Aug 2013 12:50:53 -0400
Message-ID: <521E2A63.80203@mitre.org>
Date: Wed, 28 Aug 2013 12:50:43 -0400
From: Justin Richer <jricher@mitre.org>
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:17.0) Gecko/20130623 Thunderbird/17.0.7
MIME-Version: 1.0
To: George Fletcher <gffletch@aol.com>
References: <1373E8CE237FCC43BCA36C6558612D2AA28D6A@USCHMBX001.nsn-intra.net> <4D9D4AAD-55F9-4B7E-A56F-5BC42F028E13@oracle.com> <B14A12F5-EF5C-4529-90B7-C30E17958907@oracle.com>	<521E1A34.30204@mitre.org> <BC009D74-FEF3-4827-8C0D-1B2FCCF9DA65@oracle.com> <521E2353.2030904@aol.com> <23dda71eaefa47fb848fd2d6e4cd7499@BY2PR03MB189.namprd03.prod.outlook.com> <521E2657.1060506@aol.com> <521E276F.3010804@gmail.com> <48AAD6B2-28E2-4B55-AE3E-C890216961C3@oracle.com> <521E29AB.4070303@aol.com>
In-Reply-To: <521E29AB.4070303@aol.com>
Content-Type: multipart/alternative; boundary="------------070206000802070502010800"
X-Originating-IP: [129.83.31.56]
Cc: oauth@ietf.org
Subject: Re: [OAUTH-WG] Dynamic Client Registration Conference Call: Wed 28 Aug, 2pm PDT: Conference Bridge Details
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 28 Aug 2013 16:50:59 -0000

--------------070206000802070502010800
Content-Type: text/plain; charset="ISO-8859-1"; format=flowed
Content-Transfer-Encoding: 7bit

I completely agree with George. I think this is the most sensible way 
forward.

  -- Justin

On 08/28/2013 12:47 PM, George Fletcher wrote:
> So Phil... given that you can do all this today with the existing set 
> of specifications... why not write the software statements/client 
> assertion registration spec so that it meets your use case and 
> deployment needs. I'd much rather have two straightforward ways to do 
> something when the core use cases are so different than to try and 
> munge everything into one and end up with unnecessary complexity in 
> one or both of the solutions.
>
> I see the use case you are trying to solve for as significantly 
> different than the one I'm trying to solve for. Now maybe your way is 
> the better way but why not let the market make that decision? We will 
> not confuse developers by having two ways to do things as it will be 
> very clear at the beginning of development which way is needed for 
> their use case :)
>
> Thanks,
> George
>
> On 8/28/13 12:41 PM, Phil Hunt wrote:
>> Yes. A client could pass the software statement *directly* as its client credential.  Which is one of the *simple* solutions. 8-)
>>
>> The other case is where the client instance needs its own credential as George indicates.  In that case it could swap the statement for a unique client assertion.
>>
>> Phil
>>
>> @independentid
>> www.independentid.com
>> phil.hunt@oracle.com
>>
>> On 2013-08-28, at 9:38 AM, Sergey Beryozkin <sberyozkin@gmail.com> wrote:
>>
>>> On 28/08/13 17:33, George Fletcher wrote:
>>>> So I understand that you'd rather that OAuth doesn't require a
>>>> client_secret and that's fine. However, I don't think we should impose
>>>> that thinking on the rest of the world who have already implemented it
>>>> and have it working and scaling without issues. If the core of this
>>>> discussion is around replacing client_id and client_secret with a
>>>> client_assertion then let's have that discussion separately and not bury
>>>> it in the dynamic registration discussion.
>>>>
>>>> Could you not profile OAuth2 to support a flow that allows for retrieval
>>>> of access and refresh tokens using code + client_assertion? Doesn't seem
>>>> like that hard a profile and then the rest of this could fall out pretty
>>>> easily.
>>>>
>>> That is already supported AFAIK, something like
>>>
>>> grant_type=authorization_code
>>> &code=12345678
>>> &client_assertion_type=urn%3Aietf%3Aparams%3Aoauth%3Aclient-assertion-type%3Asaml2-bearer
>>> &client_assertion=Base64UrlEncoded-SAML2-Bearer-Assertion
>>>
>>> probably the same works with JWT
>>>
>>> Sergey
>>>
>>>
>>>> Thanks,
>>>> George
>>>>
>>>> On 8/28/13 12:28 PM, Anthony Nadalin wrote:
>>>>> I do think that this is the rare-edge use case, we would not want to
>>>>> require client-secret, we already have that mess today with OAuth and
>>>>> trying not to continue the proliferation, we solve this today with our
>>>>> STS and assertion swaps/transformations, it scales, performs and we
>>>>> don't have the management debacle this specification creates
>>>>>
>>>>> *From:*oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] *On
>>>>> Behalf Of *George Fletcher
>>>>> *Sent:* Wednesday, August 28, 2013 9:21 AM
>>>>> *To:* Phil Hunt
>>>>> *Cc:* oauth mailing list
>>>>> *Subject:* Re: [OAUTH-WG] Dynamic Client Registration Conference Call:
>>>>> Wed 28 Aug, 2pm PDT: Conference Bridge Details
>>>>>
>>>>> On 8/28/13 12:02 PM, Phil Hunt wrote:
>>>>>
>>>>>     Please define the all in one case. I think this is the edge case and is in fact rare.
>>>>>
>>>>>
>>>>>
>>>>>     I agree, in many cases step 1 can be made by simply approving a class of software. But then step 2 is simplified.
>>>>>
>>>>>
>>>>>
>>>>>     Dyn reg assumes every registration of an instance is unique which to me is a very extreme
>>>>>
>>>>> If you have a mobile app that needs to do the code flow... which
>>>>> requires a client_secret in order to retrieve the access token and
>>>>> refresh token, how does the app do this without per app instance
>>>>> registration?
>>>>>
>>>>> I'd argue that almost all user facing mobile apps will want the above
>>>>> flow and that's not a small, rare edge case.
>>>>>
>>>>> Thanks,
>>>>> George
>>>>>
>>>>>     position.
>>>>>
>>>>>
>>>>>
>>>>>     Phil
>>>>>
>>>>>
>>>>>
>>>>>     On 2013-08-28, at 8:41, Justin Richer <jricher@mitre.org> wrote:
>>>>>
>>>>>
>>>>>
>>>>>         Except for the cases where you want step 1 to happen in band. To me, that is a vitally and fundamentally important use case that we can't disregard, and we must have a solution that can accommodate that. The notions of "publisher" and "product" fade very quickly once you get outside of the software vendor world.
>>>>>
>>>>>
>>>>>
>>>>>         This is, of course, not to stand in the way of other solutions or approaches (such as something assertion based like you're after). It's not a one-or-the-other proposition, especially when there are mutually exclusive aspects of each.
>>>>>
>>>>>
>>>>>
>>>>>         Therefore I once again call for the WG to finish the current dynamic registration spec *AND* pursue the assertion based process that Phil's talking about. They're not mutually exclusive, let's please stop talking about them like they are.
>>>>>
>>>>>
>>>>>
>>>>>         -- Justin
>>>>>
>>>>>
>>>>>
>>>>>         On 08/28/2013 11:17 AM, Phil Hunt wrote:
>>>>>
>>>>>             Sorry. I meant also to say I think there are 2 registration steps
>>>>>
>>>>>             1. Software registration/approval. This often happens out of band. But in this step policy is defined that approves software for use. Many of the reg params are known here.
>>>>>
>>>>>
>>>>>
>>>>>             Federation techniques come into play as trust approvals can be based on developer, product or even publisher.
>>>>>
>>>>>
>>>>>
>>>>>             2. Each instance associates in a stateless way. Only clients that need credential rotation need more.
>>>>>
>>>>>
>>>>>
>>>>>             Phil
>>>>>
>>>>>
>>>>>
>>>>>             On 2013-08-28, at 8:04, Phil Hunt <phil.hunt@oracle.com> wrote:
>>>>>
>>>>>
>>>>>
>>>>>                 I have a conflict I cannot get out of for 2 Pacific.
>>>>>
>>>>>
>>>>>
>>>>>                 I think a certificate based approach is going to simplify exchanges in all cases. I encourage the group to explore the concept on the call.
>>>>>
>>>>>
>>>>>
>>>>>                 I am not sure breaking dyn reg up helps. It creates yet another option. I would like to explore how federation concept in software statements can help with facilitating association and making many reg stateless.
>>>>>
>>>>>
>>>>>
>>>>>                 Phil
>>>>>
>>>>>
>>>>>
>>>>>                 On 2013-08-28, at 5:43, "Tschofenig, Hannes (NSN - FI/Espoo)" <hannes.tschofenig@nsn.com> wrote:
>>>>>
>>>>>
>>>>>
>>>>>                     Here are the conference bridge / Webex details for the call today.
>>>>>
>>>>>                     We are going to complete the use case discussions from last time (Phil wasn't able to walk through all slides). Justin was also able to work out a strawman proposal based on the discussions last week and we will have a look at it to see whether this is a suitable compromise. Here is Justin's mail, in case you have missed it: http://www.ietf.org/mail-archive/web/oauth/current/msg12036.html
>>>>>
>>>>>
>>>>>
>>>>>                     Phil, please feel free to make adjustments to your slides given Justin's recent proposal.
>>>>>
>>>>>
>>>>>
>>>>>                     Topic: OAuth Dynamic Client Registration
>>>>>
>>>>>                     Date: Wednesday, August 28, 2013
>>>>>
>>>>>                     Time: 2:00 pm, Pacific Daylight Time (San Francisco, GMT-07:00)
>>>>>
>>>>>                     Meeting Number: 703 230 586
>>>>>
>>>>>                     Meeting Password: oauth
>>>>>
>>>>>
>>>>>
>>>>>                     -------------------------------------------------------
>>>>>
>>>>>                     To join the online meeting
>>>>>
>>>>>                     -------------------------------------------------------
>>>>>
>>>>>                     1. Go to https://nsn.webex.com/nsn/j.php?ED=269567657&UID=0&PW=NNTI1ZWQzMDJk&RT=MiM0
>>>>>
>>>>>                     2. Enter your name and email address.
>>>>>
>>>>>                     3. Enter the meeting password: oauth
>>>>>
>>>>>                     4. Click "Join Now".
>>>>>
>>>>>
>>>>>
>>>>>                     To view in other time zones or languages, please click the link:
>>>>>
>>>>>                     https://nsn.webex.com/nsn/j.php?ED=269567657&UID=0&PW=NNTI1ZWQzMDJk&ORT=MiM0
>>>>>
>>>>>
>>>>>
>>>>>                     To add this meeting to your calendar program (for example Microsoft Outlook), click this link:
>>>>>
>>>>>                     https://nsn.webex.com/nsn/j.php?ED=269567657&UID=0&ICS=MI&LD=1&RD=2&ST=1&SHA2=C6-AjLGvhdYjmpVdx75M6UsAwrNLMsequ5n95Gyv1R8=&RT=MiM0
>>>>>
>>>>>
>>>>>
>>>>>                     -------------------------------------------------------
>>>>>
>>>>>                     To join the teleconference only
>>>>>
>>>>>                     -------------------------------------------------------
>>>>>
>>>>>                     Global dial-in Numbers: http://www.nokiasiemensnetworks.com/nvc
>>>>>
>>>>>                     Conference Code: 944 910 5485
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>                     _______________________________________________
>>>>>
>>>>>                     OAuth mailing list
>>>>>
>>>>>                     OAuth@ietf.org   <mailto:OAuth@ietf.org>
>>>>>
>>>>>                     https://www.ietf.org/mailman/listinfo/oauth
>>>>>
>>>>>
>>>>> --
>>>>> George Fletcher <http://connect.me/gffletch>
>>>>>
>>>> --
>>>> George Fletcher <http://connect.me/gffletch>
>>>>
>>> -- 
>>> Sergey Beryozkin
>>>
>>> Talend Community Coders
>>> http://coders.talend.com/
>>>
>>> Blog: http://sberyozkin.blogspot.com
>
> -- 
> George Fletcher <http://connect.me/gffletch>
>


--------------070206000802070502010800
Content-Type: multipart/related;
	boundary="------------090301020504040102090408"

--------------090301020504040102090408
Content-Type: text/html; charset="ISO-8859-1"
Content-Transfer-Encoding: 7bit

<html>
  <head>
    <meta content="text/html; charset=ISO-8859-1"
      http-equiv="Content-Type">
  </head>
  <body bgcolor="#FFFFFF" text="#000000">
    I completely agree with George. I think this is the most sensible
    way forward.<br>
    <br>
    &nbsp;-- Justin<br>
    <br>
    <div class="moz-cite-prefix">On 08/28/2013 12:47 PM, George Fletcher
      wrote:<br>
    </div>
    <blockquote cite="mid:521E29AB.4070303@aol.com" type="cite">
      <meta http-equiv="Content-Type" content="text/html;
        charset=ISO-8859-1">
      <font face="Helvetica, Arial, sans-serif">So Phil... given that
        you can do all this today with the existing set of
        specifications... why not write the software statements/client
        assertion registration spec so that it meets your use case and
        deployment needs. I'd much rather have two straight forward ways
        to do something when the core use cases are so different than to
        try and munge everything into one and end up with unnecessary
        complexity in one or both of the solutions.<br>
        <br>
        I see the use case you are trying to solve for as significantly
        different than the one I'm trying to solve for. Now maybe your
        way is the better way but why not let the market make that
        decision? We will not confuse developers by having two ways to
        do things as it will be very clear at the beginning of
        development which way is needed for their use case:)<br>
        <br>
        Thanks,<br>
        George<br>
        <br>
      </font>
      <div class="moz-cite-prefix">On 8/28/13 12:41 PM, Phil Hunt wrote:<br>
      </div>
      <blockquote
        cite="mid:48AAD6B2-28E2-4B55-AE3E-C890216961C3@oracle.com"
        type="cite">
        <pre wrap="">Yes. A client could pass the software statement *directly* as its client credential.  Which is one of the *simple* solutions. 8-)

The other case is where the client instance needs its own credential as George indicates.  In that case it could swap the statement for a unique client assertion.

Phil

@independentid
<a moz-do-not-send="true" class="moz-txt-link-abbreviated" href="http://www.independentid.com">www.independentid.com</a>
<a moz-do-not-send="true" class="moz-txt-link-abbreviated" href="mailto:phil.hunt@oracle.com">phil.hunt@oracle.com</a>







On 2013-08-28, at 9:38 AM, Sergey Beryozkin <a moz-do-not-send="true" class="moz-txt-link-rfc2396E" href="mailto:sberyozkin@gmail.com">&lt;sberyozkin@gmail.com&gt;</a> wrote:

</pre>
        <blockquote type="cite">
          <pre wrap="">On 28/08/13 17:33, George Fletcher wrote:
</pre>
          <blockquote type="cite">
            <pre wrap="">So I understand that you'd rather that OAuth doesn't require a
client_secret and that's fine. However, I don't think we should impose
that thinking on the rest of the world who have already implemented it
and have it working and scaling without issues. If the core of this
discussion is around replacing client_id and client_secret with a
client_assertion then lets have that discussion separately and not bury
it in the dynamic registration discussion.

Could you not profile OAuth2 to support a flow that allows for retrieval
of access and refresh tokens using code + client_assertion? Doesn't seem
like that hard a profile and then the rest of this could fall out pretty
easily.

</pre>
          </blockquote>
          <pre wrap="">That is already supported AFAIK, something like

grant_type=authorization_code
&amp;code=12345678
&amp;client_assertion_type=urn%3Aietf%3Aparams%3Aoauth%3Aclient-assertion-type%3Asaml2-bearer
&amp;client_assertion=Base64UrlEncoded-SAML2-Bearer-Assertion

probably the same works with JWT

Sergey


</pre>
          <blockquote type="cite">
            <pre wrap="">Thanks,
George

On 8/28/13 12:28 PM, Anthony Nadalin wrote:
</pre>
            <blockquote type="cite">
              <pre wrap="">I do think that this is the rare-edge use case, we would not want
require client-secret, we already have that mess today with OAuth and
trying not to continue the proliferation, we solve this today with our
STS and assertion swaps/transformations, it scales, performs and we
don&#8217;t have the management debacle this specification creates

*From:*oauth-bounces@ietf.org [<a moz-do-not-send="true" class="moz-txt-link-freetext" href="mailto:oauth-bounces@ietf.org">mailto:oauth-bounces@ietf.org</a>] *On
Behalf Of *George Fletcher
*Sent:* Wednesday, August 28, 2013 9:21 AM
*To:* Phil Hunt
*Cc:* oauth mailing list
*Subject:* Re: [OAUTH-WG] Dynamic Client Registration Conference Call:
Wed 28 Aug, 2pm PDT: Conference Bridge Details

On 8/28/13 12:02 PM, Phil Hunt wrote:

   Please define the all in one case. I think this is the edge case and is in fact rare.



   I agree, in many cases step 1 can be made by simply approving a class of software. But then step 2 is simplified.



   Dyn reg assumes every registration of an instance is unique which too me is a very extreme

If you have a mobile app that needs to do the code flow... which
requires a client_secret in order to retrieve the access token and
refresh token, how does the app do this without per app instance
registration?

I'd argue that almost all user facing mobile apps will want the above
flow and that's not a small, rare edge case.

Thanks,
George

   position.



   Phil



   On 2013-08-28, at 8:41, Justin Richer<a moz-do-not-send="true" class="moz-txt-link-rfc2396E" href="mailto:jricher@mitre.org">&lt;jricher@mitre.org&gt;</a>  <a moz-do-not-send="true" class="moz-txt-link-rfc2396E" href="mailto:jricher@mitre.org">&lt;mailto:jricher@mitre.org&gt;</a>  wrote:



       Except for the cases where you want step 1 to happen in band. To me, that is a vitally and fundamentally important use case that we can't disregard, and we must have a solution that can accommodate that. The notions of "publisher" and "product" fade very quickly once you get outside of the software vendor world.



       This is, of course, not to stand in the way of other solutions or approaches (such as something assertion based like you're after). It's not a one-or-the-other proposition, especially when there are mutually exclusive aspects of each.



       Therefore I once again call for the WG to finish the current dynamic registration spec *AND* pursue the assertion based process that Phil's talking about. They're not mutually exclusive, let's please stop talking about them like they are.



       -- Justin



       On 08/28/2013 11:17 AM, Phil Hunt wrote:

           Sorry. I meant also to say i think there are 2 registration steps

           1. Software registration/approval. This often happens out of band. But in this step policy is defined that approves software for use. Many of the reg params are known here.



           Federation techniques come into play as trust approvals can be based on developer, product or even publisher.



           2. Each instance associates in a stateless way. Only clients that need credential rotation need more.



           Phil



           On 2013-08-28, at 8:04, Phil Hunt<a moz-do-not-send="true" class="moz-txt-link-rfc2396E" href="mailto:phil.hunt@oracle.com">&lt;phil.hunt@oracle.com&gt;</a>  <a moz-do-not-send="true" class="moz-txt-link-rfc2396E" href="mailto:phil.hunt@oracle.com">&lt;mailto:phil.hunt@oracle.com&gt;</a>  wrote:



               I have a conflict I cannot get out of for 2pacific.



               I think a certificate based approach is going to simplify exchanges in all cases. I encourage the group to explore the concept on the call.



               I am not sure breaking dyn reg up helps. It creates yet another option. I would like to explore how federation concept in software statements can help with facilitating association and making many reg stateless.



               Phil



               On 2013-08-28, at 5:43, "Tschofenig, Hannes (NSN - FI/Espoo)"<a moz-do-not-send="true" class="moz-txt-link-rfc2396E" href="mailto:hannes.tschofenig@nsn.com">&lt;hannes.tschofenig@nsn.com&gt;</a>  <a moz-do-not-send="true" class="moz-txt-link-rfc2396E" href="mailto:hannes.tschofenig@nsn.com">&lt;mailto:hannes.tschofenig@nsn.com&gt;</a>  wrote:



                   Here are the conference bridge / Webex details for the call today.

                   We are going to complete the use case discussions from last time (Phil wasn't able to walk through all slides). Justin was also able to work out a strawman proposal based on the discussions last week and we will have a look at it to see whether this is a suitable compromise. Here is Justin's mail, in case you have missed it:<a moz-do-not-send="true" class="moz-txt-link-freetext" href="http://www.ietf.org/mail-archive/web/oauth/current/msg12036.html">http://www.ietf.org/mail-archive/web/oauth/current/msg12036.html</a>



                   Phil, please feel free to make adjustments to your slides given the Justin's recent proposal.



                   Topic: OAuth Dynamic Client Registration

                   Date: Wednesday, August 28, 2013

                   Time: 2:00 pm, Pacific Daylight Time (San Francisco, GMT-07:00)

                   Meeting Number: 703 230 586

                   Meeting Password: oauth



                   -------------------------------------------------------

                   To join the online meeting

                   -------------------------------------------------------

                   1. Go tohttps://nsn.webex.com/nsn/j.php?ED=269567657&amp;UID=0&amp;PW=NNTI1ZWQzMDJk&amp;RT=MiM0

                   2. Enter your name and email address.

                   3. Enter the meeting password: oauth

                   4. Click "Join Now".



                   To view in other time zones or languages, please click the link:

                   <a moz-do-not-send="true" class="moz-txt-link-freetext" href="https://nsn.webex.com/nsn/j.php?ED=269567657&amp;UID=0&amp;PW=NNTI1ZWQzMDJk&amp;ORT=MiM0">https://nsn.webex.com/nsn/j.php?ED=269567657&amp;UID=0&amp;PW=NNTI1ZWQzMDJk&amp;ORT=MiM0</a>



                   To add this meeting to your calendar program (for example Microsoft Outlook), click this link:

                   <a moz-do-not-send="true" class="moz-txt-link-freetext" href="https://nsn.webex.com/nsn/j.php?ED=269567657&amp;UID=0&amp;ICS=MI&amp;LD=1&amp;RD=2&amp;ST=1&amp;SHA2=C6-AjLGvhdYjmpVdx75M6UsAwrNLMsequ5n95Gyv1R8=&amp;RT=MiM0">https://nsn.webex.com/nsn/j.php?ED=269567657&amp;UID=0&amp;ICS=MI&amp;LD=1&amp;RD=2&amp;ST=1&amp;SHA2=C6-AjLGvhdYjmpVdx75M6UsAwrNLMsequ5n95Gyv1R8=&amp;RT=MiM0</a>



                   -------------------------------------------------------

                   To join the teleconference only

                   -------------------------------------------------------

                   Global dial-in Numbers:<a moz-do-not-send="true" class="moz-txt-link-freetext" href="http://www.nokiasiemensnetworks.com/nvc">http://www.nokiasiemensnetworks.com/nvc</a>

                   Conference Code: 944 910 5485





                   _______________________________________________

                   OAuth mailing list

                   <a moz-do-not-send="true" class="moz-txt-link-abbreviated" href="mailto:OAuth@ietf.org">OAuth@ietf.org</a>  <a moz-do-not-send="true" class="moz-txt-link-rfc2396E" href="mailto:OAuth@ietf.org">&lt;mailto:OAuth@ietf.org&gt;</a>

                   <a moz-do-not-send="true" class="moz-txt-link-freetext" href="https://www.ietf.org/mailman/listinfo/oauth">https://www.ietf.org/mailman/listinfo/oauth</a>

               _______________________________________________

               OAuth mailing list

               <a moz-do-not-send="true" class="moz-txt-link-abbreviated" href="mailto:OAuth@ietf.org">OAuth@ietf.org</a>  <a moz-do-not-send="true" class="moz-txt-link-rfc2396E" href="mailto:OAuth@ietf.org">&lt;mailto:OAuth@ietf.org&gt;</a>

               <a moz-do-not-send="true" class="moz-txt-link-freetext" href="https://www.ietf.org/mailman/listinfo/oauth">https://www.ietf.org/mailman/listinfo/oauth</a>

           _______________________________________________

           OAuth mailing list

           <a moz-do-not-send="true" class="moz-txt-link-abbreviated" href="mailto:OAuth@ietf.org">OAuth@ietf.org</a>  <a moz-do-not-send="true" class="moz-txt-link-rfc2396E" href="mailto:OAuth@ietf.org">&lt;mailto:OAuth@ietf.org&gt;</a>

           <a moz-do-not-send="true" class="moz-txt-link-freetext" href="https://www.ietf.org/mailman/listinfo/oauth">https://www.ietf.org/mailman/listinfo/oauth</a>



   _______________________________________________

   OAuth mailing list

   <a moz-do-not-send="true" class="moz-txt-link-abbreviated" href="mailto:OAuth@ietf.org">OAuth@ietf.org</a>  <a moz-do-not-send="true" class="moz-txt-link-rfc2396E" href="mailto:OAuth@ietf.org">&lt;mailto:OAuth@ietf.org&gt;</a>

   <a moz-do-not-send="true" class="moz-txt-link-freetext" href="https://www.ietf.org/mailman/listinfo/oauth">https://www.ietf.org/mailman/listinfo/oauth</a>





--
George Fletcher <a moz-do-not-send="true" class="moz-txt-link-rfc2396E" href="http://connect.me/gffletch">&lt;http://connect.me/gffletch&gt;</a>

</pre>
            </blockquote>
            <pre wrap="">--
George Fletcher <a moz-do-not-send="true" class="moz-txt-link-rfc2396E" href="http://connect.me/gffletch">&lt;http://connect.me/gffletch&gt;</a>


_______________________________________________
OAuth mailing list
<a moz-do-not-send="true" class="moz-txt-link-abbreviated" href="mailto:OAuth@ietf.org">OAuth@ietf.org</a>
<a moz-do-not-send="true" class="moz-txt-link-freetext" href="https://www.ietf.org/mailman/listinfo/oauth">https://www.ietf.org/mailman/listinfo/oauth</a>

</pre>
          </blockquote>
          <pre wrap="">
-- 
Sergey Beryozkin

Talend Community Coders
<a moz-do-not-send="true" class="moz-txt-link-freetext" href="http://coders.talend.com/">http://coders.talend.com/</a>

Blog: <a moz-do-not-send="true" class="moz-txt-link-freetext" href="http://sberyozkin.blogspot.com">http://sberyozkin.blogspot.com</a>
_______________________________________________
OAuth mailing list
<a moz-do-not-send="true" class="moz-txt-link-abbreviated" href="mailto:OAuth@ietf.org">OAuth@ietf.org</a>
<a moz-do-not-send="true" class="moz-txt-link-freetext" href="https://www.ietf.org/mailman/listinfo/oauth">https://www.ietf.org/mailman/listinfo/oauth</a>
</pre>
        </blockquote>
        <pre wrap="">_______________________________________________
OAuth mailing list
<a moz-do-not-send="true" class="moz-txt-link-abbreviated" href="mailto:OAuth@ietf.org">OAuth@ietf.org</a>
<a moz-do-not-send="true" class="moz-txt-link-freetext" href="https://www.ietf.org/mailman/listinfo/oauth">https://www.ietf.org/mailman/listinfo/oauth</a>


</pre>
      </blockquote>
      <br>
      <div class="moz-signature">-- <br>
        <a moz-do-not-send="true" href="http://connect.me/gffletch"
          title="View full card on Connect.Me"><img
            src="cid:part37.01000407.01040803@mitre.org" alt="George
            Fletcher" height="113" width="359"></a></div>
      <br>
      <fieldset class="mimeAttachmentHeader"></fieldset>
      <br>
      <pre wrap="">_______________________________________________
OAuth mailing list
<a class="moz-txt-link-abbreviated" href="mailto:OAuth@ietf.org">OAuth@ietf.org</a>
<a class="moz-txt-link-freetext" href="https://www.ietf.org/mailman/listinfo/oauth">https://www.ietf.org/mailman/listinfo/oauth</a>
</pre>
    </blockquote>
    <br>
  </body>
</html>

--------------090301020504040102090408
Content-Type: image/png
Content-Transfer-Encoding: base64
Content-ID: <part37.01000407.01040803@mitre.org>
--------------090301020504040102090408--

--------------070206000802070502010800--

From ve7jtb@ve7jtb.com  Wed Aug 28 09:51:57 2013
Return-Path: <ve7jtb@ve7jtb.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D8EDE21F9A13 for <oauth@ietfa.amsl.com>; Wed, 28 Aug 2013 09:51:56 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.292
X-Spam-Level: 
X-Spam-Status: No, score=-3.292 tagged_above=-999 required=5 tests=[AWL=0.307,  BAYES_00=-2.599, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id WtfNxPQaEbZ4 for <oauth@ietfa.amsl.com>; Wed, 28 Aug 2013 09:51:52 -0700 (PDT)
Received: from mail-qa0-f47.google.com (mail-qa0-f47.google.com [209.85.216.47]) by ietfa.amsl.com (Postfix) with ESMTP id 45E1F11E81E8 for <oauth@ietf.org>; Wed, 28 Aug 2013 09:51:52 -0700 (PDT)
Received: by mail-qa0-f47.google.com with SMTP id j7so2026716qaq.6 for <oauth@ietf.org>; Wed, 28 Aug 2013 09:51:51 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=x-gm-message-state:content-type:mime-version:subject:from :in-reply-to:date:cc:message-id:references:to; bh=bDJzpOP4cGh/XNhs8DViuSxj/4YYUD7ILgGE77y980o=; b=GBd6my7Jj751oQTmaK4w7ZUHE3N1bzk2viU1IgxtnOmuzI9+bKjajbz/goD4ZLAdjN 35hO3UVv6Fwk4wZZefdfvu4ceAOGOaZOXQKTcPEg4DXU59Dv25Sgb+8+eVynKR0lK2om p3X7d8wJPpELyiXALkyXLAj0s66qXRGfxahbUreqVjVl8fTI9meuW5PvBDvQtBxmSK5l yUAi9yOP2/KthPmmTouxBGctfayOXVzJxGu28R3PBu9UGqkGNNXIQWz8Tgox63zR+EaP 6h9Lo8jRRU+r6bd+VJBrwgtZcs/5jVSRm+vPn2yj6/DAx7pZDbNy9m+dlpsgOUZjWO7V 8DyA==
X-Gm-Message-State: ALoCoQl9X8+vVmDiQ3qdbJnoPZ8ontA9Ls8KrelQGDhrhmjJiRxAI+BgahcgD+Sxd2uct6ruXc/p
X-Received: by 10.49.58.132 with SMTP id r4mr28550740qeq.10.1377708711665; Wed, 28 Aug 2013 09:51:51 -0700 (PDT)
Received: from [192.168.1.216] (190-20-36-119.baf.movistar.cl. [190.20.36.119]) by mx.google.com with ESMTPSA id t4sm37820396qas.1.1969.12.31.16.00.00 (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Wed, 28 Aug 2013 09:51:50 -0700 (PDT)
Content-Type: multipart/signed; boundary="Apple-Mail=_EA029E4E-52F8-49A8-BE08-F3CA072CD6B8"; protocol="application/pkcs7-signature"; micalg=sha1
Mime-Version: 1.0 (Mac OS X Mail 6.5 \(1508\))
From: John Bradley <ve7jtb@ve7jtb.com>
In-Reply-To: <521E2183.1010007@gmail.com>
Date: Wed, 28 Aug 2013 12:51:46 -0400
Message-Id: <E6AC8378-BC52-42DC-9E4E-25423336EB71@ve7jtb.com>
References: <20130730095129.29309.12243.idtracker@ietfa.amsl.com> <CABzCy2CC3Oi2J7GZJVBa07=xtjMXvy9ah_h_ZwwZQXDd4qtSzw@mail.gmail.com> <CABzCy2Ax56ithEc2AvKCqybzK9RjV1cDYPoKdj7DBu6euj8F7w@mail.gmail.com> <521E2183.1010007@gmail.com>
To: Sergey Beryozkin <sberyozkin@gmail.com>
X-Mailer: Apple Mail (2.1508)
Cc: oauth@ietf.org
Subject: Re: [OAUTH-WG] New Version Notification for draft-sakimura-oauth-tcse-00.txt
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 28 Aug 2013 16:51:57 -0000

--Apple-Mail=_EA029E4E-52F8-49A8-BE08-F3CA072CD6B8
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain;
	charset=us-ascii

We probably don't want this secret that is used as confirmation of the =
code to be confused with a client secret that is bound to a client. =20
They are verified by different levels of the stack.   One client_id may =
have many instances all using different values of the code proof of =
possession simultaneously.

So I prefer to eliminate the term client secret entirely.


On 2013-08-28, at 12:12 PM, Sergey Beryozkin <sberyozkin@gmail.com> =
wrote:

> Hi,
>=20
> can you consider replacing "tcs" and "tcsh" with "temp_client_secret" =
and "temp_client_secret_hash" ? in OAuth2 we have "client_id", =
"client_secret" (ex, in dyn reg), and having a temp variant of =
"client_secret" called as "tcs" seems a bit cryptic to me :-), not a bit =
issue though
>=20
> Sergey
>=20
> On 30/07/13 16:36, Nat Sakimura wrote:
>> Hi.
>>=20
>> I had to fix a few issues with the previous draft text.
>> No normative changes, but just removed some extra text.
>>=20
>> Nat
>>=20
>> ---------- Forwarded message ----------
>> From: **<internet-drafts@ietf.org <mailto:internet-drafts@ietf.org>>
>> Date: 2013/7/31
>> Subject: New Version Notification for =
draft-sakimura-oauth-tcse-01.txt
>> To: Nat Sakimura <sakimura@gmail.com <mailto:sakimura@gmail.com>>, =
John
>> Bradley <jbradley@pingidentity.com =
<mailto:jbradley@pingidentity.com>>,
>> Naveen Agarwal <naa@google.com <mailto:naa@google.com>>
>>=20
>>=20
>>=20
>> A new version of I-D, draft-sakimura-oauth-tcse-01.txt
>> has been successfully submitted by Nat Sakimura and posted to the
>> IETF repository.
>>=20
>> Filename:        draft-sakimura-oauth-tcse
>> Revision:        01
>> Title:           OAuth Transient Client Secret Extension for Public =
Clients
>> Creation date:   2013-07-30
>> Group:           Individual Submission
>> Number of pages: 7
>> URL: =
http://www.ietf.org/internet-drafts/draft-sakimura-oauth-tcse-01.txt
>> Status: http://datatracker.ietf.org/doc/draft-sakimura-oauth-tcse
>> Htmlized: http://tools.ietf.org/html/draft-sakimura-oauth-tcse-01
>> Diff: http://www.ietf.org/rfcdiff?url2=3Ddraft-sakimura-oauth-tcse-01
>>=20
>> Abstract:
>>    The OAuth 2.0 public client utilizing authorization code grant is
>>    susceptible to the code interception attack.  This specification
>>    describe a mechanism that acts as a control against this threat.
>>=20
>>=20
>>=20
>>=20
>>=20
>> Please note that it may take a couple of minutes from the time of =
submission
>> until the htmlized version and diff are available at tools.ietf.org
>> <http://tools.ietf.org/>.
>>=20
>> The IETF Secretariat
>>=20
>>=20
>>=20
>>=20
>> --
>> Nat Sakimura (=3Dnat)
>> Chairman, OpenID Foundation
>> http://nat.sakimura.org/
>> @_nat_en
>>=20
>>=20
>> 2013/7/30 Nat Sakimura <sakimura@gmail.com =
<mailto:sakimura@gmail.com>>
>>=20
>>    As some of you know, passing the authorization code securely to a
>>    native app on iOS platform is next to impossible. Malicious
>>    application may register the same custom scheme as the victim
>>    application and hope to obtain the code, whose success rate is
>>    rather high.
>>=20
>>    We have discussed about it during the OpenID Connect Meeting at =
IETF
>>    87 on Sunday, and over a lengthy thread on the OpenID AB/Connect
>>    work group list. I have captured the discussion in the form of =
I-D.
>>    It is pretty short and hopefully easy to read.
>>=20
>>    IMHO, although it came up as an issue in OpenID Connect, this is a
>>    quite useful extension to OAuth 2.0 in general.
>>=20
>>    Best,
>>=20
>>    Nat Sakimura
>>=20
>>    ---------- Forwarded message ----------
>>    From: ** <internet-drafts@ietf.org =
<mailto:internet-drafts@ietf.org>>
>>    Date: 2013/7/30
>>    Subject: New Version Notification for =
draft-sakimura-oauth-tcse-00.txt
>>    To: Nat Sakimura <sakimura@gmail.com <mailto:sakimura@gmail.com>>,
>>    John Bradley <jbradley@pingidentity.com
>>    <mailto:jbradley@pingidentity.com>>, Naveen Agarwal =
<naa@google.com
>>    <mailto:naa@google.com>>
>>=20
>>=20
>>=20
>>    A new version of I-D, draft-sakimura-oauth-tcse-00.txt
>>    has been successfully submitted by Nat Sakimura and posted to the
>>    IETF repository.
>>=20
>>    Filename:        draft-sakimura-oauth-tcse
>>    Revision:        00
>>    Title:           OAuth Transient Client Secret Extension for =
Public
>>    Clients
>>    Creation date:   2013-07-29
>>    Group:           Individual Submission
>>    Number of pages: 7
>>    URL:
>>    =
http://www.ietf.org/internet-drafts/draft-sakimura-oauth-tcse-00.txt
>>    Status: http://datatracker.ietf.org/doc/draft-sakimura-oauth-tcse
>>    Htmlized: http://tools.ietf.org/html/draft-sakimura-oauth-tcse-00
>>=20
>>=20
>>    Abstract:
>>        The OAuth 2.0 public client utilizing code flow is susceptible
>>    to the
>>        code interception attack.  This specification describe a =
mechanism
>>        that acts as a control against this threat.
>>=20
>>=20
>>=20
>>=20
>>=20
>>    Please note that it may take a couple of minutes from the time of
>>    submission
>>    until the htmlized version and diff are available at =
tools.ietf.org
>>    <http://tools.ietf.org>.
>>=20
>>    The IETF Secretariat
>>=20
>>=20
>>=20
>>=20
>>    --
>>    Nat Sakimura (=3Dnat)
>>    Chairman, OpenID Foundation
>>    http://nat.sakimura.org/
>>    @_nat_en
>>=20
>>=20
>>=20
>>=20
>> --
>> Nat Sakimura (=3Dnat)
>> Chairman, OpenID Foundation
>> http://nat.sakimura.org/
>> @_nat_en
>>=20
>>=20
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth
>>=20
>=20
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth


--Apple-Mail=_EA029E4E-52F8-49A8-BE08-F3CA072CD6B8
Content-Disposition: attachment;
	filename=smime.p7s
Content-Type: application/pkcs7-signature;
	name=smime.p7s
Content-Transfer-Encoding: base64


--Apple-Mail=_EA029E4E-52F8-49A8-BE08-F3CA072CD6B8--
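
The distinction drawn in the message above (a per-instance code confirmation secret, as opposed to a client secret bound to the client_id) can be made concrete with a small model of both sides. This is an added example, not code from the draft or from anyone on the thread: the `tcs`/`tcsh` names come from the thread, while the derivation `tcsh = base64url(SHA-256(tcs))`, the class and function names, and the `example-native-app` client_id are assumptions made for illustration.

```python
import base64
import hashlib
import hmac
import secrets


def b64url(data: bytes) -> str:
    """Unpadded base64url, safe to carry in a query or form parameter."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def new_tcs() -> str:
    """Fresh secret generated by one app instance for one authorization."""
    return b64url(secrets.token_bytes(32))


def tcsh_of(tcs: str) -> str:
    """ASSUMED derivation for this example: base64url(SHA-256(tcs))."""
    return b64url(hashlib.sha256(tcs.encode("ascii")).digest())


class AuthorizationServer:
    """Hypothetical server that binds each code to the tcsh it was issued for."""

    def __init__(self) -> None:
        # code -> (client_id, tcsh); nothing is stored per client_id, so any
        # number of installs can have codes outstanding at the same time.
        self._pending = {}

    def authorize(self, client_id: str, tcsh: str) -> str:
        """Authorization request: only the hash of the secret is presented."""
        code = b64url(secrets.token_bytes(16))
        self._pending[code] = (client_id, tcsh)
        return code

    def redeem(self, client_id: str, code: str, tcs: str):
        """Token request: the secret itself must match the bound hash."""
        # pop() makes the code single-use, including after a failed attempt.
        entry = self._pending.pop(code, None)
        if entry is None:
            return None
        bound_client, bound_tcsh = entry
        if bound_client != client_id:
            return None
        # Constant-time comparison of the recomputed hash with the bound one.
        if not hmac.compare_digest(tcsh_of(tcs), bound_tcsh):
            return None
        return "at-" + b64url(secrets.token_bytes(16))


def demo() -> dict:
    server = AuthorizationServer()
    client_id = "example-native-app"  # constructed; shared by every install

    # Two installs of the same public client, each with its own secret.
    tcs_a, tcs_b = new_tcs(), new_tcs()
    code_a = server.authorize(client_id, tcsh_of(tcs_a))
    code_b = server.authorize(client_id, tcsh_of(tcs_b))

    # Further codes used for the negative cases below.
    code_intercepted = server.authorize(client_id, tcsh_of(tcs_a))
    code_for_b = server.authorize(client_id, tcsh_of(tcs_b))

    return {
        # Both installs redeem their own codes while the other is pending.
        "install_a": server.redeem(client_id, code_a, tcs_a) is not None,
        "install_b": server.redeem(client_id, code_b, tcs_b) is not None,
        # A party holding the client_id and the code, but not the tcs.
        "interceptor": server.redeem(client_id, code_intercepted, new_tcs())
        is not None,
        # Install A's secret does not confirm a code issued to install B.
        "wrong_instance": server.redeem(client_id, code_for_b, tcs_a)
        is not None,
        # A code that was already redeemed cannot be used again.
        "replay": server.redeem(client_id, code_a, tcs_a) is not None,
    }


if __name__ == "__main__":
    for case, granted in demo().items():
        print(f"{case:15s} token issued: {granted}")
```

The server keeps no per-client secret at all; the only state is the code-to-hash binding, which is why the confirmation value is checked at a different layer from client authentication.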

From phil.hunt@oracle.com  Wed Aug 28 09:54:44 2013
Return-Path: <phil.hunt@oracle.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3943911E81B8 for <oauth@ietfa.amsl.com>; Wed, 28 Aug 2013 09:54:44 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.094
X-Spam-Level: 
X-Spam-Status: No, score=-4.094 tagged_above=-999 required=5 tests=[AWL=-1.192, BAYES_00=-2.599, HTML_MESSAGE=0.001, MANGLED_PREMTR=2.3, MIME_QP_LONG_LINE=1.396, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id eOYAJymUsExB for <oauth@ietfa.amsl.com>; Wed, 28 Aug 2013 09:54:39 -0700 (PDT)
Received: from aserp1040.oracle.com (aserp1040.oracle.com [141.146.126.69]) by ietfa.amsl.com (Postfix) with ESMTP id 34C6F11E81B2 for <oauth@ietf.org>; Wed, 28 Aug 2013 09:54:39 -0700 (PDT)
Received: from ucsinet22.oracle.com (ucsinet22.oracle.com [156.151.31.94]) by aserp1040.oracle.com (Sentrion-MTA-4.3.1/Sentrion-MTA-4.3.1) with ESMTP id r7SGsZHb013782 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK); Wed, 28 Aug 2013 16:54:36 GMT
Received: from aserz7021.oracle.com (aserz7021.oracle.com [141.146.126.230]) by ucsinet22.oracle.com (8.14.4+Sun/8.14.4) with ESMTP id r7SGsYZP005055 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Wed, 28 Aug 2013 16:54:34 GMT
Received: from abhmt101.oracle.com (abhmt101.oracle.com [141.146.116.53]) by aserz7021.oracle.com (8.14.4+Sun/8.14.4) with ESMTP id r7SGsYcW013151; Wed, 28 Aug 2013 16:54:34 GMT
Received: from [192.168.1.89] (/24.86.29.34) by default (Oracle Beehive Gateway v4.0) with ESMTP ; Wed, 28 Aug 2013 09:54:33 -0700
Content-Type: multipart/alternative; boundary="Apple-Mail=_1A5A6CAA-E043-47CC-9B03-F0B1762390B7"
Mime-Version: 1.0 (Mac OS X Mail 6.5 \(1508\))
From: Phil Hunt <phil.hunt@oracle.com>
In-Reply-To: <521E29AB.4070303@aol.com>
Date: Wed, 28 Aug 2013 09:54:43 -0700
Message-Id: <EEA753B5-C42A-4228-A8C7-B9A0FED0CB4F@oracle.com>
References: <1373E8CE237FCC43BCA36C6558612D2AA28D6A@USCHMBX001.nsn-intra.net> <4D9D4AAD-55F9-4B7E-A56F-5BC42F028E13@oracle.com> <B14A12F5-EF5C-4529-90B7-C30E17958907@oracle.com>	<521E1A34.30204@mitre.org> <BC009D74-FEF3-4827-8C0D-1B2FCCF9DA65@oracle.com> <521E2353.2030904@aol.com> <23dda71eaefa47fb848fd2d6e4cd7499@BY2PR03MB189.namprd03.prod.outlook.com> <521E2657.1060506@aol.com> <521E276F.3010804@gmail.com> <48AAD6B2-28E2-4B55-AE3E-C890216961C3@oracle.com> <521E29AB.4070303@aol.com>
To: George Fletcher <gffletch@aol.com>
X-Mailer: Apple Mail (2.1508)
X-Source-IP: ucsinet22.oracle.com [156.151.31.94]
Cc: oauth@ietf.org
Subject: Re: [OAUTH-WG] Dynamic Client Registration Conference Call: Wed 28 Aug, 2pm PDT: Conference Bridge Details
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 28 Aug 2013 16:54:44 -0000

--Apple-Mail=_1A5A6CAA-E043-47CC-9B03-F0B1762390B7
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain;
	charset=windows-1252

That's what I'm trying to do. All I have been asking for is time to =
explore the spec and to see how it can impact and simplify dyn reg -- =
which I believe is a significant amount.  It would be premature at this =
point to move Dyn Reg forward without exploring this.

I still believe dyn reg is over-specified because it assumes *every* =
client registration is different when in fact 99.9% of registrations =
are going to fall in clusters of client applications.  Much of the =
parameters can be moved to step 1 of registration or at the least be =
bundled into the software assertion. Thus the reg endpoint only has to =
deal with truly instance specific details (e.g. like credential =
management).

I don't preclude that most of dyn reg may remain intact, but it seems =
clear there will be substantive breaking changes that simplify =
registration.

Phil

@independentid
www.independentid.com
phil.hunt@oracle.com







On 2013-08-28, at 9:47 AM, George Fletcher <gffletch@aol.com> wrote:

> So Phil... given that you can do all this today with the existing set =
of specifications... why not write the software statements/client =
assertion registration spec so that it meets your use case and =
deployment needs. I'd much rather have two straight forward ways to do =
something when the core use cases are so different than to try and munge =
everything into one and end up with unnecessary complexity in one or =
both of the solutions.
>=20
> I see the use case you are trying to solve for as significantly =
different than the one I'm trying to solve for. Now maybe your way is =
the better way but why not let the market make that decision? We will =
not confuse developers by having two ways to do things as it will be =
very clear at the beginning of development which way is needed for their =
use case:)
>=20
> Thanks,
> George
>=20
> On 8/28/13 12:41 PM, Phil Hunt wrote:
>> Yes. A client could pass the software statement *directly* as its =
client credential.  Which is one of the *simple* solutions. 8-)
>>=20
>> The other case is where the client instance needs its own credential =
as George indicates.  In that case it could swap the statement for a =
unique client assertion.
>>=20
>> Phil
>>=20
>> @independentid
>> www.independentid.com
>> phil.hunt@oracle.com
>>=20
>>=20
>>=20
>>=20
>>=20
>>=20
>>=20
>> On 2013-08-28, at 9:38 AM, Sergey Beryozkin <sberyozkin@gmail.com> =
wrote:
>>=20
>>> On 28/08/13 17:33, George Fletcher wrote:
>>>> So I understand that you'd rather that OAuth doesn't require a
>>>> client_secret and that's fine. However, I don't think we should =
impose
>>>> that thinking on the rest of the world who have already implemented =
it
>>>> and have it working and scaling without issues. If the core of this
>>>> discussion is around replacing client_id and client_secret with a
>>>> client_assertion then lets have that discussion separately and not =
bury
>>>> it in the dynamic registration discussion.
>>>>=20
>>>> Could you not profile OAuth2 to support a flow that allows for =
retrieval
>>>> of access and refresh tokens using code + client_assertion? Doesn't =
seem
>>>> like that hard a profile and then the rest of this could fall out =
pretty
>>>> easily.
>>>>=20
>>> That is already supported AFAIK, something like
>>>=20
>>> grant_type=3Dauthorization_code
>>> &code=3D12345678
>>> =
&client_assertion_type=3Durn%3Aietf%3Aparams%3Aoauth%3Aclient-assertion-ty=
pe%3Asaml2-bearer
>>> &client_assertion=3DBase64UrlEncoded-SAML2-Bearer-Assertion
>>>=20
>>> probably the same works with JWT
>>>=20
>>> Sergey
>>>=20
>>>=20
>>>> Thanks,
>>>> George
>>>>=20
>>>> On 8/28/13 12:28 PM, Anthony Nadalin wrote:
>>>>> I do think that this is the rare-edge use case, we would not want
>>>>> require client-secret, we already have that mess today with OAuth =
and
>>>>> trying not to continue the proliferation, we solve this today with =
our
>>>>> STS and assertion swaps/transformations, it scales, performs and =
we
>>>>> don=92t have the management debacle this specification creates
>>>>>=20
>>>>> *From:*oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] *On
>>>>> Behalf Of *George Fletcher
>>>>> *Sent:* Wednesday, August 28, 2013 9:21 AM
>>>>> *To:* Phil Hunt
>>>>> *Cc:* oauth mailing list
>>>>> *Subject:* Re: [OAUTH-WG] Dynamic Client Registration Conference =
Call:
>>>>> Wed 28 Aug, 2pm PDT: Conference Bridge Details
>>>>>=20
>>>>> On 8/28/13 12:02 PM, Phil Hunt wrote:
>>>>>=20
>>>>>    Please define the all in one case. I think this is the edge =
case and is in fact rare.
>>>>>=20
>>>>>=20
>>>>>=20
>>>>>    I agree, in many cases step 1 can be made by simply approving a =
class of software. But then step 2 is simplified.
>>>>>=20
>>>>>=20
>>>>>=20
>>>>>    Dyn reg assumes every registration of an instance is unique =
which to me is a very extreme
>>>>>=20
>>>>> If you have a mobile app that needs to do the code flow... which
>>>>> requires a client_secret in order to retrieve the access token and
>>>>> refresh token, how does the app do this without per app instance
>>>>> registration?
>>>>>=20
>>>>> I'd argue that almost all user facing mobile apps will want the =
above
>>>>> flow and that's not a small, rare edge case.
>>>>>=20
>>>>> Thanks,
>>>>> George
>>>>>=20
>>>>>    position.
>>>>>=20
>>>>>=20
>>>>>=20
>>>>>    Phil
>>>>>=20
>>>>>=20
>>>>>=20
>>>>>    On 2013-08-28, at 8:41, Justin Richer<jricher@mitre.org>  =
<mailto:jricher@mitre.org>  wrote:
>>>>>=20
>>>>>=20
>>>>>=20
>>>>>        Except for the cases where you want step 1 to happen in =
band. To me, that is a vitally and fundamentally important use case that =
we can't disregard, and we must have a solution that can accommodate =
that. The notions of "publisher" and "product" fade very quickly once =
you get outside of the software vendor world.
>>>>>=20
>>>>>=20
>>>>>=20
>>>>>        This is, of course, not to stand in the way of other =
solutions or approaches (such as something assertion based like you're =
after). It's not a one-or-the-other proposition, especially when there =
are mutually exclusive aspects of each.
>>>>>=20
>>>>>=20
>>>>>=20
>>>>>        Therefore I once again call for the WG to finish the =
current dynamic registration spec *AND* pursue the assertion based =
process that Phil's talking about. They're not mutually exclusive, let's =
please stop talking about them like they are.
>>>>>=20
>>>>>=20
>>>>>=20
>>>>>        -- Justin
>>>>>=20
>>>>>=20
>>>>>=20
>>>>>        On 08/28/2013 11:17 AM, Phil Hunt wrote:
>>>>>=20
>>>>>            Sorry. I meant also to say i think there are 2 =
registration steps
>>>>>=20
>>>>>            1. Software registration/approval. This often happens =
out of band. But in this step policy is defined that approves software =
for use. Many of the reg params are known here.
>>>>>=20
>>>>>=20
>>>>>=20
>>>>>            Federation techniques come into play as trust approvals =
can be based on developer, product or even publisher.
>>>>>=20
>>>>>=20
>>>>>=20
>>>>>            2. Each instance associates in a stateless way. Only =
clients that need credential rotation need more.
>>>>>=20
>>>>>=20
>>>>>=20
>>>>>            Phil
>>>>>=20
>>>>>=20
>>>>>=20
>>>>>            On 2013-08-28, at 8:04, Phil Hunt<phil.hunt@oracle.com> =
 <mailto:phil.hunt@oracle.com>  wrote:
>>>>>=20
>>>>>=20
>>>>>=20
>>>>>                I have a conflict I cannot get out of for 2pacific.
>>>>>=20
>>>>>=20
>>>>>=20
>>>>>                I think a certificate based approach is going to =
simplify exchanges in all cases. I encourage the group to explore the =
concept on the call.
>>>>>=20
>>>>>=20
>>>>>=20
>>>>>                I am not sure breaking dyn reg up helps. It creates =
yet another option. I would like to explore how federation concept in =
software statements can help with facilitating association and making =
many reg stateless.
>>>>>=20
>>>>>=20
>>>>>=20
>>>>>                Phil
>>>>>=20
>>>>>=20
>>>>>=20
>>>>>                On 2013-08-28, at 5:43, "Tschofenig, Hannes (NSN - =
FI/Espoo)"<hannes.tschofenig@nsn.com>  =
<mailto:hannes.tschofenig@nsn.com>  wrote:
>>>>>=20
>>>>>=20
>>>>>=20
>>>>>                    Here are the conference bridge / Webex details =
for the call today.
>>>>>=20
>>>>>                    We are going to complete the use case =
discussions from last time (Phil wasn't able to walk through all =
slides). Justin was also able to work out a strawman proposal based on =
the discussions last week and we will have a look at it to see whether =
this is a suitable compromise. Here is Justin's mail, in case you have =
missed =
it:http://www.ietf.org/mail-archive/web/oauth/current/msg12036.html
>>>>>=20
>>>>>=20
>>>>>=20
>>>>>                    Phil, please feel free to make adjustments to =
your slides given the Justin's recent proposal.
>>>>>=20
>>>>>=20
>>>>>=20
>>>>>                    Topic: OAuth Dynamic Client Registration
>>>>>=20
>>>>>                    Date: Wednesday, August 28, 2013
>>>>>=20
>>>>>                    Time: 2:00 pm, Pacific Daylight Time (San =
Francisco, GMT-07:00)
>>>>>=20
>>>>>                    Meeting Number: 703 230 586
>>>>>=20
>>>>>                    Meeting Password: oauth
>>>>>=20
>>>>>=20
>>>>>=20
>>>>>                    =
-------------------------------------------------------
>>>>>=20
>>>>>                    To join the online meeting
>>>>>=20
>>>>>                    =
-------------------------------------------------------
>>>>>=20
>>>>>                    1. Go =
tohttps://nsn.webex.com/nsn/j.php?ED=3D269567657&UID=3D0&PW=3DNNTI1ZWQzMDJ=
k&RT=3DMiM0
>>>>>=20
>>>>>                    2. Enter your name and email address.
>>>>>=20
>>>>>                    3. Enter the meeting password: oauth
>>>>>=20
>>>>>                    4. Click "Join Now".
>>>>>=20
>>>>>=20
>>>>>=20
>>>>>                    To view in other time zones or languages, =
please click the link:
>>>>>=20
>>>>>                    =
https://nsn.webex.com/nsn/j.php?ED=3D269567657&UID=3D0&PW=3DNNTI1ZWQzMDJk&=
ORT=3DMiM0
>>>>>=20
>>>>>=20
>>>>>=20
>>>>>                    To add this meeting to your calendar program =
(for example Microsoft Outlook), click this link:
>>>>>=20
>>>>>                    =
https://nsn.webex.com/nsn/j.php?ED=3D269567657&UID=3D0&ICS=3DMI&LD=3D1&RD=3D=
2&ST=3D1&SHA2=3DC6-AjLGvhdYjmpVdx75M6UsAwrNLMsequ5n95Gyv1R8=3D&RT=3DMiM0
>>>>>=20
>>>>>=20
>>>>>=20
>>>>>                    =
-------------------------------------------------------
>>>>>=20
>>>>>                    To join the teleconference only
>>>>>=20
>>>>>                    =
-------------------------------------------------------
>>>>>=20
>>>>>                    Global dial-in =
Numbers:http://www.nokiasiemensnetworks.com/nvc
>>>>>=20
>>>>>                    Conference Code: 944 910 5485
>>>>>=20
>>>>>=20
>>>>>=20
>>>>>=20
>>>>>=20
>>>>>                    _______________________________________________
>>>>>=20
>>>>>                    OAuth mailing list
>>>>>=20
>>>>>                    OAuth@ietf.org  <mailto:OAuth@ietf.org>
>>>>>=20
>>>>>                    https://www.ietf.org/mailman/listinfo/oauth
>>>>>=20
>>>>>                _______________________________________________
>>>>>=20
>>>>>                OAuth mailing list
>>>>>=20
>>>>>                OAuth@ietf.org  <mailto:OAuth@ietf.org>
>>>>>=20
>>>>>                https://www.ietf.org/mailman/listinfo/oauth
>>>>>=20
>>>>>            _______________________________________________
>>>>>=20
>>>>>            OAuth mailing list
>>>>>=20
>>>>>            OAuth@ietf.org  <mailto:OAuth@ietf.org>
>>>>>=20
>>>>>            https://www.ietf.org/mailman/listinfo/oauth
>>>>>=20
>>>>>=20
>>>>>=20
>>>>>    _______________________________________________
>>>>>=20
>>>>>    OAuth mailing list
>>>>>=20
>>>>>    OAuth@ietf.org  <mailto:OAuth@ietf.org>
>>>>>=20
>>>>>    https://www.ietf.org/mailman/listinfo/oauth
>>>>>=20
>>>>>=20
>>>>>=20
>>>>>=20
>>>>>=20
>>>>> --
>>>>> George Fletcher <http://connect.me/gffletch>
>>>>>=20
>>>> --
>>>> George Fletcher <http://connect.me/gffletch>
>>> -- 
>>> Sergey Beryozkin
>>>
>>> Talend Community Coders
>>> http://coders.talend.com/
>>>
>>> Blog: http://sberyozkin.blogspot.com
> -- 
> <XeC.png>


--Apple-Mail=_1A5A6CAA-E043-47CC-9B03-F0B1762390B7--
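
The token request Sergey sketches in the quoted thread above (authorization code plus client_assertion, no client_secret), carried through with a JWT on both the client and the authorization server side. This is an added example, not code from any participant or from the drafts under discussion. The endpoint URL, client id, key and function names are assumptions, and HS256 with a shared demo key stands in for the asymmetric signature a real deployment would use, so that the example runs on the standard library alone.

```python
import base64
import hashlib
import hmac
import json
import time
from urllib.parse import parse_qs, urlencode

# client_assertion_type value for JWT client authentication.
JWT_BEARER = "urn:ietf:params:oauth:client-assertion-type:jwt-bearer"
TOKEN_ENDPOINT = "https://as.example.com/token"  # constructed value
DEMO_KEY = b"constructed-demo-key"  # assumption: stands in for the real key


def b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_client_assertion(client_id, audience, key, now=None, lifetime=300):
    """Client side: a short-lived JWT that names the client as iss and sub."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": client_id, "sub": client_id, "aud": audience,
              "iat": now, "exp": now + lifetime}
    signing_input = ".".join(
        b64url_encode(json.dumps(part, separators=(",", ":")).encode("utf-8"))
        for part in (header, claims))
    mac = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(mac)


def build_token_request(code, assertion):
    """Form body for the token endpoint: code grant, no client_secret."""
    return urlencode({
        "grant_type": "authorization_code",
        "code": code,
        "client_assertion_type": JWT_BEARER,
        "client_assertion": assertion,
    })


def authenticate_client(body, key, expected_audience, now=None):
    """AS side: return the authenticated client id or raise ValueError."""
    now = int(time.time()) if now is None else now
    params = parse_qs(body, strict_parsing=True)
    if any(len(values) != 1 for values in params.values()):
        raise ValueError("repeated parameter")
    if "client_secret" in params:
        raise ValueError("more than one client authentication method")
    if params.get("client_assertion_type") != [JWT_BEARER]:
        raise ValueError("unsupported client_assertion_type")
    parts = params.get("client_assertion", [""])[0].split(".")
    if len(parts) != 3:
        raise ValueError("client_assertion is not a compact JWT")
    header = json.loads(b64url_decode(parts[0]))
    # Pin the algorithm: never let the token choose it (rejects alg "none").
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise ValueError("unexpected JWT algorithm")
    signing_input = (parts[0] + "." + parts[1]).encode("ascii")
    expected = hmac.new(key, signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(parts[2])):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(parts[1]))
    if not isinstance(claims, dict):
        raise ValueError("claims are not a JSON object")
    # Example policy: the assertion is self-issued, so iss must equal sub.
    if not claims.get("sub") or claims.get("iss") != claims["sub"]:
        raise ValueError("iss and sub must both name the client")
    audience = claims.get("aud")
    audiences = audience if isinstance(audience, list) else [audience]
    if expected_audience not in audiences:
        raise ValueError("assertion was not issued for this server")
    exp = claims.get("exp")
    if not isinstance(exp, int) or isinstance(exp, bool) or exp <= now:
        raise ValueError("assertion expired or exp missing")
    # If the request also carries client_id, it must agree with the assertion.
    if params.get("client_id", [claims["sub"]]) != [claims["sub"]]:
        raise ValueError("client_id does not match assertion subject")
    return claims["sub"]


if __name__ == "__main__":
    jwt = make_client_assertion("app-instance-1", TOKEN_ENDPOINT, DEMO_KEY)
    request_body = build_token_request("12345678", jwt)
    print(request_body)
    print(authenticate_client(request_body, DEMO_KEY, TOKEN_ENDPOINT))
```
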

From gffletch@aol.com  Wed Aug 28 09:55:47 2013
Return-Path: <gffletch@aol.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1EE6411E81B2 for <oauth@ietfa.amsl.com>; Wed, 28 Aug 2013 09:55:33 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.512
X-Spam-Level: 
X-Spam-Status: No, score=-2.512 tagged_above=-999 required=5 tests=[AWL=0.086,  BAYES_00=-2.599, HTML_MESSAGE=0.001]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id JPvgeyUip5oL for <oauth@ietfa.amsl.com>; Wed, 28 Aug 2013 09:55:27 -0700 (PDT)
Received: from omr-m06.mx.aol.com (omr-m06.mx.aol.com [64.12.143.80]) by ietfa.amsl.com (Postfix) with ESMTP id E017421E8050 for <oauth@ietf.org>; Wed, 28 Aug 2013 09:55:20 -0700 (PDT)
Received: from mtaout-db05.r1000.mx.aol.com (mtaout-db05.r1000.mx.aol.com [172.29.51.197]) by omr-m06.mx.aol.com (Outbound Mail Relay) with ESMTP id 9312F700308D7; Wed, 28 Aug 2013 12:55:18 -0400 (EDT)
Received: from palantir.local (unknown [10.181.176.48]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by mtaout-db05.r1000.mx.aol.com (MUA/Third Party Client Interface) with ESMTPSA id 1ACC6E0000B6; Wed, 28 Aug 2013 12:55:18 -0400 (EDT)
Message-ID: <521E2B74.9080104@aol.com>
Date: Wed, 28 Aug 2013 12:55:16 -0400
From: George Fletcher <gffletch@aol.com>
Organization: AOL LLC
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:17.0) Gecko/20130801 Thunderbird/17.0.8
MIME-Version: 1.0
To: Phil Hunt <phil.hunt@oracle.com>
References: <1373E8CE237FCC43BCA36C6558612D2AA28D6A@USCHMBX001.nsn-intra.net> <4D9D4AAD-55F9-4B7E-A56F-5BC42F028E13@oracle.com> <B14A12F5-EF5C-4529-90B7-C30E17958907@oracle.com> <521E1A34.30204@mitre.org> <BC009D74-FEF3-4827-8C0D-1B2FCCF9DA65@oracle.com> <521E2353.2030904@aol.com> <C7CBA9A2-92F5-4AE3-8AEE-1259B6635DD9@oracle.com> <521E256A.60908@aol.com> <9F232504-FC58-41FD-B040-31F898034AD2@oracle.com> <521E27BF.3030408@mitre.org> <5B2C7096-939A-4EA2-81FF-F15BDDFB7ABB@ve7jtb.com> <146ED1AF-DE42-4DF1-8DEC-7F82B4C91D07@oracle.com>
In-Reply-To: <146ED1AF-DE42-4DF1-8DEC-7F82B4C91D07@oracle.com>
Content-Type: multipart/alternative; boundary="------------060401030506010908020406"
x-aol-global-disposition: G
X-AOL-VSS-INFO: 5400.1158/93305
X-AOL-VSS-CODE: clean
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=mx.aol.com; s=20121107; t=1377708918; bh=Jjah6Rb/rNty92+mznPHUlJu32WTSWY7F7UXEd/N+2c=; h=From:To:Subject:Message-ID:Date:MIME-Version:Content-Type; b=f5FP7/I05S7WJj2Qlf9hfupAnosn1m2kDl5dfJg5F/2uZv2cNrZ0HBwfQcP0E6kk9 Ot9K+Yp9a6438ooBmBHdnutHy9DryhYc2NDrKxt3wtZKHJhwvxW5fffhddVGwBsgLV qZAZZinZ03nrgRGXmOPxz4L6uKXG6yAu6RuFV2Kk=
x-aol-sid: 3039ac1d33c5521e2b754e6b
X-AOL-IP: 10.181.176.48
Cc: oauth mailing list <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Dynamic Client Registration Conference Call: Wed 28 Aug, 2pm PDT: Conference Bridge Details
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 28 Aug 2013 16:55:47 -0000

This is a multi-part message in MIME format.
--------------060401030506010908020406
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit

OAuth has never specified anything regarding the format of the "tokens" 
that the AS has to accept and that's one of its virtues. It allows for 
many implementations from local only to federated.

I fully believe there is value in defining profiles of OAuth for 
particular problem domains that put restrictions on client_id format, 
access_token format etc (e.g. the assertion set of specs). However, 
those should be layered on top of OAuth as a profile and not be forced 
into the core. Otherwise, we are forcing all implementations down a much 
narrower path than is supported today. I definitely don't want to see 
that happen.

Thanks,
George

On 8/28/13 12:48 PM, Phil Hunt wrote:
> You can pass anything as a client_id.  It just has to be accepted. 
> That's the point of us writing a draft here isn't it?
>
> Phil
>
> @independentid
> www.independentid.com <http://www.independentid.com>
> phil.hunt@oracle.com <mailto:phil.hunt@oracle.com>
>
>
>
>
>
>
>
> On 2013-08-28, at 9:45 AM, John Bradley <ve7jtb@ve7jtb.com 
> <mailto:ve7jtb@ve7jtb.com>> wrote:
>
>> That is my concern as well, sending an assertion to the authorization 
>> endpoint requires an extension of OAuth to add another parameter or 
>> placing it in the client_id which you can do now with the dynamic reg 
>> spec if the AS wants to.
>>
>> Holding up client registration for something that will require an 
>> extension to OAuth is overdoing it.   We need something for the OAuth 
>> spec we have now without requiring clients implement the assertion 
>> flow and other extensions.
>>
>> John B.
>>
>> On 2013-08-28, at 12:39 PM, Justin Richer <jricher@mitre.org 
>> <mailto:jricher@mitre.org>> wrote:
>>
>>> The initial_access_token doesn't assume that it's from the local 
>>> domain. It merely assumes that the authorization server accepts the 
>>> token, which would be true in the UMA case due to the federation. It 
>>> could also be the exact same kinds of mechanisms that the software 
>>> statement would use to achieve federation.
>>>
>>> I still don't see how an auth server is going to know about a 
>>> client's configuration state with the assertion swap method, since 
>>> there's no defined mechanism for sending a JWT assertion to the 
>>> authorization endpoint.
>>>
>>>  -- Justin
>>>
>>> On 08/28/2013 12:35 PM, Phil Hunt wrote:
>>>> George,
>>>>
>>>> It would be reasonable for a client to submit an assertion, and 
>>>> obtain its own client assertion in return.  This is very close to 
>>>> what is happening per 2.1, 2.2 of 
>>>> http://tools.ietf.org/html/draft-ietf-oauth-jwt-bearer-06
>>>>
>>>> In this case, the Software Statement is an authorization that is 
>>>> exchanged for a client assertion in return. Then the clients 
>>>> authenticate per section 2.2 of the JWT spec.
>>>>
>>>> Regarding initial_access_token.  This does have some of the 
>>>> characteristics I am speaking of. But it is unspecified and the 
>>>> assumption is that it is issued by the local domain.  This doesn't 
>>>> work in the UMA case because that's more like a federated model. 
>>>> Thus the specified software statement works because the AS can 
>>>> approve the client software based on name, and/or developer, and/or 
>>>> publisher -- whatever trust requires.
>>>>
>>>> Phil
>>>>
>>>> @independentid
>>>> www.independentid.com <http://www.independentid.com/>
>>>> phil.hunt@oracle.com <mailto:phil.hunt@oracle.com>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>> On 2013-08-28, at 9:29 AM, George Fletcher <gffletch@aol.com 
>>>> <mailto:gffletch@aol.com>> wrote:
>>>>
>>>>> I can't say I understand what you mean by a simple assertion 
>>>>> swap... but if you are wanting to use a client_assertion flow 
>>>>> instead of the code flow then that's something completely 
>>>>> different. If you are saying that you want the client_id to 
>>>>> represent an "instance" in a stateless way using an "assertion" 
>>>>> then that's already possible today.
>>>>>
>>>>> George
>>>>>
>>>>> On 8/28/13 12:23 PM, Phil Hunt wrote:
>>>>>> George
>>>>>>
>>>>>> That case can be solved with a simple assertion swap. We just 
>>>>>> have to profile it.
>>>>>>
>>>>>> Phil
>>>>>>
>>>>>> On 2013-08-28, at 9:20, George Fletcher <gffletch@aol.com 
>>>>>> <mailto:gffletch@aol.com>> wrote:
>>>>>>
>>>>>>>
>>>>>>> On 8/28/13 12:02 PM, Phil Hunt wrote:
>>>>>>>> Please define the all in one case. I think this is the edge case and is in fact rare.
>>>>>>>>
>>>>>>>> I agree, in many cases step 1 can be made by simply approving a class of software. But then step 2 is simplified.
>>>>>>>>
>>>>>>>> Dyn reg assumes every registration of an instance is unique which to me is a very extreme
>>>>>>> If you have a mobile app that needs to do the code flow... which 
>>>>>>> requires a client_secret in order to retrieve the access token 
>>>>>>> and refresh token, how does the app do this without per app 
>>>>>>> instance registration?
>>>>>>>
>>>>>>> I'd argue that almost all user facing mobile apps will want the 
>>>>>>> above flow and that's not a small, rare edge case.
>>>>>>>
>>>>>>> Thanks,
>>>>>>> George
>>>>>>>> position.
>>>>>>>>
>>>>>>>> Phil
>>>>>>>>
>>>>>>>> On 2013-08-28, at 8:41, Justin Richer <jricher@mitre.org> wrote:
>>>>>>>>
>>>>>>>>> Except for the cases where you want step 1 to happen in band. To me, that is a vitally and fundamentally important use case that we can't disregard, and we must have a solution that can accommodate that. The notions of "publisher" and "product" fade very quickly once you get outside of the software vendor world.
>>>>>>>>>
>>>>>>>>> This is, of course, not to stand in the way of other solutions or approaches (such as something assertion based like you're after). It's not a one-or-the-other proposition, especially when there are mutually exclusive aspects of each.
>>>>>>>>>
>>>>>>>>> Therefore I once again call for the WG to finish the current dynamic registration spec *AND* pursue the assertion based process that Phil's talking about. They're not mutually exclusive, let's please stop talking about them like they are.
>>>>>>>>>
>>>>>>>>> -- Justin
>>>>>>>>>
>>>>>>>>> On 08/28/2013 11:17 AM, Phil Hunt wrote:
>>>>>>>>>> Sorry. I meant also to say I think there are 2 registration steps.
>>>>>>>>>>
>>>>>>>>>> 1. Software registration/approval. This often happens out of band. But in this step policy is defined that approves software for use. Many of the reg params are known here.
>>>>>>>>>>
>>>>>>>>>> Federation techniques come into play as trust approvals can be based on developer, product or even publisher.
>>>>>>>>>>
>>>>>>>>>> 2. Each instance associates in a stateless way. Only clients that need credential rotation need more.
>>>>>>>>>>
>>>>>>>>>> Phil
>>>>>>>>>>
>>>>>>>>>> On 2013-08-28, at 8:04, Phil Hunt<phil.hunt@oracle.com>  wrote:
>>>>>>>>>>
>>>>>>>>>>> I have a conflict I cannot get out of for 2pacific.
>>>>>>>>>>>
>>>>>>>>>>> I think a certificate based approach is going to simplify exchanges in all cases. I encourage the group to explore the concept on the call.
>>>>>>>>>>>
>>>>>>>>>>> I am not sure breaking dyn reg up helps. It creates yet another option. I would like to explore how federation concept in software statements can help with facilitating association and making many reg stateless.
>>>>>>>>>>>
>>>>>>>>>>> Phil
>>>>>>>>>>>
>>>>>>>>>>> On 2013-08-28, at 5:43, "Tschofenig, Hannes (NSN - FI/Espoo)"<hannes.tschofenig@nsn.com>  wrote:
>>>>>>>>>>>
>>>>>>>>>>>> Here are the conference bridge / Webex details for the call today.
>>>>>>>>>>>> We are going to complete the use case discussions from last time (Phil wasn't able to walk through all slides). Justin was also able to work out a strawman proposal based on the discussions last week and we will have a look at it to see whether this is a suitable compromise. Here is Justin's mail, in case you have missed it: http://www.ietf.org/mail-archive/web/oauth/current/msg12036.html
>>>>>>>>>>>>
>>>>>>>>>>>> Phil, please feel free to make adjustments to your slides given Justin's recent proposal.
>>>>>>>>>>>>
>>>>>>>>>>>> Topic: OAuth Dynamic Client Registration
>>>>>>>>>>>> Date: Wednesday, August 28, 2013
>>>>>>>>>>>> Time: 2:00 pm, Pacific Daylight Time (San Francisco, GMT-07:00)
>>>>>>>>>>>> Meeting Number: 703 230 586
>>>>>>>>>>>> Meeting Password: oauth
>>>>>>>>>>>>
>>>>>>>>>>>> -------------------------------------------------------
>>>>>>>>>>>> To join the online meeting
>>>>>>>>>>>> -------------------------------------------------------
>>>>>>>>>>>> 1. Go to https://nsn.webex.com/nsn/j.php?ED=269567657&UID=0&PW=NNTI1ZWQzMDJk&RT=MiM0
>>>>>>>>>>>> 2. Enter your name and email address.
>>>>>>>>>>>> 3. Enter the meeting password: oauth
>>>>>>>>>>>> 4. Click "Join Now".
>>>>>>>>>>>>
>>>>>>>>>>>> To view in other time zones or languages, please click the link:
>>>>>>>>>>>> https://nsn.webex.com/nsn/j.php?ED=269567657&UID=0&PW=NNTI1ZWQzMDJk&ORT=MiM0
>>>>>>>>>>>>
>>>>>>>>>>>> To add this meeting to your calendar program (for example Microsoft Outlook), click this link:
>>>>>>>>>>>> https://nsn.webex.com/nsn/j.php?ED=269567657&UID=0&ICS=MI&LD=1&RD=2&ST=1&SHA2=C6-AjLGvhdYjmpVdx75M6UsAwrNLMsequ5n95Gyv1R8=&RT=MiM0
>>>>>>>>>>>>
>>>>>>>>>>>> -------------------------------------------------------
>>>>>>>>>>>> To join the teleconference only
>>>>>>>>>>>> -------------------------------------------------------
>>>>>>>>>>>> Global dial-in Numbers: http://www.nokiasiemensnetworks.com/nvc
>>>>>>>>>>>> Conference Code: 944 910 5485
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>> _______________________________________________
>>>>>>>>>>>> OAuth mailing list
>>>>>>>>>>>> OAuth@ietf.org
>>>>>>>>>>>> https://www.ietf.org/mailman/listinfo/oauth
>>>>>>>>
>>>>>>>>
>>>>>>>
>>>>>>> -- 
>>>>>>> <XeC> <http://connect.me/gffletch>
>>>>>
>>>>> -- 
>>>>> <XeC.png> <http://connect.me/gffletch>
>>>>
>>>
>>
>
>
>

-- 
George Fletcher <http://connect.me/gffletch>

--------------060401030506010908020406
Content-Type: multipart/related;
 boundary="------------050400080705000904000305"


--------------050400080705000904000305
Content-Type: text/html; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit

<html>
  <head>
    <meta content="text/html; charset=ISO-8859-1"
      http-equiv="Content-Type">
  </head>
  <body bgcolor="#FFFFFF" text="#000000">
    <font face="Helvetica, Arial, sans-serif">OAuth has never specified
      anything regarding the format of the "tokens" that the AS has to
      accept and that's one of its virtues. It allows for many
      implementations from local only to federated. <br>
      <br>
      I fully believe there is value in defining profiles of OAuth for
      particular problem domains that put restrictions on client_id
      format, access_token format etc (e.g. the assertion set of specs).
      However, those should be layered on top of OAuth as a profile and
      not be forced into the core. Otherwise, we are forcing all
      implementations down a much narrower path than is supported today.
      I definitely don't want to see that happen.<br>
      <br>
      Thanks,<br>
      George<br>
      <br>
    </font>
    <div class="moz-cite-prefix">On 8/28/13 12:48 PM, Phil Hunt wrote:<br>
    </div>
    <blockquote
      cite="mid:146ED1AF-DE42-4DF1-8DEC-7F82B4C91D07@oracle.com"
      type="cite">
      <meta http-equiv="Content-Type" content="text/html;
        charset=ISO-8859-1">
      You can pass anything as a client_id. &nbsp;It just has to be accepted.
      That's the point of us writing a draft here isn't it?
      <div><br>
        <div apple-content-edited="true">
          <div>Phil</div>
          <div><br>
          </div>
          <div>@independentid</div>
          <div><a moz-do-not-send="true"
              href="http://www.independentid.com">www.independentid.com</a></div>
          <div><a moz-do-not-send="true"
              href="mailto:phil.hunt@oracle.com">phil.hunt@oracle.com</a></div>
        </div>
        <br>
        <div>
          <div>On 2013-08-28, at 9:45 AM, John Bradley &lt;<a
              moz-do-not-send="true" href="mailto:ve7jtb@ve7jtb.com">ve7jtb@ve7jtb.com</a>&gt;
            wrote:</div>
          <br class="Apple-interchange-newline">
          <blockquote type="cite">
            <meta http-equiv="Content-Type" content="text/html;
              charset=ISO-8859-1">
            <div style="word-wrap: break-word; -webkit-nbsp-mode: space;
              -webkit-line-break: after-white-space; ">That is my
              concern as well, sending an assertion to the authorization
              endpoint requires an extension of OAuth to add another
              parameter or placing it in the client_id which you can do
              now with the dynamic reg spec if the AS wants to.&nbsp;
              <div><br>
              </div>
              <div>Holding up client registration for something that
                will require an extension to OAuth is overdoing it. &nbsp; We
                need something for the OAuth spec we have now without
                requiring clients implement the assertion flow and other
                extensions.</div>
              <div><br>
              </div>
              <div>John B.</div>
              <div><br>
                <div>
                  <div>On 2013-08-28, at 12:39 PM, Justin Richer &lt;<a
                      moz-do-not-send="true"
                      href="mailto:jricher@mitre.org">jricher@mitre.org</a>&gt;
                    wrote:</div>
                  <br class="Apple-interchange-newline">
                  <blockquote type="cite">
                    <meta content="text/html; charset=ISO-8859-1"
                      http-equiv="Content-Type">
                    <div bgcolor="#FFFFFF" text="#000000"> The
                      initial_access_token doesn't assume that it's from
                      the local domain. It merely assumes that the
                      authorization server accepts the token, which
                      would be true in the UMA case due to the
                      federation. It could also be the exact same kinds
                      of mechanisms that the software statement would
                      use to achieve federation.<br>
                      <br>
                      I still don't see how an auth server is going to
                      know about a client's configuration state with the
                      assertion swap method, since there's no defined
                      mechanism for sending a JWT assertion to the
                      authorization endpoint. <br>
                      <br>
                      &nbsp;-- Justin<br>
                      <br>
                      <div class="moz-cite-prefix">On 08/28/2013 12:35
                        PM, Phil Hunt wrote:<br>
                      </div>
                      <blockquote
                        cite="mid:9F232504-FC58-41FD-B040-31F898034AD2@oracle.com"
                        type="cite">
                        <meta http-equiv="Content-Type"
                          content="text/html; charset=ISO-8859-1">
                        George,
                        <div><br>
                        </div>
                        <div>It would be reasonable for a client to
                          submit an assertion, and obtain its own client
                          assertion in return. &nbsp;This is very close to
                          what is happening per 2.1, 2.2 of&nbsp;<a
                            moz-do-not-send="true"
                            href="http://tools.ietf.org/html/draft-ietf-oauth-jwt-bearer-06">http://tools.ietf.org/html/draft-ietf-oauth-jwt-bearer-06</a></div>
                        <div><br>
                        </div>
                        <div>In this case, the Software Statement is an
                          authorization that is exchanged for a client
                          assertion in return. Then the clients
                          authenticate per section 2.2 of the JWT spec.</div>
                        <div><br>
                        </div>
                        <div>Regarding initial_access_token. &nbsp;This does
                          have some of the characteristics I am speaking
                          of. But it is unspecified and the assumption
                          is that it is issued by the local domain.
                          &nbsp;This doesn't work in the UMA case because
                          that's more like a federated model. Thus the
                          specified software statement works because the
                          AS can approve the client software based on
                          name, and/or developer, and/or publisher --
                          whatever trust requires.</div>
                        <div><br>
                          <div apple-content-edited="true">
                            <div>Phil</div>
                            <div><br>
                            </div>
                            <div>@independentid</div>
                            <div><a moz-do-not-send="true"
                                href="http://www.independentid.com/">www.independentid.com</a></div>
                            <div><a moz-do-not-send="true"
                                href="mailto:phil.hunt@oracle.com">phil.hunt@oracle.com</a></div>
                          </div>
                          <br>
                          <div>
                            <div>On 2013-08-28, at 9:29 AM, George
                              Fletcher &lt;<a moz-do-not-send="true"
                                href="mailto:gffletch@aol.com">gffletch@aol.com</a>&gt;

                              wrote:</div>
                            <br class="Apple-interchange-newline">
                            <blockquote type="cite">
                              <div bgcolor="#FFFFFF" text="#000000"> <font
                                  face="Helvetica, Arial, sans-serif">I
                                  can't say I understand what you mean
                                  by a simple assertion swap... but if
                                  you are wanting to use a
                                  client_assertion flow instead of the
                                  code flow then that's something
                                  completely different. If you are
                                  saying that you want the client_id to
                                  represent an "instance" in a stateless
                                  way using an "assertion" then that's
                                  already possible today.<br>
                                  <br>
                                  George<br>
                                  <br>
                                </font>
                                <div class="moz-cite-prefix">On 8/28/13
                                  12:23 PM, Phil Hunt wrote:<br>
                                </div>
                                <blockquote
                                  cite="mid:C7CBA9A2-92F5-4AE3-8AEE-1259B6635DD9@oracle.com"
                                  type="cite">
                                  <div>George</div>
                                  <div><br>
                                  </div>
                                  <div>That case can be solved with a
                                    simple assertion swap. We just have
                                    to profile it.&nbsp;<br>
                                    <br>
                                    Phil</div>
                                  <div><br>
                                    On 2013-08-28, at 9:20, George
                                    Fletcher &lt;<a
                                      moz-do-not-send="true"
                                      href="mailto:gffletch@aol.com">gffletch@aol.com</a>&gt;


                                    wrote:<br>
                                    <br>
                                  </div>
                                  <blockquote type="cite">
                                    <div> <br>
                                      <div class="moz-cite-prefix">On
                                        8/28/13 12:02 PM, Phil Hunt
                                        wrote:<br>
                                      </div>
                                      <blockquote
                                        cite="mid:BC009D74-FEF3-4827-8C0D-1B2FCCF9DA65@oracle.com"
                                        type="cite">
                                        <pre wrap="">Please define the all in one case. I think this is the edge case and is in fact rare. 

I agree, in many cases step 1 can be made by simply approving a class of software. But then step 2 is simplified. 

Dyn reg assumes every registration of an instance is unique which to me is a very extreme </pre>
                                      </blockquote>
                                      If you have a mobile app that
                                      needs to do the code flow... which
                                      requires a client_secret in order
                                      to retrieve the access token and
                                      refresh token, how does the app do
                                      this without per app instance
                                      registration? <br>
                                      <br>
                                      I'd argue that almost all user
                                      facing mobile apps will want the
                                      above flow and that's not a small,
                                      rare edge case.<br>
                                      <br>
                                      Thanks,<br>
                                      George<br>
                                      <blockquote
                                        cite="mid:BC009D74-FEF3-4827-8C0D-1B2FCCF9DA65@oracle.com"
                                        type="cite">
                                        <pre wrap="">position. 

Phil

On 2013-08-28, at 8:41, Justin Richer <a moz-do-not-send="true" class="moz-txt-link-rfc2396E" href="mailto:jricher@mitre.org">&lt;jricher@mitre.org&gt;</a> wrote:

</pre>
                                        <blockquote type="cite">
                                          <pre wrap="">Except for the cases where you want step 1 to happen in band. To me, that is a vitally and fundamentally important use case that we can't disregard, and we must have a solution that can accommodate that. The notions of "publisher" and "product" fade very quickly once you get outside of the software vendor world.

This is, of course, not to stand in the way of other solutions or approaches (such as something assertion based like you're after). It's not a one-or-the-other proposition, especially when there are mutually exclusive aspects of each.

Therefore I once again call for the WG to finish the current dynamic registration spec *AND* pursue the assertion based process that Phil's talking about. They're not mutually exclusive, let's please stop talking about them like they are.

-- Justin

On 08/28/2013 11:17 AM, Phil Hunt wrote:
</pre>
                                          <blockquote type="cite">
                                            <pre wrap="">Sorry. I meant also to say I think there are 2 registration steps.

1. Software registration/approval. This often happens out of band. But in this step policy is defined that approves software for use. Many of the reg params are known here.

Federation techniques come into play as trust approvals can be based on developer, product or even publisher.

2. Each instance associates in a stateless way. Only clients that need credential rotation need more.

Phil

On 2013-08-28, at 8:04, Phil Hunt <a moz-do-not-send="true" class="moz-txt-link-rfc2396E" href="mailto:phil.hunt@oracle.com">&lt;phil.hunt@oracle.com&gt;</a> wrote:

</pre>
                                            <blockquote type="cite">
                                              <pre wrap="">I have a conflict I cannot get out of for 2 Pacific.

I think a certificate based approach is going to simplify exchanges in all cases. I encourage the group to explore the concept on the call.

I am not sure breaking dyn reg up helps. It creates yet another option. I would like to explore how the federation concept in software statements can help with facilitating association and making many reg stateless.

Phil

On 2013-08-28, at 5:43, "Tschofenig, Hannes (NSN - FI/Espoo)" <a moz-do-not-send="true" class="moz-txt-link-rfc2396E" href="mailto:hannes.tschofenig@nsn.com">&lt;hannes.tschofenig@nsn.com&gt;</a> wrote:

</pre>
                                              <blockquote type="cite">
                                                <pre wrap="">Here are the conference bridge / Webex details for the call today.
We are going to complete the use case discussions from last time (Phil wasn't able to walk through all slides). Justin was also able to work out a strawman proposal based on the discussions last week and we will have a look at it to see whether this is a suitable compromise. Here is Justin's mail, in case you have missed it: <a moz-do-not-send="true" class="moz-txt-link-freetext" href="http://www.ietf.org/mail-archive/web/oauth/current/msg12036.html">http://www.ietf.org/mail-archive/web/oauth/current/msg12036.html</a>

Phil, please feel free to make adjustments to your slides given Justin's recent proposal.

Topic: OAuth Dynamic Client Registration
Date: Wednesday, August 28, 2013
Time: 2:00 pm, Pacific Daylight Time (San Francisco, GMT-07:00)
Meeting Number: 703 230 586
Meeting Password: oauth

-------------------------------------------------------
To join the online meeting
-------------------------------------------------------
1. Go to <a moz-do-not-send="true" class="moz-txt-link-freetext" href="https://nsn.webex.com/nsn/j.php?ED=269567657&amp;UID=0&amp;PW=NNTI1ZWQzMDJk&amp;RT=MiM0">https://nsn.webex.com/nsn/j.php?ED=269567657&amp;UID=0&amp;PW=NNTI1ZWQzMDJk&amp;RT=MiM0</a>
2. Enter your name and email address.
3. Enter the meeting password: oauth
4. Click "Join Now".

To view in other time zones or languages, please click the link:
<a moz-do-not-send="true" class="moz-txt-link-freetext" href="https://nsn.webex.com/nsn/j.php?ED=269567657&amp;UID=0&amp;PW=NNTI1ZWQzMDJk&amp;ORT=MiM0">https://nsn.webex.com/nsn/j.php?ED=269567657&amp;UID=0&amp;PW=NNTI1ZWQzMDJk&amp;ORT=MiM0</a>

To add this meeting to your calendar program (for example Microsoft Outlook), click this link:
<a moz-do-not-send="true" class="moz-txt-link-freetext" href="https://nsn.webex.com/nsn/j.php?ED=269567657&amp;UID=0&amp;ICS=MI&amp;LD=1&amp;RD=2&amp;ST=1&amp;SHA2=C6-AjLGvhdYjmpVdx75M6UsAwrNLMsequ5n95Gyv1R8=&amp;RT=MiM0">https://nsn.webex.com/nsn/j.php?ED=269567657&amp;UID=0&amp;ICS=MI&amp;LD=1&amp;RD=2&amp;ST=1&amp;SHA2=C6-AjLGvhdYjmpVdx75M6UsAwrNLMsequ5n95Gyv1R8=&amp;RT=MiM0</a>

-------------------------------------------------------
To join the teleconference only
-------------------------------------------------------
Global dial-in Numbers: <a moz-do-not-send="true" class="moz-txt-link-freetext" href="http://www.nokiasiemensnetworks.com/nvc">http://www.nokiasiemensnetworks.com/nvc</a>
Conference Code: 944 910 5485


_______________________________________________
OAuth mailing list
<a moz-do-not-send="true" class="moz-txt-link-abbreviated" href="mailto:OAuth@ietf.org">OAuth@ietf.org</a>
<a moz-do-not-send="true" class="moz-txt-link-freetext" href="https://www.ietf.org/mailman/listinfo/oauth">https://www.ietf.org/mailman/listinfo/oauth</a>
</pre>
                                              </blockquote>
                                            </blockquote>
                                          </blockquote>
                                        </blockquote>
                                      </blockquote>
                                      <br>
                                      <div class="moz-signature">-- <br>
                                        <a moz-do-not-send="true"
                                          href="http://connect.me/gffletch"
                                          title="View full card on
                                          Connect.Me">&lt;XeC&gt;</a></div>
                                    </div>
                                  </blockquote>
                                </blockquote>
                                <br>
                                <div class="moz-signature">-- <br>
                                  <a moz-do-not-send="true"
                                    href="http://connect.me/gffletch"
                                    title="View full card on Connect.Me"><span>&lt;XeC.png&gt;</span></a></div>
                              </div>
                            </blockquote>
                          </div>
                          <br>
                        </div>
                      </blockquote>
                      <br>
                    </div>
                  </blockquote>
                </div>
                <br>
              </div>
            </div>
          </blockquote>
        </div>
        <br>
      </div>
      <br>
      <fieldset class="mimeAttachmentHeader"></fieldset>
      <br>
      <pre wrap="">_______________________________________________
OAuth mailing list
<a class="moz-txt-link-abbreviated" href="mailto:OAuth@ietf.org">OAuth@ietf.org</a>
<a class="moz-txt-link-freetext" href="https://www.ietf.org/mailman/listinfo/oauth">https://www.ietf.org/mailman/listinfo/oauth</a>
</pre>
    </blockquote>
    <br>
    <div class="moz-signature">-- <br>
      <a href="http://connect.me/gffletch" title="View full card on
        Connect.Me"><img src="cid:part30.07010700.00080503@aol.com"
          alt="George Fletcher" height="113" width="359"></a></div>
  </body>
</html>

--------------050400080705000904000305
Content-Type: image/png;
 name="XeC"
Content-Transfer-Encoding: base64
Content-ID: <part30.07010700.00080503@aol.com>
Content-Disposition: inline;
 filename="XeC"
--------------050400080705000904000305--

--------------060401030506010908020406--

From tonynad@microsoft.com  Wed Aug 28 10:00:32 2013
Return-Path: <tonynad@microsoft.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5DAF521F9BF3 for <oauth@ietfa.amsl.com>; Wed, 28 Aug 2013 10:00:21 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.332
X-Spam-Level: 
X-Spam-Status: No, score=-2.332 tagged_above=-999 required=5 tests=[AWL=-1.034, BAYES_00=-2.599, HTML_MESSAGE=0.001, MANGLED_PREMTR=2.3, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id xUcX7E0Slcff for <oauth@ietfa.amsl.com>; Wed, 28 Aug 2013 10:00:09 -0700 (PDT)
Received: from na01-by2-obe.outbound.protection.outlook.com (mail-by2lp0244.outbound.protection.outlook.com [207.46.163.244]) by ietfa.amsl.com (Postfix) with ESMTP id 0996921F9C06 for <oauth@ietf.org>; Wed, 28 Aug 2013 10:00:08 -0700 (PDT)
Received: from BY2PR03MB189.namprd03.prod.outlook.com (10.242.36.140) by BY2PR03MB190.namprd03.prod.outlook.com (10.242.36.141) with Microsoft SMTP Server (TLS) id 15.0.745.25; Wed, 28 Aug 2013 16:59:59 +0000
Received: from BY2PR03MB189.namprd03.prod.outlook.com ([169.254.6.221]) by BY2PR03MB189.namprd03.prod.outlook.com ([169.254.6.221]) with mapi id 15.00.0745.000; Wed, 28 Aug 2013 16:59:58 +0000
From: Anthony Nadalin <tonynad@microsoft.com>
To: Phil Hunt <phil.hunt@oracle.com>, George Fletcher <gffletch@aol.com>
Thread-Topic: [OAUTH-WG] Dynamic Client Registration Conference Call: Wed 28 Aug, 2pm PDT: Conference Bridge Details
Thread-Index: AQHOpA9W5YKM54GUL0iLMsu5IS6W/pmq1vPA
Date: Wed, 28 Aug 2013 16:59:58 +0000
Message-ID: <c4ece3246efd4275b1bbb4055bc989d9@BY2PR03MB189.namprd03.prod.outlook.com>
References: <1373E8CE237FCC43BCA36C6558612D2AA28D6A@USCHMBX001.nsn-intra.net> <4D9D4AAD-55F9-4B7E-A56F-5BC42F028E13@oracle.com> <B14A12F5-EF5C-4529-90B7-C30E17958907@oracle.com>	<521E1A34.30204@mitre.org> <BC009D74-FEF3-4827-8C0D-1B2FCCF9DA65@oracle.com>	<521E2353.2030904@aol.com> <23dda71eaefa47fb848fd2d6e4cd7499@BY2PR03MB189.namprd03.prod.outlook.com> <521E2657.1060506@aol.com> <521E276F.3010804@gmail.com> <48AAD6B2-28E2-4B55-AE3E-C890216961C3@oracle.com>	<521E29AB.4070303@aol.com> <EEA753B5-C42A-4228-A8C7-B9A0FED0CB4F@oracle.com>
In-Reply-To: <EEA753B5-C42A-4228-A8C7-B9A0FED0CB4F@oracle.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
x-originating-ip: [2001:4898:80e0:ed43::3]
x-forefront-prvs: 09525C61DB
x-forefront-antispam-report: SFV:NSPM; SFS:(377424004)(479174003)(377454003)(52044002)(164054003)(24454002)(30513003)(199002)(189002)(81542001)(49866001)(47976001)(50986001)(47736001)(81342001)(76796001)(74316001)(76576001)(4396001)(76786001)(81686001)(56816003)(77096001)(69226001)(81816001)(74366001)(51856001)(83322001)(63696002)(19580405001)(19580395003)(33646001)(15975445006)(46102001)(74876001)(561944002)(80022001)(551544002)(65816001)(80976001)(74502001)(74662001)(74706001)(47446002)(31966008)(15202345003)(53806001)(54356001)(16236675002)(77982001)(16601075003)(16799955002)(54316002)(59766001)(15395725003)(56776001)(83072001)(19300405004)(79102001)(76482001)(42262001)(3826001)(24736002); DIR:OUT; SFP:; SCL:1; SRVR:BY2PR03MB190; H:BY2PR03MB189.namprd03.prod.outlook.com; CLIP:2001:4898:80e0:ed43::3; RD:InfoNoRecords; A:1; MX:1; LANG:en; 
Content-Type: multipart/alternative; boundary="_000_c4ece3246efd4275b1bbb4055bc989d9BY2PR03MB189namprd03pro_"
MIME-Version: 1.0
X-OriginatorOrg: DuplicateDomain-a84fc36a-4ed7-4e57-ab1c-3e967bcbad48.microsoft.com
Cc: "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Dynamic Client Registration Conference Call: Wed 28	Aug, 2pm PDT: Conference Bridge Details
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 28 Aug 2013 17:00:33 -0000

--_000_c4ece3246efd4275b1bbb4055bc989d9BY2PR03MB189namprd03pro_
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable

>Now maybe your way is the better way but why not let the market make that decision?

So what is the hurry to get the dyn reg specification out the door, if we have the market data it will make the specification that much better. I agree that most of this can be done today w/o any additional specifications, that is what I question the complex, underspecified dyn reg specification that is being proposed.

From: oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] On Behalf Of Phil Hunt
Sent: Wednesday, August 28, 2013 9:55 AM
To: George Fletcher
Cc: oauth@ietf.org
Subject: Re: [OAUTH-WG] Dynamic Client Registration Conference Call: Wed 28 Aug, 2pm PDT: Conference Bridge Details

That's what I'm trying to do. All I have been asking for is time to explore the spec and to see how it can impact and simplify dyn reg -- which I believe is a significant amount.  It would be premature at this point to move Dyn Reg forward without exploring this.

I still believe dyn reg is over-specified because it assumes *every* client registration is different when in fact 99.9% of registrations are going to fall in clusters of client applications.  Much of the parameters can be moved to step 1 of registration or at the least be bundled into the software assertion. Thus the reg endpoint only has to deal with truly instance specific details (e.g. like credential management).

I don't preclude that most of dyn reg may remain intact, but it seems clear there will be substantive breaking changes that simplify registration.

Phil

@independentid
www.independentid.com<http://www.independentid.com>
phil.hunt@oracle.com<mailto:phil.hunt@oracle.com>

On 2013-08-28, at 9:47 AM, George Fletcher <gffletch@aol.com<mailto:gffletch@aol.com>> wrote:

So Phil... given that you can do all this today with the existing set of specifications... why not write the software statements/client assertion registration spec so that it meets your use case and deployment needs. I'd much rather have two straightforward ways to do something when the core use cases are so different than to try and munge everything into one and end up with unnecessary complexity in one or both of the solutions.

I see the use case you are trying to solve for as significantly different than the one I'm trying to solve for. Now maybe your way is the better way but why not let the market make that decision? We will not confuse developers by having two ways to do things as it will be very clear at the beginning of development which way is needed for their use case:)

Thanks,
George
On 8/28/13 12:41 PM, Phil Hunt wrote:

Yes. A client could pass the software statement *directly* as its client credential.  Which is one of the *simple* solutions. 8-)

The other case is where the client instance needs its own credential as George indicates.  In that case it could swap the statement for a unique client assertion.

Phil

@independentid
www.independentid.com<http://www.independentid.com/>
phil.hunt@oracle.com<mailto:phil.hunt@oracle.com>

On 2013-08-28, at 9:38 AM, Sergey Beryozkin <sberyozkin@gmail.com> wrote:

On 28/08/13 17:33, George Fletcher wrote:

So I understand that you'd rather that OAuth doesn't require a
client_secret and that's fine. However, I don't think we should impose
that thinking on the rest of the world who have already implemented it
and have it working and scaling without issues. If the core of this
discussion is around replacing client_id and client_secret with a
client_assertion then let's have that discussion separately and not bury
it in the dynamic registration discussion.

Could you not profile OAuth2 to support a flow that allows for retrieval
of access and refresh tokens using code + client_assertion? Doesn't seem
like that hard a profile and then the rest of this could fall out pretty
easily.

That is already supported AFAIK, something like

grant_type=authorization_code
&code=12345678
&client_assertion_type=urn%3Aietf%3Aparams%3Aoauth%3Aclient-assertion-type%3Asaml2-bearer
&client_assertion=Base64UrlEncoded-SAML2-Bearer-Assertion

probably the same works with JWT

Sergey

Thanks,
George

On 8/28/13 12:28 PM, Anthony Nadalin wrote:

I do think that this is the rare-edge use case, we would not want to
require client-secret, we already have that mess today with OAuth and
trying not to continue the proliferation, we solve this today with our
STS and assertion swaps/transformations, it scales, performs and we
don't have the management debacle this specification creates

*From:*oauth-bounces@ietf.org<mailto:oauth-bounces@ietf.org> [mailto:oauth-bounces@ietf.org] *On
Behalf Of *George Fletcher
*Sent:* Wednesday, August 28, 2013 9:21 AM
*To:* Phil Hunt
*Cc:* oauth mailing list
*Subject:* Re: [OAUTH-WG] Dynamic Client Registration Conference Call:
Wed 28 Aug, 2pm PDT: Conference Bridge Details

On 8/28/13 12:02 PM, Phil Hunt wrote:

   Please define the all in one case. I think this is the edge case and is in fact rare.

   I agree, in many cases step 1 can be made by simply approving a class of software. But then step 2 is simplified.

   Dyn reg assumes every registration of an instance is unique which to me is a very extreme

If you have a mobile app that needs to do the code flow... which
requires a client_secret in order to retrieve the access token and
refresh token, how does the app do this without per app instance
registration?

I'd argue that almost all user facing mobile apps will want the above
flow and that's not a small, rare edge case.

Thanks,
George

   position.

   Phil

   On 2013-08-28, at 8:41, Justin Richer <jricher@mitre.org> wrote:

       Except for the cases where you want step 1 to happen in band. To me, that is a vitally and fundamentally important use case that we can't disregard, and we must have a solution that can accommodate that. The notions of "publisher" and "product" fade very quickly once you get outside of the software vendor world.

       This is, of course, not to stand in the way of other solutions or approaches (such as something assertion based like you're after). It's not a one-or-the-other proposition, especially when there are mutually exclusive aspects of each.

       Therefore I once again call for the WG to finish the current dynamic registration spec *AND* pursue the assertion based process that Phil's talking about. They're not mutually exclusive, let's please stop talking about them like they are.

       -- Justin

       On 08/28/2013 11:17 AM, Phil Hunt wrote:

           Sorry. I meant also to say I think there are 2 registration steps

           1. Software registration/approval. This often happens out of band. But in this step policy is defined that approves software for use. Many of the reg params are known here.

           Federation techniques come into play as trust approvals can be based on developer, product or even publisher.

           2. Each instance associates in a stateless way. Only clients that need credential rotation need more.

           Phil

           On 2013-08-28, at 8:04, Phil Hunt <phil.hunt@oracle.com> wrote:

               I have a conflict I cannot get out of for 2 Pacific.

               I think a certificate based approach is going to simplify exchanges in all cases. I encourage the group to explore the concept on the call.

               I am not sure breaking dyn reg up helps. It creates yet another option. I would like to explore how federation concept in software statements can help with facilitating association and making many reg stateless.

               Phil

               On 2013-08-28, at 5:43, "Tschofenig, Hannes (NSN - FI/Espoo)" <hannes.tschofenig@nsn.com> wrote:

                   Here are the conference bridge / Webex details for the call today.

                   We are going to complete the use case discussions from last time (Phil wasn't able to walk through all slides). Justin was also able to work out a strawman proposal based on the discussions last week and we will have a look at it to see whether this is a suitable compromise. Here is Justin's mail, in case you have missed it: http://www.ietf.org/mail-archive/web/oauth/current/msg12036.html

                   Phil, please feel free to make adjustments to your slides given Justin's recent proposal.

                   Topic: OAuth Dynamic Client Registration
                   Date: Wednesday, August 28, 2013
                   Time: 2:00 pm, Pacific Daylight Time (San Francisco, GMT-07:00)
                   Meeting Number: 703 230 586
                   Meeting Password: oauth

                   -------------------------------------------------------
                   To join the online meeting
                   -------------------------------------------------------
                   1. Go to https://nsn.webex.com/nsn/j.php?ED=269567657&UID=0&PW=NNTI1ZWQzMDJk&RT=MiM0
                   2. Enter your name and email address.
                   3. Enter the meeting password: oauth
                   4. Click "Join Now".

                   To view in other time zones or languages, please click the link:
                   https://nsn.webex.com/nsn/j.php?ED=269567657&UID=0&PW=NNTI1ZWQzMDJk&ORT=MiM0

                   To add this meeting to your calendar program (for example Microsoft Outlook), click this link:
                   https://nsn.webex.com/nsn/j.php?ED=269567657&UID=0&ICS=MI&LD=1&RD=2&ST=1&SHA2=C6-AjLGvhdYjmpVdx75M6UsAwrNLMsequ5n95Gyv1R8=&RT=MiM0

                   -------------------------------------------------------
                   To join the teleconference only
                   -------------------------------------------------------
                   Global dial-in Numbers: http://www.nokiasiemensnetworks.com/nvc
                   Conference Code: 944 910 5485

                   _______________________________________________
                   OAuth mailing list
                   OAuth@ietf.org
                   https://www.ietf.org/mailman/listinfo/oauth

--
George Fletcher <http://connect.me/gffletch>

--
George Fletcher <http://connect.me/gffletch>

--
Sergey Beryozkin

Talend Community Coders
http://coders.talend.com/

Blog: http://sberyozkin.blogspot.com

--
<XeC.png><http://connect.me/gffletch>
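
The token request Sergey sketches in the quoted thread, in its JWT form, together with the checks a token endpoint would make before accepting a client assertion in place of a client_secret. This is an added example, not code from the thread or from any implementation discussed in it; the endpoint URL, client identifier, key, clock value and the use of HS256 (chosen so that only the standard library is needed) are assumptions.

```python
import base64
import hashlib
import hmac
import json
from urllib.parse import parse_qs, urlencode

JWT_BEARER = "urn:ietf:params:oauth:client-assertion-type:jwt-bearer"
TOKEN_ENDPOINT = "https://as.example.com/token"          # constructed
NOW = 1377709200                                         # constructed clock value
KEYS = {"instance-42": b"constructed-per-instance-key"}  # constructed key registry


class AuthError(Exception):
    """Client authentication failed."""


def b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign(signing_input, key):
    return hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()


def make_jwt_assertion(client_id, key, now, lifetime=300, aud=TOKEN_ENDPOINT):
    """Client side: a short-lived assertion naming this client instance."""
    header = {"alg": "HS256", "typ": "JWT"}  # HS256 is this example's assumption
    claims = {"iss": client_id, "sub": client_id, "aud": aud, "exp": now + lifetime}
    signing_input = ".".join(b64url(json.dumps(p).encode()) for p in (header, claims))
    return signing_input + "." + b64url(sign(signing_input, key))


def build_token_request(code, assertion, assertion_type=JWT_BEARER):
    """Client side: the form body from the message, carrying no client_secret."""
    return urlencode({"grant_type": "authorization_code", "code": code,
                      "client_assertion_type": assertion_type,
                      "client_assertion": assertion})


def verify_jwt_assertion(token, keys, now):
    """Server side: return the client id the assertion proves, or raise AuthError."""
    try:
        head, body, sig = token.split(".")
        header = json.loads(b64url_decode(head))
        claims = json.loads(b64url_decode(body))
        signature = b64url_decode(sig)
    except ValueError:
        raise AuthError("malformed assertion")
    if not isinstance(header, dict) or not isinstance(claims, dict):
        raise AuthError("malformed assertion")
    if header.get("alg") != "HS256":  # the token never chooses its own algorithm
        raise AuthError("unexpected alg")
    client_id = claims.get("iss")
    if not isinstance(client_id, str) or claims.get("sub") != client_id:
        raise AuthError("iss and sub must both name the client")
    if client_id not in keys:
        raise AuthError("unknown client")
    expected = sign(head + "." + body, keys[client_id])
    if not hmac.compare_digest(signature, expected):
        raise AuthError("bad signature")
    aud = claims.get("aud")
    if TOKEN_ENDPOINT not in (aud if isinstance(aud, list) else [aud]):
        raise AuthError("wrong audience")
    exp = claims.get("exp")
    if isinstance(exp, bool) or not isinstance(exp, (int, float)) or exp <= now:
        raise AuthError("expired or missing exp")
    return client_id


def authenticate_client(body, keys, now):
    try:
        params = parse_qs(body, keep_blank_values=True, strict_parsing=True)
    except ValueError:
        raise AuthError("malformed request")
    if any(len(values) != 1 for values in params.values()):
        raise AuthError("repeated parameter")
    p = {name: values[0] for name, values in params.items()}
    if p.get("grant_type") != "authorization_code" or not p.get("code"):
        raise AuthError("not an authorization_code request")
    if "client_assertion" not in p:
        raise AuthError("no client assertion")
    if "client_secret" in p:  # one authentication method per request
        raise AuthError("more than one client authentication method")
    if p.get("client_assertion_type") != JWT_BEARER:
        raise AuthError("unsupported client_assertion_type")
    return verify_jwt_assertion(p["client_assertion"], keys, now)


def outcome(body, keys=KEYS, now=NOW):
    try:
        return "ok: " + authenticate_client(body, keys, now)
    except AuthError as err:
        return "rejected: " + str(err)
```

Replay protection (for example a `jti` cache) and the SAML 2 bearer variant shown in the message are left out; this endpoint reports the latter as an unsupported assertion type.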


--_000_c4ece3246efd4275b1bbb4055bc989d9BY2PR03MB189namprd03pro_
Content-Type: text/html; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable

<html xmlns:v=3D"urn:schemas-microsoft-com:vml" xmlns:o=3D"urn:schemas-micr=
osoft-com:office:office" xmlns:w=3D"urn:schemas-microsoft-com:office:word" =
xmlns:m=3D"http://schemas.microsoft.com/office/2004/12/omml" xmlns=3D"http:=
//www.w3.org/TR/REC-html40">
<head>
<meta http-equiv=3D"Content-Type" content=3D"text/html; charset=3Dus-ascii"=
>
<meta name=3D"Generator" content=3D"Microsoft Word 15 (filtered medium)">
</head>
<body lang=3D"EN-US" link=3D"blue" vlink=3D"purple">
<div class=3D"WordSection1">
<p class=3D"MsoNormal"><span style=3D"font-size:11.0pt;font-family:&quot;Ca=
libri&quot;,&quot;sans-serif&quot;;color:#1F497D">&gt;</span><span style=3D=
"font-family:&quot;Helvetica&quot;,&quot;sans-serif&quot;">Now maybe your w=
ay is the better way but why not let the market make that decision?
<o:p></o:p></span></p>
<p class=3D"MsoNormal"><span style=3D"font-family:&quot;Helvetica&quot;,&qu=
ot;sans-serif&quot;"><o:p>&nbsp;</o:p></span></p>
<p class=3D"MsoNormal"><span style=3D"font-family:&quot;Helvetica&quot;,&qu=
ot;sans-serif&quot;">So what is the hurry to get the dyn reg specification =
out the door, if we have the market data it will make the specification tha=
t much better. I agree that most of this can be done today
 w/o any additional specifications, that is what I question the complex, un=
derspecified dyn reg specification that is being proposed.</span><span styl=
e=3D"font-size:11.0pt;font-family:&quot;Calibri&quot;,&quot;sans-serif&quot=
;;color:#1F497D"><o:p></o:p></span></p>
<p class=3D"MsoNormal"><a name=3D"_MailEndCompose"><span style=3D"font-size=
:11.0pt;font-family:&quot;Calibri&quot;,&quot;sans-serif&quot;;color:#1F497=
D"><o:p>&nbsp;</o:p></span></a></p>
<div>
<div style=3D"border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0in =
0in 0in">
<p class=3D"MsoNormal"><b><span style=3D"font-size:11.0pt;font-family:&quot=
;Calibri&quot;,&quot;sans-serif&quot;">From:</span></b><span style=3D"font-=
size:11.0pt;font-family:&quot;Calibri&quot;,&quot;sans-serif&quot;"> oauth-=
bounces@ietf.org [mailto:oauth-bounces@ietf.org]
<b>On Behalf Of </b>Phil Hunt<br>
<b>Sent:</b> Wednesday, August 28, 2013 9:55 AM<br>
<b>To:</b> George Fletcher<br>
<b>Cc:</b> oauth@ietf.org<br>
<b>Subject:</b> Re: [OAUTH-WG] Dynamic Client Registration Conference Call:=
 Wed 28 Aug, 2pm PDT: Conference Bridge Details<o:p></o:p></span></p>
</div>
</div>
<p class=3D"MsoNormal"><o:p>&nbsp;</o:p></p>
<p class=3D"MsoNormal">That's what I'm trying to do.&nbsp;All I have been a=
sking for is time to explore the spec and to see how it can impact and simp=
lify dyn reg -- which I believe is a significant amount. &nbsp;It would be =
premature at this point to move Dyn Reg forward
 without exploring this.<o:p></o:p></p>
<div>
<p class=3D"MsoNormal"><o:p>&nbsp;</o:p></p>
</div>
<div>
<p class=3D"MsoNormal">I still believe dyn reg is over-specified because it=
 assumes *every* client registration is different when in fact 99.9% of re=
gistrations are going to fall in clusters of client applications. &nbsp;Muc=
h of the parameters can be moved to step
 1 of registration or at the least be bundled into the software assertion. =
Thus the reg endpoint only has to deal with truly instance specific details=
 (e.g. like credential management).<o:p></o:p></p>
</div>
<div>
<p class=3D"MsoNormal"><o:p>&nbsp;</o:p></p>
</div>
<div>
<p class=3D"MsoNormal">I don't preclude that most of dyn reg may remain in=
tact, but it seems clear there will be substantive breaking changes that si=
mplify registration.<o:p></o:p></p>
</div>
<div>
<p class=3D"MsoNormal"><o:p>&nbsp;</o:p></p>
</div>
<div>
<div>
<div>
<div>
<div>
<div>
<div>
<p class=3D"MsoNormal"><span style=3D"font-size:9.0pt;font-family:&quot;Hel=
vetica&quot;,&quot;sans-serif&quot;;color:black">Phil<o:p></o:p></span></p>
</div>
<div>
<p class=3D"MsoNormal"><span style=3D"font-size:9.0pt;font-family:&quot;Hel=
vetica&quot;,&quot;sans-serif&quot;;color:black"><o:p>&nbsp;</o:p></span></=
p>
</div>
<div>
<p class=3D"MsoNormal"><span style=3D"font-size:9.0pt;font-family:&quot;Hel=
vetica&quot;,&quot;sans-serif&quot;;color:black">@independentid<o:p></o:p><=
/span></p>
</div>
<div>
<p class=3D"MsoNormal"><span style=3D"font-size:9.0pt;font-family:&quot;Hel=
vetica&quot;,&quot;sans-serif&quot;;color:black"><a href=3D"http://www.inde=
pendentid.com">www.independentid.com</a><o:p></o:p></span></p>
</div>
</div>
<p class=3D"MsoNormal"><span style=3D"font-size:13.5pt;font-family:&quot;He=
lvetica&quot;,&quot;sans-serif&quot;;color:black"><a href=3D"mailto:phil.hu=
nt@oracle.com">phil.hunt@oracle.com</a><o:p></o:p></span></p>
</div>
<div>
<p class=3D"MsoNormal" style=3D"margin-bottom:13.5pt"><span style=3D"font-s=
ize:13.5pt;font-family:&quot;Helvetica&quot;,&quot;sans-serif&quot;;color:b=
lack"><o:p>&nbsp;</o:p></span></p>
</div>
<p class=3D"MsoNormal"><span style=3D"font-size:13.5pt;font-family:&quot;He=
lvetica&quot;,&quot;sans-serif&quot;;color:black"><o:p>&nbsp;</o:p></span><=
/p>
</div>
<p class=3D"MsoNormal"><o:p>&nbsp;</o:p></p>
</div>
<p class=3D"MsoNormal" style=3D"margin-bottom:12.0pt"><o:p>&nbsp;</o:p></p>
</div>
<p class=3D"MsoNormal"><o:p>&nbsp;</o:p></p>
<div>
<div>
<p class=3D"MsoNormal">On 2013-08-28, at 9:47 AM, George Fletcher &lt;<a hr=
ef=3D"mailto:gffletch@aol.com">gffletch@aol.com</a>&gt; wrote:<o:p></o:p></=
p>
</div>
<p class=3D"MsoNormal"><br>
<br>
<o:p></o:p></p>
<blockquote style=3D"margin-top:5.0pt;margin-bottom:5.0pt">
<div>
<p class=3D"MsoNormal" style=3D"margin-bottom:12.0pt"><span style=3D"font-f=
amily:&quot;Helvetica&quot;,&quot;sans-serif&quot;">So Phil... given that y=
ou can do all this today with the existing set of specifications... why not=
 write the software statements/client assertion registration
 spec so that it meets your use case and deployment needs. I'd much rather =
have two straightforward ways to do something when the core use cases are =
so different than to try and munge everything into one and end up with unne=
cessary complexity in one or both
 of the solutions.<br>
<br>
I see the use case you are trying to solve for as significantly different t=
han the one I'm trying to solve for. Now maybe your way is the better way b=
ut why not let the market make that decision? We will not confuse developer=
s by having two ways to do things
 as it will be very clear at the beginning of development which way is need=
ed for their use case:)<br>
<br>
Thanks,<br>
George</span><o:p></o:p></p>
<div>
<p class=3D"MsoNormal">On 8/28/13 12:41 PM, Phil Hunt wrote:<o:p></o:p></p>
</div>
<blockquote style=3D"margin-top:5.0pt;margin-bottom:5.0pt">
<pre>Yes. A client could pass the software statement *directly* as its clie=
nt credential.&nbsp; Which is one of the *simple* solutions. 8-)<o:p></o:p>=
</pre>
<pre><o:p>&nbsp;</o:p></pre>
<pre>The other case is where the client instance needs its own credential a=
s George indicates.&nbsp; In that case it could swap the statement for a un=
ique client assertion.<o:p></o:p></pre>
<pre><o:p>&nbsp;</o:p></pre>
<pre>Phil<o:p></o:p></pre>
<pre><o:p>&nbsp;</o:p></pre>
<pre>@independentid<o:p></o:p></pre>
<pre><a href=3D"http://www.independentid.com/">www.independentid.com</a><o:=
p></o:p></pre>
<pre><a href=3D"mailto:phil.hunt@oracle.com">phil.hunt@oracle.com</a><o:p><=
/o:p></pre>
<pre><o:p>&nbsp;</o:p></pre>
<pre><o:p>&nbsp;</o:p></pre>
<pre><o:p>&nbsp;</o:p></pre>
<pre><o:p>&nbsp;</o:p></pre>
<pre><o:p>&nbsp;</o:p></pre>
<pre><o:p>&nbsp;</o:p></pre>
<pre><o:p>&nbsp;</o:p></pre>
<pre>On 2013-08-28, at 9:38 AM, Sergey Beryozkin <a href=3D"mailto:sberyozk=
in@gmail.com">&lt;sberyozkin@gmail.com&gt;</a> wrote:<o:p></o:p></pre>
<pre><o:p>&nbsp;</o:p></pre>
<blockquote style=3D"margin-top:5.0pt;margin-bottom:5.0pt">
<pre>On 28/08/13 17:33, George Fletcher wrote:<o:p></o:p></pre>
<blockquote style=3D"margin-top:5.0pt;margin-bottom:5.0pt">
<pre>So I understand that you'd rather that OAuth doesn't require a<o:p></o=
:p></pre>
<pre>client_secret and that's fine. However, I don't think we should impose=
<o:p></o:p></pre>
<pre>that thinking on the rest of the world who have already implemented it=
<o:p></o:p></pre>
<pre>and have it working and scaling without issues. If the core of this<o:=
p></o:p></pre>
<pre>discussion is around replacing client_id and client_secret with a<o:p>=
</o:p></pre>
<pre>client_assertion then let's have that discussion separately and not bur=
y<o:p></o:p></pre>
<pre>it in the dynamic registration discussion.<o:p></o:p></pre>
<pre><o:p>&nbsp;</o:p></pre>
<pre>Could you not profile OAuth2 to support a flow that allows for retriev=
al<o:p></o:p></pre>
<pre>of access and refresh tokens using code &#43; client_assertion? Doesn'=
t seem<o:p></o:p></pre>
<pre>like that hard a profile and then the rest of this could fall out pret=
ty<o:p></o:p></pre>
<pre>easily.<o:p></o:p></pre>
<pre><o:p>&nbsp;</o:p></pre>
</blockquote>
<pre>That is already supported AFAIK, something like<o:p></o:p></pre>
<pre><o:p>&nbsp;</o:p></pre>
<pre>grant_type=3Dauthorization_code<o:p></o:p></pre>
<pre>&amp;code=3D12345678<o:p></o:p></pre>
<pre>&amp;client_assertion_type=3Durn%3Aietf%3Aparams%3Aoauth%3Aclient-asse=
rtion-type%3Asaml2-bearer<o:p></o:p></pre>
<pre>&amp;client_assertion=3DBase64UrlEncoded-SAML2-Bearer-Assertion<o:p></=
o:p></pre>
<pre><o:p>&nbsp;</o:p></pre>
<pre>probably the same works with JWT<o:p></o:p></pre>
<pre><o:p>&nbsp;</o:p></pre>
<pre>Sergey<o:p></o:p></pre>
<pre><o:p>&nbsp;</o:p></pre>
<pre><o:p>&nbsp;</o:p></pre>
<blockquote style=3D"margin-top:5.0pt;margin-bottom:5.0pt">
<pre>Thanks,<o:p></o:p></pre>
<pre>George<o:p></o:p></pre>
<pre><o:p>&nbsp;</o:p></pre>
<pre>On 8/28/13 12:28 PM, Anthony Nadalin wrote:<o:p></o:p></pre>
<blockquote style=3D"margin-top:5.0pt;margin-bottom:5.0pt">
<pre>I do think that this is the rare-edge use case, we would not want to<o:p>=
</o:p></pre>
<pre>require client-secret, we already have that mess today with OAuth and<=
o:p></o:p></pre>
<pre>trying not to continue the proliferation, we solve this today with our=
<o:p></o:p></pre>
<pre>STS and assertion swaps/transformations, it scales, performs and we<o:=
p></o:p></pre>
<pre>don&#8217;t have the management debacle this specification creates<o:p=
></o:p></pre>
<pre><o:p>&nbsp;</o:p></pre>
<pre>*From:*<a href=3D"mailto:oauth-bounces@ietf.org">oauth-bounces@ietf.or=
g</a> [<a href=3D"mailto:oauth-bounces@ietf.org">mailto:oauth-bounces@ietf.=
org</a>] *On<o:p></o:p></pre>
<pre>Behalf Of *George Fletcher<o:p></o:p></pre>
<pre>*Sent:* Wednesday, August 28, 2013 9:21 AM<o:p></o:p></pre>
<pre>*To:* Phil Hunt<o:p></o:p></pre>
<pre>*Cc:* oauth mailing list<o:p></o:p></pre>
<pre>*Subject:* Re: [OAUTH-WG] Dynamic Client Registration Conference Call:=
<o:p></o:p></pre>
<pre>Wed 28 Aug, 2pm PDT: Conference Bridge Details<o:p></o:p></pre>
<pre><o:p>&nbsp;</o:p></pre>
<pre>On 8/28/13 12:02 PM, Phil Hunt wrote:<o:p></o:p></pre>
<pre><o:p>&nbsp;</o:p></pre>
<pre>&nbsp;&nbsp; Please define the all in one case. I think this is the ed=
ge case and is in fact rare.<o:p></o:p></pre>
<pre><o:p>&nbsp;</o:p></pre>
<pre><o:p>&nbsp;</o:p></pre>
<pre><o:p>&nbsp;</o:p></pre>
<pre>&nbsp;&nbsp; I agree, in many cases step 1 can be made by simply appro=
ving a class of software. But then step 2 is simplified.<o:p></o:p></pre>
<pre><o:p>&nbsp;</o:p></pre>
<pre><o:p>&nbsp;</o:p></pre>
<pre><o:p>&nbsp;</o:p></pre>
<pre>&nbsp;&nbsp; Dyn reg assumes every registration of an instance is uniq=
ue which to me is a very extreme<o:p></o:p></pre>
<pre><o:p>&nbsp;</o:p></pre>
<pre>If you have a mobile app that needs to do the code flow... which<o:p><=
/o:p></pre>
<pre>requires a client_secret in order to retrieve the access token and<o:p=
></o:p></pre>
<pre>refresh token, how does the app do this without per app instance<o:p><=
/o:p></pre>
<pre>registration?<o:p></o:p></pre>
<pre><o:p>&nbsp;</o:p></pre>
<pre>I'd argue that almost all user facing mobile apps will want the above<=
o:p></o:p></pre>
<pre>flow and that's not a small, rare edge case.<o:p></o:p></pre>
<pre><o:p>&nbsp;</o:p></pre>
<pre>Thanks,<o:p></o:p></pre>
<pre>George<o:p></o:p></pre>
<pre><o:p>&nbsp;</o:p></pre>
<pre>&nbsp;&nbsp; position.<o:p></o:p></pre>
<pre><o:p>&nbsp;</o:p></pre>
<pre><o:p>&nbsp;</o:p></pre>
<pre><o:p>&nbsp;</o:p></pre>
<pre>&nbsp;&nbsp; Phil<o:p></o:p></pre>
<pre><o:p>&nbsp;</o:p></pre>
<pre><o:p>&nbsp;</o:p></pre>
<pre><o:p>&nbsp;</o:p></pre>
<pre>&nbsp;&nbsp; On 2013-08-28, at 8:41, Justin Richer<a href=3D"mailto:jr=
icher@mitre.org">&lt;jricher@mitre.org&gt;</a>&nbsp; <a href=3D"mailto:jric=
her@mitre.org">&lt;mailto:jricher@mitre.org&gt;</a>&nbsp; wrote:<o:p></o:p>=
</pre>
<pre><o:p>&nbsp;</o:p></pre>
<pre><o:p>&nbsp;</o:p></pre>
<pre><o:p>&nbsp;</o:p></pre>
<pre>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Except for the cases where you wa=
nt step 1 to happen in band. To me, that is a vitally and fundamentally imp=
ortant use case that we can't disregard, and we must have a solution that c=
an accommodate that. The notions of &quot;publisher&quot; and &quot;product=
&quot; fade very quickly once you get outside of the software vendor world.=
<o:p></o:p></pre>
<pre><o:p>&nbsp;</o:p></pre>
<pre><o:p>&nbsp;</o:p></pre>
<pre><o:p>&nbsp;</o:p></pre>
<pre>&nbsp;&nbsp; &nbsp;&nbsp;&nbsp;&nbsp;This is, of course, not to stand =
in the way of other solutions or approaches (such as something assertion ba=
sed like you're after). It's not a one-or-the-other proposition, especially=
 when there are mutually exclusive aspects of each.<o:p></o:p></pre>
<pre><o:p>&nbsp;</o:p></pre>
<pre><o:p>&nbsp;</o:p></pre>
<pre><o:p>&nbsp;</o:p></pre>
<pre>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Therefore I once again call for t=
he WG to finish the current dynamic registration spec *AND* pursue the asse=
rtion based process that Phil's talking about. They're not mutually exclusi=
ve, let's please stop talking about them like they are.<o:p></o:p></pre>
<pre><o:p>&nbsp;</o:p></pre>
<pre><o:p>&nbsp;</o:p></pre>
<pre><o:p>&nbsp;</o:p></pre>
<pre>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; -- Justin<o:p></o:p></pre>
<pre><o:p>&nbsp;</o:p></pre>
<pre><o:p>&nbsp;</o:p></pre>
<pre><o:p>&nbsp;</o:p></pre>
<pre> &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;On 08/28/2013 11:17 AM, Phil Hunt=
 wrote:<o:p></o:p></pre>
<pre><o:p>&nbsp;</o:p></pre>
<pre>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Sorry. I =
meant also to say I think there are 2 registration steps<o:p></o:p></pre>
<pre><o:p>&nbsp;</o:p></pre>
<pre>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 1. Softwa=
re registration/approval. This often happens out of band. But in this step =
policy is defined that approves software for use. Many of the reg params ar=
e known here.<o:p></o:p></pre>
<pre><o:p>&nbsp;</o:p></pre>
<pre><o:p>&nbsp;</o:p></pre>
<pre><o:p>&nbsp;</o:p></pre>
<pre>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Federatio=
n techniques come into play as trust approvals can be based on developer, p=
roduct or even publisher.<o:p></o:p></pre>
<pre><o:p>&nbsp;</o:p></pre>
<pre><o:p>&nbsp;</o:p></pre>
<pre><o:p>&nbsp;</o:p></pre>
<pre>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 2. Each i=
nstance associates in a stateless way. Only clients that need credential ro=
tation need more.<o:p></o:p></pre>
<pre><o:p>&nbsp;</o:p></pre>
<pre><o:p>&nbsp;</o:p></pre>
<pre><o:p>&nbsp;</o:p></pre>
<pre>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Phil<o:p>=
</o:p></pre>
<pre><o:p>&nbsp;</o:p></pre>
<pre><o:p>&nbsp;</o:p></pre>
<pre><o:p>&nbsp;</o:p></pre>
<pre>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; On 2013-0=
8-28, at 8:04, Phil Hunt<a href=3D"mailto:phil.hunt@oracle.com">&lt;phil.hu=
nt@oracle.com&gt;</a>&nbsp; <a href=3D"mailto:phil.hunt@oracle.com">&lt;mai=
lto:phil.hunt@oracle.com&gt;</a>&nbsp; wrote:<o:p></o:p></pre>
<pre><o:p>&nbsp;</o:p></pre>
<pre><o:p>&nbsp;</o:p></pre>
<pre><o:p>&nbsp;</o:p></pre>
<pre>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbs=
p;&nbsp;&nbsp; I have a conflict I cannot get out of for 2pacific.<o:p></o:=
p></pre>
<pre><o:p>&nbsp;</o:p></pre>
<pre><o:p>&nbsp;</o:p></pre>
<pre><o:p>&nbsp;</o:p></pre>
<pre>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbs=
p;&nbsp;&nbsp; I think a certificate based approach is going to simplify ex=
changes in all cases. I encourage the group to explore the concept on the c=
all.<o:p></o:p></pre>
<pre><o:p>&nbsp;</o:p></pre>
<pre><o:p>&nbsp;</o:p></pre>
<pre><o:p>&nbsp;</o:p></pre>
<pre>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbs=
p;&nbsp;&nbsp; I am not sure breaking dyn reg up helps. It creates yet anot=
her option. I would like to explore how federation concept in software stat=
ements can help with facilitating association and making many reg stateless=
.<o:p></o:p></pre>
<pre><o:p>&nbsp;</o:p></pre>
<pre><o:p>&nbsp;</o:p></pre>
<pre><o:p>&nbsp;</o:p></pre>
<pre>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbs=
p;&nbsp;&nbsp; Phil<o:p></o:p></pre>
<pre><o:p>&nbsp;</o:p></pre>
<pre><o:p>&nbsp;</o:p></pre>
<pre><o:p>&nbsp;</o:p></pre>
<pre>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbs=
p;&nbsp;&nbsp; On 2013-08-28, at 5:43, &quot;Tschofenig, Hannes (NSN - FI/E=
spoo)&quot;<a href=3D"mailto:hannes.tschofenig@nsn.com">&lt;hannes.tschofen=
ig@nsn.com&gt;</a>&nbsp; <a href=3D"mailto:hannes.tschofenig@nsn.com">&lt;m=
ailto:hannes.tschofenig@nsn.com&gt;</a>&nbsp; wrote:<o:p></o:p></pre>
<pre><o:p>&nbsp;</o:p></pre>
<pre><o:p>&nbsp;</o:p></pre>
<pre><o:p>&nbsp;</o:p></pre>
<pre>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbs=
p;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Here are the conference bridge / Web=
ex details for the call today.<o:p></o:p></pre>
<pre><o:p>&nbsp;</o:p></pre>
<pre>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbs=
p;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; We are going to complete the use cas=
e discussions from last time (Phil wasn't able to walk through all slides).=
 Justin was also able to work out a strawman proposal based on the discussi=
ons last week and we will have a look at it to see whether this is a suitab=
le compromise. Here is Justin's mail, in case you have missed it:<a href=3D=
"http://www.ietf.org/mail-archive/web/oauth/current/msg12036.html">http://w=
ww.ietf.org/mail-archive/web/oauth/current/msg12036.html</a><o:p></o:p></pr=
e>
<pre><o:p>&nbsp;</o:p></pre>
<pre><o:p>&nbsp;</o:p></pre>
<pre><o:p>&nbsp;</o:p></pre>
<pre>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbs=
p;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Phil, please feel free to make adjus=
tments to your slides given Justin's recent proposal.<o:p></o:p></pre>
<pre><o:p>&nbsp;</o:p></pre>
<pre><o:p>&nbsp;</o:p></pre>
<pre><o:p>&nbsp;</o:p></pre>
<pre>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbs=
p;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Topic: OAuth Dynamic Client Registra=
tion<o:p></o:p></pre>
<pre><o:p>&nbsp;</o:p></pre>
<pre>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbs=
p;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Date: Wednesday, August 28, 2013<o:p=
></o:p></pre>
<pre><o:p>&nbsp;</o:p></pre>
<pre>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbs=
p;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Time: 2:00 pm, Pacific Daylight Time=
 (San Francisco, GMT-07:00)<o:p></o:p></pre>
<pre><o:p>&nbsp;</o:p></pre>
<pre>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbs=
p;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Meeting Number: 703 230 586<o:p></o:=
p></pre>
<pre><o:p>&nbsp;</o:p></pre>
<pre>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbs=
p;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Meeting Password: oauth<o:p></o:p></=
pre>
<pre><o:p>&nbsp;</o:p></pre>
<pre><o:p>&nbsp;</o:p></pre>
<pre><o:p>&nbsp;</o:p></pre>
<pre>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbs=
p;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; ------------------------------------=
-------------------<o:p></o:p></pre>
<pre><o:p>&nbsp;</o:p></pre>
<pre>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbs=
p;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; To join the online meeting<o:p></o:p=
></pre>
<pre><o:p>&nbsp;</o:p></pre>
<pre>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbs=
p;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; ------------------------------------=
-------------------<o:p></o:p></pre>
<pre><o:p>&nbsp;</o:p></pre>
<pre>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbs=
p;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 1. Go to <a href=3D"https://nsn.webex=
.com/nsn/j.php?ED=3D269567657&amp;UID=3D0&amp;PW=3DNNTI1ZWQzMDJk&amp;RT=3DM=
iM0">https://nsn.webex.com/nsn/j.php?ED=3D269567657&amp;UID=3D0&amp;PW=3D=
NNTI1ZWQzMDJk&amp;RT=3DMiM0</a><o:p></o:p></pre>
<pre><o:p>&nbsp;</o:p></pre>
<pre>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbs=
p;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 2. Enter your name and email address=
.<o:p></o:p></pre>
<pre><o:p>&nbsp;</o:p></pre>
<pre>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbs=
p;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 3. Enter the meeting password: oauth=
<o:p></o:p></pre>
<pre><o:p>&nbsp;</o:p></pre>
<pre>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbs=
p;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 4. Click &quot;Join Now&quot;.<o:p><=
/o:p></pre>
<pre><o:p>&nbsp;</o:p></pre>
<pre><o:p>&nbsp;</o:p></pre>
<pre><o:p>&nbsp;</o:p></pre>
<pre>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbs=
p;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; To view in other time zones or langu=
ages, please click the link:<o:p></o:p></pre>
<pre><o:p>&nbsp;</o:p></pre>
<pre>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbs=
p;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <a href=3D"https://nsn.webex.com/nsn=
/j.php?ED=3D269567657&amp;UID=3D0&amp;PW=3DNNTI1ZWQzMDJk&amp;ORT=3DMiM0">ht=
tps://nsn.webex.com/nsn/j.php?ED=3D269567657&amp;UID=3D0&amp;PW=3DNNTI1ZWQz=
MDJk&amp;ORT=3DMiM0</a><o:p></o:p></pre>
<pre><o:p>&nbsp;</o:p></pre>
<pre><o:p>&nbsp;</o:p></pre>
<pre><o:p>&nbsp;</o:p></pre>
<pre>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbs=
p;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; To add this meeting to your calendar=
 program (for example Microsoft Outlook), click this link:<o:p></o:p></pre>
<pre><o:p>&nbsp;</o:p></pre>
<pre>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbs=
p;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <a href=3D"https://nsn.webex.com/nsn=
/j.php?ED=3D269567657&amp;UID=3D0&amp;ICS=3DMI&amp;LD=3D1&amp;RD=3D2&amp;ST=
=3D1&amp;SHA2=3DC6-AjLGvhdYjmpVdx75M6UsAwrNLMsequ5n95Gyv1R8=3D&amp;RT=3DMiM=
0">https://nsn.webex.com/nsn/j.php?ED=3D269567657&amp;UID=3D0&amp;ICS=3DMI&=
amp;LD=3D1&amp;RD=3D2&amp;ST=3D1&amp;SHA2=3DC6-AjLGvhdYjmpVdx75M6UsAwrNLMse=
qu5n95Gyv1R8=3D&amp;RT=3DMiM0</a><o:p></o:p></pre>
<pre><o:p>&nbsp;</o:p></pre>
<pre><o:p>&nbsp;</o:p></pre>
<pre><o:p>&nbsp;</o:p></pre>
<pre>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbs=
p;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; ------------------------------------=
-------------------<o:p></o:p></pre>
<pre><o:p>&nbsp;</o:p></pre>
<pre>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbs=
p;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; To join the teleconference only<o:p>=
</o:p></pre>
<pre><o:p>&nbsp;</o:p></pre>
<pre>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbs=
p;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; ------------------------------------=
-------------------<o:p></o:p></pre>
<pre><o:p>&nbsp;</o:p></pre>
<pre>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbs=
p;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Global dial-in Numbers:<a href=3D"ht=
tp://www.nokiasiemensnetworks.com/nvc">http://www.nokiasiemensnetworks.com/=
nvc</a><o:p></o:p></pre>
<pre><o:p>&nbsp;</o:p></pre>
<pre>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbs=
p;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Conference Code: 944 910 5485<o:p></=
o:p></pre>
<pre><o:p>&nbsp;</o:p></pre>
<pre><o:p>&nbsp;</o:p></pre>
<pre><o:p>&nbsp;</o:p></pre>
<pre><o:p>&nbsp;</o:p></pre>
<pre><o:p>&nbsp;</o:p></pre>
<pre>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbs=
p;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; ____________________________________=
___________<o:p></o:p></pre>
<pre><o:p>&nbsp;</o:p></pre>
<pre>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbs=
p;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; OAuth mailing list<o:p></o:p></pre>
<pre><o:p>&nbsp;</o:p></pre>
<pre>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbs=
p;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <a href=3D"mailto:OAuth@ietf.org">OA=
uth@ietf.org</a>&nbsp; <a href=3D"mailto:OAuth@ietf.org">&lt;mailto:OAuth@i=
etf.org&gt;</a><o:p></o:p></pre>
<pre><o:p>&nbsp;</o:p></pre>
<pre>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbs=
p;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <a href=3D"https://www.ietf.org/mail=
man/listinfo/oauth">https://www.ietf.org/mailman/listinfo/oauth</a><o:p></o=
:p></pre>
<pre>--<o:p></o:p></pre>
<pre>George Fletcher <a href=3D"http://connect.me/gffletch">&lt;http://conn=
ect.me/gffletch&gt;</a><o:p></o:p></pre>
<pre><o:p>&nbsp;</o:p></pre>
</blockquote>
<pre>--<o:p></o:p></pre>
<pre>George Fletcher <a href=3D"http://connect.me/gffletch">&lt;http://conn=
ect.me/gffletch&gt;</a><o:p></o:p></pre>
<pre><o:p>&nbsp;</o:p></pre>
</blockquote>
<pre><o:p>&nbsp;</o:p></pre>
<pre>-- <o:p></o:p></pre>
<pre>Sergey Beryozkin<o:p></o:p></pre>
<pre><o:p>&nbsp;</o:p></pre>
<pre>Talend Community Coders<o:p></o:p></pre>
<pre><a href=3D"http://coders.talend.com/">http://coders.talend.com/</a><o:=
p></o:p></pre>
<pre><o:p>&nbsp;</o:p></pre>
<pre>Blog: <a href=3D"http://sberyozkin.blogspot.com/">http://sberyozkin.bl=
ogspot.com</a><o:p></o:p></pre>
</blockquote>
</blockquote>
<p class=3D"MsoNormal"><o:p>&nbsp;</o:p></p>
<div>
<p class=3D"MsoNormal">-- <br>
<a href=3D"http://connect.me/gffletch" title=3D"View full card on
        Connect.Me">&lt;XeC.png&gt;</a><o:p></o:p></p>
</div>
</div>
</blockquote>
</div>
<p class=3D"MsoNormal"><o:p>&nbsp;</o:p></p>
</div>
</div>
</body>
</html>

--_000_c4ece3246efd4275b1bbb4055bc989d9BY2PR03MB189namprd03pro_--

From sberyozkin@gmail.com  Wed Aug 28 10:01:56 2013
Return-Path: <sberyozkin@gmail.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 72C4F11E81A9 for <oauth@ietfa.amsl.com>; Wed, 28 Aug 2013 10:01:56 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.513
X-Spam-Level: 
X-Spam-Status: No, score=-2.513 tagged_above=-999 required=5 tests=[AWL=0.086,  BAYES_00=-2.599]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id zIuomvVmAlfq for <oauth@ietfa.amsl.com>; Wed, 28 Aug 2013 10:01:55 -0700 (PDT)
Received: from mail-wg0-x234.google.com (mail-wg0-x234.google.com [IPv6:2a00:1450:400c:c00::234]) by ietfa.amsl.com (Postfix) with ESMTP id 4538211E823C for <oauth@ietf.org>; Wed, 28 Aug 2013 10:01:52 -0700 (PDT)
Received: by mail-wg0-f52.google.com with SMTP id l18so4847454wgh.31 for <oauth@ietf.org>; Wed, 28 Aug 2013 10:01:45 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=message-id:date:from:user-agent:mime-version:to:cc:subject :references:in-reply-to:content-type:content-transfer-encoding; bh=BGVYGFgJlO3lgt4GRicCwX7K5HdIcD5T963chf4yIk8=; b=UrH39BhM+P04zvUQssjUrzB6QaNNXibrF+3dwo1pCkH2Oj1TbRSSP3tG4vMHJ9vdTh dXnWD8FhLOHmtUkdnL9JU7gqeJMSMw98bChaWj9KYqA0B226JmqRWltaKX+dXKT5tTwE snb7SEdx2p7tUcx0lZMYelXJrREwyTORzYnVNfBor00Bd9JTtkpY19bzMIbAESkoT/QU Vliv5+s/6hrtEWCNC34jRca8Q2jRE0swUwlKvMMWTSDbg6g2VSX6jlDa/iIYUPeYbFTU r0UNDFOMrka8V+DtuyA+03D3AlK6sFo2DYOxwRSKYuGR8ddQrazA7t0MQmrn1j3q7c3w PSOA==
X-Received: by 10.194.205.164 with SMTP id lh4mr4420006wjc.46.1377709305890; Wed, 28 Aug 2013 10:01:45 -0700 (PDT)
Received: from [192.168.2.5] ([89.100.141.107]) by mx.google.com with ESMTPSA id mb7sm6443594wic.10.1969.12.31.16.00.00 (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Wed, 28 Aug 2013 10:01:45 -0700 (PDT)
Message-ID: <521E2CF6.70201@gmail.com>
Date: Wed, 28 Aug 2013 18:01:42 +0100
From: Sergey Beryozkin <sberyozkin@gmail.com>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:17.0) Gecko/20130623 Thunderbird/17.0.7
MIME-Version: 1.0
To: John Bradley <ve7jtb@ve7jtb.com>
References: <20130730095129.29309.12243.idtracker@ietfa.amsl.com> <CABzCy2CC3Oi2J7GZJVBa07=xtjMXvy9ah_h_ZwwZQXDd4qtSzw@mail.gmail.com> <CABzCy2Ax56ithEc2AvKCqybzK9RjV1cDYPoKdj7DBu6euj8F7w@mail.gmail.com> <521E2183.1010007@gmail.com> <E6AC8378-BC52-42DC-9E4E-25423336EB71@ve7jtb.com>
In-Reply-To: <E6AC8378-BC52-42DC-9E4E-25423336EB71@ve7jtb.com>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Cc: oauth@ietf.org
Subject: Re: [OAUTH-WG] New Version Notification for draft-sakimura-oauth-tcse-00.txt
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 28 Aug 2013 17:01:56 -0000

On 28/08/13 17:51, John Bradley wrote:
> We probably don't want this secret that is used as confirmation of the code to be confused with a client secret that is bound to a client.
> They are verified by different levels of the stack.   One client_id may have many instances all using different values of the code proof of possession simultaneously.
>
> So I prefer to eliminate the term client secret entirely.
OK

thanks, Sergey

>
>
> On 2013-08-28, at 12:12 PM, Sergey Beryozkin <sberyozkin@gmail.com> wrote:
>
>> Hi,
>>
>> can you consider replacing "tcs" and "tcsh" with "temp_client_secret" and "temp_client_secret_hash" ? in OAuth2 we have "client_id", "client_secret" (ex, in dyn reg), and having a temp variant of "client_secret" called as "tcs" seems a bit cryptic to me :-), not a big issue though
>>
>> Sergey
>>
>> On 30/07/13 16:36, Nat Sakimura wrote:
>>> Hi.
>>>
>>> I had to fix a few issues with the previous draft text.
>>> No normative changes, but just removed some extra text.
>>>
>>> Nat
>>>
>>> ---------- Forwarded message ----------
>>> From: **<internet-drafts@ietf.org <mailto:internet-drafts@ietf.org>>
>>> Date: 2013/7/31
>>> Subject: New Version Notification for draft-sakimura-oauth-tcse-01.txt
>>> To: Nat Sakimura <sakimura@gmail.com <mailto:sakimura@gmail.com>>, John
>>> Bradley <jbradley@pingidentity.com <mailto:jbradley@pingidentity.com>>,
>>> Naveen Agarwal <naa@google.com <mailto:naa@google.com>>
>>>
>>>
>>>
>>> A new version of I-D, draft-sakimura-oauth-tcse-01.txt
>>> has been successfully submitted by Nat Sakimura and posted to the
>>> IETF repository.
>>>
>>> Filename:        draft-sakimura-oauth-tcse
>>> Revision:        01
>>> Title:           OAuth Transient Client Secret Extension for Public Clients
>>> Creation date:   2013-07-30
>>> Group:           Individual Submission
>>> Number of pages: 7
>>> URL: http://www.ietf.org/internet-drafts/draft-sakimura-oauth-tcse-01.txt
>>> Status: http://datatracker.ietf.org/doc/draft-sakimura-oauth-tcse
>>> Htmlized: http://tools.ietf.org/html/draft-sakimura-oauth-tcse-01
>>> Diff: http://www.ietf.org/rfcdiff?url2=draft-sakimura-oauth-tcse-01
>>>
>>> Abstract:
>>>     The OAuth 2.0 public client utilizing authorization code grant is
>>>     susceptible to the code interception attack.  This specification
>>>     describe a mechanism that acts as a control against this threat.
>>>
>>>
>>>
>>>
>>>
>>> Please note that it may take a couple of minutes from the time of submission
>>> until the htmlized version and diff are available at tools.ietf.org
>>> <http://tools.ietf.org/>.
>>>
>>> The IETF Secretariat
>>>
>>>
>>>
>>>
>>> --
>>> Nat Sakimura (=nat)
>>> Chairman, OpenID Foundation
>>> http://nat.sakimura.org/
>>> @_nat_en
>>>
>>>
>>> 2013/7/30 Nat Sakimura <sakimura@gmail.com <mailto:sakimura@gmail.com>>
>>>
>>>     As some of you know, passing the authorization code securely to a
>>>     native app on iOS platform is next to impossible. Malicious
>>>     application may register the same custom scheme as the victim
>>>     application and hope to obtain the code, whose success rate is
>>>     rather high.
>>>
>>>     We have discussed about it during the OpenID Connect Meeting at IETF
>>>     87 on Sunday, and over a lengthy thread on the OpenID AB/Connect
>>>     work group list. I have captured the discussion in the form of I-D.
>>>     It is pretty short and hopefully easy to read.
>>>
>>>     IMHO, although it came up as an issue in OpenID Connect, this is a
>>>     quite useful extension to OAuth 2.0 in general.
>>>
>>>     Best,
>>>
>>>     Nat Sakimura
>>>
>>>     ---------- Forwarded message ----------
>>>     From: ** <internet-drafts@ietf.org <mailto:internet-drafts@ietf.org>>
>>>     Date: 2013/7/30
>>>     Subject: New Version Notification for draft-sakimura-oauth-tcse-00.txt
>>>     To: Nat Sakimura <sakimura@gmail.com <mailto:sakimura@gmail.com>>,
>>>     John Bradley <jbradley@pingidentity.com
>>>     <mailto:jbradley@pingidentity.com>>, Naveen Agarwal <naa@google.com
>>>     <mailto:naa@google.com>>
>>>
>>>
>>>
>>>     A new version of I-D, draft-sakimura-oauth-tcse-00.txt
>>>     has been successfully submitted by Nat Sakimura and posted to the
>>>     IETF repository.
>>>
>>>     Filename:        draft-sakimura-oauth-tcse
>>>     Revision:        00
>>>     Title:           OAuth Transient Client Secret Extension for Public
>>>     Clients
>>>     Creation date:   2013-07-29
>>>     Group:           Individual Submission
>>>     Number of pages: 7
>>>     URL:
>>>     http://www.ietf.org/internet-drafts/draft-sakimura-oauth-tcse-00.txt
>>>     Status: http://datatracker.ietf.org/doc/draft-sakimura-oauth-tcse
>>>     Htmlized: http://tools.ietf.org/html/draft-sakimura-oauth-tcse-00
>>>
>>>
>>>     Abstract:
>>>         The OAuth 2.0 public client utilizing code flow is susceptible
>>>     to the
>>>         code interception attack.  This specification describe a mechanism
>>>         that acts as a control against this threat.
>>>
>>>
>>>
>>>
>>>
>>>     Please note that it may take a couple of minutes from the time of
>>>     submission
>>>     until the htmlized version and diff are available at tools.ietf.org
>>>     <http://tools.ietf.org>.
>>>
>>>     The IETF Secretariat
>>>
>>>
>>>
>>>
>>>     --
>>>     Nat Sakimura (=nat)
>>>     Chairman, OpenID Foundation
>>>     http://nat.sakimura.org/
>>>     @_nat_en
>>>
>>>
>>>
>>>
>>> --
>>> Nat Sakimura (=nat)
>>> Chairman, OpenID Foundation
>>> http://nat.sakimura.org/
>>> @_nat_en
>>>
>>>
>
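
The per-instance code confirmation discussed in the message above, as an added example that is not part of the thread or of draft-sakimura-oauth-tcse. The parameter names `tcs` and `tcsh` come from the thread; the use of SHA-256, base64url encoding, sending the hash in the authorization request, and the `AuthorizationServer` class with its method names are assumptions made for illustration.

```python
import base64
import hashlib
import hmac
import secrets


def b64url(data: bytes) -> str:
    """URL-safe base64 without padding."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def new_tcs() -> str:
    """Fresh transient secret, generated by one app instance for one flow."""
    return b64url(secrets.token_bytes(32))


def tcs_hash(tcs: str) -> str:
    """tcsh as assumed here: base64url(SHA-256(tcs))."""
    return b64url(hashlib.sha256(tcs.encode("utf-8")).digest())


class AuthorizationServer:
    """Hypothetical AS that binds each authorization code to a tcsh value."""

    def __init__(self) -> None:
        self._codes = {}  # code -> (client_id, tcsh)

    def authorize(self, client_id: str, tcsh: str) -> str:
        # Authorization request: the instance sends only the hash.
        code = b64url(secrets.token_bytes(16))
        self._codes[code] = (client_id, tcsh)
        return code

    def token(self, client_id: str, code: str, tcs: str):
        # Token request: the instance proves possession by revealing tcs.
        bound = self._codes.get(code)
        if bound is None:
            return None  # unknown or already redeemed code
        bound_client, bound_tcsh = bound
        if client_id != bound_client:
            return None
        # Constant-time comparison of the recomputed hash with the bound one.
        if not hmac.compare_digest(tcs_hash(tcs), bound_tcsh):
            return None
        # Example choice: the code is consumed on success only. A deployment
        # may also revoke the code after a failed attempt.
        del self._codes[code]
        return b64url(secrets.token_bytes(16))


def demo() -> dict:
    server = AuthorizationServer()
    client_id = "native-app"  # constructed: one public client_id, no client secret

    # Two instances of the same client, each with its own transient secret.
    tcs_a, tcs_b = new_tcs(), new_tcs()
    code_a = server.authorize(client_id, tcs_hash(tcs_a))
    code_b = server.authorize(client_id, tcs_hash(tcs_b))

    return {
        # A party that received code_a but never saw tcs_a cannot redeem it.
        "interceptor_with_code_only": server.token(client_id, code_a, new_tcs()),
        # Another instance's secret does not confirm this code either.
        "instance_b_secret_on_code_a": server.token(client_id, code_a, tcs_b),
        # The instance that started each flow redeems its own code.
        "instance_a": server.token(client_id, code_a, tcs_a),
        "replay_of_code_a": server.token(client_id, code_a, tcs_a),
        "instance_b": server.token(client_id, code_b, tcs_b),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {'token issued' if result else 'rejected'}")
```

The check is keyed on the code rather than on `client_id`, which is why many instances can run flows at once under one `client_id` without any stored client secret.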


From phil.hunt@oracle.com  Wed Aug 28 10:04:01 2013
Return-Path: <phil.hunt@oracle.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2E42811E81A9 for <oauth@ietfa.amsl.com>; Wed, 28 Aug 2013 10:03:59 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.217
X-Spam-Level: 
X-Spam-Status: No, score=-5.217 tagged_above=-999 required=5 tests=[AWL=-0.015, BAYES_00=-2.599, HTML_MESSAGE=0.001, MIME_QP_LONG_LINE=1.396, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id rsAfGDHhpa1M for <oauth@ietfa.amsl.com>; Wed, 28 Aug 2013 10:03:54 -0700 (PDT)
Received: from aserp1040.oracle.com (aserp1040.oracle.com [141.146.126.69]) by ietfa.amsl.com (Postfix) with ESMTP id 67FEB11E828F for <oauth@ietf.org>; Wed, 28 Aug 2013 10:03:53 -0700 (PDT)
Received: from ucsinet21.oracle.com (ucsinet21.oracle.com [156.151.31.93]) by aserp1040.oracle.com (Sentrion-MTA-4.3.1/Sentrion-MTA-4.3.1) with ESMTP id r7SH3oKV023728 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK); Wed, 28 Aug 2013 17:03:51 GMT
Received: from userz7021.oracle.com (userz7021.oracle.com [156.151.31.85]) by ucsinet21.oracle.com (8.14.4+Sun/8.14.4) with ESMTP id r7SH3nje013219 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Wed, 28 Aug 2013 17:03:49 GMT
Received: from abhmt120.oracle.com (abhmt120.oracle.com [141.146.116.72]) by userz7021.oracle.com (8.14.4+Sun/8.14.4) with ESMTP id r7SH3mZr013196; Wed, 28 Aug 2013 17:03:49 GMT
Received: from [192.168.1.89] (/24.86.29.34) by default (Oracle Beehive Gateway v4.0) with ESMTP ; Wed, 28 Aug 2013 10:03:47 -0700
Content-Type: multipart/alternative; boundary="Apple-Mail=_9A79775F-0E16-4DC3-BD4C-D75FF48C8663"
Mime-Version: 1.0 (Mac OS X Mail 6.5 \(1508\))
From: Phil Hunt <phil.hunt@oracle.com>
In-Reply-To: <521E2B74.9080104@aol.com>
Date: Wed, 28 Aug 2013 10:03:57 -0700
Message-Id: <0D768920-8000-4176-A55B-1B2BE9791E08@oracle.com>
References: <1373E8CE237FCC43BCA36C6558612D2AA28D6A@USCHMBX001.nsn-intra.net> <4D9D4AAD-55F9-4B7E-A56F-5BC42F028E13@oracle.com> <B14A12F5-EF5C-4529-90B7-C30E17958907@oracle.com> <521E1A34.30204@mitre.org> <BC009D74-FEF3-4827-8C0D-1B2FCCF9DA65@oracle.com> <521E2353.2030904@aol.com> <C7CBA9A2-92F5-4AE3-8AEE-1259B6635DD9@oracle.com> <521E256A.60908@aol.com> <9F232504-FC58-41FD-B040-31F898034AD2@oracle.com> <521E27BF.3030408@mitre.org> <5B2C7096-939A-4EA2-81FF-F15BDDFB7ABB@ve7jtb.com> <146ED1AF-DE42-4DF1-8DEC-7F82B4C91D07@oracle.com> <521E2B74.9080104@aol.com>
To: George Fletcher <gffletch@aol.com>
X-Mailer: Apple Mail (2.1508)
X-Source-IP: ucsinet21.oracle.com [156.151.31.93]
Cc: oauth mailing list <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Dynamic Client Registration Conference Call: Wed 28 Aug, 2pm PDT: Conference Bridge Details
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 28 Aug 2013 17:04:03 -0000

--Apple-Mail=_9A79775F-0E16-4DC3-BD4C-D75FF48C8663
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain;
	charset=iso-8859-1

I think many of the parameters in dyn reg need to be specified in the =
statement -- the main change is we're moving dyn reg parameters into the =
statement and locking them down between instances.  It keeps hackers =
from changing individual instances and it minimizes state in per =
instance registration.

The reason OAuth doesn't have to define token formats is they are =
largely "local".  Federated token scenarios (like UMA) obviously have to =
have some OOB agreement on format.  Given that registration in most of =
these cases is federated, it seems appropriate to define these =
assertions. (In the non-federated cases (e.g. like Google), they can do =
registration using workflows with the developer directly.)

Phil

@independentid
www.independentid.com
phil.hunt@oracle.com







On 2013-08-28, at 9:55 AM, George Fletcher <gffletch@aol.com> wrote:

> OAuth has never specified anything regarding the format of the "tokens"
> that the AS has to accept and that's one of its virtues. It allows for
> many implementations from local only to federated.
>
> I fully believe there is value in defining profiles of OAuth for
> particular problem domains that put restrictions on client_id format,
> access_token format etc (e.g. the assertion set of specs). However,
> those should be layered on top of OAuth as a profile and not be forced
> into the core. Otherwise, we are forcing all implementations down a much
> narrower path than is supported today. I definitely don't want to see
> that happen.
>
> Thanks,
> George
>
> On 8/28/13 12:48 PM, Phil Hunt wrote:
>> You can pass anything as a client_id.  It just has to be accepted.
>> That's the point of us writing a draft here isn't it?
>>
>> Phil
>>
>> @independentid
>> www.independentid.com
>> phil.hunt@oracle.com
>>
>> On 2013-08-28, at 9:45 AM, John Bradley <ve7jtb@ve7jtb.com> wrote:
>>
>>> That is my concern as well, sending an assertion to the
>>> authorization endpoint requires an extension of OAuth to add another
>>> parameter or placing it in the client_id which you can do now with the
>>> dynamic reg spec if the AS wants to.
>>>
>>> Holding up client registration for something that will require an
>>> extension to OAuth is overdoing it.   We need something for the OAuth
>>> spec we have now without requiring clients implement the assertion flow
>>> and other extensions.
>>>
>>> John B.
>>>
>>> On 2013-08-28, at 12:39 PM, Justin Richer <jricher@mitre.org> wrote:
>>>
>>>> The initial_access_token doesn't assume that it's from the local
>>>> domain. It merely assumes that the authorization server accepts the
>>>> token, which would be true in the UMA case due to the federation. It
>>>> could also be the exact same kinds of mechanisms that the software
>>>> statement would use to achieve federation.
>>>>
>>>> I still don't see how an auth server is going to know about a
>>>> client's configuration state with the assertion swap method, since
>>>> there's no defined mechanism for sending a JWT assertion to the
>>>> authorization endpoint.
>>>>
>>>>  -- Justin
>>>>
>>>> On 08/28/2013 12:35 PM, Phil Hunt wrote:
>>>>> George,
>>>>>
>>>>> It would be reasonable for a client to submit an assertion, and
>>>>> obtain its own client assertion in return.  This is very close to what
>>>>> is happening per 2.1, 2.2 of
>>>>> http://tools.ietf.org/html/draft-ietf-oauth-jwt-bearer-06
>>>>>
>>>>> In this case, the Software Statement is an authorization that is
>>>>> exchanged for a client assertion in return. Then the clients
>>>>> authenticate per section 2.2 of the JWT spec.
>>>>>
>>>>> Regarding initial_access_token.  This does have some of the
>>>>> characteristics I am speaking of. But it is unspecified and the
>>>>> assumption is that it is issued by the local domain.  This doesn't work
>>>>> in the UMA case because that's more like a federated model. Thus the
>>>>> specified software statement works because the AS can approve the client
>>>>> software based on name, and/or developer, and/or publisher -- whatever
>>>>> trust requires.
>>>>>
>>>>> Phil
>>>>>
>>>>> @independentid
>>>>> www.independentid.com
>>>>> phil.hunt@oracle.com
>>>>>
>>>>> On 2013-08-28, at 9:29 AM, George Fletcher <gffletch@aol.com> wrote:
>>>>>
>>>>>> I can't say I understand what you mean by a simple assertion
>>>>>> swap... but if you are wanting to use a client_assertion flow instead of
>>>>>> the code flow then that's something completely different. If you are
>>>>>> saying that you want the client_id to represent an "instance" in a
>>>>>> stateless way using an "assertion" then that's already possible today.
>>>>>>
>>>>>> George
>>>>>>
>>>>>> On 8/28/13 12:23 PM, Phil Hunt wrote:
>>>>>>> George
>>>>>>>
>>>>>>> That case can be solved with a simple assertion swap. We just
>>>>>>> have to profile it.
>>>>>>>
>>>>>>> Phil
>>>>>>>
>>>>>>> On 2013-08-28, at 9:20, George Fletcher <gffletch@aol.com> wrote:
>>>>>>>
>>>>>>>>
>>>>>>>> On 8/28/13 12:02 PM, Phil Hunt wrote:
>>>>>>>>> Please define the all in one case. I think this is the edge
>>>>>>>>> case and is in fact rare.
>>>>>>>>>
>>>>>>>>> I agree, in many cases step 1 can be made by simply approving
>>>>>>>>> a class of software. But then step 2 is simplified.
>>>>>>>>>
>>>>>>>>> Dyn reg assumes every registration of an instance is unique
>>>>>>>>> which to me is a very extreme
>>>>>>>> If you have a mobile app that needs to do the code flow...
>>>>>>>> which requires a client_secret in order to retrieve the access token and
>>>>>>>> refresh token, how does the app do this without per app instance
>>>>>>>> registration?
>>>>>>>>
>>>>>>>> I'd argue that almost all user facing mobile apps will want the
>>>>>>>> above flow and that's not a small, rare edge case.
>>>>>>>>
>>>>>>>> Thanks,
>>>>>>>> George
>>>>>>>>> position.
>>>>>>>>>
>>>>>>>>> Phil
>>>>>>>>>
>>>>>>>>> On 2013-08-28, at 8:41, Justin Richer <jricher@mitre.org> wrote:
>>>>>>>>>
>>>>>>>>>> Except for the cases where you want step 1 to happen in band.
>>>>>>>>>> To me, that is a vitally and fundamentally important use case that we
>>>>>>>>>> can't disregard, and we must have a solution that can accommodate that.
>>>>>>>>>> The notions of "publisher" and "product" fade very quickly once you get
>>>>>>>>>> outside of the software vendor world.
>>>>>>>>>>
>>>>>>>>>> This is, of course, not to stand in the way of other
>>>>>>>>>> solutions or approaches (such as something assertion based like you're
>>>>>>>>>> after). It's not a one-or-the-other proposition, especially when there
>>>>>>>>>> are mutually exclusive aspects of each.
>>>>>>>>>>
>>>>>>>>>> Therefore I once again call for the WG to finish the current
>>>>>>>>>> dynamic registration spec *AND* pursue the assertion based process that
>>>>>>>>>> Phil's talking about. They're not mutually exclusive, let's please stop
>>>>>>>>>> talking about them like they are.
>>>>>>>>>>
>>>>>>>>>> -- Justin
>>>>>>>>>>
>>>>>>>>>> On 08/28/2013 11:17 AM, Phil Hunt wrote:
>>>>>>>>>>> Sorry. I meant also to say I think there are 2 registration
>>>>>>>>>>> steps.
>>>>>>>>>>>
>>>>>>>>>>> 1. Software registration/approval. This often happens out of
>>>>>>>>>>> band. But in this step policy is defined that approves software for use.
>>>>>>>>>>> Many of the reg params are known here.
>>>>>>>>>>>
>>>>>>>>>>> Federation techniques come into play as trust approvals can
>>>>>>>>>>> be based on developer, product or even publisher.
>>>>>>>>>>>
>>>>>>>>>>> 2. Each instance associates in a stateless way. Only clients
>>>>>>>>>>> that need credential rotation need more.
>>>>>>>>>>>
>>>>>>>>>>> Phil
>>>>>>>>>>>
>>>>>>>>>>> On 2013-08-28, at 8:04, Phil Hunt <phil.hunt@oracle.com> wrote:
>>>>>>>>>>>
>>>>>>>>>>>> I have a conflict I cannot get out of for 2pacific.
>>>>>>>>>>>>
>>>>>>>>>>>> I think a certificate based approach is going to simplify
>>>>>>>>>>>> exchanges in all cases. I encourage the group to explore the concept on
>>>>>>>>>>>> the call.
>>>>>>>>>>>>
>>>>>>>>>>>> I am not sure breaking dyn reg up helps. It creates yet
>>>>>>>>>>>> another option. I would like to explore how federation concept in
>>>>>>>>>>>> software statements can help with facilitating association and making
>>>>>>>>>>>> many reg stateless.
>>>>>>>>>>>>
>>>>>>>>>>>> Phil
>>>>>>>>>>>>
>>>>>>>>>>>> On 2013-08-28, at 5:43, "Tschofenig, Hannes (NSN - FI/Espoo)" <hannes.tschofenig@nsn.com> wrote:
>>>>>>>>>>>>
>>>>>>>>>>>>> Here are the conference bridge / Webex details for the call today.
>>>>>>>>>>>>> We are going to complete the use case discussions from
>>>>>>>>>>>>> last time (Phil wasn't able to walk through all slides). Justin was also
>>>>>>>>>>>>> able to work out a strawman proposal based on the discussions last week
>>>>>>>>>>>>> and we will have a look at it to see whether this is a suitable
>>>>>>>>>>>>> compromise. Here is Justin's mail, in case you have missed it:
>>>>>>>>>>>>> http://www.ietf.org/mail-archive/web/oauth/current/msg12036.html
>>>>>>>>>>>>>
>>>>>>>>>>>>> Phil, please feel free to make adjustments to your slides
>>>>>>>>>>>>> given Justin's recent proposal.
>>>>>>>>>>>>>
>>>>>>>>>>>>> Topic: OAuth Dynamic Client Registration
>>>>>>>>>>>>> Date: Wednesday, August 28, 2013
>>>>>>>>>>>>> Time: 2:00 pm, Pacific Daylight Time (San Francisco, GMT-07:00)
>>>>>>>>>>>>> Meeting Number: 703 230 586
>>>>>>>>>>>>> Meeting Password: oauth
>>>>>>>>>>>>>
>>>>>>>>>>>>> -------------------------------------------------------
>>>>>>>>>>>>> To join the online meeting
>>>>>>>>>>>>> -------------------------------------------------------
>>>>>>>>>>>>> 1. Go to https://nsn.webex.com/nsn/j.php?ED=269567657&UID=0&PW=NNTI1ZWQzMDJk&RT=MiM0
>>>>>>>>>>>>> 2. Enter your name and email address.
>>>>>>>>>>>>> 3. Enter the meeting password: oauth
>>>>>>>>>>>>> 4. Click "Join Now".
>>>>>>>>>>>>>
>>>>>>>>>>>>> To view in other time zones or languages, please click the link:
>>>>>>>>>>>>> https://nsn.webex.com/nsn/j.php?ED=269567657&UID=0&PW=NNTI1ZWQzMDJk&ORT=MiM0
>>>>>>>>>>>>>
>>>>>>>>>>>>> To add this meeting to your calendar program (for example
>>>>>>>>>>>>> Microsoft Outlook), click this link:
>>>>>>>>>>>>> https://nsn.webex.com/nsn/j.php?ED=269567657&UID=0&ICS=MI&LD=1&RD=2&ST=1&SHA2=C6-AjLGvhdYjmpVdx75M6UsAwrNLMsequ5n95Gyv1R8=&RT=MiM0
>>>>>>>>>>>>>
>>>>>>>>>>>>> -------------------------------------------------------
>>>>>>>>>>>>> To join the teleconference only
>>>>>>>>>>>>> -------------------------------------------------------
>>>>>>>>>>>>> Global dial-in Numbers: http://www.nokiasiemensnetworks.com/nvc
>>>>>>>>>>>>> Conference Code: 944 910 5485
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>> _______________________________________________
>>>>>>>>>>>>> OAuth mailing list
>>>>>>>>>>>>> OAuth@ietf.org
>>>>>>>>>>>>> https://www.ietf.org/mailman/listinfo/oauth
>>>>>>>>
>>>>>>>> --
>>>>>>>> <XeC>
>>>>>>
>>>>>> --
>>>>>> <XeC.png>
>
> --
> <XeC.png>
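
The locking-down described at the top of this message, sketched as an added example that is not part of the thread or of any draft: an AS verifies a signed software statement and refuses a per-instance request that tries to change a parameter the statement fixes. The `software_statement` field name, the claim names, the issuer URL and the key are assumptions, and HS256 with a shared key stands in for the publisher's asymmetric signature so the code needs only the standard library.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo trust store: issuer URL and key are made up. HS256 with a
# shared key stands in for the publisher's asymmetric signature (assumption).
TRUSTED_ISSUERS = {"https://publisher.example": b"constructed-demo-key"}


class RegistrationError(ValueError):
    """Raised when a registration request must be refused."""


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mac(key: bytes, signing_input: str) -> bytes:
    return hmac.new(key, signing_input.encode(), hashlib.sha256).digest()


def sign_statement(claims: dict, key: bytes) -> str:
    """Publisher side: issue a compact JWT carrying the locked parameters."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    signature = b64url_encode(mac(key, header + "." + payload))
    return header + "." + payload + "." + signature


def verify_statement(statement, trusted: dict) -> dict:
    """AS side: return the claims only if a trusted issuer signed them."""
    if not isinstance(statement, str):
        raise RegistrationError("software statement missing")
    try:
        header_b64, payload_b64, sig_b64 = statement.split(".")
        header = json.loads(b64url_decode(header_b64))
        claims = json.loads(b64url_decode(payload_b64))
        signature = b64url_decode(sig_b64)
    except ValueError as exc:  # bad split, bad base64 or bad JSON
        raise RegistrationError("malformed software statement") from exc
    # Pin the algorithm; never let the token choose it (rejects alg "none").
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise RegistrationError("unexpected alg")
    issuer = claims.get("iss") if isinstance(claims, dict) else None
    key = trusted.get(issuer) if isinstance(issuer, str) else None
    if key is None:
        raise RegistrationError("untrusted issuer")
    expected = mac(key, header_b64 + "." + payload_b64)
    if not hmac.compare_digest(signature, expected):
        raise RegistrationError("bad signature")
    return claims


def register_instance(request: dict, trusted: dict = TRUSTED_ISSUERS) -> dict:
    """Merge a per-instance request with the parameters the statement locks."""
    claims = verify_statement(request.get("software_statement"), trusted)
    locked = {k: v for k, v in claims.items() if k != "iss"}
    for name, value in request.items():
        if name in locked and value != locked[name]:
            raise RegistrationError(name + " is fixed by the software statement")
    # The only per-instance state is what the statement does not cover.
    instance = {k: v for k, v in request.items()
                if k not in locked and k != "software_statement"}
    return {"metadata": {**instance, **locked}, "instance_state": instance}


# Constructed sample statement for one piece of client software.
SAMPLE_STATEMENT = sign_statement(
    {"iss": "https://publisher.example",
     "software_id": "demo-app",
     "redirect_uris": ["https://app.example/cb"]},
    TRUSTED_ISSUERS["https://publisher.example"],
)

if __name__ == "__main__":
    ok = register_instance({"software_statement": SAMPLE_STATEMENT,
                            "client_name": "instance 1"})
    print(json.dumps(ok, indent=2))
    try:
        register_instance({"software_statement": SAMPLE_STATEMENT,
                           "redirect_uris": ["https://other.example/cb"]})
    except RegistrationError as err:
        print("refused:", err)
```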


--Apple-Mail=_9A79775F-0E16-4DC3-BD4C-D75FF48C8663
Content-Transfer-Encoding: quoted-printable
Content-Type: text/html;
	charset=iso-8859-1

<html><head><meta http-equiv=3D"Content-Type" content=3D"text/html =
charset=3Diso-8859-1"></head><body style=3D"word-wrap: break-word; =
-webkit-nbsp-mode: space; -webkit-line-break: after-white-space; ">I =
think many of the parameters in dyn reg need to be specified in the =
statement -- the main change is we're moving dyn reg parameters into the =
statement and locking them down between instances. &nbsp;It keeps =
hackers from changing individual instances and it minimizes state in per =
instance registration.<div><br></div><div>The reason OAuth doesn't have =
to define token formats is they are largely "local". &nbsp;Federated =
token scenarios (like UMA) obviously have to have some OOB agreement on =
format. &nbsp;Given that registration in most of these cases is =
federated, it seems appropriate to define these assertions. (In the =
non-federated cases (e.g. like Google), they can do registration using =
workflows with the developer directly.)</div><div><br></div><div><span =
style=3D"font-size: 12px; ">Phil</span></div><div><div =
apple-content-edited=3D"true"><span class=3D"Apple-style-span" =
style=3D"border-collapse: separate; border-spacing: 0px; "><div =
style=3D"word-wrap: break-word; -webkit-nbsp-mode: space; =
-webkit-line-break: after-white-space; "><span class=3D"Apple-style-span" =
style=3D"border-collapse: separate; color: rgb(0, 0, 0); font-family: =
Helvetica; font-size: medium; font-style: normal; font-variant: normal; =
font-weight: normal; letter-spacing: normal; line-height: normal; =
orphans: 2; text-indent: 0px; text-transform: none; white-space: normal; =
widows: 2; word-spacing: 0px; border-spacing: 0px; =
-webkit-text-decorations-in-effect: none; -webkit-text-size-adjust: =
auto; -webkit-text-stroke-width: 0px; "><div style=3D"word-wrap: =
break-word; -webkit-nbsp-mode: space; -webkit-line-break: =
after-white-space; "><span class=3D"Apple-style-span" =
style=3D"border-collapse: separate; color: rgb(0, 0, 0); font-family: =
Helvetica; font-size: medium; font-style: normal; font-variant: normal; =
font-weight: normal; letter-spacing: normal; line-height: normal; =
orphans: 2; text-indent: 0px; text-transform: none; white-space: normal; =
widows: 2; word-spacing: 0px; border-spacing: 0px; =
-webkit-text-decorations-in-effect: none; -webkit-text-size-adjust: =
auto; -webkit-text-stroke-width: 0px; "><div style=3D"word-wrap: =
break-word; -webkit-nbsp-mode: space; -webkit-line-break: =
after-white-space; "><span class=3D"Apple-style-span" =
style=3D"border-collapse: separate; color: rgb(0, 0, 0); font-family: =
Helvetica; font-size: 12px; font-style: normal; font-variant: normal; =
font-weight: normal; letter-spacing: normal; line-height: normal; =
orphans: 2; text-indent: 0px; text-transform: none; white-space: normal; =
widows: 2; word-spacing: 0px; border-spacing: 0px; =
-webkit-text-decorations-in-effect: none; -webkit-text-size-adjust: =
auto; -webkit-text-stroke-width: 0px; "><div style=3D"word-wrap: =
break-word; -webkit-nbsp-mode: space; -webkit-line-break: =
after-white-space; "><div><br></div><div>@independentid</div><div><a =
href=3D"http://www.independentid.com">www.independentid.com</a></div></div=
></span><a =
href=3D"mailto:phil.hunt@oracle.com">phil.hunt@oracle.com</a></div><div =
style=3D"word-wrap: break-word; -webkit-nbsp-mode: space; =
-webkit-line-break: after-white-space; "><br><br></div></span><br =
class=3D"Apple-interchange-newline"></div></span><br =
class=3D"Apple-interchange-newline"></div></span><br =
class=3D"Apple-interchange-newline"><br =
class=3D"Apple-interchange-newline">
</div>
<br><div><div>On 2013-08-28, at 9:55 AM, George Fletcher &lt;<a =
href=3D"mailto:gffletch@aol.com">gffletch@aol.com</a>&gt; =
wrote:</div><br class=3D"Apple-interchange-newline"><blockquote =
type=3D"cite">
 =20
    <meta content=3D"text/html; charset=3DISO-8859-1" =
http-equiv=3D"Content-Type">
 =20
  <div bgcolor=3D"#FFFFFF" text=3D"#000000">
    <font face=3D"Helvetica, Arial, sans-serif">OAuth has never =
specified
      anything regarding the format the "tokens" that the AS has to
      accept and that's one of it's virtues. It allows for many
      implementations from local only to federated. <br>
      <br>
      I fully believe there is value in defining profiles of OAuth for
      particular problem domains that put restrictions on client_id
      format, access_token format etc (e.g. the assertion set of specs).
      However, those should be layered on top of OAuth as a profile and
      not be forced into the core. Otherwise, we are forcing all
      implementations down a much narrower path than is supported today.
      I definitely don't want to see that happen.<br>
      <br>
      Thanks,<br>
      George<br>
      <br>
    </font>
    <div class=3D"moz-cite-prefix">On 8/28/13 12:48 PM, Phil Hunt =
wrote:<br>
    </div>
    <blockquote =
cite=3D"mid:146ED1AF-DE42-4DF1-8DEC-7F82B4C91D07@oracle.com" =
type=3D"cite">
      <meta http-equiv=3D"Content-Type" content=3D"text/html;
        charset=3DISO-8859-1">
      You can pass anything as a client_id. &nbsp;It just has to be =
accepted.
      That's the point of us writing a draft here isn't it?
      <div><br>
        <div apple-content-edited=3D"true">
          <span class=3D"Apple-style-span" style=3D"border-collapse: =
separate; font-family: Helvetica; font-style: normal; font-variant: =
normal; font-weight: normal; letter-spacing: normal; line-height: =
normal; orphans: 2; text-indent: 0px; text-transform: none; white-space: =
normal; widows: 2; word-spacing: 0px; border-spacing: 0px; =
-webkit-text-decorations-in-effect: none; -webkit-text-size-adjust: =
auto; -webkit-text-stroke-width: 0px; font-size: medium; ">
            <div style=3D"word-wrap: break-word; -webkit-nbsp-mode: =
space;
              -webkit-line-break: after-white-space; "><span =
class=3D"Apple-style-span" style=3D"border-collapse: separate; =
font-family: Helvetica; font-size: medium; font-style: normal; =
font-variant: normal; font-weight: normal; letter-spacing: normal; =
line-height: normal; orphans: 2; text-indent: 0px; text-transform: none; =
white-space: normal; widows: 2; word-spacing: 0px; border-spacing: 0px; =
-webkit-text-decorations-in-effect: none; -webkit-text-size-adjust: =
auto; -webkit-text-stroke-width: 0px; ">
                <div style=3D"word-wrap: break-word; -webkit-nbsp-mode:
                  space; -webkit-line-break: after-white-space; "><span =
class=3D"Apple-style-span" style=3D"border-collapse: separate; =
font-family: Helvetica; font-size: medium; font-style: normal; =
font-variant: normal; font-weight: normal; letter-spacing: normal; =
line-height: normal; orphans: 2; text-indent: 0px; text-transform: none; =
white-space: normal; widows: 2; word-spacing: 0px; border-spacing: 0px; =
-webkit-text-decorations-in-effect: none; -webkit-text-size-adjust: =
auto; -webkit-text-stroke-width: 0px; ">
                    <div style=3D"word-wrap: break-word;
                      -webkit-nbsp-mode: space; -webkit-line-break:
                      after-white-space; "><span =
class=3D"Apple-style-span" style=3D"border-collapse: separate; =
font-family: Helvetica; font-size: 12px; font-style: normal; =
font-variant: normal; font-weight: normal; letter-spacing: normal; =
line-height: normal; orphans: 2; text-indent: 0px; text-transform: none; =
white-space: normal; widows: 2; word-spacing: 0px; border-spacing: 0px; =
-webkit-text-decorations-in-effect: none; -webkit-text-size-adjust: =
auto; -webkit-text-stroke-width: 0px; ">
                        <div style=3D"word-wrap: break-word;
                          -webkit-nbsp-mode: space; -webkit-line-break:
                          after-white-space; ">
                          <div>Phil</div>
                          <div><br>
                          </div>
                          <div>@independentid</div>
                          <div><a moz-do-not-send=3D"true" =
href=3D"http://www.independentid.com/">www.independentid.com</a></div>
                        </div>
                      </span><a moz-do-not-send=3D"true" =
href=3D"mailto:phil.hunt@oracle.com">phil.hunt@oracle.com</a></div>
                    <div style=3D"word-wrap: break-word;
                      -webkit-nbsp-mode: space; -webkit-line-break:
                      after-white-space; "><br>
                      <br>
                    </div>
                  </span><br class=3D"Apple-interchange-newline">
                </div>
              </span><br class=3D"Apple-interchange-newline">
            </div>
          </span><br class=3D"Apple-interchange-newline">
          <br class=3D"Apple-interchange-newline">
        </div>
        <br>
        <div>
          <div>On 2013-08-28, at 9:45 AM, John Bradley &lt;<a =
moz-do-not-send=3D"true" =
href=3D"mailto:ve7jtb@ve7jtb.com">ve7jtb@ve7jtb.com</a>&gt;
            wrote:</div>
          <br class=3D"Apple-interchange-newline">
          <blockquote type=3D"cite">
            <meta http-equiv=3D"Content-Type" content=3D"text/html;
              charset=3DISO-8859-1">
            <div style=3D"word-wrap: break-word; -webkit-nbsp-mode: =
space;
              -webkit-line-break: after-white-space; ">That is my
              concern as well, sending an assertion to the authorization
              endpoint requires a extension of OAuth to add another
              parameter or placing it in the client_id which you can do
              now with the dynamic reg spec if the AS wants to.&nbsp;
              <div><br>
              </div>
              <div>Holding up client registration for something that
                will require an extension to OAuth is overdoing it. =
&nbsp; We
                need something for the OAuth spec we have now without
                requiring clients implement the assertion flow and other
                extensions.</div>
              <div><br>
              </div>
              <div>John B.</div>
              <div><br>
                <div>
                  <div>On 2013-08-28, at 12:39 PM, Justin Richer &lt;<a =
moz-do-not-send=3D"true" =
href=3D"mailto:jricher@mitre.org">jricher@mitre.org</a>&gt;
                    wrote:</div>
                  <br class=3D"Apple-interchange-newline">
                  <blockquote type=3D"cite">
                    <meta content=3D"text/html; charset=3DISO-8859-1" =
http-equiv=3D"Content-Type">
                    <div bgcolor=3D"#FFFFFF" text=3D"#000000"> The
                      initial_access_token doesn't assume that it's from
                      the local domain. It merely assumes that the
                      authorization server accepts the token, which
                      would be true in the UMA case due to the
                      federation. It could also be the exact same kinds
                      of mechanisms that the software statement would
                      use to achieve federation.<br>
                      <br>
                      I still don't see how an auth server is going to
                      know about a client's configuration state with the
                      assertion swap method, since there's no defined
                      mechanism for sending a JWT assertion to the
                      authorization endpoint. <br>
                      <br>
                      &nbsp;-- Justin<br>
                      <br>
                      <div class=3D"moz-cite-prefix">On 08/28/2013 12:35
                        PM, Phil Hunt wrote:<br>
                      </div>
                      <blockquote =
cite=3D"mid:9F232504-FC58-41FD-B040-31F898034AD2@oracle.com" =
type=3D"cite">
                        <meta http-equiv=3D"Content-Type" =
content=3D"text/html; charset=3DISO-8859-1">
                        George,
                        <div><br>
                        </div>
                        <div>It would be reasonable for a client to
                          submit an assertion, and obtain its own client
                          assertion in return. &nbsp;This is very close =
to
                          what is happening per 2.1, 2.2 of&nbsp;<a =
moz-do-not-send=3D"true" =
href=3D"http://tools.ietf.org/html/draft-ietf-oauth-jwt-bearer-06">http://=
tools.ietf.org/html/draft-ietf-oauth-jwt-bearer-06</a></div>
                        <div><br>
                        </div>
                        <div>In this case, the Software Statement is an
                          authorization that is exchanged for a client
                          assertion in return. Then the clients
                          authenticate per section 2.2 of the JWT =
spec.</div>
                        <div><br>
                        </div>
                        <div>Regarding initial_access_token. &nbsp;This =
does
                          have some of the characteristics I am speaking
                          of. But it is unspecified and the assumption
                          is that it is issued by the local domain.
                          &nbsp;This doesn't work in the UMA case =
because
                          that's more like a federated model. Thus the
                          specified software statement works because the
                          AS can approve the client software based on
                          name, and/or developer, and/or publisher --
                          whatever trust requires.</div>
                        <div><br>
                          <div apple-content-edited=3D"true"> <span =
class=3D"Apple-style-span" style=3D"border-collapse: separate;
                              font-family: Helvetica; font-style:
                              normal; font-variant: normal; font-weight:
                              normal; letter-spacing: normal;
                              line-height: normal; orphans: 2;
                              text-indent: 0px; text-transform: none;
                              white-space: normal; widows: 2;
                              word-spacing: 0px; border-spacing: 0px;
                              -webkit-text-decorations-in-effect: none;
                              -webkit-text-size-adjust: auto;
                              -webkit-text-stroke-width: 0px; font-size:
                              medium; ">
                              <div style=3D"word-wrap: break-word;
                                -webkit-nbsp-mode: space;
                                -webkit-line-break: after-white-space; =
"><span class=3D"Apple-style-span" style=3D"border-collapse: separate;
                                  font-family: Helvetica; font-size:
                                  medium; font-style: normal;
                                  font-variant: normal; font-weight:
                                  normal; letter-spacing: normal;
                                  line-height: normal; orphans: 2;
                                  text-indent: 0px; text-transform:
                                  none; white-space: normal; widows: 2;
                                  word-spacing: 0px; border-spacing:
                                  0px;
                                  -webkit-text-decorations-in-effect:
                                  none; -webkit-text-size-adjust: auto;
                                  -webkit-text-stroke-width: 0px; ">
                                  <div style=3D"word-wrap: break-word;
                                    -webkit-nbsp-mode: space;
                                    -webkit-line-break:
                                    after-white-space; "><span =
class=3D"Apple-style-span" style=3D"border-collapse: separate;
                                      font-family: Helvetica; font-size:
                                      medium; font-style: normal;
                                      font-variant: normal; font-weight:
                                      normal; letter-spacing: normal;
                                      line-height: normal; orphans: 2;
                                      text-indent: 0px; text-transform:
                                      none; white-space: normal; widows:
                                      2; word-spacing: 0px;
                                      border-spacing: 0px;
                                      =
-webkit-text-decorations-in-effect:
                                      none; -webkit-text-size-adjust:
                                      auto; -webkit-text-stroke-width:
                                      0px; ">
                                      <div style=3D"word-wrap: =
break-word;
                                        -webkit-nbsp-mode: space;
                                        -webkit-line-break:
                                        after-white-space; "><span =
class=3D"Apple-style-span" style=3D"border-collapse:
                                          separate; font-family:
                                          Helvetica; font-size: 12px;
                                          font-style: normal;
                                          font-variant: normal;
                                          font-weight: normal;
                                          letter-spacing: normal;
                                          line-height: normal; orphans:
                                          2; text-indent: 0px;
                                          text-transform: none;
                                          white-space: normal; widows:
                                          2; word-spacing: 0px;
                                          border-spacing: 0px;
                                          =
-webkit-text-decorations-in-effect:
                                          none;
                                          -webkit-text-size-adjust:
                                          auto;
                                          -webkit-text-stroke-width:
                                          0px; ">
                                          <div style=3D"word-wrap:
                                            break-word;
                                            -webkit-nbsp-mode: space;
                                            -webkit-line-break:
                                            after-white-space; ">
                                            <div>Phil</div>
                                            <div><br>
                                            </div>
                                            <div>@independentid</div>
                                            <div><a =
moz-do-not-send=3D"true" =
href=3D"http://www.independentid.com/">www.independentid.com</a></div>
                                          </div>
                                        </span><a moz-do-not-send=3D"true"=
 href=3D"mailto:phil.hunt@oracle.com">phil.hunt@oracle.com</a></div>
                                      <div style=3D"word-wrap: =
break-word;
                                        -webkit-nbsp-mode: space;
                                        -webkit-line-break:
                                        after-white-space; "><br>
                                        <br>
                                      </div>
                                    </span><br =
class=3D"Apple-interchange-newline">
                                  </div>
                                </span><br =
class=3D"Apple-interchange-newline">
                              </div>
                            </span><br =
class=3D"Apple-interchange-newline">
                            <br class=3D"Apple-interchange-newline">
                          </div>
                          <br>
                          <div>
                            <div>On 2013-08-28, at 9:29 AM, George
                              Fletcher &lt;<a moz-do-not-send=3D"true" =
href=3D"mailto:gffletch@aol.com">gffletch@aol.com</a>&gt;

                              wrote:</div>
                            <br class=3D"Apple-interchange-newline">
                            <blockquote type=3D"cite">
                              <div bgcolor=3D"#FFFFFF" text=3D"#000000"> =
<font face=3D"Helvetica, Arial, sans-serif">I
                                  can't say I understand what you mean
                                  by a simple assertion swap... but if
                                  you are wanting to use a
                                  client_assertion flow instead of the
                                  code flow then that's something
                                  completely different. If you are
                                  saying that you want the client_id to
                                  represent an "instance" in a stateless
                                  way using an "assertion" then that's
                                  already possible today.<br>
                                  <br>
                                  George<br>
                                  <br>
                                </font>
                                <div class=3D"moz-cite-prefix">On =
8/28/13
                                  12:23 PM, Phil Hunt wrote:<br>
                                </div>
                                <blockquote =
cite=3D"mid:C7CBA9A2-92F5-4AE3-8AEE-1259B6635DD9@oracle.com" =
type=3D"cite">
                                  <div>George</div>
                                  <div><br>
                                  </div>
                                  <div>That case can be solved with a
                                    simple assertion swap. We just have
                                    to profile it.&nbsp;<br>
                                    <br>
                                    Phil</div>
                                  <div><br>
                                    On 2013-08-28, at 9:20, George
                                    Fletcher &lt;<a =
moz-do-not-send=3D"true" =
href=3D"mailto:gffletch@aol.com">gffletch@aol.com</a>&gt;


                                    wrote:<br>
                                    <br>
                                  </div>
                                  <blockquote type=3D"cite">
                                    <div> <br>
                                      <div class=3D"moz-cite-prefix">On
                                        8/28/13 12:02 PM, Phil Hunt
                                        wrote:<br>
                                      </div>
                                      <blockquote =
cite=3D"mid:BC009D74-FEF3-4827-8C0D-1B2FCCF9DA65@oracle.com" =
type=3D"cite">
                                        <pre wrap=3D"">Please define the =
all in one case. I think this is the edge case and is in fact rare.=20

I agree, in many cases step 1 can be made by simply approving a class of =
software. But then step 2 is simplified.=20

Dyn reg assumes every registration of an instance is unique which to me =
is a very extreme </pre>
                                      </blockquote>
                                      If you have a mobile app that
                                      needs to do the code flow... which
                                      requires a client_secret in order
                                      to retrieve the access token and
                                      refresh token, how does the app do
                                      this without per app instance
                                      registration? <br>
                                      <br>
                                      I'd argue that almost all user
                                      facing mobile apps will want the
                                      above flow and that's not a small,
                                      rare edge case.<br>
                                      <br>
                                      Thanks,<br>
                                      George<br>
                                      <blockquote =
cite=3D"mid:BC009D74-FEF3-4827-8C0D-1B2FCCF9DA65@oracle.com" =
type=3D"cite">
                                        <pre wrap=3D"">position.=20

Phil

On 2013-08-28, at 8:41, Justin Richer <a moz-do-not-send=3D"true" =
class=3D"moz-txt-link-rfc2396E" =
href=3D"mailto:jricher@mitre.org">&lt;jricher@mitre.org&gt;</a> wrote:

</pre>
                                        <blockquote type=3D"cite">
                                          <pre wrap=3D"">Except for the =
cases where you want step 1 to happen in band. To me, that is a vitally =
and fundamentally important use case that we can't disregard, and we =
must have a solution that can accommodate that. The notions of =
"publisher" and "product" fade very quickly once you get outside of the =
software vendor world.

This is, of course, not to stand in the way of other solutions or =
approaches (such as something assertion based like you're after). It's =
not a one-or-the-other proposition, especially when there are mutually =
exclusive aspects of each.

Therefore I once again call for the WG to finish the current dynamic =
registration spec *AND* pursue the assertion based process that Phil's =
talking about. They're not mutually exclusive, let's please stop talking =
about them like they are.

-- Justin

On 08/28/2013 11:17 AM, Phil Hunt wrote:
</pre>
                                          <blockquote type=3D"cite">
                                            <pre wrap=3D"">Sorry. I =
meant also to say I think there are 2 registration steps.

1. Software registration/approval. This often happens out of band. But =
in this step policy is defined that approves software for use. Many of =
the reg params are known here.

Federation techniques come into play as trust approvals can be based on =
developer, product or even publisher.

2. Each instance associates in a stateless way. Only clients that need =
credential rotation need more.

Phil

On 2013-08-28, at 8:04, Phil Hunt <a moz-do-not-send=3D"true" =
class=3D"moz-txt-link-rfc2396E" =
href=3D"mailto:phil.hunt@oracle.com">&lt;phil.hunt@oracle.com&gt;</a> =
wrote:

</pre>
                                            <blockquote type=3D"cite">
                                              <pre wrap=3D"">I have a =
conflict I cannot get out of for 2pacific.

I think a certificate based approach is going to simplify exchanges in =
all cases. I encourage the group to explore the concept on the call.

I am not sure breaking dyn reg up helps. It creates yet another option. =
I would like to explore how federation concept in software statements =
can help with facilitating association and making many reg stateless.

Phil

On 2013-08-28, at 5:43, "Tschofenig, Hannes (NSN - FI/Espoo)" <a =
moz-do-not-send=3D"true" class=3D"moz-txt-link-rfc2396E" =
href=3D"mailto:hannes.tschofenig@nsn.com">&lt;hannes.tschofenig@nsn.com&gt=
;</a> wrote:

</pre>
                                              <blockquote type=3D"cite">
                                                <pre wrap=3D"">Here are =
the conference bridge / Webex details for the call today.
We are going to complete the use case discussions from last time (Phil =
wasn't able to walk through all slides). Justin was also able to work =
out a strawman proposal based on the discussions last week and we will =
have a look at it to see whether this is a suitable compromise. Here is =
Justin's mail, in case you have missed it: <a moz-do-not-send=3D"true" =
class=3D"moz-txt-link-freetext" =
href=3D"http://www.ietf.org/mail-archive/web/oauth/current/msg12036.html">=
http://www.ietf.org/mail-archive/web/oauth/current/msg12036.html</a>

Phil, please feel free to make adjustments to your slides given the =
Justin's recent proposal.

Topic: OAuth Dynamic Client Registration
Date: Wednesday, August 28, 2013
Time: 2:00 pm, Pacific Daylight Time (San Francisco, GMT-07:00)
Meeting Number: 703 230 586
Meeting Password: oauth

-------------------------------------------------------
To join the online meeting
-------------------------------------------------------
1. Go to <a moz-do-not-send=3D"true" class=3D"moz-txt-link-freetext" =
href=3D"https://nsn.webex.com/nsn/j.php?ED=3D269567657&amp;UID=3D0&amp;PW=3D=
NNTI1ZWQzMDJk&amp;RT=3DMiM0">https://nsn.webex.com/nsn/j.php?ED=3D26956765=
7&amp;UID=3D0&amp;PW=3DNNTI1ZWQzMDJk&amp;RT=3DMiM0</a>
2. Enter your name and email address.
3. Enter the meeting password: oauth
4. Click "Join Now".

To view in other time zones or languages, please click the link:
<a moz-do-not-send=3D"true" class=3D"moz-txt-link-freetext" =
href=3D"https://nsn.webex.com/nsn/j.php?ED=3D269567657&amp;UID=3D0&amp;PW=3D=
NNTI1ZWQzMDJk&amp;ORT=3DMiM0">https://nsn.webex.com/nsn/j.php?ED=3D2695676=
57&amp;UID=3D0&amp;PW=3DNNTI1ZWQzMDJk&amp;ORT=3DMiM0</a>

To add this meeting to your calendar program (for example Microsoft =
Outlook), click this link:
<a moz-do-not-send=3D"true" class=3D"moz-txt-link-freetext" =
href=3D"https://nsn.webex.com/nsn/j.php?ED=3D269567657&amp;UID=3D0&amp;ICS=
=3DMI&amp;LD=3D1&amp;RD=3D2&amp;ST=3D1&amp;SHA2=3DC6-AjLGvhdYjmpVdx75M6UsA=
wrNLMsequ5n95Gyv1R8=3D&amp;RT=3DMiM0">https://nsn.webex.com/nsn/j.php?ED=3D=
269567657&amp;UID=3D0&amp;ICS=3DMI&amp;LD=3D1&amp;RD=3D2&amp;ST=3D1&amp;SH=
A2=3DC6-AjLGvhdYjmpVdx75M6UsAwrNLMsequ5n95Gyv1R8=3D&amp;RT=3DMiM0</a>

-------------------------------------------------------
To join the teleconference only
-------------------------------------------------------
Global dial-in Numbers: <a moz-do-not-send=3D"true" =
class=3D"moz-txt-link-freetext" =
href=3D"http://www.nokiasiemensnetworks.com/nvc">http://www.nokiasiemensne=
tworks.com/nvc</a>
Conference Code: 944 910 5485


_______________________________________________
OAuth mailing list
<a moz-do-not-send=3D"true" class=3D"moz-txt-link-abbreviated" =
href=3D"mailto:OAuth@ietf.org">OAuth@ietf.org</a>
<a moz-do-not-send=3D"true" class=3D"moz-txt-link-freetext" =
href=3D"https://www.ietf.org/mailman/listinfo/oauth">https://www.ietf.org/=
mailman/listinfo/oauth</a>
</pre>
                                              </blockquote>
                                              <pre =
wrap=3D"">_______________________________________________
OAuth mailing list
<a moz-do-not-send=3D"true" class=3D"moz-txt-link-abbreviated" =
href=3D"mailto:OAuth@ietf.org">OAuth@ietf.org</a>
<a moz-do-not-send=3D"true" class=3D"moz-txt-link-freetext" =
href=3D"https://www.ietf.org/mailman/listinfo/oauth">https://www.ietf.org/=
mailman/listinfo/oauth</a>
</pre>
                                            </blockquote>
                                            <pre =
wrap=3D"">_______________________________________________
OAuth mailing list
<a moz-do-not-send=3D"true" class=3D"moz-txt-link-abbreviated" =
href=3D"mailto:OAuth@ietf.org">OAuth@ietf.org</a>
<a moz-do-not-send=3D"true" class=3D"moz-txt-link-freetext" =
href=3D"https://www.ietf.org/mailman/listinfo/oauth">https://www.ietf.org/=
mailman/listinfo/oauth</a>
</pre>
                                          </blockquote>
                                        </blockquote>
                                        <pre =
wrap=3D"">_______________________________________________
OAuth mailing list
<a moz-do-not-send=3D"true" class=3D"moz-txt-link-abbreviated" =
href=3D"mailto:OAuth@ietf.org">OAuth@ietf.org</a>
<a moz-do-not-send=3D"true" class=3D"moz-txt-link-freetext" =
href=3D"https://www.ietf.org/mailman/listinfo/oauth">https://www.ietf.org/=
mailman/listinfo/oauth</a>


</pre>
                                      </blockquote>
                                      <br>
                                      <div class=3D"moz-signature">-- =
<br>
                                        <a moz-do-not-send=3D"true" =
href=3D"http://connect.me/gffletch" title=3D"View full card on
                                          =
Connect.Me">&lt;XeC&gt;</a></div>
                                    </div>
                                  </blockquote>
                                </blockquote>
                                <br>
                                <div class=3D"moz-signature">-- <br>
                                  <a moz-do-not-send=3D"true" =
href=3D"http://connect.me/gffletch" title=3D"View full card on =
Connect.Me"><span>&lt;XeC.png&gt;</span></a></div>
                              </div>
                            </blockquote>
                          </div>
                          <br>
                        </div>
                      </blockquote>
                      <br>
                    </div>
                    _______________________________________________<br>
                    OAuth mailing list<br>
                    <a moz-do-not-send=3D"true" =
href=3D"mailto:OAuth@ietf.org">OAuth@ietf.org</a><br>
                    <a moz-do-not-send=3D"true" =
href=3D"https://www.ietf.org/mailman/listinfo/oauth">https://www.ietf.org/=
mailman/listinfo/oauth</a><br>
                  </blockquote>
                </div>
                <br>
              </div>
            </div>
          </blockquote>
        </div>
        <br>
      </div>
      <br>
      <fieldset class=3D"mimeAttachmentHeader"></fieldset>
      <br>
      <pre wrap=3D"">_______________________________________________
OAuth mailing list
<a class=3D"moz-txt-link-abbreviated" =
href=3D"mailto:OAuth@ietf.org">OAuth@ietf.org</a>
<a class=3D"moz-txt-link-freetext" =
href=3D"https://www.ietf.org/mailman/listinfo/oauth">https://www.ietf.org/=
mailman/listinfo/oauth</a>
</pre>
    </blockquote>
    <br>
    <div class=3D"moz-signature">-- <br>
      <a href=3D"http://connect.me/gffletch" title=3D"View full card on
        Connect.Me"><span>&lt;XeC.png&gt;</span></a></div>
  </div>

</blockquote></div><br></div></body></html>=

--Apple-Mail=_9A79775F-0E16-4DC3-BD4C-D75FF48C8663--

From gffletch@aol.com  Wed Aug 28 10:08:05 2013
Return-Path: <gffletch@aol.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 96F2F11E827F for <oauth@ietfa.amsl.com>; Wed, 28 Aug 2013 10:08:05 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.315
X-Spam-Level: 
X-Spam-Status: No, score=-1.315 tagged_above=-999 required=5 tests=[AWL=-1.017, BAYES_00=-2.599, HTML_MESSAGE=0.001, MANGLED_PREMTR=2.3]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Hly+mOrA1Vqs for <oauth@ietfa.amsl.com>; Wed, 28 Aug 2013 10:08:01 -0700 (PDT)
Received: from omr-d01.mx.aol.com (omr-d01.mx.aol.com [205.188.252.208]) by ietfa.amsl.com (Postfix) with ESMTP id 877F611E8274 for <oauth@ietf.org>; Wed, 28 Aug 2013 10:08:00 -0700 (PDT)
Received: from mtaout-mb05.r1000.mx.aol.com (mtaout-mb05.r1000.mx.aol.com [172.29.41.69]) by omr-d01.mx.aol.com (Outbound Mail Relay) with ESMTP id 401BE700000A2; Wed, 28 Aug 2013 13:08:00 -0400 (EDT)
Received: from palantir.local (unknown [10.181.176.48]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by mtaout-mb05.r1000.mx.aol.com (MUA/Third Party Client Interface) with ESMTPSA id EAAD6E000093; Wed, 28 Aug 2013 13:07:59 -0400 (EDT)
Message-ID: <521E2E6F.4010000@aol.com>
Date: Wed, 28 Aug 2013 13:07:59 -0400
From: George Fletcher <gffletch@aol.com>
Organization: AOL LLC
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:17.0) Gecko/20130801 Thunderbird/17.0.8
MIME-Version: 1.0
To: Phil Hunt <phil.hunt@oracle.com>
References: <1373E8CE237FCC43BCA36C6558612D2AA28D6A@USCHMBX001.nsn-intra.net> <4D9D4AAD-55F9-4B7E-A56F-5BC42F028E13@oracle.com> <B14A12F5-EF5C-4529-90B7-C30E17958907@oracle.com>	<521E1A34.30204@mitre.org> <BC009D74-FEF3-4827-8C0D-1B2FCCF9DA65@oracle.com> <521E2353.2030904@aol.com> <23dda71eaefa47fb848fd2d6e4cd7499@BY2PR03MB189.namprd03.prod.outlook.com> <521E2657.1060506@aol.com> <521E276F.3010804@gmail.com> <48AAD6B2-28E2-4B55-AE3E-C890216961C3@oracle.com> <521E29AB.4070303@aol.com> <EEA753B5-C42A-4228-A8C7-B9A0FED0CB4F@oracle.com>
In-Reply-To: <EEA753B5-C42A-4228-A8C7-B9A0FED0CB4F@oracle.com>
Content-Type: multipart/alternative; boundary="------------020000050206010003040005"
x-aol-global-disposition: G
X-AOL-VSS-INFO: 5400.1158/93305
X-AOL-VSS-CODE: clean
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=mx.aol.com; s=20121107; t=1377709680; bh=lSatC213A+vJwP+TkpurLXJwph6k5Pzq2iwcEkB8PPQ=; h=From:To:Subject:Message-ID:Date:MIME-Version:Content-Type; b=C/Y+G4qYAQzompNwLqdJ0La3lF0BTryKkW7wkXVSgbSYaSa6DwDb56/CGz3p/ba0A ACejE0BuY188Xyajf/s9ehCwfSsNO3U3iST7k0tno4LfVX02PvUMU/5RDN9kQx0IYA v+hLAeRCOGiiKzBkYrVyCcx/3j69AwgFCrwgEZjA=
x-aol-sid: 3039ac1d2945521e2e6f5bcd
X-AOL-IP: 10.181.176.48
Cc: oauth@ietf.org
Subject: Re: [OAUTH-WG] Dynamic Client Registration Conference Call: Wed 28 Aug, 2pm PDT: Conference Bridge Details
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 28 Aug 2013 17:08:06 -0000

This is a multi-part message in MIME format.
--------------020000050206010003040005
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit

Could I propose you take a slightly different perspective? Can you build 
a profile using the existing dyn reg spec that provides the capabilities 
you desire and from there determine what doesn't work?

For instance...
    1. initial_access_token contains all non-changing client meta-data
    2. calling the client registration endpoint with the 
initial_access_token causes the AS to recognize the potentially new 
class and store the client class meta-data in the AS (again support for 
local or federated initial_access_token is supported). The client 
specific parameters (possibly redirect URIs or otherwise) are encoded 
into an encrypted assertion and returned as the client_id, no 
client_secret is provided and the registration access token value (which 
again is an encrypted assertion)
    3.  client uses the client_id with either the assertion profile (if 
you want) or the normal OAuth2 core flows (just no secret).

I think that covers what you want to do. This profile of the current 
dyn-reg spec could explicitly disallow certain functions such as the 
update and delete options.

If this spec is much simpler and everyone wants to use it, it will be the 
de facto standard anyway. A clean profile is much better than polluting 
the core.

Thanks,
George

On 8/28/13 12:54 PM, Phil Hunt wrote:
> That's what I'm trying to do. All I have been asking for is time to 
> explore the spec and to see how it can impact and simplify dyn reg -- 
> which I believe is a significant amount.  It would be premature at 
> this point to move Dyn Reg forward without exploring this.
>
> I still believe dyn reg is over-specified because it assumes *every* 
> client registration is different when in fact 99.9% of registrations 
> are going to fall in clusters of client applications.  Much of the 
> parameters can be moved to step 1 of registration or at the least be 
> bundled into the software assertion. Thus the reg endpoint only has to 
> deal with truly instance specific details (e.g. like credential 
> management).
>
> I don't preclude that most of dyn reg may remain intact, but it seems 
> clear there will be substantive breaking changes that simplify 
> registration.
>
> Phil
>
> @independentid
> www.independentid.com <http://www.independentid.com>
> phil.hunt@oracle.com <mailto:phil.hunt@oracle.com>
>
>
>
>
>
>
>
> On 2013-08-28, at 9:47 AM, George Fletcher <gffletch@aol.com 
> <mailto:gffletch@aol.com>> wrote:
>
>> So Phil... given that you can do all this today with the existing set 
>> of specifications... why not write the software statements/client 
>> assertion registration spec so that it meets your use case and 
>> deployment needs. I'd much rather have two straight forward ways to 
>> do something when the core use cases are so different than to try and 
>> munge everything into one and end up with unnecessary complexity in 
>> one or both of the solutions.
>>
>> I see the use case you are trying to solve for as significantly 
>> different than the one I'm trying to solve for. Now maybe your way is 
>> the better way but why not let the market make that decision? We will 
>> not confuse developers by having two ways to do things as it will be 
>> very clear at the beginning of development which way is needed for 
>> their use case:)
>>
>> Thanks,
>> George
>>
>> On 8/28/13 12:41 PM, Phil Hunt wrote:
>>> Yes. A client could pass the software statement *directly* as its client credential.  Which is one of the *simple* solutions. 8-)
>>>
>>> The other case is where the client instance needs its own credential as George indicates.  In that case it could swap the statement for a unique client assertion.
>>>
>>> Phil
>>>
>>> @independentid
>>> www.independentid.com
>>> phil.hunt@oracle.com
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>> On 2013-08-28, at 9:38 AM, Sergey Beryozkin<sberyozkin@gmail.com>  wrote:
>>>
>>>> On 28/08/13 17:33, George Fletcher wrote:
>>>>> So I understand that you'd rather that OAuth doesn't require a
>>>>> client_secret and that's fine. However, I don't think we should impose
>>>>> that thinking on the rest of the world who have already implemented it
>>>>> and have it working and scaling without issues. If the core of this
>>>>> discussion is around replacing client_id and client_secret with a
>>>>> client_assertion then let's have that discussion separately and not bury
>>>>> it in the dynamic registration discussion.
>>>>>
>>>>> Could you not profile OAuth2 to support a flow that allows for retrieval
>>>>> of access and refresh tokens using code + client_assertion? Doesn't seem
>>>>> like that hard a profile and then the rest of this could fall out pretty
>>>>> easily.
>>>>>
>>>> That is already supported AFAIK, something like
>>>>
>>>> grant_type=authorization_code
>>>> &code=12345678
>>>> &client_assertion_type=urn%3Aietf%3Aparams%3Aoauth%3Aclient-assertion-type%3Asaml2-bearer
>>>> &client_assertion=Base64UrlEncoded-SAML2-Bearer-Assertion
>>>>
>>>> probably the same works with JWT
>>>>
>>>> Sergey
>>>>
>>>>
>>>>> Thanks,
>>>>> George
>>>>>
>>>>> On 8/28/13 12:28 PM, Anthony Nadalin wrote:
>>>>>> I do think that this is the rare-edge use case, we would not want
>>>>>> require client-secret, we already have that mess today with OAuth and
>>>>>> trying not to continue the proliferation, we solve this today with our
>>>>>> STS and assertion swaps/transformations, it scales, performs and we
>>>>>> don't have the management debacle this specification creates
>>>>>>
>>>>>> *From:*oauth-bounces@ietf.org  <mailto:oauth-bounces@ietf.org>  [mailto:oauth-bounces@ietf.org] *On
>>>>>> Behalf Of *George Fletcher
>>>>>> *Sent:* Wednesday, August 28, 2013 9:21 AM
>>>>>> *To:* Phil Hunt
>>>>>> *Cc:* oauth mailing list
>>>>>> *Subject:* Re: [OAUTH-WG] Dynamic Client Registration Conference Call:
>>>>>> Wed 28 Aug, 2pm PDT: Conference Bridge Details
>>>>>>
>>>>>> On 8/28/13 12:02 PM, Phil Hunt wrote:
>>>>>>
>>>>>>     Please define the all in one case. I think this is the edge case and is in fact rare.
>>>>>>
>>>>>>
>>>>>>
>>>>>>     I agree, in many cases step 1 can be made by simply approving a class of software. But then step 2 is simplified.
>>>>>>
>>>>>>
>>>>>>
>>>>>>     Dyn reg assumes every registration of an instance is unique which to me is a very extreme
>>>>>>
>>>>>> If you have a mobile app that needs to do the code flow... which
>>>>>> requires a client_secret in order to retrieve the access token and
>>>>>> refresh token, how does the app do this without per app instance
>>>>>> registration?
>>>>>>
>>>>>> I'd argue that almost all user facing mobile apps will want the above
>>>>>> flow and that's not a small, rare edge case.
>>>>>>
>>>>>> Thanks,
>>>>>> George
>>>>>>
>>>>>>     position.
>>>>>>
>>>>>>
>>>>>>
>>>>>>     Phil
>>>>>>
>>>>>>
>>>>>>
>>>>>>     On 2013-08-28, at 8:41, Justin Richer<jricher@mitre.org>   <mailto:jricher@mitre.org>   wrote:
>>>>>>
>>>>>>
>>>>>>
>>>>>>         Except for the cases where you want step 1 to happen in band. To me, that is a vitally and fundamentally important use case that we can't disregard, and we must have a solution that can accommodate that. The notions of "publisher" and "product" fade very quickly once you get outside of the software vendor world.
>>>>>>
>>>>>>
>>>>>>
>>>>>>         This is, of course, not to stand in the way of other solutions or approaches (such as something assertion based like you're after). It's not a one-or-the-other proposition, especially when there are mutually exclusive aspects of each.
>>>>>>
>>>>>>
>>>>>>
>>>>>>         Therefore I once again call for the WG to finish the current dynamic registration spec *AND* pursue the assertion based process that Phil's talking about. They're not mutually exclusive, let's please stop talking about them like they are.
>>>>>>
>>>>>>
>>>>>>
>>>>>>         -- Justin
>>>>>>
>>>>>>
>>>>>>
>>>>>>         On 08/28/2013 11:17 AM, Phil Hunt wrote:
>>>>>>
>>>>>>             Sorry. I meant also to say I think there are 2 registration steps
>>>>>>
>>>>>>             1. Software registration/approval. This often happens out of band. But in this step policy is defined that approves software for use. Many of the reg params are known here.
>>>>>>
>>>>>>
>>>>>>
>>>>>>             Federation techniques come into play as trust approvals can be based on developer, product or even publisher.
>>>>>>
>>>>>>
>>>>>>
>>>>>>             2. Each instance associates in a stateless way. Only clients that need credential rotation need more.
>>>>>>
>>>>>>
>>>>>>
>>>>>>             Phil
>>>>>>
>>>>>>
>>>>>>
>>>>>>             On 2013-08-28, at 8:04, Phil Hunt<phil.hunt@oracle.com>   <mailto:phil.hunt@oracle.com>   wrote:
>>>>>>
>>>>>>
>>>>>>
>>>>>>                 I have a conflict I cannot get out of for 2pacific.
>>>>>>
>>>>>>
>>>>>>
>>>>>>                 I think a certificate based approach is going to simplify exchanges in all cases. I encourage the group to explore the concept on the call.
>>>>>>
>>>>>>
>>>>>>
>>>>>>                 I am not sure breaking dyn reg up helps. It creates yet another option. I would like to explore how federation concept in software statements can help with facilitating association and making many reg stateless.
>>>>>>
>>>>>>
>>>>>>
>>>>>>                 Phil
>>>>>>
>>>>>>
>>>>>>
>>>>>>                 On 2013-08-28, at 5:43, "Tschofenig, Hannes (NSN - FI/Espoo)"<hannes.tschofenig@nsn.com>   <mailto:hannes.tschofenig@nsn.com>   wrote:
>>>>>>
>>>>>>
>>>>>>
>>>>>>                     Here are the conference bridge / Webex details for the call today.
>>>>>>
>>>>>>                     We are going to complete the use case discussions from last time (Phil wasn't able to walk through all slides). Justin was also able to work out a strawman proposal based on the discussions last week and we will have a look at it to see whether this is a suitable compromise. Here is Justin's mail, in case you have missed it: http://www.ietf.org/mail-archive/web/oauth/current/msg12036.html
>>>>>>
>>>>>>
>>>>>>
>>>>>>                     Phil, please feel free to make adjustments to your slides given the Justin's recent proposal.
>>>>>>
>>>>>>
>>>>>>
>>>>>>                     Topic: OAuth Dynamic Client Registration
>>>>>>
>>>>>>                     Date: Wednesday, August 28, 2013
>>>>>>
>>>>>>                     Time: 2:00 pm, Pacific Daylight Time (San Francisco, GMT-07:00)
>>>>>>
>>>>>>                     Meeting Number: 703 230 586
>>>>>>
>>>>>>                     Meeting Password: oauth
>>>>>>
>>>>>>
>>>>>>
>>>>>>                     -------------------------------------------------------
>>>>>>
>>>>>>                     To join the online meeting
>>>>>>
>>>>>>                     -------------------------------------------------------
>>>>>>
>>>>>>                     1. Go to https://nsn.webex.com/nsn/j.php?ED=269567657&UID=0&PW=NNTI1ZWQzMDJk&RT=MiM0
>>>>>>
>>>>>>                     2. Enter your name and email address.
>>>>>>
>>>>>>                     3. Enter the meeting password: oauth
>>>>>>
>>>>>>                     4. Click "Join Now".
>>>>>>
>>>>>>
>>>>>>
>>>>>>                     To view in other time zones or languages, please click the link:
>>>>>>
>>>>>>                     https://nsn.webex.com/nsn/j.php?ED=269567657&UID=0&PW=NNTI1ZWQzMDJk&ORT=MiM0
>>>>>>
>>>>>>
>>>>>>
>>>>>>                     To add this meeting to your calendar program (for example Microsoft Outlook), click this link:
>>>>>>
>>>>>>                     https://nsn.webex.com/nsn/j.php?ED=269567657&UID=0&ICS=MI&LD=1&RD=2&ST=1&SHA2=C6-AjLGvhdYjmpVdx75M6UsAwrNLMsequ5n95Gyv1R8=&RT=MiM0
>>>>>>
>>>>>>
>>>>>>
>>>>>>                     -------------------------------------------------------
>>>>>>
>>>>>>                     To join the teleconference only
>>>>>>
>>>>>>                     -------------------------------------------------------
>>>>>>
>>>>>>                     Global dial-in Numbers: http://www.nokiasiemensnetworks.com/nvc
>>>>>>
>>>>>>                     Conference Code: 944 910 5485
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>                     _______________________________________________
>>>>>>
>>>>>>                     OAuth mailing list
>>>>>>
>>>>>>                     OAuth@ietf.org   <mailto:OAuth@ietf.org>
>>>>>>
>>>>>>                     https://www.ietf.org/mailman/listinfo/oauth
>>>>>>
>>>>>> --
>>>>>> George Fletcher<http://connect.me/gffletch>
>>>>>>
>>>>> --
>>>>> George Fletcher<http://connect.me/gffletch>
>>>>>
>>>>>
>>>>> _______________________________________________
>>>>> OAuth mailing list
>>>>> OAuth@ietf.org
>>>>> https://www.ietf.org/mailman/listinfo/oauth
>>>>>
>>>> -- 
>>>> Sergey Beryozkin
>>>>
>>>> Talend Community Coders
>>>> http://coders.talend.com/
>>>>
>>>> Blog:http://sberyozkin.blogspot.com
>>>> _______________________________________________
>>>> OAuth mailing list
>>>> OAuth@ietf.org
>>>> https://www.ietf.org/mailman/listinfo/oauth
>>> _______________________________________________
>>> OAuth mailing list
>>> OAuth@ietf.org
>>> https://www.ietf.org/mailman/listinfo/oauth
>>>
>>>
>>
>> -- 
>> <XeC.png> <http://connect.me/gffletch>
>

-- 
George Fletcher <http://connect.me/gffletch>
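
An added example, not part of George's message or of any OAuth specification: a Python rendering of the three-step stateless profile proposed above, in which the AS keeps only per-class metadata and each instance's parameters travel inside its client_id. It integrity-protects the assertion with HMAC-SHA256 instead of encrypting it (the Python standard library has no authenticated encryption); the key, the claim names (`typ`, `exp`, `class`, `meta`), the function names and the expiry on client_id are all assumptions.

```python
import base64
import hashlib
import hmac
import json
import time

AS_KEY = b"constructed-demo-key-known-only-to-the-AS"  # constructed value
CLASS_STORE = {}  # software_id -> class metadata; the only state the AS keeps


class InvalidClient(Exception):
    """Raised when an initial access token or client_id fails validation."""


def b64(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def seal(claims):
    """Serialize claims and append an HMAC-SHA256 tag computed by the AS."""
    body = b64(json.dumps(claims, sort_keys=True).encode("utf-8"))
    tag = hmac.new(AS_KEY, body.encode("ascii"), hashlib.sha256).digest()
    return body + "." + b64(tag)


def unseal(token, expected_type, now):
    """Verify the tag, then the token type and expiry; return the claims."""
    if not isinstance(token, str):
        raise InvalidClient("token must be a string")
    try:
        body, tag = token.split(".")
        good = hmac.new(AS_KEY, body.encode("ascii"), hashlib.sha256).digest()
        if not hmac.compare_digest(good, unb64(tag)):
            raise ValueError("tag mismatch")
        claims = json.loads(unb64(body))
    except ValueError as exc:  # also covers bad base64, bad JSON, non-ASCII
        raise InvalidClient("malformed or forged token") from exc
    # The type check stops an initial access token being replayed as client_id.
    if claims.get("typ") != expected_type:
        raise InvalidClient("wrong token type")
    if now >= claims.get("exp", 0):
        raise InvalidClient("token expired")
    return claims


def issue_initial_access_token(class_metadata, ttl=3600, now=None):
    """Step 1: the token itself carries the non-changing class metadata."""
    now = time.time() if now is None else now
    return seal({"typ": "iat", "exp": now + ttl, "meta": class_metadata})


def register(initial_access_token, redirect_uris, ttl=86400, now=None):
    """Step 2: record the class once; return instance data inside client_id."""
    now = time.time() if now is None else now
    meta = unseal(initial_access_token, "iat", now)["meta"]
    software_id = meta.get("software_id")
    if not software_id:
        raise InvalidClient("class metadata lacks software_id")
    CLASS_STORE.setdefault(software_id, meta)
    client_id = seal({"typ": "cid", "exp": now + ttl, "class": software_id,
                      "redirect_uris": list(redirect_uris)})
    return {"client_id": client_id}  # no client_secret is issued


def validate_client(client_id, redirect_uri, now=None):
    """Step 3: check a request using only client_id plus class metadata."""
    now = time.time() if now is None else now
    claims = unseal(client_id, "cid", now)
    meta = CLASS_STORE.get(claims["class"])
    if meta is None:
        raise InvalidClient("unknown software class")
    # Exact match against the URIs bound into this instance's client_id.
    if redirect_uri not in claims["redirect_uris"]:
        raise InvalidClient("redirect_uri not registered for this instance")
    return meta


if __name__ == "__main__":
    # Constructed sample data, not taken from the thread.
    iat = issue_initial_access_token(
        {"software_id": "example-mail-app", "client_name": "Example Mail"})
    reg = register(iat, ["https://app.example/cb"])
    print(validate_client(reg["client_id"], "https://app.example/cb"))
```

Because the AS keeps no per-instance record, an issued client_id cannot be revoked individually; the expiry claim only bounds how long a leaked one stays usable.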

--------------020000050206010003040005
Content-Type: multipart/related;
 boundary="------------090309060100040406000806"


--------------090309060100040406000806
Content-Type: text/html; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit

<html>
  <head>
    <meta content="text/html; charset=ISO-8859-1"
      http-equiv="Content-Type">
  </head>
  <body bgcolor="#FFFFFF" text="#000000">
    <font face="Helvetica, Arial, sans-serif">Could I propose you take a
      slightly different perspective? Can you build a profile using the
      existing dyn reg spec that provides the capabilities you desire
      and from there determine what doesn't work?<br>
      <br>
      For instance...<br>
      &nbsp;&nbsp; 1. initial_access_token contains all non-changing client meta-data<br>
      &nbsp;&nbsp; 2. calling the client registration endpoint with the
      initial_access_token causes the AS to recognize the potentially
      new class and store the client class meta-data in the AS (again
      support for local or federated initial_access_token is supported).
      The client specific parameters (possibly redirect URIs or
      otherwise) are encoded into an encrypted assertion and returned as
      the client_id, no client_secret is provided and the registration
      access token value (which again is an encrypted assertion)<br>
      &nbsp;&nbsp; 3.&nbsp; client uses the client_id with either the assertion profile
      (if you want) or the normal OAuth2 core flows (just no secret).<br>
      <br>
      I think that covers what you want to do. This profile of the
      current dyn-reg spec could explicitly disallow certain functions
      such as the update and delete options. <br>
      <br>
      If this spec is much simpler and everyone wants to use it, it will
      be the de facto standard anyway. A clean profile is much better
      than polluting the core.<br>
      <br>
      Thanks,<br>
      George<br>
      <br>
    </font>
    <div class="moz-cite-prefix">On 8/28/13 12:54 PM, Phil Hunt wrote:<br>
    </div>
    <blockquote
      cite="mid:EEA753B5-C42A-4228-A8C7-B9A0FED0CB4F@oracle.com"
      type="cite">
      <meta http-equiv="Content-Type" content="text/html;
        charset=ISO-8859-1">
      That's what I'm trying to do.&nbsp;All I have been asking for is time
      to explore the spec and to see how it can impact and simplify dyn
      reg -- which I believe is a significant amount. &nbsp;It would be
      premature at this point to move Dyn Reg forward without exploring
      this.
      <div><br>
      </div>
      <div>I still believe dyn reg is over-specified because it assumes
        *every* client registration is different when in fact 99.9% of
        registrations are going to fall in clusters of client
        applications. &nbsp;Much of the parameters can be moved to step 1 of
        registration or at the least be bundled into the software
        assertion. Thus the reg endpoint only has to deal with truly
        instance specific details (e.g. like credential management).</div>
      <div><br>
      </div>
      <div>I don't preclude that most of dyn reg may remain intact, but
        it seems clear there will be substantive breaking changes that
        simplify registration.</div>
      <div><br>
      </div>
      <div>
        <div apple-content-edited="true">
          <div>Phil</div>
          <div><br>
          </div>
          <div>@independentid</div>
          <div><a moz-do-not-send="true"
              href="http://www.independentid.com">www.independentid.com</a></div>
          <div><a moz-do-not-send="true"
              href="mailto:phil.hunt@oracle.com">phil.hunt@oracle.com</a></div>
        </div>
        <br>
        <div>
          <div>On 2013-08-28, at 9:47 AM, George Fletcher &lt;<a
              moz-do-not-send="true" href="mailto:gffletch@aol.com">gffletch@aol.com</a>&gt;
            wrote:</div>
          <br class="Apple-interchange-newline">
          <blockquote type="cite">
            <meta content="text/html; charset=ISO-8859-1"
              http-equiv="Content-Type">
            <div bgcolor="#FFFFFF" text="#000000"> <font
                face="Helvetica, Arial, sans-serif">So Phil... given
                that you can do all this today with the existing set of
                specifications... why not write the software
                statements/client assertion registration spec so that it
                meets your use case and deployment needs. I'd much
                rather have two straightforward ways to do something
                when the core use cases are so different than to try and
                munge everything into one and end up with unnecessary
                complexity in one or both of the solutions.<br>
                <br>
                I see the use case you are trying to solve for as
                significantly different than the one I'm trying to solve
                for. Now maybe your way is the better way but why not
                let the market make that decision? We will not confuse
                developers by having two ways to do things as it will be
                very clear at the beginning of development which way is
                needed for their use case:)<br>
                <br>
                Thanks,<br>
                George<br>
                <br>
              </font>
              <div class="moz-cite-prefix">On 8/28/13 12:41 PM, Phil
                Hunt wrote:<br>
              </div>
              <blockquote
                cite="mid:48AAD6B2-28E2-4B55-AE3E-C890216961C3@oracle.com"
                type="cite">
                <pre wrap="">Yes. A client could pass the software statement *directly* as its client credential.  Which is one of the *simple* solutions. 8-)

The other case is where the client instance needs its own credential as George indicates.  In that case it could swap the statement for a unique client assertion.

Phil

@independentid
<a moz-do-not-send="true" class="moz-txt-link-abbreviated" href="http://www.independentid.com/">www.independentid.com</a>
<a moz-do-not-send="true" class="moz-txt-link-abbreviated" href="mailto:phil.hunt@oracle.com">phil.hunt@oracle.com</a>







On 2013-08-28, at 9:38 AM, Sergey Beryozkin <a moz-do-not-send="true" class="moz-txt-link-rfc2396E" href="mailto:sberyozkin@gmail.com">&lt;sberyozkin@gmail.com&gt;</a> wrote:

</pre>
                <blockquote type="cite">
                  <pre wrap="">On 28/08/13 17:33, George Fletcher wrote:
</pre>
                  <blockquote type="cite">
                    <pre wrap="">So I understand that you'd rather that OAuth doesn't require a
client_secret and that's fine. However, I don't think we should impose
that thinking on the rest of the world who have already implemented it
and have it working and scaling without issues. If the core of this
discussion is around replacing client_id and client_secret with a
client_assertion then let's have that discussion separately and not bury
it in the dynamic registration discussion.

Could you not profile OAuth2 to support a flow that allows for retrieval
of access and refresh tokens using code + client_assertion? Doesn't seem
like that hard a profile and then the rest of this could fall out pretty
easily.

</pre>
                  </blockquote>
                  <pre wrap="">That is already supported AFAIK, something like

grant_type=authorization_code
&amp;code=12345678
&amp;client_assertion_type=urn%3Aietf%3Aparams%3Aoauth%3Aclient-assertion-type%3Asaml2-bearer
&amp;client_assertion=Base64UrlEncoded-SAML2-Bearer-Assertion

probably the same works with JWT

Sergey


</pre>
                  <blockquote type="cite">
                    <pre wrap="">Thanks,
George

On 8/28/13 12:28 PM, Anthony Nadalin wrote:
</pre>
                    <blockquote type="cite">
                      <pre wrap="">I do think that this is the rare-edge use case, we would not want to
require client-secret, we already have that mess today with OAuth and
trying not to continue the proliferation, we solve this today with our
STS and assertion swaps/transformations, it scales, performs and we
don&#8217;t have the management debacle this specification creates

*From:*<a moz-do-not-send="true" href="mailto:oauth-bounces@ietf.org">oauth-bounces@ietf.org</a> [<a moz-do-not-send="true" class="moz-txt-link-freetext" href="mailto:oauth-bounces@ietf.org">mailto:oauth-bounces@ietf.org</a>] *On
Behalf Of *George Fletcher
*Sent:* Wednesday, August 28, 2013 9:21 AM
*To:* Phil Hunt
*Cc:* oauth mailing list
*Subject:* Re: [OAUTH-WG] Dynamic Client Registration Conference Call:
Wed 28 Aug, 2pm PDT: Conference Bridge Details

On 8/28/13 12:02 PM, Phil Hunt wrote:

   Please define the all in one case. I think this is the edge case and is in fact rare.



   I agree, in many cases step 1 can be made by simply approving a class of software. But then step 2 is simplified.



   Dyn reg assumes every registration of an instance is unique which to me is a very extreme

If you have a mobile app that needs to do the code flow... which
requires a client_secret in order to retrieve the access token and
refresh token, how does the app do this without per app instance
registration?

I'd argue that almost all user facing mobile apps will want the above
flow and that's not a small, rare edge case.

Thanks,
George

   position.



   Phil



   On 2013-08-28, at 8:41, Justin Richer<a moz-do-not-send="true" class="moz-txt-link-rfc2396E" href="mailto:jricher@mitre.org">&lt;jricher@mitre.org&gt;</a>  <a moz-do-not-send="true" class="moz-txt-link-rfc2396E" href="mailto:jricher@mitre.org">&lt;mailto:jricher@mitre.org&gt;</a>  wrote:



       Except for the cases where you want step 1 to happen in band. To me, that is a vitally and fundamentally important use case that we can't disregard, and we must have a solution that can accommodate that. The notions of "publisher" and "product" fade very quickly once you get outside of the software vendor world.



       This is, of course, not to stand in the way of other solutions or approaches (such as something assertion based like you're after). It's not a one-or-the-other proposition, especially when there are mutually exclusive aspects of each.



       Therefore I once again call for the WG to finish the current dynamic registration spec *AND* pursue the assertion based process that Phil's talking about. They're not mutually exclusive, let's please stop talking about them like they are.



       -- Justin



       On 08/28/2013 11:17 AM, Phil Hunt wrote:

           Sorry. I meant also to say i think there are 2 registration steps

           1. Software registration/approval. This often happens out of band. But in this step policy is defined that approves software for use. Many of the reg params are known here.



           Federation techniques come into play as trust approvals can be based on developer, product or even publisher.



           2. Each instance associates in a stateless way. Only clients that need credential rotation need more.



           Phil



           On 2013-08-28, at 8:04, Phil Hunt<a moz-do-not-send="true" class="moz-txt-link-rfc2396E" href="mailto:phil.hunt@oracle.com">&lt;phil.hunt@oracle.com&gt;</a>  <a moz-do-not-send="true" class="moz-txt-link-rfc2396E" href="mailto:phil.hunt@oracle.com">&lt;mailto:phil.hunt@oracle.com&gt;</a>  wrote:



               I have a conflict I cannot get out of for 2pacific.



               I think a certificate based approach is going to simplify exchanges in all cases. I encourage the group to explore the concept on the call.



               I am not sure breaking dyn reg up helps. It creates yet another option. I would like to explore how federation concept in software statements can help with facilitating association and making many reg stateless.



               Phil



               On 2013-08-28, at 5:43, "Tschofenig, Hannes (NSN - FI/Espoo)"<a moz-do-not-send="true" class="moz-txt-link-rfc2396E" href="mailto:hannes.tschofenig@nsn.com">&lt;hannes.tschofenig@nsn.com&gt;</a>  <a moz-do-not-send="true" class="moz-txt-link-rfc2396E" href="mailto:hannes.tschofenig@nsn.com">&lt;mailto:hannes.tschofenig@nsn.com&gt;</a>  wrote:



                   Here are the conference bridge / Webex details for the call today.

                   We are going to complete the use case discussions from last time (Phil wasn't able to walk through all slides). Justin was also able to work out a strawman proposal based on the discussions last week and we will have a look at it to see whether this is a suitable compromise. Here is Justin's mail, in case you have missed it:<a moz-do-not-send="true" class="moz-txt-link-freetext" href="http://www.ietf.org/mail-archive/web/oauth/current/msg12036.html">http://www.ietf.org/mail-archive/web/oauth/current/msg12036.html</a>



                   Phil, please feel free to make adjustments to your slides given the Justin's recent proposal.



                   Topic: OAuth Dynamic Client Registration

                   Date: Wednesday, August 28, 2013

                   Time: 2:00 pm, Pacific Daylight Time (San Francisco, GMT-07:00)

                   Meeting Number: 703 230 586

                   Meeting Password: oauth



                   -------------------------------------------------------

                   To join the online meeting

                   -------------------------------------------------------

                   1. Go to <a moz-do-not-send="true" href="https://nsn.webex.com/nsn/j.php?ED=269567657&amp;UID=0&amp;PW=NNTI1ZWQzMDJk&amp;RT=MiM0">https://nsn.webex.com/nsn/j.php?ED=269567657&amp;UID=0&amp;PW=NNTI1ZWQzMDJk&amp;RT=MiM0</a>

                   2. Enter your name and email address.

                   3. Enter the meeting password: oauth

                   4. Click "Join Now".



                   To view in other time zones or languages, please click the link:

                   <a moz-do-not-send="true" class="moz-txt-link-freetext" href="https://nsn.webex.com/nsn/j.php?ED=269567657&amp;UID=0&amp;PW=NNTI1ZWQzMDJk&amp;ORT=MiM0">https://nsn.webex.com/nsn/j.php?ED=269567657&amp;UID=0&amp;PW=NNTI1ZWQzMDJk&amp;ORT=MiM0</a>



                   To add this meeting to your calendar program (for example Microsoft Outlook), click this link:

                   <a moz-do-not-send="true" class="moz-txt-link-freetext" href="https://nsn.webex.com/nsn/j.php?ED=269567657&amp;UID=0&amp;ICS=MI&amp;LD=1&amp;RD=2&amp;ST=1&amp;SHA2=C6-AjLGvhdYjmpVdx75M6UsAwrNLMsequ5n95Gyv1R8=&amp;RT=MiM0">https://nsn.webex.com/nsn/j.php?ED=269567657&amp;UID=0&amp;ICS=MI&amp;LD=1&amp;RD=2&amp;ST=1&amp;SHA2=C6-AjLGvhdYjmpVdx75M6UsAwrNLMsequ5n95Gyv1R8=&amp;RT=MiM0</a>



                   -------------------------------------------------------

                   To join the teleconference only

                   -------------------------------------------------------

                   Global dial-in Numbers:<a moz-do-not-send="true" class="moz-txt-link-freetext" href="http://www.nokiasiemensnetworks.com/nvc">http://www.nokiasiemensnetworks.com/nvc</a>

                   Conference Code: 944 910 5485





                   _______________________________________________

                   OAuth mailing list

                   <a moz-do-not-send="true" class="moz-txt-link-abbreviated" href="mailto:OAuth@ietf.org">OAuth@ietf.org</a>  <a moz-do-not-send="true" class="moz-txt-link-rfc2396E" href="mailto:OAuth@ietf.org">&lt;mailto:OAuth@ietf.org&gt;</a>

                   <a moz-do-not-send="true" class="moz-txt-link-freetext" href="https://www.ietf.org/mailman/listinfo/oauth">https://www.ietf.org/mailman/listinfo/oauth</a>





--
George Fletcher <a moz-do-not-send="true" class="moz-txt-link-rfc2396E" href="http://connect.me/gffletch">&lt;http://connect.me/gffletch&gt;</a>

</pre>
                    </blockquote>
                    <pre wrap="">--
George Fletcher <a moz-do-not-send="true" class="moz-txt-link-rfc2396E" href="http://connect.me/gffletch">&lt;http://connect.me/gffletch&gt;</a>



</pre>
                  </blockquote>
                  <pre wrap="">-- 
Sergey Beryozkin

Talend Community Coders
<a moz-do-not-send="true" class="moz-txt-link-freetext" href="http://coders.talend.com/">http://coders.talend.com/</a>

Blog: <a moz-do-not-send="true" class="moz-txt-link-freetext" href="http://sberyozkin.blogspot.com/">http://sberyozkin.blogspot.com</a>
</pre>
                </blockquote>
              </blockquote>
              <br>
              <div class="moz-signature">-- <br>
                <a moz-do-not-send="true"
                  href="http://connect.me/gffletch" title="View full
                  card on Connect.Me"><span>&lt;XeC.png&gt;</span></a></div>
            </div>
          </blockquote>
        </div>
        <br>
      </div>
    </blockquote>
    <br>
    <div class="moz-signature">-- <br>
      <a href="http://connect.me/gffletch" title="View full card on
        Connect.Me"><img src="cid:part43.06050709.05010208@aol.com"
          alt="George Fletcher" height="113" width="359"></a></div>
  </body>
</html>

--------------090309060100040406000806--

--------------020000050206010003040005--
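George's three-step profile above, sketched as an added example that is not part of the original message or of any draft: the AS seals the instance parameters into the client_id and later recovers them from the client_id alone. It swaps in an HMAC-SHA256 tag for the encrypted assertion the message describes, so it shows integrity only, not confidentiality; the key, the `typ` and `software_id` claim names, the locally issued initial access token and the sample values are all assumptions.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo key (assumption); a real AS would load this from a key store.
AS_KEY = b"constructed-demo-key-do-not-reuse"

# Class-level metadata the AS stores once per software class (step 2).
CLASS_STORE = {}


def _b64e(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def seal(typ: str, claims: dict) -> str:
    """Serialize claims and append an HMAC-SHA256 tag.

    The `typ` claim (hypothetical name) keeps an initial access token from
    being replayed as a client_id and vice versa.
    """
    body = _b64e(json.dumps(dict(claims, typ=typ), sort_keys=True).encode("utf-8"))
    tag = hmac.new(AS_KEY, body.encode("ascii"), hashlib.sha256).digest()
    return body + "." + _b64e(tag)


def unseal(expected_typ: str, token: str) -> dict:
    """Verify the tag before parsing anything, then check the token kind."""
    body, sep, tag = token.partition(".")
    if not sep:
        raise ValueError("malformed token")
    good = _b64e(hmac.new(AS_KEY, body.encode("utf-8"), hashlib.sha256).digest())
    # Compare the encoded tags in constant time; untrusted input is never decoded.
    if not hmac.compare_digest(good.encode("ascii"), tag.encode("utf-8")):
        raise ValueError("integrity check failed")
    claims = json.loads(_b64d(body))
    if claims.get("typ") != expected_typ:
        raise ValueError("wrong token type")
    return claims


def register(initial_access_token: str, redirect_uris: list) -> dict:
    """Steps 1 and 2: class metadata comes from the initial access token,
    instance parameters are sealed into the client_id, no client_secret."""
    cls = unseal("initial_access_token", initial_access_token)
    if not redirect_uris or not all(isinstance(u, str) and u for u in redirect_uris):
        raise ValueError("redirect_uris must be a non-empty list of strings")
    # The AS records the class the first time it sees it.
    CLASS_STORE.setdefault(cls["software_id"], {"client_name": cls["client_name"]})
    client_id = seal("client_id", {"software_id": cls["software_id"],
                                   "redirect_uris": list(redirect_uris)})
    return {"client_id": client_id}


def check_authorization_request(client_id: str, redirect_uri: str) -> dict:
    """Step 3: recover the registration from the client_id and enforce it."""
    reg = unseal("client_id", client_id)
    cls = CLASS_STORE.get(reg["software_id"])
    if cls is None:
        raise ValueError("software class not approved")
    if redirect_uri not in reg["redirect_uris"]:  # exact match only
        raise ValueError("redirect_uri not registered for this client")
    return {"client_name": cls["client_name"], "redirect_uri": redirect_uri}


# Constructed sample: an initial access token for one software class.
SAMPLE_INITIAL_ACCESS_TOKEN = seal(
    "initial_access_token",
    {"software_id": "example-mail-app", "client_name": "Example Mail"},
)

if __name__ == "__main__":
    reg = register(SAMPLE_INITIAL_ACCESS_TOKEN, ["https://app.example.com/cb"])
    print(check_authorization_request(reg["client_id"], "https://app.example.com/cb"))
```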

From gffletch@aol.com  Wed Aug 28 10:14:31 2013
Message-ID: <521E2FF0.9050205@aol.com>
Date: Wed, 28 Aug 2013 13:14:24 -0400
From: George Fletcher <gffletch@aol.com>
Organization: AOL LLC
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:17.0) Gecko/20130801 Thunderbird/17.0.8
MIME-Version: 1.0
To: Phil Hunt <phil.hunt@oracle.com>
References: <1373E8CE237FCC43BCA36C6558612D2AA28D6A@USCHMBX001.nsn-intra.net> <4D9D4AAD-55F9-4B7E-A56F-5BC42F028E13@oracle.com> <B14A12F5-EF5C-4529-90B7-C30E17958907@oracle.com> <521E1A34.30204@mitre.org> <BC009D74-FEF3-4827-8C0D-1B2FCCF9DA65@oracle.com> <521E2353.2030904@aol.com> <C7CBA9A2-92F5-4AE3-8AEE-1259B6635DD9@oracle.com> <521E256A.60908@aol.com> <9F232504-FC58-41FD-B040-31F898034AD2@oracle.com> <521E27BF.3030408@mitre.org> <5B2C7096-939A-4EA2-81FF-F15BDDFB7ABB@ve7jtb.com> <146ED1AF-DE42-4DF1-8DEC-7F82B4C91D07@oracle.com> <521E2B74.9080104@aol.com> <0D768920-8000-4176-A55B-1B2BE9791E08@oracle.com>
In-Reply-To: <0D768920-8000-4176-A55B-1B2BE9791E08@oracle.com>
Content-Type: multipart/alternative; boundary="------------070805090301010504070406"
Cc: oauth mailing list <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Dynamic Client Registration Conference Call: Wed 28 Aug, 2pm PDT: Conference Bridge Details

This is a multi-part message in MIME format.
--------------070805090301010504070406
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit

So, if we take the current OAuth model that I think I hear you 
espousing... OAuth core is "local"  and "federated" scenarios need to be 
profiled to be "locked down" ... then shouldn't we do the same thing 
with the dyn reg spec? Consider what's proposed as "local" and the 
"federated" model is a profile (see my other post).

In the UMA case (as I'm actively involved in that effort) I would want 
the UMA spec to define where agreed upon formats are required. I 
wouldn't want that done in the OAuth core specs. The reason is that the 
specification narrows the scope of the applicability of the solution to 
the problem domain being solved. So UMA, which defines the problem space 
it's trying to solve, should be the spec to define the required formats. 
This is clean layering.

In this case of federated app deployments that you are discussing it 
seems like it requires a special profile for that problem domain space 
just as UMA defines its own profile of OAuth2 for its problem space 
and OpenID Connect defines its profile for its problem domain space.

Thanks,
George

On 8/28/13 1:03 PM, Phil Hunt wrote:
> I think many of the parameters in dyn reg need to be specified in the 
> statement -- the main change is we're moving dyn reg parameters into 
> the statement and locking them down between instances.  It keeps 
> hackers from changing individual instances and it minimizes state in 
> per instance registration.
>
> The reason OAuth doesn't have to define token formats is they are 
> largely "local".  Federated token scenarios (like UMA) obviously have 
> to have some OOB agreement on format.  Given that registration in most 
> of these cases is federated, it seems appropriate to define these 
> assertions. (In the non-federated cases (e.g. like Google), they can 
> do registration using workflows with the developer directly.)
>
> Phil
>
> @independentid
> www.independentid.com <http://www.independentid.com>
> phil.hunt@oracle.com <mailto:phil.hunt@oracle.com>
>
>
>
>
>
>
>
> On 2013-08-28, at 9:55 AM, George Fletcher <gffletch@aol.com 
> <mailto:gffletch@aol.com>> wrote:
>
>> OAuth has never specified anything regarding the format of the "tokens" 
>> that the AS has to accept and that's one of its virtues. It allows 
>> for many implementations from local only to federated.
>>
>> I fully believe there is value in defining profiles of OAuth for 
>> particular problem domains that put restrictions on client_id format, 
>> access_token format etc (e.g. the assertion set of specs). However, 
>> those should be layered on top of OAuth as a profile and not be 
>> forced into the core. Otherwise, we are forcing all implementations 
>> down a much narrower path than is supported today. I definitely don't 
>> want to see that happen.
>>
>> Thanks,
>> George
>>
>> On 8/28/13 12:48 PM, Phil Hunt wrote:
>>> You can pass anything as a client_id.  It just has to be accepted. 
>>> That's the point of us writing a draft here isn't it?
>>>
>>> Phil
>>>
>>> @independentid
>>> www.independentid.com <http://www.independentid.com/>
>>> phil.hunt@oracle.com <mailto:phil.hunt@oracle.com>
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>> On 2013-08-28, at 9:45 AM, John Bradley <ve7jtb@ve7jtb.com 
>>> <mailto:ve7jtb@ve7jtb.com>> wrote:
>>>
>>>> That is my concern as well, sending an assertion to the 
>>>> authorization endpoint requires an extension of OAuth to add another 
>>>> parameter or placing it in the client_id which you can do now with 
>>>> the dynamic reg spec if the AS wants to.
>>>>
>>>> Holding up client registration for something that will require an 
>>>> extension to OAuth is overdoing it.   We need something for the 
>>>> OAuth spec we have now without requiring clients implement the 
>>>> assertion flow and other extensions.
>>>>
>>>> John B.
>>>>
>>>> On 2013-08-28, at 12:39 PM, Justin Richer <jricher@mitre.org 
>>>> <mailto:jricher@mitre.org>> wrote:
>>>>
>>>>> The initial_access_token doesn't assume that it's from the local 
>>>>> domain. It merely assumes that the authorization server accepts 
>>>>> the token, which would be true in the UMA case due to the 
>>>>> federation. It could also be the exact same kinds of mechanisms 
>>>>> that the software statement would use to achieve federation.
>>>>>
>>>>> I still don't see how an auth server is going to know about a 
>>>>> client's configuration state with the assertion swap method, since 
>>>>> there's no defined mechanism for sending a JWT assertion to the 
>>>>> authorization endpoint.
>>>>>
>>>>>  -- Justin
>>>>>
>>>>> On 08/28/2013 12:35 PM, Phil Hunt wrote:
>>>>>> George,
>>>>>>
>>>>>> It would be reasonable for a client to submit an assertion, and 
>>>>>> obtain its own client assertion in return.  This is very close to 
>>>>>> what is happening per 2.1, 2.2 of 
>>>>>> http://tools.ietf.org/html/draft-ietf-oauth-jwt-bearer-06
>>>>>>
>>>>>> In this case, the Software Statement is an authorization that is 
>>>>>> exchanged for a client assertion in return. Then the clients 
>>>>>> authenticate per section 2.2 of the JWT spec.
>>>>>>
>>>>>> Regarding initial_access_token.  This does have some of the 
>>>>>> characteristics I am speaking of. But it is unspecified and the 
>>>>>> assumption is that it is issued by the local domain.  This 
>>>>>> doesn't work in the UMA case because that's more like a federated 
>>>>>> model. Thus the specified software statement works because the AS 
>>>>>> can approve the client software based on name, and/or developer, 
>>>>>> and/or publisher -- whatever trust requires.
>>>>>>
>>>>>> Phil
>>>>>>
>>>>>> @independentid
>>>>>> www.independentid.com <http://www.independentid.com/>
>>>>>> phil.hunt@oracle.com <mailto:phil.hunt@oracle.com>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>> On 2013-08-28, at 9:29 AM, George Fletcher <gffletch@aol.com 
>>>>>> <mailto:gffletch@aol.com>> wrote:
>>>>>>
>>>>>>> I can't say I understand what you mean by a simple assertion 
>>>>>>> swap... but if you are wanting to use a client_assertion flow 
>>>>>>> instead of the code flow then that's something completely 
>>>>>>> different. If you are saying that you want the client_id to 
>>>>>>> represent an "instance" in a stateless way using an "assertion" 
>>>>>>> then that's already possible today.
>>>>>>>
>>>>>>> George
>>>>>>>
>>>>>>> On 8/28/13 12:23 PM, Phil Hunt wrote:
>>>>>>>> George
>>>>>>>>
>>>>>>>> That case can be solved with a simple assertion swap. We just 
>>>>>>>> have to profile it.
>>>>>>>>
>>>>>>>> Phil
>>>>>>>>
>>>>>>>> On 2013-08-28, at 9:20, George Fletcher <gffletch@aol.com 
>>>>>>>> <mailto:gffletch@aol.com>> wrote:
>>>>>>>>
>>>>>>>>>
>>>>>>>>> On 8/28/13 12:02 PM, Phil Hunt wrote:
>>>>>>>>>> Please define the all in one case. I think this is the edge case and is in fact rare.
>>>>>>>>>>
>>>>>>>>>> I agree, in many cases step 1 can be made by simply approving a class of software. But then step 2 is simplified.
>>>>>>>>>>
>>>>>>>>>> Dyn reg assumes every registration of an instance is unique which to me is a very extreme
>>>>>>>>> If you have a mobile app that needs to do the code flow... 
>>>>>>>>> which requires a client_secret in order to retrieve the access 
>>>>>>>>> token and refresh token, how does the app do this without per 
>>>>>>>>> app instance registration?
>>>>>>>>>
>>>>>>>>> I'd argue that almost all user facing mobile apps will want 
>>>>>>>>> the above flow and that's not a small, rare edge case.
>>>>>>>>>
>>>>>>>>> Thanks,
>>>>>>>>> George
>>>>>>>>>> position.
>>>>>>>>>>
>>>>>>>>>> Phil
>>>>>>>>>>
>>>>>>>>>> On 2013-08-28, at 8:41, Justin Richer<jricher@mitre.org>  wrote:
>>>>>>>>>>
>>>>>>>>>>> Except for the cases where you want step 1 to happen in band. To me, that is a vitally and fundamentally important use case that we can't disregard, and we must have a solution that can accommodate that. The notions of "publisher" and "product" fade very quickly once you get outside of the software vendor world.
>>>>>>>>>>>
>>>>>>>>>>> This is, of course, not to stand in the way of other solutions or approaches (such as something assertion based like you're after). It's not a one-or-the-other proposition, especially when there are mutually exclusive aspects of each.
>>>>>>>>>>>
>>>>>>>>>>> Therefore I once again call for the WG to finish the current dynamic registration spec *AND* pursue the assertion based process that Phil's talking about. They're not mutually exclusive, let's please stop talking about them like they are.
>>>>>>>>>>>
>>>>>>>>>>> -- Justin
>>>>>>>>>>>
>>>>>>>>>>> On 08/28/2013 11:17 AM, Phil Hunt wrote:
>>>>>>>>>>>> Sorry. I meant also to say I think there are 2 registration steps.
>>>>>>>>>>>>
>>>>>>>>>>>> 1. Software registration/approval. This often happens out of band. But in this step policy is defined that approves software for use. Many of the reg params are known here.
>>>>>>>>>>>>
>>>>>>>>>>>> Federation techniques come into play as trust approvals can be based on developer, product or even publisher.
>>>>>>>>>>>>
>>>>>>>>>>>> 2. Each instance associates in a stateless way. Only clients that need credential rotation need more.
>>>>>>>>>>>>
>>>>>>>>>>>> Phil
>>>>>>>>>>>>
>>>>>>>>>>>> On 2013-08-28, at 8:04, Phil Hunt<phil.hunt@oracle.com>  wrote:
>>>>>>>>>>>>
>>>>>>>>>>>>> I have a conflict I cannot get out of for 2pacific.
>>>>>>>>>>>>>
>>>>>>>>>>>>> I think a certificate based approach is going to simplify exchanges in all cases. I encourage the group to explore the concept on the call.
>>>>>>>>>>>>>
>>>>>>>>>>>>> I am not sure breaking dyn reg up helps. It creates yet another option. I would like to explore how federation concept in software statements can help with facilitating association and making many reg stateless.
>>>>>>>>>>>>>
>>>>>>>>>>>>> Phil
>>>>>>>>>>>>>
>>>>>>>>>>>>> On 2013-08-28, at 5:43, "Tschofenig, Hannes (NSN - FI/Espoo)"<hannes.tschofenig@nsn.com>  wrote:
>>>>>>>>>>>>>
>>>>>>>>>>>>>> Here are the conference bridge / Webex details for the call today.
>>>>>>>>>>>>>> We are going to complete the use case discussions from last time (Phil wasn't able to walk through all slides). Justin was also able to work out a strawman proposal based on the discussions last week and we will have a look at it to see whether this is a suitable compromise. Here is Justin's mail, in case you have missed it: http://www.ietf.org/mail-archive/web/oauth/current/msg12036.html
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Phil, please feel free to make adjustments to your slides given Justin's recent proposal.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Topic: OAuth Dynamic Client Registration
>>>>>>>>>>>>>> Date: Wednesday, August 28, 2013
>>>>>>>>>>>>>> Time: 2:00 pm, Pacific Daylight Time (San Francisco, GMT-07:00)
>>>>>>>>>>>>>> Meeting Number: 703 230 586
>>>>>>>>>>>>>> Meeting Password: oauth
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> -------------------------------------------------------
>>>>>>>>>>>>>> To join the online meeting
>>>>>>>>>>>>>> -------------------------------------------------------
>>>>>>>>>>>>>> 1. Go to https://nsn.webex.com/nsn/j.php?ED=269567657&UID=0&PW=NNTI1ZWQzMDJk&RT=MiM0
>>>>>>>>>>>>>> 2. Enter your name and email address.
>>>>>>>>>>>>>> 3. Enter the meeting password: oauth
>>>>>>>>>>>>>> 4. Click "Join Now".
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> To view in other time zones or languages, please click the link:
>>>>>>>>>>>>>> https://nsn.webex.com/nsn/j.php?ED=269567657&UID=0&PW=NNTI1ZWQzMDJk&ORT=MiM0
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> To add this meeting to your calendar program (for example Microsoft Outlook), click this link:
>>>>>>>>>>>>>> https://nsn.webex.com/nsn/j.php?ED=269567657&UID=0&ICS=MI&LD=1&RD=2&ST=1&SHA2=C6-AjLGvhdYjmpVdx75M6UsAwrNLMsequ5n95Gyv1R8=&RT=MiM0
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> -------------------------------------------------------
>>>>>>>>>>>>>> To join the teleconference only
>>>>>>>>>>>>>> -------------------------------------------------------
>>>>>>>>>>>>>> Global dial-in Numbers: http://www.nokiasiemensnetworks.com/nvc
>>>>>>>>>>>>>> Conference Code: 944 910 5485
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> _______________________________________________
>>>>>>>>>>>>>> OAuth mailing list
>>>>>>>>>>>>>> OAuth@ietf.org
>>>>>>>>>>>>>> https://www.ietf.org/mailman/listinfo/oauth
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>
>>>>>>>>> -- 
>>>>>>>>> <XeC> <http://connect.me/gffletch>
>>>>>>>
>>>>>>> -- 
>>>>>>> <XeC.png> <http://connect.me/gffletch>
>>>>>>
>>>>>
>>>>
>>>
>>>
>>>
>>
>> -- 
>> <XeC.png> <http://connect.me/gffletch>
>

-- 
George Fletcher <http://connect.me/gffletch>
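
The software-statement model debated in the quoted messages above (registration parameters carried in a publisher-signed statement and locked between instances) can be sketched as follows. This is an added example, not code from the thread or from any draft; the HS256 shared key standing in for a publisher's public-key signature, the trust store, the claim layout and the `instance_label` field are assumptions.

```python
import base64
import hashlib
import hmac
import json

# Constructed trust store (assumption): publisher issuer -> verification key.
# A federated deployment would hold publisher public keys; an HMAC key stands
# in here so the example runs with the standard library only.
TRUSTED_PUBLISHERS = {"https://publisher.example": b"constructed-demo-key"}
NOW = 1377705600  # constructed "current time" for the demo


class RegistrationError(Exception):
    """Raised when a statement or an instance request is rejected."""


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_statement(claims: dict, key: bytes) -> str:
    """Publisher side: issue a compact HS256 JWS over the approved metadata."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url(json.dumps(claims).encode())
    mac = hmac.new(key, f"{header}.{payload}".encode("ascii"), hashlib.sha256)
    return f"{header}.{payload}.{b64url(mac.digest())}"


def verify_statement(token: str, now: int) -> dict:
    """AS side: return the claims only if a trusted publisher signed them."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(header_b64))
        claims = json.loads(b64url_decode(payload_b64))
        sig = b64url_decode(sig_b64)
    except ValueError as exc:  # wrong part count, bad base64, bad JSON
        raise RegistrationError("malformed statement") from exc
    if not isinstance(header, dict) or not isinstance(claims, dict):
        raise RegistrationError("malformed statement")
    # The AS fixes the algorithm; the token must not be able to pick "none".
    if header.get("alg") != "HS256":
        raise RegistrationError("unsupported alg")
    issuer = claims.get("iss")
    key = TRUSTED_PUBLISHERS.get(issuer) if isinstance(issuer, str) else None
    if key is None:
        raise RegistrationError("untrusted publisher")
    signing_input = f"{header_b64}.{payload_b64}".encode("ascii")
    expected = hmac.new(key, signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        raise RegistrationError("bad signature")
    exp = claims.get("exp")
    if not isinstance(exp, int) or exp <= now:
        raise RegistrationError("statement expired")
    return claims


def register_instance(statement: str, requested: dict, now: int) -> dict:
    """Stateless per-instance registration: every parameter carried in the
    statement is locked, so an instance may add fields but not override them."""
    claims = verify_statement(statement, now)
    locked = {k: v for k, v in claims.items() if k not in ("iss", "exp")}
    for name, value in locked.items():
        if name in requested and requested[name] != value:
            raise RegistrationError(f"{name} is locked by the software statement")
    metadata = dict(requested)
    metadata.update(locked)
    metadata["software_publisher"] = claims["iss"]
    return metadata


def rejection_reason(statement: str, requested: dict, now: int):
    """Return the rejection message, or None if registration succeeds."""
    try:
        register_instance(statement, requested, now)
    except RegistrationError as exc:
        return str(exc)
    return None


def demo_statement() -> str:
    """Constructed statement for a hypothetical approved application."""
    claims = {
        "iss": "https://publisher.example",
        "exp": NOW + 3600,
        "client_name": "Example App",
        "redirect_uris": ["https://app.example/cb"],
    }
    return sign_statement(claims, TRUSTED_PUBLISHERS["https://publisher.example"])


if __name__ == "__main__":
    stmt = demo_statement()
    print(register_instance(stmt, {"instance_label": "phone-1"}, NOW))
    print(rejection_reason(stmt, {"redirect_uris": ["https://other.example/cb"]}, NOW))
```
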

--------------070805090301010504070406
Content-Type: multipart/related;
 boundary="------------020309090105000709050303"


--------------020309090105000709050303
Content-Type: text/html; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit

<html>
  <head>
    <meta content="text/html; charset=ISO-8859-1"
      http-equiv="Content-Type">
  </head>
  <body bgcolor="#FFFFFF" text="#000000">
    <font face="Helvetica, Arial, sans-serif">So, if we take the current
      OAuth model that I think I hear you espousing... OAuth core is
      "local"&nbsp; and "federated" scenarios need to be profiled to be
      "locked down" ... then shouldn't we do the same thing with the dyn
      reg spec? Consider what's proposed as "local" and the "federated"
      model is a profile (see my other post).<br>
      <br>
      In the UMA case (as I'm actively involved in that effort) I would
      want the UMA spec to define where agreed upon formats are
      required. I wouldn't want that done in the OAuth core specs. The
      reason is that the specification narrows the scope of the
      applicability of the solution to the problem domain being solved.
      So UMA, which defines the problem space it's trying to solve, should
      be the spec to define the required formats. This is clean
      layering.<br>
      <br>
      In this case of federated app deployments that you are discussing
      it seems like it requires a special profile for that problem
      domains space just as UMA defines its own profile of OAuth2 for
      its problem space and OpenID Connect defines its profile for
      its problem domain space.<br>
      <br>
      Thanks,<br>
      George<br>
      <br>
    </font>
    <div class="moz-cite-prefix">On 8/28/13 1:03 PM, Phil Hunt wrote:<br>
    </div>
    <blockquote
      cite="mid:0D768920-8000-4176-A55B-1B2BE9791E08@oracle.com"
      type="cite">
      <meta http-equiv="Content-Type" content="text/html;
        charset=ISO-8859-1">
      I think many of the parameters in dyn reg need to be specified in
      the statement -- the main change is we're moving dyn reg
      parameters into the statement and locking them down between
      instances. &nbsp;It keeps hackers from changing individual instances
      and it minimizes state in per instance registration.
      <div><br>
      </div>
      <div>The reason OAuth doesn't have to define token formats is they
        are largely "local". &nbsp;Federated token scenarios (like UMA)
        obviously have to have some OOB agreement on format. &nbsp;Given that
        registration in most of these cases is federated, it seems
        appropriate to define these assertions. (In the non-federated
        cases (e.g. like Google), they can do registration using
        workflows with the developer directly.)</div>
      <div><br>
      </div>
      <div><span style="font-size: 12px; ">Phil</span></div>
      <div>
        <div apple-content-edited="true"><span class="Apple-style-span"
            style="border-collapse: separate; border-spacing: 0px; ">
            <div style="word-wrap: break-word; -webkit-nbsp-mode: space;
              -webkit-line-break: after-white-space; "><span
                class="Apple-style-span" style="border-collapse:
                separate; color: rgb(0, 0, 0); font-family: Helvetica;
                font-size: medium; font-style: normal; font-variant:
                normal; font-weight: normal; letter-spacing: normal;
                line-height: normal; orphans: 2; text-indent: 0px;
                text-transform: none; white-space: normal; widows: 2;
                word-spacing: 0px; border-spacing: 0px;
                -webkit-text-decorations-in-effect: none;
                -webkit-text-size-adjust: auto;
                -webkit-text-stroke-width: 0px; ">
                <div style="word-wrap: break-word; -webkit-nbsp-mode:
                  space; -webkit-line-break: after-white-space; "><span
                    class="Apple-style-span" style="border-collapse:
                    separate; color: rgb(0, 0, 0); font-family:
                    Helvetica; font-size: medium; font-style: normal;
                    font-variant: normal; font-weight: normal;
                    letter-spacing: normal; line-height: normal;
                    orphans: 2; text-indent: 0px; text-transform: none;
                    white-space: normal; widows: 2; word-spacing: 0px;
                    border-spacing: 0px;
                    -webkit-text-decorations-in-effect: none;
                    -webkit-text-size-adjust: auto;
                    -webkit-text-stroke-width: 0px; ">
                    <div style="word-wrap: break-word;
                      -webkit-nbsp-mode: space; -webkit-line-break:
                      after-white-space; "><span
                        class="Apple-style-span" style="border-collapse:
                        separate; color: rgb(0, 0, 0); font-family:
                        Helvetica; font-size: 12px; font-style: normal;
                        font-variant: normal; font-weight: normal;
                        letter-spacing: normal; line-height: normal;
                        orphans: 2; text-indent: 0px; text-transform:
                        none; white-space: normal; widows: 2;
                        word-spacing: 0px; border-spacing: 0px;
                        -webkit-text-decorations-in-effect: none;
                        -webkit-text-size-adjust: auto;
                        -webkit-text-stroke-width: 0px; ">
                        <div style="word-wrap: break-word;
                          -webkit-nbsp-mode: space; -webkit-line-break:
                          after-white-space; ">
                          <div><br>
                          </div>
                          <div>@independentid</div>
                          <div><a moz-do-not-send="true"
                              href="http://www.independentid.com">www.independentid.com</a></div>
                        </div>
                      </span><a moz-do-not-send="true"
                        href="mailto:phil.hunt@oracle.com">phil.hunt@oracle.com</a></div>
                    <div style="word-wrap: break-word;
                      -webkit-nbsp-mode: space; -webkit-line-break:
                      after-white-space; "><br>
                      <br>
                    </div>
                  </span><br class="Apple-interchange-newline">
                </div>
              </span><br class="Apple-interchange-newline">
            </div>
          </span><br class="Apple-interchange-newline">
          <br class="Apple-interchange-newline">
        </div>
        <br>
        <div>
          <div>On 2013-08-28, at 9:55 AM, George Fletcher &lt;<a
              moz-do-not-send="true" href="mailto:gffletch@aol.com">gffletch@aol.com</a>&gt;
            wrote:</div>
          <br class="Apple-interchange-newline">
          <blockquote type="cite">
            <meta content="text/html; charset=ISO-8859-1"
              http-equiv="Content-Type">
            <div bgcolor="#FFFFFF" text="#000000"> <font
                face="Helvetica, Arial, sans-serif">OAuth has never
                specified anything regarding the format of the "tokens"
                that the AS has to accept and that's one of its
                virtues. It allows for many implementations from local
                only to federated. <br>
                <br>
                I fully believe there is value in defining profiles of
                OAuth for particular problem domains that put
                restrictions on client_id format, access_token format
                etc (e.g. the assertion set of specs). However, those
                should be layered on top of OAuth as a profile and not
                be forced into the core. Otherwise, we are forcing all
                implementations down a much narrower path than is
                supported today. I definitely don't want to see that
                happen.<br>
                <br>
                Thanks,<br>
                George<br>
                <br>
              </font>
              <div class="moz-cite-prefix">On 8/28/13 12:48 PM, Phil
                Hunt wrote:<br>
              </div>
              <blockquote
                cite="mid:146ED1AF-DE42-4DF1-8DEC-7F82B4C91D07@oracle.com"
                type="cite">
                <meta http-equiv="Content-Type" content="text/html;
                  charset=ISO-8859-1">
                You can pass anything as a client_id. &nbsp;It just has to be
                accepted. That's the point of us writing a draft here
                isn't it?
                <div><br>
                  <div apple-content-edited="true"> <span
                      class="Apple-style-span" style="border-collapse:
                      separate; font-family: Helvetica; font-style:
                      normal; font-variant: normal; font-weight: normal;
                      letter-spacing: normal; line-height: normal;
                      orphans: 2; text-indent: 0px; text-transform:
                      none; white-space: normal; widows: 2;
                      word-spacing: 0px; border-spacing: 0px;
                      -webkit-text-decorations-in-effect: none;
                      -webkit-text-size-adjust: auto;
                      -webkit-text-stroke-width: 0px; font-size: medium;
                      ">
                      <div style="word-wrap: break-word;
                        -webkit-nbsp-mode: space; -webkit-line-break:
                        after-white-space; "><span
                          class="Apple-style-span"
                          style="border-collapse: separate; font-family:
                          Helvetica; font-size: medium; font-style:
                          normal; font-variant: normal; font-weight:
                          normal; letter-spacing: normal; line-height:
                          normal; orphans: 2; text-indent: 0px;
                          text-transform: none; white-space: normal;
                          widows: 2; word-spacing: 0px; border-spacing:
                          0px; -webkit-text-decorations-in-effect: none;
                          -webkit-text-size-adjust: auto;
                          -webkit-text-stroke-width: 0px; ">
                          <div style="word-wrap: break-word;
                            -webkit-nbsp-mode: space;
                            -webkit-line-break: after-white-space; "><span
                              class="Apple-style-span"
                              style="border-collapse: separate;
                              font-family: Helvetica; font-size: medium;
                              font-style: normal; font-variant: normal;
                              font-weight: normal; letter-spacing:
                              normal; line-height: normal; orphans: 2;
                              text-indent: 0px; text-transform: none;
                              white-space: normal; widows: 2;
                              word-spacing: 0px; border-spacing: 0px;
                              -webkit-text-decorations-in-effect: none;
                              -webkit-text-size-adjust: auto;
                              -webkit-text-stroke-width: 0px; ">
                              <div style="word-wrap: break-word;
                                -webkit-nbsp-mode: space;
                                -webkit-line-break: after-white-space; "><span
                                  class="Apple-style-span"
                                  style="border-collapse: separate;
                                  font-family: Helvetica; font-size:
                                  12px; font-style: normal;
                                  font-variant: normal; font-weight:
                                  normal; letter-spacing: normal;
                                  line-height: normal; orphans: 2;
                                  text-indent: 0px; text-transform:
                                  none; white-space: normal; widows: 2;
                                  word-spacing: 0px; border-spacing:
                                  0px;
                                  -webkit-text-decorations-in-effect:
                                  none; -webkit-text-size-adjust: auto;
                                  -webkit-text-stroke-width: 0px; ">
                                  <div style="word-wrap: break-word;
                                    -webkit-nbsp-mode: space;
                                    -webkit-line-break:
                                    after-white-space; ">
                                    <div>Phil</div>
                                    <div><br>
                                    </div>
                                    <div>@independentid</div>
                                    <div><a moz-do-not-send="true"
                                        href="http://www.independentid.com/">www.independentid.com</a></div>
                                  </div>
                                </span><a moz-do-not-send="true"
                                  href="mailto:phil.hunt@oracle.com">phil.hunt@oracle.com</a></div>
                              <div style="word-wrap: break-word;
                                -webkit-nbsp-mode: space;
                                -webkit-line-break: after-white-space; "><br>
                                <br>
                              </div>
                            </span><br class="Apple-interchange-newline">
                          </div>
                        </span><br class="Apple-interchange-newline">
                      </div>
                    </span><br class="Apple-interchange-newline">
                    <br class="Apple-interchange-newline">
                  </div>
                  <br>
                  <div>
                    <div>On 2013-08-28, at 9:45 AM, John Bradley &lt;<a
                        moz-do-not-send="true"
                        href="mailto:ve7jtb@ve7jtb.com">ve7jtb@ve7jtb.com</a>&gt;

                      wrote:</div>
                    <br class="Apple-interchange-newline">
                    <blockquote type="cite">
                      <meta http-equiv="Content-Type"
                        content="text/html; charset=ISO-8859-1">
                      <div style="word-wrap: break-word;
                        -webkit-nbsp-mode: space; -webkit-line-break:
                        after-white-space; ">That is my concern as well,
                        sending an assertion to the authorization
                        endpoint requires an extension of OAuth to add
                        another parameter or placing it in the client_id
                        which you can do now with the dynamic reg spec
                        if the AS wants to.&nbsp;
                        <div><br>
                        </div>
                        <div>Holding up client registration for
                          something that will require an extension to
                          OAuth is overdoing it. &nbsp; We need something for
                          the OAuth spec we have now without requiring
                          clients implement the assertion flow and other
                          extensions.</div>
                        <div><br>
                        </div>
                        <div>John B.</div>
                        <div><br>
                          <div>
                            <div>On 2013-08-28, at 12:39 PM, Justin
                              Richer &lt;<a moz-do-not-send="true"
                                href="mailto:jricher@mitre.org">jricher@mitre.org</a>&gt;

                              wrote:</div>
                            <br class="Apple-interchange-newline">
                            <blockquote type="cite">
                              <meta content="text/html;
                                charset=ISO-8859-1"
                                http-equiv="Content-Type">
                              <div bgcolor="#FFFFFF" text="#000000"> The
                                initial_access_token doesn't assume that
                                it's from the local domain. It merely
                                assumes that the authorization server
                                accepts the token, which would be true
                                in the UMA case due to the federation.
                                It could also be the exact same kinds of
                                mechanisms that the software statement
                                would use to achieve federation.<br>
                                <br>
                                I still don't see how an auth server is
                                going to know about a client's
                                configuration state with the assertion
                                swap method, since there's no defined
                                mechanism for sending a JWT assertion to
                                the authorization endpoint. <br>
                                <br>
                                &nbsp;-- Justin<br>
                                <br>
                                <div class="moz-cite-prefix">On
                                  08/28/2013 12:35 PM, Phil Hunt wrote:<br>
                                </div>
                                <blockquote
                                  cite="mid:9F232504-FC58-41FD-B040-31F898034AD2@oracle.com"
                                  type="cite">
                                  <meta http-equiv="Content-Type"
                                    content="text/html;
                                    charset=ISO-8859-1">
                                  George,
                                  <div><br>
                                  </div>
                                  <div>It would be reasonable for a
                                    client to submit an assertion, and
                                    obtain its own client assertion in
                                    return. &nbsp;This is very close to what
                                    is happening per 2.1, 2.2 of&nbsp;<a
                                      moz-do-not-send="true"
                                      href="http://tools.ietf.org/html/draft-ietf-oauth-jwt-bearer-06">http://tools.ietf.org/html/draft-ietf-oauth-jwt-bearer-06</a></div>
                                  <div><br>
                                  </div>
                                  <div>In this case, the Software
                                    Statement is an authorization that
                                    is exchanged for a client assertion
                                    in return. Then the clients
                                    authenticate per section 2.2 of the
                                    JWT spec.</div>
                                  <div><br>
                                  </div>
                                  <div>Regarding initial_access_token.
                                    &nbsp;This does have some of the
                                    characteristics I am speaking of.
                                    But it is unspecified and the
                                    assumption is that it is issued by
                                    the local domain. &nbsp;This doesn't work
                                    in the UMA case because that's more
                                    like a federated model. Thus the
                                    specified software statement works
                                    because the AS can approve the
                                    client software based on name,
                                    and/or developer, and/or publisher
                                    -- whatever trust requires.</div>
                                  <div><br>
                                    <div apple-content-edited="true"> <span
                                        class="Apple-style-span"
                                        style="border-collapse:
                                        separate; font-family:
                                        Helvetica; font-style: normal;
                                        font-variant: normal;
                                        font-weight: normal;
                                        letter-spacing: normal;
                                        line-height: normal; orphans: 2;
                                        text-indent: 0px;
                                        text-transform: none;
                                        white-space: normal; widows: 2;
                                        word-spacing: 0px;
                                        border-spacing: 0px;
                                        -webkit-text-decorations-in-effect:
                                        none; -webkit-text-size-adjust:
                                        auto; -webkit-text-stroke-width:
                                        0px; font-size: medium; ">
                                        <div style="word-wrap:
                                          break-word; -webkit-nbsp-mode:
                                          space; -webkit-line-break:
                                          after-white-space; "><span
                                            class="Apple-style-span"
                                            style="border-collapse:
                                            separate; font-family:
                                            Helvetica; font-size:
                                            medium; font-style: normal;
                                            font-variant: normal;
                                            font-weight: normal;
                                            letter-spacing: normal;
                                            line-height: normal;
                                            orphans: 2; text-indent:
                                            0px; text-transform: none;
                                            white-space: normal; widows:
                                            2; word-spacing: 0px;
                                            border-spacing: 0px;
                                            -webkit-text-decorations-in-effect:
                                            none;
                                            -webkit-text-size-adjust:
                                            auto;
                                            -webkit-text-stroke-width:
                                            0px; ">
                                            <div style="word-wrap:
                                              break-word;
                                              -webkit-nbsp-mode: space;
                                              -webkit-line-break:
                                              after-white-space; "><span
                                                class="Apple-style-span"
                                                style="border-collapse:
                                                separate; font-family:
                                                Helvetica; font-size:
                                                medium; font-style:
                                                normal; font-variant:
                                                normal; font-weight:
                                                normal; letter-spacing:
                                                normal; line-height:
                                                normal; orphans: 2;
                                                text-indent: 0px;
                                                text-transform: none;
                                                white-space: normal;
                                                widows: 2; word-spacing:
                                                0px; border-spacing:
                                                0px;
                                                -webkit-text-decorations-in-effect:
                                                none;
                                                -webkit-text-size-adjust:
                                                auto;
                                                -webkit-text-stroke-width:
                                                0px; ">
                                                <div style="word-wrap:
                                                  break-word;
                                                  -webkit-nbsp-mode:
                                                  space;
                                                  -webkit-line-break:
                                                  after-white-space; "><span
class="Apple-style-span" style="border-collapse: separate; font-family:
                                                    Helvetica;
                                                    font-size: 12px;
                                                    font-style: normal;
                                                    font-variant:
                                                    normal; font-weight:
                                                    normal;
                                                    letter-spacing:
                                                    normal; line-height:
                                                    normal; orphans: 2;
                                                    text-indent: 0px;
                                                    text-transform:
                                                    none; white-space:
                                                    normal; widows: 2;
                                                    word-spacing: 0px;
                                                    border-spacing: 0px;
                                                    -webkit-text-decorations-in-effect:

                                                    none;
                                                    -webkit-text-size-adjust:
                                                    auto;
                                                    -webkit-text-stroke-width:
                                                    0px; ">
                                                    <div
                                                      style="word-wrap:
                                                      break-word;
                                                      -webkit-nbsp-mode:
                                                      space;
                                                      -webkit-line-break:
                                                      after-white-space;
                                                      ">
                                                      <div>Phil</div>
                                                      <div><br>
                                                      </div>
                                                      <div>@independentid</div>
                                                      <div><a
                                                          moz-do-not-send="true"
href="http://www.independentid.com/">www.independentid.com</a></div>
                                                    </div>
                                                  </span><a
                                                    moz-do-not-send="true"
href="mailto:phil.hunt@oracle.com">phil.hunt@oracle.com</a></div>
                                                <div style="word-wrap:
                                                  break-word;
                                                  -webkit-nbsp-mode:
                                                  space;
                                                  -webkit-line-break:
                                                  after-white-space; "><br>
                                                  <br>
                                                </div>
                                              </span><br
                                                class="Apple-interchange-newline">
                                            </div>
                                          </span><br
                                            class="Apple-interchange-newline">
                                        </div>
                                      </span><br
                                        class="Apple-interchange-newline">
                                      <br
                                        class="Apple-interchange-newline">
                                    </div>
                                    <br>
                                    <div>
                                      <div>On 2013-08-28, at 9:29 AM,
                                        George Fletcher &lt;<a
                                          moz-do-not-send="true"
                                          href="mailto:gffletch@aol.com">gffletch@aol.com</a>&gt;


                                        wrote:</div>
                                      <br
                                        class="Apple-interchange-newline">
                                      <blockquote type="cite">
                                        <div bgcolor="#FFFFFF"
                                          text="#000000"> <font
                                            face="Helvetica, Arial,
                                            sans-serif">I can't say I
                                            understand what you mean by
                                            a simple assertion swap...
                                            but if you are wanting to
                                            use a client_assertion flow
                                            instead of the code flow
                                            then that's something
                                            completely different. If you
                                            are saying that you want the
                                            client_id to represent an
                                            "instance" in a stateless
                                            way using an "assertion"
                                            then that's already possible
                                            today.<br>
                                            <br>
                                            George<br>
                                            <br>
                                          </font>
                                          <div class="moz-cite-prefix">On
                                            8/28/13 12:23 PM, Phil Hunt
                                            wrote:<br>
                                          </div>
                                          <blockquote
                                            cite="mid:C7CBA9A2-92F5-4AE3-8AEE-1259B6635DD9@oracle.com"
                                            type="cite">
                                            <div>George</div>
                                            <div><br>
                                            </div>
                                            <div>That case can be solved
                                              with a simple assertion
                                              swap. We just have to
                                              profile it.&nbsp;<br>
                                              <br>
                                              Phil</div>
                                            <div><br>
                                              On 2013-08-28, at 9:20,
                                              George Fletcher &lt;<a
                                                moz-do-not-send="true"
                                                href="mailto:gffletch@aol.com">gffletch@aol.com</a>&gt;



                                              wrote:<br>
                                              <br>
                                            </div>
                                            <blockquote type="cite">
                                              <div> <br>
                                                <div
                                                  class="moz-cite-prefix">On

                                                  8/28/13 12:02 PM, Phil
                                                  Hunt wrote:<br>
                                                </div>
                                                <blockquote
                                                  cite="mid:BC009D74-FEF3-4827-8C0D-1B2FCCF9DA65@oracle.com"
                                                  type="cite">
                                                  <pre wrap="">Please define the all in one case. I think this is the edge case and is in fact rare. 

I agree, in many cases step 1 can be made by simply approving a class of software. But then step 2 is simplified. 

Dyn reg assumes every registration of an instance is unique which to me is a very extreme </pre>
                                                </blockquote>
                                                If you have a mobile app
                                                that needs to do the
                                                code flow... which
                                                requires a client_secret
                                                in order to retrieve the
                                                access token and refresh
                                                token, how does the app
                                                do this without per app
                                                instance registration? <br>
                                                <br>
                                                I'd argue that almost
                                                all user facing mobile
                                                apps will want the above
                                                flow and that's not a
                                                small, rare edge case.<br>
                                                <br>
                                                Thanks,<br>
                                                George<br>
                                                <blockquote
                                                  cite="mid:BC009D74-FEF3-4827-8C0D-1B2FCCF9DA65@oracle.com"
                                                  type="cite">
                                                  <pre wrap="">position. 

Phil

On 2013-08-28, at 8:41, Justin Richer <a moz-do-not-send="true" class="moz-txt-link-rfc2396E" href="mailto:jricher@mitre.org">&lt;jricher@mitre.org&gt;</a> wrote:

</pre>
                                                  <blockquote
                                                    type="cite">
                                                    <pre wrap="">Except for the cases where you want step 1 to happen in band. To me, that is a vitally and fundamentally important use case that we can't disregard, and we must have a solution that can accommodate that. The notions of "publisher" and "product" fade very quickly once you get outside of the software vendor world.

This is, of course, not to stand in the way of other solutions or approaches (such as something assertion based like you're after). It's not a one-or-the-other proposition, especially when there are mutually exclusive aspects of each.

Therefore I once again call for the WG to finish the current dynamic registration spec *AND* pursue the assertion based process that Phil's talking about. They're not mutually exclusive, let's please stop talking about them like they are.

-- Justin

On 08/28/2013 11:17 AM, Phil Hunt wrote:
</pre>
                                                    <blockquote
                                                      type="cite">
                                                      <pre wrap="">Sorry. I meant also to say I think there are 2 registration steps.

1. Software registration/approval. This often happens out of band. But in this step policy is defined that approves software for use. Many of the reg params are known here.

Federation techniques come into play as trust approvals can be based on developer, product or even publisher.

2. Each instance associates in a stateless way. Only clients that need credential rotation need more.

Phil

On 2013-08-28, at 8:04, Phil Hunt <a moz-do-not-send="true" class="moz-txt-link-rfc2396E" href="mailto:phil.hunt@oracle.com">&lt;phil.hunt@oracle.com&gt;</a> wrote:

</pre>
                                                      <blockquote
                                                        type="cite">
                                                        <pre wrap="">I have a conflict I cannot get out of for 2pacific.

I think a certificate based approach is going to simplify exchanges in all cases. I encourage the group to explore the concept on the call.

I am not sure breaking dyn reg up helps. It creates yet another option. I would like to explore how federation concept in software statements can help with facilitating association and making many reg stateless.

Phil

On 2013-08-28, at 5:43, "Tschofenig, Hannes (NSN - FI/Espoo)" <a moz-do-not-send="true" class="moz-txt-link-rfc2396E" href="mailto:hannes.tschofenig@nsn.com">&lt;hannes.tschofenig@nsn.com&gt;</a> wrote:

</pre>
                                                        <blockquote
                                                          type="cite">
                                                          <pre wrap="">Here are the conference bridge / Webex details for the call today.
We are going to complete the use case discussions from last time (Phil wasn't able to walk through all slides). Justin was also able to work out a strawman proposal based on the discussions last week and we will have a look at it to see whether this is a suitable compromise. Here is Justin's mail, in case you have missed it: <a moz-do-not-send="true" class="moz-txt-link-freetext" href="http://www.ietf.org/mail-archive/web/oauth/current/msg12036.html">http://www.ietf.org/mail-archive/web/oauth/current/msg12036.html</a>

Phil, please feel free to make adjustments to your slides given Justin's recent proposal.

Topic: OAuth Dynamic Client Registration
Date: Wednesday, August 28, 2013
Time: 2:00 pm, Pacific Daylight Time (San Francisco, GMT-07:00)
Meeting Number: 703 230 586
Meeting Password: oauth

-------------------------------------------------------
To join the online meeting
-------------------------------------------------------
1. Go to <a moz-do-not-send="true" class="moz-txt-link-freetext" href="https://nsn.webex.com/nsn/j.php?ED=269567657&amp;UID=0&amp;PW=NNTI1ZWQzMDJk&amp;RT=MiM0">https://nsn.webex.com/nsn/j.php?ED=269567657&amp;UID=0&amp;PW=NNTI1ZWQzMDJk&amp;RT=MiM0</a>
2. Enter your name and email address.
3. Enter the meeting password: oauth
4. Click "Join Now".

To view in other time zones or languages, please click the link:
<a moz-do-not-send="true" class="moz-txt-link-freetext" href="https://nsn.webex.com/nsn/j.php?ED=269567657&amp;UID=0&amp;PW=NNTI1ZWQzMDJk&amp;ORT=MiM0">https://nsn.webex.com/nsn/j.php?ED=269567657&amp;UID=0&amp;PW=NNTI1ZWQzMDJk&amp;ORT=MiM0</a>

To add this meeting to your calendar program (for example Microsoft Outlook), click this link:
<a moz-do-not-send="true" class="moz-txt-link-freetext" href="https://nsn.webex.com/nsn/j.php?ED=269567657&amp;UID=0&amp;ICS=MI&amp;LD=1&amp;RD=2&amp;ST=1&amp;SHA2=C6-AjLGvhdYjmpVdx75M6UsAwrNLMsequ5n95Gyv1R8=&amp;RT=MiM0">https://nsn.webex.com/nsn/j.php?ED=269567657&amp;UID=0&amp;ICS=MI&amp;LD=1&amp;RD=2&amp;ST=1&amp;SHA2=C6-AjLGvhdYjmpVdx75M6UsAwrNLMsequ5n95Gyv1R8=&amp;RT=MiM0</a>

-------------------------------------------------------
To join the teleconference only
-------------------------------------------------------
Global dial-in Numbers: <a moz-do-not-send="true" class="moz-txt-link-freetext" href="http://www.nokiasiemensnetworks.com/nvc">http://www.nokiasiemensnetworks.com/nvc</a>
Conference Code: 944 910 5485


_______________________________________________
OAuth mailing list
<a moz-do-not-send="true" class="moz-txt-link-abbreviated" href="mailto:OAuth@ietf.org">OAuth@ietf.org</a>
<a moz-do-not-send="true" class="moz-txt-link-freetext" href="https://www.ietf.org/mailman/listinfo/oauth">https://www.ietf.org/mailman/listinfo/oauth</a>
</pre>
                                                        </blockquote>
                                                      </blockquote>
                                                    </blockquote>
                                                  </blockquote>
                                                </blockquote>
                                                <br>
                                                <div
                                                  class="moz-signature">--
                                                  <br>
                                                  <a
                                                    moz-do-not-send="true"
href="http://connect.me/gffletch" title="View full card on Connect.Me">&lt;XeC&gt;</a></div>
                                              </div>
                                            </blockquote>
                                          </blockquote>
                                          <br>
                                          <div class="moz-signature">--
                                            <br>
                                            <a moz-do-not-send="true"
                                              href="http://connect.me/gffletch"
                                              title="View full card on
                                              Connect.Me"><span>&lt;XeC.png&gt;</span></a></div>
                                        </div>
                                      </blockquote>
                                    </div>
                                    <br>
                                  </div>
                                </blockquote>
                                <br>
                              </div>
                            </blockquote>
                          </div>
                          <br>
                        </div>
                      </div>
                    </blockquote>
                  </div>
                  <br>
                </div>
                <br>
                <fieldset class="mimeAttachmentHeader"></fieldset>
                <br>
              </blockquote>
              <br>
              <div class="moz-signature">-- <br>
                <a moz-do-not-send="true"
                  href="http://connect.me/gffletch" title="View full
                  card on Connect.Me"><span>&lt;XeC.png&gt;</span></a></div>
            </div>
          </blockquote>
        </div>
        <br>
      </div>
    </blockquote>
    <br>
    <div class="moz-signature">-- <br>
      <a href="http://connect.me/gffletch" title="View full card on
        Connect.Me"><img src="cid:part36.00070407.05050207@aol.com"
          alt="George Fletcher" height="113" width="359"></a></div>
  </body>
</html>

--------------020309090105000709050303
Content-Type: image/png;
 name="XeC"
Content-Transfer-Encoding: base64
Content-ID: <part36.00070407.05050207@aol.com>
Content-Disposition: inline;
 filename="XeC"
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--------------020309090105000709050303--

--------------070805090301010504070406--
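
The stateless per-instance association discussed in the message above, sketched as an added example (not code from any participant or from the working group's drafts): the client_id is itself a MAC-protected assertion, so the authorization server can check an instance's client_secret at the token endpoint without a per-instance registration record. All names, the key, and the software policy are constructed assumptions.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo values (assumptions, not from the thread or any draft).
AS_KEY = b"constructed-demo-key-never-use-in-production"

# Step 1 (out of band): policy that approves a class of software.
APPROVED_SOFTWARE = {
    "example-mobile-app": {
        "redirect_uris": ["com.example.app:/callback"],
        "lifetime": 30 * 24 * 3600,  # seconds an instance registration lasts
    },
}


def b64e(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mac(purpose: str, message: str) -> bytes:
    # The purpose prefix keeps a client_id tag from doubling as a secret.
    data = f"{purpose}.{message}".encode()
    return hmac.new(AS_KEY, data, hashlib.sha256).digest()


def register_instance(software_id, instance_id, now=None):
    """Step 2: mint per-instance credentials; the server stores nothing."""
    policy = APPROVED_SOFTWARE.get(software_id)
    if policy is None:
        raise PermissionError("software has not been approved")
    issued = int(time.time()) if now is None else now
    claims = {
        "sw": software_id,
        "inst": instance_id,
        "redirect_uris": policy["redirect_uris"],
        "iat": issued,
        "exp": issued + policy["lifetime"],
    }
    body = b64e(json.dumps(claims, sort_keys=True).encode())
    client_id = f"{body}.{b64e(mac('client_id', body))}"
    # The secret is derived from the client_id, so it never needs storing.
    client_secret = b64e(mac("client_secret", client_id))
    return client_id, client_secret


def authenticate_client(client_id, client_secret, redirect_uri, now=None):
    """Token-endpoint check rebuilt entirely from the presented client_id.

    Returns the registration claims, or None if any check fails.
    """
    current = int(time.time()) if now is None else now
    try:
        body, tag = client_id.split(".")
        # Verify integrity before parsing anything the client supplied.
        if not hmac.compare_digest(b64d(tag), mac("client_id", body)):
            return None
        claims = json.loads(b64d(body))
    except ValueError:
        return None
    expected = b64e(mac("client_secret", client_id))
    if not hmac.compare_digest(client_secret.encode(), expected.encode()):
        return None
    if current >= claims["exp"]:
        return None
    # Withdrawing the step-1 approval cuts off every instance at once;
    # revoking or rotating ONE instance would need server-side state.
    if claims["sw"] not in APPROVED_SOFTWARE:
        return None
    if redirect_uri not in claims["redirect_uris"]:
        return None
    return claims
```
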

From donald.coffin@reminetworks.com  Wed Aug 28 10:19:05 2013
Return-Path: <donald.coffin@reminetworks.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2583721E8064 for <oauth@ietfa.amsl.com>; Wed, 28 Aug 2013 10:19:05 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.265
X-Spam-Level: 
X-Spam-Status: No, score=-2.265 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, IP_NOT_FRIENDLY=0.334]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id fZola8JgUtXK for <oauth@ietfa.amsl.com>; Wed, 28 Aug 2013 10:19:01 -0700 (PDT)
Received: from oproxy13-pub.mail.unifiedlayer.com (oproxy13-pub.mail.unifiedlayer.com [69.89.16.30]) by ietfa.amsl.com (Postfix) with SMTP id CAB9121E804D for <oauth@ietf.org>; Wed, 28 Aug 2013 10:19:00 -0700 (PDT)
Received: (qmail 30084 invoked by uid 0); 28 Aug 2013 17:18:39 -0000
Received: from unknown (HELO host125.hostmonster.com) (74.220.207.125) by oproxy13.mail.unifiedlayer.com with SMTP; 28 Aug 2013 17:18:38 -0000
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=reminetworks.com; s=default;  h=Content-Transfer-Encoding:Content-Type:MIME-Version:Message-ID:Date:Subject:In-Reply-To:References:Cc:To:From; bh=IWO0hr7xhQR7tnFJHy1NGAjSPnWDwXvMIMorwAkIvp4=;  b=Ja1yiIxHWWojgPUP1w74Ns1I44h7ANgADypji35qRJb+AFvTRoHB2OFGaswJcALVP++cS7KbZW1xUEFCHaMTS+h2p6mrunis+ZC48mcm3SafhtftfAr3mIb9xaSuyNvt;
Received: from [68.4.207.246] (port=1921 helo=HPPavilionElite) by host125.hostmonster.com with esmtpsa (TLSv1:RC4-SHA:128) (Exim 4.80) (envelope-from <donald.coffin@reminetworks.com>) id 1VEjO9-0002xP-Su; Wed, 28 Aug 2013 11:18:38 -0600
From: "Donald F Coffin" <donald.coffin@reminetworks.com>
To: "'Justin Richer'" <jricher@mitre.org>, "'Phil Hunt'" <phil.hunt@oracle.com>
References: <1373E8CE237FCC43BCA36C6558612D2AA28D6A@USCHMBX001.nsn-intra.net>	<4D9D4AAD-55F9-4B7E-A56F-5BC42F028E13@oracle.com>	<B14A12F5-EF5C-4529-90B7-C30E17958907@oracle.com> <521E1A34.30204@mitre.org>
In-Reply-To: <521E1A34.30204@mitre.org>
Date: Wed, 28 Aug 2013 10:17:30 -0700
Message-ID: <00b701cea412$7ad1a7d0$7074f770$@reminetworks.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Mailer: Microsoft Outlook 14.0
Thread-Index: AQK+LBuYX0MP19aA+n2gLHy0oQjvrwLA631YAsPhEqgBK9e6XZeWR5Bg
Content-Language: en-us
X-Identified-User: {1395:host125.hostmonster.com:reminetw:reminetworks.com} {sentby:smtp auth 68.4.207.246 authed with donald.coffin@reminetworks.com}
Cc: 'oauth mailing list' <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Dynamic Client Registration Conference Call: Wed 28 Aug, 2pm PDT: Conference Bridge Details
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 28 Aug 2013 17:19:05 -0000

+1

Best regards,
Don
Donald F. Coffin
Founder/CTO

REMI Networks
22751 El Prado Suite 6216
Rancho Santa Margarita, CA  92688-3836

Phone:      (949) 636-8571
Email:       donald.coffin@reminetworks.com


-----Original Message-----
From: Justin Richer [mailto:jricher@mitre.org] 
Sent: Wednesday, August 28, 2013 8:42 AM
To: Phil Hunt
Cc: oauth mailing list
Subject: Re: [OAUTH-WG] Dynamic Client Registration Conference Call: Wed 28
Aug, 2pm PDT: Conference Bridge Details

Except for the cases where you want step 1 to happen in band. To me, that is
a vitally and fundamentally important use case that we can't disregard, and
we must have a solution that can accommodate that. The notions of
"publisher" and "product" fade very quickly once you get outside of the
software vendor world.

This is, of course, not to stand in the way of other solutions or approaches
(such as something assertion based like you're after). It's not a
one-or-the-other proposition, especially when there are mutually exclusive
aspects of each.

Therefore I once again call for the WG to finish the current dynamic
registration spec *AND* pursue the assertion based process that Phil's
talking about. They're not mutually exclusive, let's please stop talking
about them like they are.

  -- Justin

On 08/28/2013 11:17 AM, Phil Hunt wrote:
> Sorry. I meant also to say I think there are 2 registration steps.
>
> 1. Software registration/approval. This often happens out of band. But in this step policy is defined that approves software for use. Many of the reg params are known here.
>
> Federation techniques come into play as trust approvals can be based on developer, product or even publisher.
>
> 2. Each instance associates in a stateless way. Only clients that need credential rotation need more.
>
> Phil
>
> On 2013-08-28, at 8:04, Phil Hunt <phil.hunt@oracle.com> wrote:
>
>> I have a conflict I cannot get out of for 2pacific.
>>
>> I think a certificate based approach is going to simplify exchanges in all cases. I encourage the group to explore the concept on the call.
>>
>> I am not sure breaking dyn reg up helps. It creates yet another option. I would like to explore how federation concept in software statements can help with facilitating association and making many reg stateless.
>>
>> Phil
>>
>> On 2013-08-28, at 5:43, "Tschofenig, Hannes (NSN - FI/Espoo)" <hannes.tschofenig@nsn.com> wrote:
>>
>>> Here are the conference bridge / Webex details for the call today.
>>> We are going to complete the use case discussions from last time 
>>> (Phil wasn't able to walk through all slides). Justin was also able 
>>> to work out a strawman proposal based on the discussions last week 
>>> and we will have a look at it to see whether this is a suitable 
>>> compromise. Here is Justin's mail, in case you have missed it: 
>>> http://www.ietf.org/mail-archive/web/oauth/current/msg12036.html
>>>
>>> Phil, please feel free to make adjustments to your slides given Justin's recent proposal.
>>>
>>> Topic: OAuth Dynamic Client Registration
>>> Date: Wednesday, August 28, 2013
>>> Time: 2:00 pm, Pacific Daylight Time (San Francisco, GMT-07:00)
>>> Meeting Number: 703 230 586
>>> Meeting Password: oauth
>>>
>>> -------------------------------------------------------
>>> To join the online meeting
>>> -------------------------------------------------------
>>> 1. Go to https://nsn.webex.com/nsn/j.php?ED=269567657&UID=0&PW=NNTI1ZWQzMDJk&RT=MiM0
>>> 2. Enter your name and email address.
>>> 3. Enter the meeting password: oauth
>>> 4. Click "Join Now".
>>>
>>> To view in other time zones or languages, please click the link:
>>> https://nsn.webex.com/nsn/j.php?ED=269567657&UID=0&PW=NNTI1ZWQzMDJk&ORT=MiM0
>>>
>>> To add this meeting to your calendar program (for example Microsoft Outlook), click this link:
>>> https://nsn.webex.com/nsn/j.php?ED=269567657&UID=0&ICS=MI&LD=1&RD=2&ST=1&SHA2=C6-AjLGvhdYjmpVdx75M6UsAwrNLMsequ5n95Gyv1R8=&RT=MiM0
>>>
>>> -------------------------------------------------------
>>> To join the teleconference only
>>> -------------------------------------------------------
>>> Global dial-in Numbers: http://www.nokiasiemensnetworks.com/nvc
>>> Conference Code: 944 910 5485
>>>
>>>
>>> _______________________________________________
>>> OAuth mailing list
>>> OAuth@ietf.org
>>> https://www.ietf.org/mailman/listinfo/oauth




From bcampbell@pingidentity.com  Wed Aug 28 12:14:48 2013
Return-Path: <bcampbell@pingidentity.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2A7B021F9E3A for <oauth@ietfa.amsl.com>; Wed, 28 Aug 2013 12:14:48 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.827
X-Spam-Level: 
X-Spam-Status: No, score=-5.827 tagged_above=-999 required=5 tests=[AWL=0.150,  BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id R1mx5Q05s+UP for <oauth@ietfa.amsl.com>; Wed, 28 Aug 2013 12:14:44 -0700 (PDT)
Received: from na3sys009aog127.obsmtp.com (na3sys009aog127.obsmtp.com [74.125.149.107]) by ietfa.amsl.com (Postfix) with ESMTP id D160721F9E0A for <oauth@ietf.org>; Wed, 28 Aug 2013 12:14:43 -0700 (PDT)
Received: from mail-ie0-f174.google.com ([209.85.223.174]) (using TLSv1) by na3sys009aob127.postini.com ([74.125.148.12]) with SMTP ID DSNKUh5MIxPWveeCsH130X9QRDcuun2UACBn@postini.com; Wed, 28 Aug 2013 12:14:43 PDT
Received: by mail-ie0-f174.google.com with SMTP id k14so9413045iea.19 for <oauth@ietf.org>; Wed, 28 Aug 2013 12:14:39 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc:content-type:content-transfer-encoding; bh=VdtWicjicAkRqQFe4itby/kIidIA555JswrxmI1mHYk=; b=AGwqdaTpXTSDCDYWydZX02oww3ytcJL2Gm9y0XStVXhAZfg29jUQMt/WQAou0Ko9fG anZTyQrl9rdI7GAUUAQjyHUUNW1BEPaBNzNpOpX/ZO/0C4MN7SF4vuf7qJut3dwww+1F SkTqwwgEjiYuYkppQDKlDadMAc37/KEuZy0hFDrNf9oFZMelAKykTRyn8JXcK6X6R5qu RrYr13+1SrfBIfa0xB57cCYQHqQo3bfp2O4xd9BYuH6VV4ILqD2z1cuAChGimGAi57Sb UO/M/8lIDPAGkvgrHXqB1wV+ADQXc90PAauCLZ54ZtasxZbO51icw4HnDkxy1TgVA8ox LSyQ==
X-Gm-Message-State: ALoCoQmV/1D+v9oQMS9w4/0OQ4xGGf4S69hTGTUV/SM952OoISQF2uT3PJRgFAKx3yTU9NZDcaMqKrygTZKNd8/Vxgax/wNk4WK+UrLWzc1viVdzdDnaMFlJfnb6686zFom0/rHLeY9npCzdxq09C1gQGaPgKSGU8Q==
X-Received: by 10.42.58.75 with SMTP id g11mr1591004ich.47.1377717279955; Wed, 28 Aug 2013 12:14:39 -0700 (PDT)
X-Received: by 10.42.58.75 with SMTP id g11mr1590998ich.47.1377717279838; Wed, 28 Aug 2013 12:14:39 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.50.183.133 with HTTP; Wed, 28 Aug 2013 12:14:08 -0700 (PDT)
In-Reply-To: <e9cc445675f24c19940a6d3428749950@BY2PR03MB189.namprd03.prod.outlook.com>
References: <1373E8CE237FCC43BCA36C6558612D2AA28D6A@USCHMBX001.nsn-intra.net> <4D9D4AAD-55F9-4B7E-A56F-5BC42F028E13@oracle.com> <B14A12F5-EF5C-4529-90B7-C30E17958907@oracle.com> <521E1A34.30204@mitre.org> <ea3ca23616a042928e211e6c79879739@BY2PR03MB189.namprd03.prod.outlook.com> <521E1C70.3070801@mitre.org> <e9cc445675f24c19940a6d3428749950@BY2PR03MB189.namprd03.prod.outlook.com>
From: Brian Campbell <bcampbell@pingidentity.com>
Date: Wed, 28 Aug 2013 13:14:08 -0600
Message-ID: <CA+k3eCQGQqcp7SK+9FNgrBrjAcAZLGVaHU-nGrY30j6N7a2DCg@mail.gmail.com>
To: Anthony Nadalin <tonynad@microsoft.com>
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: quoted-printable
Cc: oauth mailing list <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Dynamic Client Registration Conference Call: Wed 28 Aug, 2pm PDT: Conference Bridge Details
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 28 Aug 2013 19:14:48 -0000

Not everyone has the time or inclination to follow and respond to all of this.

On Wed, Aug 28, 2013 at 10:01 AM, Anthony Nadalin <tonynad@microsoft.com> wrote:
> So I guess we should have different specifications for different use cases to solve same requirements, I guess we should have done that with OAuth and not worked out common flows, patterns, parameters, etc. I have only seen 2-3 respond to the implementation status, once again people should post if they:
>
> 1. have implemented this as is
> 2. plan on implementing as is
> 3. what use case they are solving
> 4. what modifications needed on top of this specification to actually solve use case
>
> -----Original Message-----
> From: Justin Richer [mailto:jricher@mitre.org]
> Sent: Wednesday, August 28, 2013 8:51 AM
> To: Anthony Nadalin
> Cc: Phil Hunt; oauth mailing list
> Subject: Re: [OAUTH-WG] Dynamic Client Registration Conference Call: Wed 28 Aug, 2pm PDT: Conference Bridge Details
>
> Except that folks are already actually implementing and using the spec, and that all of the discussions around different specs are pretty clearly pointing to different use cases and assumptions about the state of the world.
>
> Your arguments are invalid.
>
>   -- Justin
>
> On 08/28/2013 11:49 AM, Anthony Nadalin wrote:
>>> Therefore I once again call for the WG to finish the current dynamic
>>> registration spec *AND* pursue the assertion based process that
>>> Phil's talking about. They're not mutually exclusive, let's please
>>> stop talking
>> I see no reason to continue to push finish the current specification when there are so many discussions/issues going on as discussions will only lead to better specifications that folks can actually implement and use.
>>
>> -----Original Message-----
>> From: oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] On Behalf
>> Of Justin Richer
>> Sent: Wednesday, August 28, 2013 8:42 AM
>> To: Phil Hunt
>> Cc: oauth mailing list
>> Subject: Re: [OAUTH-WG] Dynamic Client Registration Conference Call:
>> Wed 28 Aug, 2pm PDT: Conference Bridge Details
>>
>> Except for the cases where you want step 1 to happen in band. To me, that is a vitally and fundamentally important use case that we can't disregard, and we must have a solution that can accommodate that. The notions of "publisher" and "product" fade very quickly once you get outside of the software vendor world.
>>
>> This is, of course, not to stand in the way of other solutions or approaches (such as something assertion based like you're after). It's not a one-or-the-other proposition, especially when there are mutually exclusive aspects of each.
>>
>> Therefore I once again call for the WG to finish the current dynamic registration spec *AND* pursue the assertion based process that Phil's talking about. They're not mutually exclusive, let's please stop talking about them like they are.
>>
>>    -- Justin
>>
>> On 08/28/2013 11:17 AM, Phil Hunt wrote:
>>> Sorry. I meant also to say I think there are 2 registration steps.
>>>
>>> 1. Software registration/approval. This often happens out of band. But in this step policy is defined that approves software for use. Many of the reg params are known here.
>>>
>>> Federation techniques come into play as trust approvals can be based on developer, product or even publisher.
>>>
>>> 2. Each instance associates in a stateless way. Only clients that need credential rotation need more.
>>>
>>> Phil
>>>
>>> On 2013-08-28, at 8:04, Phil Hunt <phil.hunt@oracle.com> wrote:
>>>
>>>> I have a conflict I cannot get out of for 2pacific.
>>>>
>>>> I think a certificate based approach is going to simplify exchanges in all cases. I encourage the group to explore the concept on the call.
>>>>
>>>> I am not sure breaking dyn reg up helps. It creates yet another option. I would like to explore how federation concept in software statements can help with facilitating association and making many reg stateless.
>>>>
>>>> Phil
>>>>
>>>> On 2013-08-28, at 5:43, "Tschofenig, Hannes (NSN - FI/Espoo)" <hannes.tschofenig@nsn.com> wrote:
>>>>
>>>>> Here are the conference bridge / Webex details for the call today.
>>>>> We are going to complete the use case discussions from last time
>>>>> (Phil wasn't able to walk through all slides). Justin was also able
>>>>> to work out a strawman proposal based on the discussions last week
>>>>> and we will have a look at it to see whether this is a suitable
>>>>> compromise. Here is Justin's mail, in case you have missed it:
>>>>> http://www.ietf.org/mail-archive/web/oauth/current/msg12036.html
>>>>>
>>>>> Phil, please feel free to make adjustments to your slides given Justin's recent proposal.
>>>>>
>>>>> Topic: OAuth Dynamic Client Registration
>>>>> Date: Wednesday, August 28, 2013
>>>>> Time: 2:00 pm, Pacific Daylight Time (San Francisco, GMT-07:00)
>>>>> Meeting Number: 703 230 586
>>>>> Meeting Password: oauth
>>>>>
>>>>> -------------------------------------------------------
>>>>> To join the online meeting
>>>>> -------------------------------------------------------
>>>>> 1. Go to
>>>>> https://nsn.webex.com/nsn/j.php?ED=269567657&UID=0&PW=NNTI1ZWQzMDJk&RT=MiM0
>>>>> 2. Enter your name and email address.
>>>>> 3. Enter the meeting password: oauth
>>>>> 4. Click "Join Now".
>>>>>
>>>>> To view in other time zones or languages, please click the link:
>>>>> https://nsn.webex.com/nsn/j.php?ED=269567657&UID=0&PW=NNTI1ZWQzMDJk&ORT=MiM0
>>>>>
>>>>> To add this meeting to your calendar program (for example Microsoft Outlook), click this link:
>>>>> https://nsn.webex.com/nsn/j.php?ED=269567657&UID=0&ICS=MI&LD=1&RD=2&ST=1&SHA2=C6-AjLGvhdYjmpVdx75M6UsAwrNLMsequ5n95Gyv1R8=&RT=MiM0
>>>>>
>>>>> -------------------------------------------------------
>>>>> To join the teleconference only
>>>>> -------------------------------------------------------
>>>>> Global dial-in Numbers: http://www.nokiasiemensnetworks.com/nvc
>>>>> Conference Code: 944 910 5485
>>>>>
>>>>>
>>>>> _______________________________________________
>>>>> OAuth mailing list
>>>>> OAuth@ietf.org
>>>>> https://www.ietf.org/mailman/listinfo/oauth

From torsten@lodderstedt.net  Wed Aug 28 22:42:09 2013
Return-Path: <torsten@lodderstedt.net>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0955E21F9ED2 for <oauth@ietfa.amsl.com>; Wed, 28 Aug 2013 22:42:09 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.047
X-Spam-Level: 
X-Spam-Status: No, score=-2.047 tagged_above=-999 required=5 tests=[AWL=0.201,  BAYES_00=-2.599, HELO_EQ_DE=0.35, HTML_MESSAGE=0.001]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id TnLOH0P1EmLj for <oauth@ietfa.amsl.com>; Wed, 28 Aug 2013 22:42:05 -0700 (PDT)
Received: from smtprelay04.ispgateway.de (smtprelay04.ispgateway.de [80.67.31.27]) by ietfa.amsl.com (Postfix) with ESMTP id 2A0CD21F85E0 for <oauth@ietf.org>; Wed, 28 Aug 2013 22:42:03 -0700 (PDT)
Received: from [80.187.101.96] (helo=[10.50.83.42]) by smtprelay04.ispgateway.de with esmtpsa (TLSv1:RC4-MD5:128) (Exim 4.68) (envelope-from <torsten@lodderstedt.net>) id 1VEuzX-0002bq-Ii; Thu, 29 Aug 2013 07:42:00 +0200
User-Agent: K-9 Mail for Android
In-Reply-To: <0D768920-8000-4176-A55B-1B2BE9791E08@oracle.com>
References: <1373E8CE237FCC43BCA36C6558612D2AA28D6A@USCHMBX001.nsn-intra.net> <4D9D4AAD-55F9-4B7E-A56F-5BC42F028E13@oracle.com> <B14A12F5-EF5C-4529-90B7-C30E17958907@oracle.com> <521E1A34.30204@mitre.org> <BC009D74-FEF3-4827-8C0D-1B2FCCF9DA65@oracle.com> <521E2353.2030904@aol.com> <C7CBA9A2-92F5-4AE3-8AEE-1259B6635DD9@oracle.com> <521E256A.60908@aol.com> <9F232504-FC58-41FD-B040-31F898034AD2@oracle.com> <521E27BF.3030408@mitre.org> <5B2C7096-939A-4EA2-81FF-F15BDDFB7ABB@ve7jtb.com> <146ED1AF-DE42-4DF1-8DEC-7F82B4C91D07@oracle.com> <521E2B74.9080104@aol.com> <0D768920-8000-4176-A55B-1B2BE9791E08@oracle.com>
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="----X8C3ZSRBY3W6HBFJAJMAJFPRUR4G51"
From: Torsten Lodderstedt <torsten@lodderstedt.net>
Date: Thu, 29 Aug 2013 07:41:53 +0200
To: Phil Hunt <phil.hunt@oracle.com>,George Fletcher <gffletch@aol.com>
Message-ID: <c521a42d-d194-42c2-b1f6-eefd0c776532@email.android.com>
X-Df-Sender: dG9yc3RlbkBsb2RkZXJzdGVkdC1vbmxpbmUuZGU=
Cc: oauth mailing list <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Dynamic Client Registration Conference Call: Wed 28	Aug, 2pm PDT: Conference Bridge Details
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 29 Aug 2013 05:42:09 -0000

------X8C3ZSRBY3W6HBFJAJMAJFPRUR4G51
Content-Type: text/plain;
 charset=UTF-8
Content-Transfer-Encoding: 8bit

Authz server and resource server need to agree on a token format. The client never needs to interpret the token content. Since we are talking about clients, where is the connection? 

regards,
Torsten.



Phil Hunt <phil.hunt@oracle.com> wrote:
>I think many of the parameters in dyn reg need to be specified in the
>statement -- the main change is we're moving dyn reg parameters into
>the statement and locking them down between instances.  It keeps
>hackers from changing individual instances and it minimizes state in
>per instance registration.
>
>The reason OAuth doesn't have to define token formats is they are
>largely "local".  Federated token scenarios (like UMA) obviously have
>to have some OOB agreement on format.  Given that registration in most
>of these cases is federated, it seems appropriate to define these
>assertions. (In the non-federated cases (e.g. like Google), they can do
>registration using workflows with the developer directly.)
>
>Phil
>
>@independentid
>www.independentid.com
>phil.hunt@oracle.com
>
>
>
>
>
>
>
>On 2013-08-28, at 9:55 AM, George Fletcher <gffletch@aol.com> wrote:
>
>> OAuth has never specified anything regarding the format the "tokens" that the AS has to accept and that's one of its virtues. It allows for many implementations from local only to federated.
>> 
>> I fully believe there is value in defining profiles of OAuth for
>particular problem domains that put restrictions on client_id format,
>access_token format etc (e.g. the assertion set of specs). However,
>those should be layered on top of OAuth as a profile and not be forced
>into the core. Otherwise, we are forcing all implementations down a
>much narrower path than is supported today. I definitely don't want to
>see that happen.
>> 
>> Thanks,
>> George
>> 
>> On 8/28/13 12:48 PM, Phil Hunt wrote:
>>> You can pass anything as a client_id.  It just has to be accepted.
>That's the point of us writing a draft here isn't it?
>>> 
>>> Phil
>>> 
>>> @independentid
>>> www.independentid.com
>>> phil.hunt@oracle.com
>>> 
>>> 
>>> 
>>> 
>>> 
>>> 
>>> 
>>> On 2013-08-28, at 9:45 AM, John Bradley <ve7jtb@ve7jtb.com> wrote:
>>> 
>>>> That is my concern as well, sending an assertion to the authorization endpoint requires an extension of OAuth to add another parameter or placing it in the client_id which you can do now with the dynamic reg spec if the AS wants to.
>>>> 
>>>> Holding up client registration for something that will require an
>extension to OAuth is overdoing it.   We need something for the OAuth
>spec we have now without requiring clients implement the assertion flow
>and other extensions.
>>>> 
>>>> John B.
>>>> 
>>>> On 2013-08-28, at 12:39 PM, Justin Richer <jricher@mitre.org>
>wrote:
>>>> 
>>>>> The initial_access_token doesn't assume that it's from the local
>domain. It merely assumes that the authorization server accepts the
>token, which would be true in the UMA case due to the federation. It
>could also be the exact same kinds of mechanisms that the software
>statement would use to achieve federation.
>>>>> 
>>>>> I still don't see how an auth server is going to know about a
>client's configuration state with the assertion swap method, since
>there's no defined mechanism for sending a JWT assertion to the
>authorization endpoint. 
>>>>> 
>>>>>  -- Justin
>>>>> 
>>>>> On 08/28/2013 12:35 PM, Phil Hunt wrote:
>>>>>> George,
>>>>>> 
>>>>>> It would be reasonable for a client to submit an assertion, and
>obtain its own client assertion in return.  This is very close to what
>is happening per 2.1, 2.2 of
>http://tools.ietf.org/html/draft-ietf-oauth-jwt-bearer-06
>>>>>> 
>>>>>> In this case, the Software Statement is an authorization that is
>exchanged for a client assertion in return. Then the clients
>authenticate per section 2.2 of the JWT spec.
>>>>>> 
>>>>>> Regarding initial_access_token.  This does have some of the
>characteristics I am speaking of. But it is unspecified and the
>assumption is that it is issued by the local domain.  This doesn't work
>in the UMA case because that's more like a federated model. Thus the
>specified software statement works because the AS can approve the
>client software based on name, and/or developer, and/or publisher --
>whatever trust requires.
>>>>>> 
>>>>>> Phil
>>>>>> 
>>>>>> @independentid
>>>>>> www.independentid.com
>>>>>> phil.hunt@oracle.com
>>>>>> 
>>>>>> 
>>>>>> 
>>>>>> 
>>>>>> 
>>>>>> 
>>>>>> 
>>>>>> On 2013-08-28, at 9:29 AM, George Fletcher <gffletch@aol.com>
>wrote:
>>>>>> 
>>>>>>> I can't say I understand what you mean by a simple assertion
>swap... but if you are wanting to use a client_assertion flow instead
>of the code flow then that's something completely different. If you are
>saying that you want the client_id to represent an "instance" in a
>stateless way using an "assertion" then that's already possible today.
>>>>>>> 
>>>>>>> George
>>>>>>> 
>>>>>>> On 8/28/13 12:23 PM, Phil Hunt wrote:
>>>>>>>> George
>>>>>>>> 
>>>>>>>> That case can be solved with a simple assertion swap. We just
>have to profile it. 
>>>>>>>> 
>>>>>>>> Phil
>>>>>>>> 
>>>>>>>> On 2013-08-28, at 9:20, George Fletcher <gffletch@aol.com>
>wrote:
>>>>>>>> 
>>>>>>>>> 
>>>>>>>>> On 8/28/13 12:02 PM, Phil Hunt wrote:
>>>>>>>>>> Please define the all in one case. I think this is the edge
>case and is in fact rare. 
>>>>>>>>>> 
>>>>>>>>>> I agree, in many cases step 1 can be made by simply approving
>a class of software. But then step 2 is simplified. 
>>>>>>>>>> 
>>>>>>>>>> Dyn reg assumes every registration of an instance is unique which to me is a very extreme
>>>>>>>>> If you have a mobile app that needs to do the code flow...
>which requires a client_secret in order to retrieve the access token
>and refresh token, how does the app do this without per app instance
>registration? 
>>>>>>>>> 
>>>>>>>>> I'd argue that almost all user facing mobile apps will want
>the above flow and that's not a small, rare edge case.
>>>>>>>>> 
>>>>>>>>> Thanks,
>>>>>>>>> George
>>>>>>>>>> position. 
>>>>>>>>>> 
>>>>>>>>>> Phil
>>>>>>>>>> 
>>>>>>>>>> On 2013-08-28, at 8:41, Justin Richer <jricher@mitre.org>
>wrote:
>>>>>>>>>> 
>>>>>>>>>>> Except for the cases where you want step 1 to happen in
>band. To me, that is a vitally and fundamentally important use case
>that we can't disregard, and we must have a solution that can
>accommodate that. The notions of "publisher" and "product" fade very
>quickly once you get outside of the software vendor world.
>>>>>>>>>>> 
>>>>>>>>>>> This is, of course, not to stand in the way of other
>solutions or approaches (such as something assertion based like you're
>after). It's not a one-or-the-other proposition, especially when there
>are mutually exclusive aspects of each.
>>>>>>>>>>> 
>>>>>>>>>>> Therefore I once again call for the WG to finish the current
>dynamic registration spec *AND* pursue the assertion based process that
>Phil's talking about. They're not mutually exclusive, let's please stop
>talking about them like they are.
>>>>>>>>>>> 
>>>>>>>>>>> -- Justin
>>>>>>>>>>> 
>>>>>>>>>>> On 08/28/2013 11:17 AM, Phil Hunt wrote:
>>>>>>>>>>>> Sorry. I meant also to say I think there are 2 registration steps.
>>>>>>>>>>>> 
>>>>>>>>>>>> 1. Software registration/approval. This often happens out
>of band. But in this step policy is defined that approves software for
>use. Many of the reg params are known here.
>>>>>>>>>>>> 
>>>>>>>>>>>> Federation techniques come into play as trust approvals can
>be based on developer, product or even publisher.
>>>>>>>>>>>> 
>>>>>>>>>>>> 2. Each instance associates in a stateless way. Only
>clients that need credential rotation need more.
>>>>>>>>>>>> 
>>>>>>>>>>>> Phil
>>>>>>>>>>>> 
>>>>>>>>>>>> On 2013-08-28, at 8:04, Phil Hunt <phil.hunt@oracle.com>
>wrote:
>>>>>>>>>>>> 
>>>>>>>>>>>>> I have a conflict I cannot get out of for 2pacific.
>>>>>>>>>>>>> 
>>>>>>>>>>>>> I think a certificate based approach is going to simplify
>exchanges in all cases. I encourage the group to explore the concept on
>the call.
>>>>>>>>>>>>> 
>>>>>>>>>>>>> I am not sure breaking dyn reg up helps. It creates yet
>another option. I would like to explore how federation concept in
>software statements can help with facilitating association and making
>many reg stateless.
>>>>>>>>>>>>> 
>>>>>>>>>>>>> Phil
>>>>>>>>>>>>> 
>>>>>>>>>>>>> On 2013-08-28, at 5:43, "Tschofenig, Hannes (NSN -
>FI/Espoo)" <hannes.tschofenig@nsn.com> wrote:
>>>>>>>>>>>>> 
>>>>>>>>>>>>>> Here are the conference bridge / Webex details for the
>call today.
>>>>>>>>>>>>>> We are going to complete the use case discussions from
>last time (Phil wasn't able to walk through all slides). Justin was
>also able to work out a strawman proposal based on the discussions last
>week and we will have a look at it to see whether this is a suitable
>compromise. Here is Justin's mail, in case you have missed it:
>http://www.ietf.org/mail-archive/web/oauth/current/msg12036.html
>>>>>>>>>>>>>> 
>>>>>>>>>>>>>> Phil, please feel free to make adjustments to your slides given Justin's recent proposal.
>>>>>>>>>>>>>> 
>>>>>>>>>>>>>> Topic: OAuth Dynamic Client Registration
>>>>>>>>>>>>>> Date: Wednesday, August 28, 2013
>>>>>>>>>>>>>> Time: 2:00 pm, Pacific Daylight Time (San Francisco,
>GMT-07:00)
>>>>>>>>>>>>>> Meeting Number: 703 230 586
>>>>>>>>>>>>>> Meeting Password: oauth
>>>>>>>>>>>>>> 
>>>>>>>>>>>>>> -------------------------------------------------------
>>>>>>>>>>>>>> To join the online meeting
>>>>>>>>>>>>>> -------------------------------------------------------
>>>>>>>>>>>>>> 1. Go to
>https://nsn.webex.com/nsn/j.php?ED=269567657&UID=0&PW=NNTI1ZWQzMDJk&RT=MiM0
>>>>>>>>>>>>>> 2. Enter your name and email address.
>>>>>>>>>>>>>> 3. Enter the meeting password: oauth
>>>>>>>>>>>>>> 4. Click "Join Now".
>>>>>>>>>>>>>> 
>>>>>>>>>>>>>> To view in other time zones or languages, please click
>the link:
>>>>>>>>>>>>>>
>https://nsn.webex.com/nsn/j.php?ED=269567657&UID=0&PW=NNTI1ZWQzMDJk&ORT=MiM0
>>>>>>>>>>>>>> 
>>>>>>>>>>>>>> To add this meeting to your calendar program (for example
>Microsoft Outlook), click this link:
>>>>>>>>>>>>>>
>https://nsn.webex.com/nsn/j.php?ED=269567657&UID=0&ICS=MI&LD=1&RD=2&ST=1&SHA2=C6-AjLGvhdYjmpVdx75M6UsAwrNLMsequ5n95Gyv1R8=&RT=MiM0
>>>>>>>>>>>>>> 
>>>>>>>>>>>>>> -------------------------------------------------------
>>>>>>>>>>>>>> To join the teleconference only
>>>>>>>>>>>>>> -------------------------------------------------------
>>>>>>>>>>>>>> Global dial-in Numbers:
>http://www.nokiasiemensnetworks.com/nvc
>>>>>>>>>>>>>> Conference Code: 944 910 5485
>>>>>>>>>>>>>> 
>>>>>>>>>>>>>> 
>>>>>>>>>>>>>> _______________________________________________
>>>>>>>>>>>>>> OAuth mailing list
>>>>>>>>>>>>>> OAuth@ietf.org
>>>>>>>>>>>>>> https://www.ietf.org/mailman/listinfo/oauth
>>>>>>>>>> 
>>>>>>>>>> 
>>>>>>>>> 
>>>>>> 
>>>>> 
>>>> 
>>> 
>>> 
>>> 
>> 
>
>
>
>------------------------------------------------------------------------
>
>_______________________________________________
>OAuth mailing list
>OAuth@ietf.org
>https://www.ietf.org/mailman/listinfo/oauth
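
The registration model Phil Hunt describes in the quoted messages above (registration parameters carried in a signed software statement and locked across instances, with trust decided per publisher), sketched from the authorization server's side. This is an added example, not part of the thread or of any draft: the claim names, the `instance_label` field, the HS256 signing and the demo key are all assumptions.

```python
import base64
import hashlib
import hmac
import json

# Constructed trust policy: publisher identifier -> verification key.
# Assumption: HS256 with a shared demo key keeps the example stdlib-only; a
# federated deployment would verify against the publisher's public key instead.
TRUSTED_PUBLISHERS = {"https://publisher.example": b"constructed-demo-key"}

# Hypothetical fields an instance may supply itself; all others are locked.
INSTANCE_SETTABLE = {"instance_label"}

# Constructed sample statement contents (claim names are assumptions).
SAMPLE_CLAIMS = {
    "iss": "https://publisher.example",
    "software_id": "demo-app-1.0",
    "client_name": "Demo App",
    "redirect_uris": ["https://app.example/cb"],
    "grant_types": ["authorization_code"],
}


class RegistrationError(Exception):
    """Raised when a statement or an instance request is not acceptable."""


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mac(key: bytes, header_b64: str, payload_b64: str) -> bytes:
    signing_input = f"{header_b64}.{payload_b64}".encode("ascii")
    return hmac.new(key, signing_input, hashlib.sha256).digest()


def sign_statement(claims: dict, key: bytes) -> str:
    """Publisher side: compact JWS (HS256) over the software's parameters."""
    header_b64 = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload_b64 = b64url_encode(json.dumps(claims).encode())
    signature = b64url_encode(mac(key, header_b64, payload_b64))
    return f"{header_b64}.{payload_b64}.{signature}"


def verify_statement(statement: str) -> dict:
    """AS side: return the claims only if a trusted publisher signed them."""
    try:
        header_b64, payload_b64, sig_b64 = statement.split(".")
        header = json.loads(b64url_decode(header_b64))
        claims = json.loads(b64url_decode(payload_b64))
        signature = b64url_decode(sig_b64)
    except ValueError as exc:
        raise RegistrationError("malformed software statement") from exc
    if not isinstance(header, dict) or not isinstance(claims, dict):
        raise RegistrationError("malformed software statement")
    # Pin the algorithm: never let the token choose "none" or another scheme.
    if header.get("alg") != "HS256":
        raise RegistrationError("unexpected signature algorithm")
    issuer = claims.get("iss")
    key = TRUSTED_PUBLISHERS.get(issuer) if isinstance(issuer, str) else None
    if key is None:
        raise RegistrationError("publisher is not trusted")
    if not hmac.compare_digest(mac(key, header_b64, payload_b64), signature):
        raise RegistrationError("signature does not verify")
    return claims


def register_instance(statement: str, request: dict) -> dict:
    """Combine locked statement parameters with the few per-instance fields."""
    claims = verify_statement(statement)
    registration = dict(claims)
    for name, value in request.items():
        if name in claims:
            # A parameter fixed by the statement may be repeated, never changed.
            if value != claims[name]:
                raise RegistrationError(f"{name} is locked by the software statement")
        elif name in INSTANCE_SETTABLE:
            registration[name] = value
        else:
            raise RegistrationError(f"{name} cannot be set per instance")
    return registration


if __name__ == "__main__":
    stmt = sign_statement(SAMPLE_CLAIMS, TRUSTED_PUBLISHERS["https://publisher.example"])
    print(register_instance(stmt, {"instance_label": "phone-1"}))
    try:
        register_instance(stmt, {"redirect_uris": ["https://other.example/cb"]})
    except RegistrationError as err:
        print("rejected:", err)
```

Because every locked value comes from the verified statement, the server needs no stored per-instance copy of those parameters to detect a changed redirect URI.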

------X8C3ZSRBY3W6HBFJAJMAJFPRUR4G51
Content-Type: text/html;
 charset=utf-8
Content-Transfer-Encoding: 8bit

<html><head><meta http-equiv="Content-Type" content="text/html charset=iso-8859-1" /><meta content="text/html; charset=ISO-8859-1" http-equiv="Content-Type" /><meta http-equiv="Content-Type" content="text/html;
        charset=ISO-8859-1" /><meta http-equiv="Content-Type" content="text/html;
              charset=ISO-8859-1" /><meta content="text/html; charset=ISO-8859-1" http-equiv="Content-Type" /><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1" /></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; ">Authz server and resource server need to agree on a token format. The client never needs to interpret the token content. Since we are talking about clients, where is the connection? <br>
<br>
regards,<br>
Torsten.<br><br><div class="gmail_quote"><br>
<br>
Phil Hunt &lt;phil.hunt@oracle.com&gt; schrieb:<blockquote class="gmail_quote" style="margin: 0pt 0pt 0pt 0.8ex; border-left: 1px solid rgb(204, 204, 204); padding-left: 1ex;">
I think many of the parameters in dyn reg need to be specified in the statement -- the main change is we're moving dyn reg parameters into the statement and locking them down between instances. &nbsp;It keeps hackers from changing individual instances and it minimizes state in per instance registration.<div><br /></div><div>The reason OAuth doesn't have to define token formats is they are largely "local". &nbsp;Federated token scenarios (like UMA) obviously have to have some OOB agreement on format. &nbsp;Given that registration in most of these cases is federated, it seems appropriate to define these assertions. (In the non-federated cases (e.g. like Google), they can do registration using workflows with the developer directly.)</div><div><br /></div><div><span style="font-size: 12px; ">Phil</span></div><div><div apple-content-edited="true"><span class="Apple-style-span" style="border-collapse: separate; border-spacing: 0px; "><div style="word-wrap: break-word; -webkit-nbsp-
 mode:
space; -webkit-line-break: after-white-space; "><span class="Apple-style-span" style="border-collapse: separate; color: rgb(0, 0, 0); font-family: Helvetica; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px; border-spacing: 0px; -webkit-text-decorations-in-effect: none; -webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; "><div style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; "><span class="Apple-style-span" style="border-collapse: separate; color: rgb(0, 0, 0); font-family: Helvetica; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px; border-spacing: 0px;
-webkit-text-decorations-in-effect: none; -webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; "><div style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; "><span class="Apple-style-span" style="border-collapse: separate; color: rgb(0, 0, 0); font-family: Helvetica; font-size: 12px; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px; border-spacing: 0px; -webkit-text-decorations-in-effect: none; -webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; "><div style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; "><div><br /></div><div>@independentid</div><div><a href="http://www.independentid.com">www.independentid.com</a></div></div></span><a href="mailto:phil.hunt@oracle.com">phil.hunt@oracle.com</a></div><div
style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; "><br /><br /></div></span><br class="Apple-interchange-newline" /></div></span><br class="Apple-interchange-newline" /></div></span><br class="Apple-interchange-newline" /><br class="Apple-interchange-newline" />
</div>
<br /><div><div>On 2013-08-28, at 9:55 AM, George Fletcher &lt;<a href="mailto:gffletch@aol.com">gffletch@aol.com</a>&gt; wrote:</div><br class="Apple-interchange-newline" /><blockquote type="cite">
  
    
  
  <div bgcolor="#FFFFFF" text="#000000">
    <font face="Helvetica, Arial, sans-serif">OAuth has never specified
      anything regarding the format the "tokens" that the AS has to
      accept and that's one of its virtues. It allows for many
      implementations from local only to federated. <br />
      <br />
      I fully believe there is value in defining profiles of OAuth for
      particular problem domains that put restrictions on client_id
      format, access_token format etc (e.g. the assertion set of specs).
      However, those should be layered on top of OAuth as a profile and
      not be forced into the core. Otherwise, we are forcing all
      implementations down a much narrower path than is supported today.
      I definitely don't want to see that happen.<br />
      <br />
      Thanks,<br />
      George<br />
      <br />
    </font>
    <div class="moz-cite-prefix">On 8/28/13 12:48 PM, Phil Hunt wrote:<br />
    </div>
    <blockquote cite="mid:146ED1AF-DE42-4DF1-8DEC-7F82B4C91D07@oracle.com" type="cite">
      
      You can pass anything as a client_id. &nbsp;It just has to be accepted.
      That's the point of us writing a draft here isn't it?
      <div><br />
        <div apple-content-edited="true">
          <div>Phil</div>
          <div><br />
          </div>
          <div>@independentid</div>
          <div><a moz-do-not-send="true" href="http://www.independentid.com/">www.independentid.com</a></div>
          <div><a moz-do-not-send="true" href="mailto:phil.hunt@oracle.com">phil.hunt@oracle.com</a></div>
          <br />
        </div>
        <br />
        <div>
          <div>On 2013-08-28, at 9:45 AM, John Bradley &lt;<a moz-do-not-send="true" href="mailto:ve7jtb@ve7jtb.com">ve7jtb@ve7jtb.com</a>&gt;
            wrote:</div>
          <br class="Apple-interchange-newline" />
          <blockquote type="cite">
            
            <div style="word-wrap: break-word; -webkit-nbsp-mode: space;
              -webkit-line-break: after-white-space; ">That is my
              concern as well, sending an assertion to the authorization
              endpoint requires an extension of OAuth to add another
              parameter or placing it in the client_id which you can do
              now with the dynamic reg spec if the AS wants to.&nbsp;
              <div><br />
              </div>
              <div>Holding up client registration for something that
                will require an extension to OAuth is overdoing it. &nbsp; We
                need something for the OAuth spec we have now without
                requiring clients implement the assertion flow and other
                extensions.</div>
              <div><br />
              </div>
              <div>John B.</div>
              <div><br />
                <div>
                  <div>On 2013-08-28, at 12:39 PM, Justin Richer &lt;<a moz-do-not-send="true" href="mailto:jricher@mitre.org">jricher@mitre.org</a>&gt;
                    wrote:</div>
                  <br class="Apple-interchange-newline" />
                  <blockquote type="cite">
                    
                    <div bgcolor="#FFFFFF" text="#000000"> The
                      initial_access_token doesn't assume that it's from
                      the local domain. It merely assumes that the
                      authorization server accepts the token, which
                      would be true in the UMA case due to the
                      federation. It could also be the exact same kinds
                      of mechanisms that the software statement would
                      use to achieve federation.<br />
                      <br />
                      I still don't see how an auth server is going to
                      know about a client's configuration state with the
                      assertion swap method, since there's no defined
                      mechanism for sending a JWT assertion to the
                      authorization endpoint. <br />
                      <br />
                      &nbsp;-- Justin<br />
                      <br />
                      <div class="moz-cite-prefix">On 08/28/2013 12:35
                        PM, Phil Hunt wrote:<br />
                      </div>
                      <blockquote cite="mid:9F232504-FC58-41FD-B040-31F898034AD2@oracle.com" type="cite">
                        
                        George,
                        <div><br />
                        </div>
                        <div>It would be reasonable for a client to
                          submit an assertion, and obtain its own client
                          assertion in return. &nbsp;This is very close to
                          what is happening per 2.1, 2.2 of&nbsp;<a moz-do-not-send="true" href="http://tools.ietf.org/html/draft-ietf-oauth-jwt-bearer-06">http://tools.ietf.org/html/draft-ietf-oauth-jwt-bearer-06</a></div>
                        <div><br />
                        </div>
                        <div>In this case, the Software Statement is an
                          authorization that is exchanged for a client
                          assertion in return. Then the clients
                          authenticate per section 2.2 of the JWT spec.</div>
                        <div><br />
                        </div>
                        <div>Regarding initial_access_token. &nbsp;This does
                          have some of the characteristics I am speaking
                          of. But it is unspecified and the assumption
                          is that it is issued by the local domain.
                          &nbsp;This doesn't work in the UMA case because
                          that's more like a federated model. Thus the
                          specified software statement works because the
                          AS can approve the client software based on
                          name, and/or developer, and/or publisher --
                          whatever trust requires.</div>
                        <div><br />
                          <div apple-content-edited="true">
                            <div>Phil</div>
                            <div><br />
                            </div>
                            <div>@independentid</div>
                            <div><a moz-do-not-send="true" href="http://www.independentid.com/">www.independentid.com</a></div>
                            <div><a moz-do-not-send="true" href="mailto:phil.hunt@oracle.com">phil.hunt@oracle.com</a></div>
                          </div>
                          <br />
                          <div>
                            <div>On 2013-08-28, at 9:29 AM, George
                              Fletcher &lt;<a moz-do-not-send="true" href="mailto:gffletch@aol.com">gffletch@aol.com</a>&gt;

                              wrote:</div>
                            <br class="Apple-interchange-newline" />
                            <blockquote type="cite">
                              <div bgcolor="#FFFFFF" text="#000000"> <font face="Helvetica, Arial, sans-serif">I
                                  can't say I understand what you mean
                                  by a simple assertion swap... but if
                                  you are wanting to use a
                                  client_assertion flow instead of the
                                  code flow then that's something
                                  completely different. If you are
                                  saying that you want the client_id to
                                  represent an "instance" in a stateless
                                  way using an "assertion" then that's
                                  already possible today.<br />
                                  <br />
                                  George<br />
                                  <br />
                                </font>
                                <div class="moz-cite-prefix">On 8/28/13
                                  12:23 PM, Phil Hunt wrote:<br />
                                </div>
                                <blockquote cite="mid:C7CBA9A2-92F5-4AE3-8AEE-1259B6635DD9@oracle.com" type="cite">
                                  <div>George</div>
                                  <div><br />
                                  </div>
                                  <div>That case can be solved with a
                                    simple assertion swap. We just have
                                    to profile it.&nbsp;<br />
                                    <br />
                                    Phil</div>
                                  <div><br />
                                    On 2013-08-28, at 9:20, George
                                    Fletcher &lt;<a moz-do-not-send="true" href="mailto:gffletch@aol.com">gffletch@aol.com</a>&gt;


                                    wrote:<br />
                                    <br />
                                  </div>
                                  <blockquote type="cite">
                                    <div> <br />
                                      <div class="moz-cite-prefix">On
                                        8/28/13 12:02 PM, Phil Hunt
                                        wrote:<br />
                                      </div>
                                      <blockquote cite="mid:BC009D74-FEF3-4827-8C0D-1B2FCCF9DA65@oracle.com" type="cite">
                                        <pre wrap="">Please define the all in one case. I think this is the edge case and is in fact rare. 

I agree, in many cases step 1 can be made by simply approving a class of software. But then step 2 is simplified. 

Dyn reg assumes every registration of an instance is unique which to me is a very extreme </pre>
                                      </blockquote>
                                      If you have a mobile app that
                                      needs to do the code flow... which
                                      requires a client_secret in order
                                      to retrieve the access token and
                                      refresh token, how does the app do
                                      this without per app instance
                                      registration? <br />
                                      <br />
                                      I'd argue that almost all user
                                      facing mobile apps will want the
                                      above flow and that's not a small,
                                      rare edge case.<br />
                                      <br />
                                      Thanks,<br />
                                      George<br />
                                      <blockquote cite="mid:BC009D74-FEF3-4827-8C0D-1B2FCCF9DA65@oracle.com" type="cite">
                                        <pre wrap="">position. 

Phil

On 2013-08-28, at 8:41, Justin Richer <a moz-do-not-send="true" class="moz-txt-link-rfc2396E" href="mailto:jricher@mitre.org">&lt;jricher@mitre.org&gt;</a> wrote:

</pre>
                                        <blockquote type="cite">
                                          <pre wrap="">Except for the cases where you want step 1 to happen in band. To me, that is a vitally and fundamentally important use case that we can't disregard, and we must have a solution that can accommodate that. The notions of "publisher" and "product" fade very quickly once you get outside of the software vendor world.

This is, of course, not to stand in the way of other solutions or approaches (such as something assertion based like you're after). It's not a one-or-the-other proposition, especially when there are mutually exclusive aspects of each.

Therefore I once again call for the WG to finish the current dynamic registration spec *AND* pursue the assertion based process that Phil's talking about. They're not mutually exclusive, let's please stop talking about them like they are.

-- Justin

On 08/28/2013 11:17 AM, Phil Hunt wrote:
</pre>
                                          <blockquote type="cite">
                                            <pre wrap="">Sorry. I meant also to say I think there are 2 registration steps.

1. Software registration/approval. This often happens out of band. But in this step policy is defined that approves software for use. Many of the reg params are known here.

Federation techniques come into play as trust approvals can be based on developer, product or even publisher.

2. Each instance associates in a stateless way. Only clients that need credential rotation need more.

Phil

On 2013-08-28, at 8:04, Phil Hunt <a moz-do-not-send="true" class="moz-txt-link-rfc2396E" href="mailto:phil.hunt@oracle.com">&lt;phil.hunt@oracle.com&gt;</a> wrote:

</pre>
                                            <blockquote type="cite">
                                              <pre wrap="">I have a conflict I cannot get out of for 2pacific.

I think a certificate based approach is going to simplify exchanges in all cases. I encourage the group to explore the concept on the call.

I am not sure breaking dyn reg up helps. It creates yet another option. I would like to explore how federation concept in software statements can help with facilitating association and making many reg stateless.

Phil

On 2013-08-28, at 5:43, "Tschofenig, Hannes (NSN - FI/Espoo)" <a moz-do-not-send="true" class="moz-txt-link-rfc2396E" href="mailto:hannes.tschofenig@nsn.com">&lt;hannes.tschofenig@nsn.com&gt;</a> wrote:

</pre>
                                              <blockquote type="cite">
                                                <pre wrap="">Here are the conference bridge / Webex details for the call today.
We are going to complete the use case discussions from last time (Phil wasn't able to walk through all slides). Justin was also able to work out a strawman proposal based on the discussions last week and we will have a look at it to see whether this is a suitable compromise. Here is Justin's mail, in case you have missed it: <a moz-do-not-send="true" class="moz-txt-link-freetext" href="http://www.ietf.org/mail-archive/web/oauth/current/msg12036.html">http://www.ietf.org/mail-archive/web/oauth/current/msg12036.html</a>

Phil, please feel free to make adjustments to your slides given Justin's recent proposal.

Topic: OAuth Dynamic Client Registration
Date: Wednesday, August 28, 2013
Time: 2:00 pm, Pacific Daylight Time (San Francisco, GMT-07:00)
Meeting Number: 703 230 586
Meeting Password: oauth

-------------------------------------------------------
To join the online meeting
-------------------------------------------------------
1. Go to <a moz-do-not-send="true" class="moz-txt-link-freetext" href="https://nsn.webex.com/nsn/j.php?ED=269567657&amp;UID=0&amp;PW=NNTI1ZWQzMDJk&amp;RT=MiM0">https://nsn.webex.com/nsn/j.php?ED=269567657&amp;UID=0&amp;PW=NNTI1ZWQzMDJk&amp;RT=MiM0</a>
2. Enter your name and email address.
3. Enter the meeting password: oauth
4. Click "Join Now".

To view in other time zones or languages, please click the link:
<a moz-do-not-send="true" class="moz-txt-link-freetext" href="https://nsn.webex.com/nsn/j.php?ED=269567657&amp;UID=0&amp;PW=NNTI1ZWQzMDJk&amp;ORT=MiM0">https://nsn.webex.com/nsn/j.php?ED=269567657&amp;UID=0&amp;PW=NNTI1ZWQzMDJk&amp;ORT=MiM0</a>

To add this meeting to your calendar program (for example Microsoft Outlook), click this link:
<a moz-do-not-send="true" class="moz-txt-link-freetext" href="https://nsn.webex.com/nsn/j.php?ED=269567657&amp;UID=0&amp;ICS=MI&amp;LD=1&amp;RD=2&amp;ST=1&amp;SHA2=C6-AjLGvhdYjmpVdx75M6UsAwrNLMsequ5n95Gyv1R8=&amp;RT=MiM0">https://nsn.webex.com/nsn/j.php?ED=269567657&amp;UID=0&amp;ICS=MI&amp;LD=1&amp;RD=2&amp;ST=1&amp;SHA2=C6-AjLGvhdYjmpVdx75M6UsAwrNLMsequ5n95Gyv1R8=&amp;RT=MiM0</a>

-------------------------------------------------------
To join the teleconference only
-------------------------------------------------------
Global dial-in Numbers: <a moz-do-not-send="true" class="moz-txt-link-freetext" href="http://www.nokiasiemensnetworks.com/nvc">http://www.nokiasiemensnetworks.com/nvc</a>
Conference Code: 944 910 5485


_______________________________________________
OAuth mailing list
<a moz-do-not-send="true" class="moz-txt-link-abbreviated" href="mailto:OAuth@ietf.org">OAuth@ietf.org</a>
<a moz-do-not-send="true" class="moz-txt-link-freetext" href="https://www.ietf.org/mailman/listinfo/oauth">https://www.ietf.org/mailman/listinfo/oauth</a>
</pre>
                                              </blockquote>
                                            </blockquote>
                                          </blockquote>
                                        </blockquote>
                                      </blockquote>
                                      <br />
                                      <div class="moz-signature">-- <br />
                                        <a moz-do-not-send="true" href="http://connect.me/gffletch" title="View full card on
                                          Connect.Me">&lt;XeC&gt;</a></div>
                                    </div>
                                  </blockquote>
                                </blockquote>
                                <br />
                                <div class="moz-signature">-- <br />
                                  <a moz-do-not-send="true" href="http://connect.me/gffletch" title="View full card on Connect.Me"><span>&lt;XeC.png&gt;</span></a></div>
                              </div>
                            </blockquote>
                          </div>
                          <br />
                        </div>
                      </blockquote>
                      <br />
                    </div>
                  </blockquote>
                </div>
                <br />
              </div>
            </div>
          </blockquote>
        </div>
        <br />
      </div>
      <br />
      <fieldset class="mimeAttachmentHeader"></fieldset>
      <br />
    </blockquote>
    <br />
    <div class="moz-signature">-- <br />
      <a href="http://connect.me/gffletch" title="View full card on
        Connect.Me"><span>&lt;XeC.png&gt;</span></a></div>
  </div>

</blockquote></div><br /></div><p style="margin-top: 2.5em; margin-bottom: 1em; border-bottom: 1px solid #000"></p><pre class="k9mail"><hr /><br />OAuth mailing list<br />OAuth@ietf.org<br /><a href="https://www.ietf.org/mailman/listinfo/oauth">https://www.ietf.org/mailman/listinfo/oauth</a><br /></pre></blockquote></div></body></html>
------X8C3ZSRBY3W6HBFJAJMAJFPRUR4G51--


From torsten@lodderstedt.net  Wed Aug 28 22:49:19 2013
Return-Path: <torsten@lodderstedt.net>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7950721F9EF4 for <oauth@ietfa.amsl.com>; Wed, 28 Aug 2013 22:49:19 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.114
X-Spam-Level: 
X-Spam-Status: No, score=-2.114 tagged_above=-999 required=5 tests=[AWL=0.135,  BAYES_00=-2.599, HELO_EQ_DE=0.35]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 28c21ZlVBCX8 for <oauth@ietfa.amsl.com>; Wed, 28 Aug 2013 22:49:03 -0700 (PDT)
Received: from smtprelay01.ispgateway.de (smtprelay01.ispgateway.de [80.67.31.24]) by ietfa.amsl.com (Postfix) with ESMTP id 736DE21F9E89 for <oauth@ietf.org>; Wed, 28 Aug 2013 22:49:02 -0700 (PDT)
Received: from [80.187.101.96] (helo=[10.50.83.42]) by smtprelay01.ispgateway.de with esmtpsa (TLSv1:RC4-MD5:128) (Exim 4.68) (envelope-from <torsten@lodderstedt.net>) id 1VEv6K-0005vQ-Lk; Thu, 29 Aug 2013 07:49:00 +0200
User-Agent: K-9 Mail for Android
In-Reply-To: <0e624532-be36-4887-8d11-56dcf8eb8ecd@email.android.com>
References: <0e624532-be36-4887-8d11-56dcf8eb8ecd@email.android.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
From: Torsten Lodderstedt <torsten@lodderstedt.net>
Date: Thu, 29 Aug 2013 07:48:55 +0200
To: Phil Hunt <phil.hunt@oracle.com>,oauth@ietf.org
Message-ID: <d6c822ce-0159-46fe-8d4b-b269edb9b1c1@email.android.com>
X-Df-Sender: dG9yc3RlbkBsb2RkZXJzdGVkdC1vbmxpbmUuZGU=
Subject: [OAUTH-WG] Fwd: Re: Dynamic Client Registration Conference Call: Wed 28	Aug, 2pm PDT: Conference Bridge Details
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 29 Aug 2013 05:49:19 -0000

Hi Phil,

You would send the client's credential to the authz endpoint, so it would go through the browser and would be exposed to other parties.

I agree with George and others. This is a topic different from dyn reg and should be handled independently. 

I personally consider assertions as a means of client authentication an interesting option we should further evaluate. But this would be an evolution to OAuth itself.

regards,
Torsten.



Phil Hunt <phil.hunt@oracle.com> wrote:
>You can pass anything as a client_id.  It just has to be accepted.
>That's the point of us writing a draft here isn't it?
>
>Phil
>
>@independentid
>www.independentid.com
>phil.hunt@oracle.com
>
>On 2013-08-28, at 9:45 AM, John Bradley <ve7jtb@ve7jtb.com> wrote:
>
>> That is my concern as well, sending an assertion to the authorization
>endpoint requires an extension of OAuth to add another parameter or
>placing it in the client_id which you can do now with the dynamic reg
>spec if the AS wants to. 
>> 
>> Holding up client registration for something that will require an
>extension to OAuth is overdoing it.   We need something for the OAuth
>spec we have now without requiring clients implement the assertion flow
>and other extensions.
>> 
>> John B.
>> 
>> On 2013-08-28, at 12:39 PM, Justin Richer <jricher@mitre.org> wrote:
>> 
>>> The initial_access_token doesn't assume that it's from the local
>domain. It merely assumes that the authorization server accepts the
>token, which would be true in the UMA case due to the federation. It
>could also be the exact same kinds of mechanisms that the software
>statement would use to achieve federation.
>>> 
>>> I still don't see how an auth server is going to know about a
>client's configuration state with the assertion swap method, since
>there's no defined mechanism for sending a JWT assertion to the
>authorization endpoint. 
>>> 
>>>  -- Justin
>>> 
>>> On 08/28/2013 12:35 PM, Phil Hunt wrote:
>>>> George,
>>>> 
>>>> It would be reasonable for a client to submit an assertion, and
>obtain its own client assertion in return.  This is very close to what
>is happening per 2.1, 2.2 of
>http://tools.ietf.org/html/draft-ietf-oauth-jwt-bearer-06
>>>> 
>>>> In this case, the Software Statement is an authorization that is
>exchanged for a client assertion in return. Then the clients
>authenticate per section 2.2 of the JWT spec.
>>>> 
>>>> Regarding initial_access_token.  This does have some of the
>characteristics I am speaking of. But it is unspecified and the
>assumption is that it is issued by the local domain.  This doesn't work
>in the UMA case because that's more like a federated model. Thus the
>specified software statement works because the AS can approve the
>client software based on name, and/or developer, and/or publisher --
>whatever trust requires.
>>>> 
>>>> Phil
>>>> 
>>>> @independentid
>>>> www.independentid.com
>>>> phil.hunt@oracle.com
>>>> 
>>>> On 2013-08-28, at 9:29 AM, George Fletcher <gffletch@aol.com>
>wrote:
>>>> 
>>>>> I can't say I understand what you mean by a simple assertion
>swap... but if you are wanting to use a client_assertion flow instead
>of the code flow then that's something completely different. If you are
>saying that you want the client_id to represent an "instance" in a
>stateless way using an "assertion" then that's already possible today.
>>>>> 
>>>>> George
>>>>> 
>>>>> On 8/28/13 12:23 PM, Phil Hunt wrote:
>>>>>> George
>>>>>> 
>>>>>> That case can be solved with a simple assertion swap. We just
>have to profile it. 
>>>>>> 
>>>>>> Phil
>>>>>> 
>>>>>> On 2013-08-28, at 9:20, George Fletcher <gffletch@aol.com> wrote:
>>>>>> 
>>>>>>> 
>>>>>>> On 8/28/13 12:02 PM, Phil Hunt wrote:
>>>>>>>> Please define the all in one case. I think this is the edge
>>>>>>>> case and is in fact rare.
>>>>>>>> 
>>>>>>>> I agree, in many cases step 1 can be made by simply approving a
>>>>>>>> class of software. But then step 2 is simplified.
>>>>>>>> 
>>>>>>>> Dyn reg assumes every registration of an instance is unique
>>>>>>>> which to me is a very extreme
>>>>>>> If you have a mobile app that needs to do the code flow... which
>>>>>>> requires a client_secret in order to retrieve the access token and
>>>>>>> refresh token, how does the app do this without per app instance
>>>>>>> registration?
>>>>>>> 
>>>>>>> I'd argue that almost all user facing mobile apps will want the
>>>>>>> above flow and that's not a small, rare edge case.
>>>>>>> 
>>>>>>> Thanks,
>>>>>>> George
>>>>>>>> position. 
>>>>>>>> 
>>>>>>>> Phil
>>>>>>>> 
>>>>>>>> On 2013-08-28, at 8:41, Justin Richer <jricher@mitre.org> wrote:
>>>>>>>> 
>>>>>>>>> Except for the cases where you want step 1 to happen in band.
>>>>>>>>> To me, that is a vitally and fundamentally important use case that we
>>>>>>>>> can't disregard, and we must have a solution that can accommodate that.
>>>>>>>>> The notions of "publisher" and "product" fade very quickly once you get
>>>>>>>>> outside of the software vendor world.
>>>>>>>>> 
>>>>>>>>> This is, of course, not to stand in the way of other solutions
>>>>>>>>> or approaches (such as something assertion based like you're after).
>>>>>>>>> It's not a one-or-the-other proposition, especially when there are
>>>>>>>>> mutually exclusive aspects of each.
>>>>>>>>> 
>>>>>>>>> Therefore I once again call for the WG to finish the current
>>>>>>>>> dynamic registration spec *AND* pursue the assertion based process that
>>>>>>>>> Phil's talking about. They're not mutually exclusive, let's please stop
>>>>>>>>> talking about them like they are.
>>>>>>>>> 
>>>>>>>>> -- Justin
>>>>>>>>> 
>>>>>>>>> On 08/28/2013 11:17 AM, Phil Hunt wrote:
>>>>>>>>>> Sorry. I meant also to say I think there are 2 registration
>>>>>>>>>> steps.
>>>>>>>>>> 
>>>>>>>>>> 1. Software registration/approval. This often happens out of
>>>>>>>>>> band. But in this step policy is defined that approves software for
>>>>>>>>>> use. Many of the reg params are known here.
>>>>>>>>>> 
>>>>>>>>>> Federation techniques come into play as trust approvals can
>>>>>>>>>> be based on developer, product or even publisher.
>>>>>>>>>> 
>>>>>>>>>> 2. Each instance associates in a stateless way. Only clients
>>>>>>>>>> that need credential rotation need more.
>>>>>>>>>> 
>>>>>>>>>> Phil
>>>>>>>>>> 
>>>>>>>>>> On 2013-08-28, at 8:04, Phil Hunt <phil.hunt@oracle.com> wrote:
>>>>>>>>>> 
>>>>>>>>>>> I have a conflict I cannot get out of for 2pacific.
>>>>>>>>>>> 
>>>>>>>>>>> I think a certificate based approach is going to simplify
>>>>>>>>>>> exchanges in all cases. I encourage the group to explore the concept on
>>>>>>>>>>> the call.
>>>>>>>>>>> 
>>>>>>>>>>> I am not sure breaking dyn reg up helps. It creates yet
>>>>>>>>>>> another option. I would like to explore how federation concept in
>>>>>>>>>>> software statements can help with facilitating association and making
>>>>>>>>>>> many reg stateless.
>>>>>>>>>>> 
>>>>>>>>>>> Phil
>>>>>>>>>>> 
>>>>>>>>>>> On 2013-08-28, at 5:43, "Tschofenig, Hannes (NSN - FI/Espoo)" <hannes.tschofenig@nsn.com> wrote:
>>>>>>>>>>> 
>>>>>>>>>>>> Here are the conference bridge / Webex details for the call
>>>>>>>>>>>> today.
>>>>>>>>>>>> We are going to complete the use case discussions from last
>>>>>>>>>>>> time (Phil wasn't able to walk through all slides). Justin was also
>>>>>>>>>>>> able to work out a strawman proposal based on the discussions last week
>>>>>>>>>>>> and we will have a look at it to see whether this is a suitable
>>>>>>>>>>>> compromise. Here is Justin's mail, in case you have missed it:
>>>>>>>>>>>> http://www.ietf.org/mail-archive/web/oauth/current/msg12036.html
>>>>>>>>>>>> 
>>>>>>>>>>>> Phil, please feel free to make adjustments to your slides
>>>>>>>>>>>> given Justin's recent proposal.
>>>>>>>>>>>> 
>>>>>>>>>>>> Topic: OAuth Dynamic Client Registration
>>>>>>>>>>>> Date: Wednesday, August 28, 2013
>>>>>>>>>>>> Time: 2:00 pm, Pacific Daylight Time (San Francisco,
>>>>>>>>>>>> GMT-07:00)
>>>>>>>>>>>> Meeting Number: 703 230 586
>>>>>>>>>>>> Meeting Password: oauth
>>>>>>>>>>>> 
>>>>>>>>>>>> -------------------------------------------------------
>>>>>>>>>>>> To join the online meeting
>>>>>>>>>>>> -------------------------------------------------------
>>>>>>>>>>>> 1. Go to
>>>>>>>>>>>> https://nsn.webex.com/nsn/j.php?ED=269567657&UID=0&PW=NNTI1ZWQzMDJk&RT=MiM0
>>>>>>>>>>>> 2. Enter your name and email address.
>>>>>>>>>>>> 3. Enter the meeting password: oauth
>>>>>>>>>>>> 4. Click "Join Now".
>>>>>>>>>>>> 
>>>>>>>>>>>> To view in other time zones or languages, please click the
>>>>>>>>>>>> link:
>>>>>>>>>>>> https://nsn.webex.com/nsn/j.php?ED=269567657&UID=0&PW=NNTI1ZWQzMDJk&ORT=MiM0
>>>>>>>>>>>> 
>>>>>>>>>>>> To add this meeting to your calendar program (for example
>>>>>>>>>>>> Microsoft Outlook), click this link:
>>>>>>>>>>>> https://nsn.webex.com/nsn/j.php?ED=269567657&UID=0&ICS=MI&LD=1&RD=2&ST=1&SHA2=C6-AjLGvhdYjmpVdx75M6UsAwrNLMsequ5n95Gyv1R8=&RT=MiM0
>>>>>>>>>>>> 
>>>>>>>>>>>> -------------------------------------------------------
>>>>>>>>>>>> To join the teleconference only
>>>>>>>>>>>> -------------------------------------------------------
>>>>>>>>>>>> Global dial-in Numbers:
>>>>>>>>>>>> http://www.nokiasiemensnetworks.com/nvc
>>>>>>>>>>>> Conference Code: 944 910 5485
>>>>>>>>>>>> 
>>>>>>>>>>>> 
>>>>>>>>>>>> _______________________________________________
>>>>>>>>>>>> OAuth mailing list
>>>>>>>>>>>> OAuth@ietf.org
>>>>>>>>>>>> https://www.ietf.org/mailman/listinfo/oauth
>>>>>>>> 
>>>>>>>> 
>>>>>>> 
>>>>>>> -- 
>>>>>>> <XeC>
>>>>> 
>>>>> -- 
>>>>> <XeC.png>
>>>> 
>>> 
>> 
>
>
>
>------------------------------------------------------------------------
>
>_______________________________________________
>OAuth mailing list
>OAuth@ietf.org
>https://www.ietf.org/mailman/listinfo/oauth


From m.zdila@gmail.com  Fri Aug 30 00:41:38 2013
Return-Path: <m.zdila@gmail.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CFF2711E80E0 for <oauth@ietfa.amsl.com>; Fri, 30 Aug 2013 00:41:38 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.677
X-Spam-Level: 
X-Spam-Status: No, score=-1.677 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, MIME_8BIT_HEADER=0.3, NO_RELAYS=-0.001]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 5--YIoXyS0db for <oauth@ietfa.amsl.com>; Fri, 30 Aug 2013 00:41:38 -0700 (PDT)
Received: from mail-qa0-x22e.google.com (mail-qa0-x22e.google.com [IPv6:2607:f8b0:400d:c00::22e]) by ietfa.amsl.com (Postfix) with ESMTP id ECBE421F9FCE for <oauth@ietf.org>; Fri, 30 Aug 2013 00:41:37 -0700 (PDT)
Received: by mail-qa0-f46.google.com with SMTP id i13so3402921qae.19 for <oauth@ietf.org>; Fri, 30 Aug 2013 00:41:37 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:sender:from:date:message-id:subject:to:content-type; bh=OxDy0THuKKr3UgARaHbhOU1p6TX+KcTjlVphsJL0gTQ=; b=z2gOedctYI1hO0tvcGp+/LmNYyOPsrlW0F6OQj1k/I43XXehtU/zo9mz7gQ5HNQhdw ZqoYFMZ6DCLUDRqt3RejjnekyYLY/K0RyezMAXBBKyedjfWXAcx+vLppB9P9m93cZGIU X7Hr3e0VEDsYE+fdX+55EFKNNy6Y34B6qHdKo9olM1xoapW3M7ovCScU1xVTmITLzgiO RhR5wWSeUr8E/pwSN3S6dpufx4kaN7Z6YuslURmvlgIg4D2/8CejjE7UmqeBtyNLNI8F vt03NnieicPdA0+S01J80Htgk5wZ1o9DzuZWRu9VTZvcHgXKLruRU2J/5l0iDdKdfnFp u7ew==
X-Received: by 10.49.72.66 with SMTP id b2mr8935193qev.20.1377848497472; Fri, 30 Aug 2013 00:41:37 -0700 (PDT)
MIME-Version: 1.0
Sender: m.zdila@gmail.com
Received: by 10.49.74.136 with HTTP; Fri, 30 Aug 2013 00:41:17 -0700 (PDT)
From: =?UTF-8?Q?Martin_=C5=BDdila?= <m.zdila@mwaysolutions.com>
Date: Fri, 30 Aug 2013 09:41:17 +0200
X-Google-Sender-Auth: W1QMn-UN1JhE3elTs242hboPLiA
Message-ID: <CAL520Rm0pRca3DJYC+mxeep2wDf3CH5nQfcgrD+FAo9pfgOGTQ@mail.gmail.com>
To: oauth@ietf.org
Content-Type: multipart/alternative; boundary=047d7b5db1243f0a2504e5255a7e
Subject: [OAUTH-WG] Unclear parts in OAuth 2.0 specification
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 30 Aug 2013 07:42:41 -0000

--047d7b5db1243f0a2504e5255a7e
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: quoted-printable

Hello

There are some unclear parts in the OAuth 2.0 specification.

*1.* In 4.3. (B) there is the following statement:

   When making the request, the client
   authenticates with the authorization server.


In 4.3.2 there is the following statement:

   If the client type is confidential or the client was issued client
   credentials (or assigned other authentication requirements), the
   client MUST authenticate with the authorization server as described
   in Section 3.2.1 <http://tools.ietf.org/html/rfc6749#section-3.2.1>.

The first statement states that client credentials must always be passed.
The second states that it is required only for certain client types.

Also, if a client type doesn't provide credentials, there is no means to
identify it, and so it is impossible to check if client credentials were
actually required.

*2.* Authorization Code Grant and Implicit Grant use different URL parts to
encode their responses. The former uses the query and the latter the fragment.
If the request has an invalid or missing response_type parameter then the user
agent should be redirected to the URL with an error response where
error=unsupported_response_type. But if we don't know what type of grant we
are handling, where to put the error parameters? To the query or fragment
part of the URL?

Please clarify that.

Thanks in advance

Best regards

-- 
Ing. Martin Ždila
Senior Analyst / Developer

M-Way Solutions Slovakia s.r.o.
Letná 27, 040 01 Košice
Slovakia

tel:+421-908-363-848
mailto:m.zdila@mwaysolutions.com
http://www.mwaysolutions.com

--047d7b5db1243f0a2504e5255a7e--

From dick.hardt@gmail.com  Fri Aug 30 00:53:36 2013
Return-Path: <dick.hardt@gmail.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 20C5F21E809F for <oauth@ietfa.amsl.com>; Fri, 30 Aug 2013 00:53:36 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.299
X-Spam-Level: 
X-Spam-Status: No, score=-2.299 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, HTML_MESSAGE=0.001, MIME_8BIT_HEADER=0.3, NO_RELAYS=-0.001]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id eVG57j1475Sf for <oauth@ietfa.amsl.com>; Fri, 30 Aug 2013 00:53:35 -0700 (PDT)
Received: from mail-bk0-x236.google.com (mail-bk0-x236.google.com [IPv6:2a00:1450:4008:c01::236]) by ietfa.amsl.com (Postfix) with ESMTP id 147DD21E805A for <oauth@ietf.org>; Fri, 30 Aug 2013 00:53:34 -0700 (PDT)
Received: by mail-bk0-f54.google.com with SMTP id mz12so557307bkb.27 for <oauth@ietf.org>; Fri, 30 Aug 2013 00:53:34 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc:content-type; bh=O9LbY4gt+DtSC2m/iclJVTUYfaXtjPI6skfb30kSCqw=; b=LoHKoZLfSKkYVVaVGugfDahJH/p2NGnpiDYBQpyLYtGN/4CIUnBmg3mkE/UQrwgNDV M5iucNL+DGbd9AQMixaxlAmzyecujDiPA0NdgkuUGFk/9BkazjNFRF7DF3s1nMy1wLyF /TJXqxMixE6ZM1T0rITSebjzH+FNPNa8YsqCo97o6i478KLU8FJqimpJE2wfifHa72bY fwlfk4Zp4zvhD24sq0XbNaHxlFeo5sRCr17NJQv6WKOthx4GGKB66F6PbYVPzE2mzoMT rV0mKy9O7ZATeDaTzj916zEHzVbI37mfNVbBR1dJrHexuBU8XhpE2to1CIbwtxJV6DPI jApw==
X-Received: by 10.205.35.136 with SMTP id sw8mr318925bkb.35.1377849214077; Fri, 30 Aug 2013 00:53:34 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.204.239.6 with HTTP; Fri, 30 Aug 2013 00:53:13 -0700 (PDT)
In-Reply-To: <CAL520Rm0pRca3DJYC+mxeep2wDf3CH5nQfcgrD+FAo9pfgOGTQ@mail.gmail.com>
References: <CAL520Rm0pRca3DJYC+mxeep2wDf3CH5nQfcgrD+FAo9pfgOGTQ@mail.gmail.com>
From: Dick Hardt <dick.hardt@gmail.com>
Date: Fri, 30 Aug 2013 15:53:13 +0800
Message-ID: <CAD9ie-tT6+hT1Znf-bKn1dCqH3eKZeGiCN-HAGWf3E6c4usUxg@mail.gmail.com>
To: =?UTF-8?Q?Martin_=C5=BDdila?= <m.zdila@mwaysolutions.com>
Content-Type: multipart/alternative; boundary=bcaec51b9e69f5bf5104e5258436
Cc: OAuth WG <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Unclear parts in OAuth 2.0 specification
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 30 Aug 2013 07:53:36 -0000

--bcaec51b9e69f5bf5104e5258436
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: quoted-printable

On Fri, Aug 30, 2013 at 3:41 PM, Martin Ždila <m.zdila@mwaysolutions.com> wrote:

> Hello
>
> There are some unclear parts in the OAuth 2.0 specification.
>
> *1.* In 4.3. (B) there is the following statement:
>
>    When making the request, the client
>    authenticates with the authorization server.
>
>
> In 4.3.2 there is the following statement:
>
>    If the client type is confidential or the client was issued client
>    credentials (or assigned other authentication requirements), the
>    client MUST authenticate with the authorization server as described
>    in Section 3.2.1 <http://tools.ietf.org/html/rfc6749#section-3.2.1>.
>
> The first statement states that client credentials must always be passed.
> The second states that it is required only for certain client types.
>

> Also, if a client type doesn't provide credentials, there is no means to
> identify it, and so it is impossible to check if client credentials were
> actually required.
>

I'm sorry the spec was not clear to you when you read it. Unfortunately,
your question is not clear to me, so I don't know how to answer it.


>
> *2.* Authorization Code Grant and Implicit Grant use different URL parts to
> encode their responses. The former uses the query and the latter the fragment.
> If the request has an invalid or missing response_type parameter then the user
> agent should be redirected to the URL with an error response where
> error=unsupported_response_type. But if we don't know what type of grant we
> are handling, where to put the error parameters? To the query or fragment
> part of the URL?
>
> Please clarify that.
>
>
The grant type is a parameter in the request, so the authorization server
knows the request type from that and hence how to respond.

--bcaec51b9e69f5bf5104e5258436--
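
Added example (not part of any message in this thread): a sketch of how an authorization server could choose the URL component for an error redirect, including the case from question 2 where response_type is missing or unknown. The client registry, the function names and the query fallback are assumptions of this example; the fallback follows RFC 6749 Section 3.1.1, which refers such errors to the error response of Section 4.1.2.1.

```python
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Constructed registry: client_id -> exact redirect URIs registered for it.
REGISTERED_CLIENTS = {
    "demo-client": {
        "https://client.example.com/cb",
        "https://client.example.com/cb?tenant=a",
    },
}

# Component that carries the response for each response_type
# (RFC 6749 Sections 4.1.2 and 4.2.2).
COMPONENT_FOR = {"code": "query", "token": "fragment"}

# Assumption of this example: with no usable response_type, fall back to the
# query component, as in the Section 4.1.2.1 error response.
FALLBACK_COMPONENT = "query"


def add_params(redirect_uri, fields, component):
    """Append error fields to the redirect URI in the chosen component."""
    parts = urlsplit(redirect_uri)
    if component == "fragment":
        # Registered redirect URIs carry no fragment; keep the query as is.
        fragment = urlencode(list(fields.items()))
        return urlunsplit(
            (parts.scheme, parts.netloc, parts.path, parts.query, fragment)
        )
    # A query already present in the registered URI must be retained.
    existing = parse_qsl(parts.query, keep_blank_values=True)
    query = urlencode(existing + list(fields.items()))
    return urlunsplit((parts.scheme, parts.netloc, parts.path, query, ""))


def authorization_error(params, error="access_denied"):
    """Return ("redirect", url) or ("page", message) for a failed request."""
    client_id = params.get("client_id")
    redirect_uri = params.get("redirect_uri")

    # Unknown client or unregistered redirect URI: never redirect, because
    # the target is unverified. Show the error to the resource owner instead.
    if redirect_uri not in REGISTERED_CLIENTS.get(client_id, ()):
        return ("page", "invalid client_id or redirect_uri")

    response_type = params.get("response_type")
    if response_type in COMPONENT_FOR:
        component = COMPONENT_FOR[response_type]
    else:
        # Missing or unknown response_type: the case asked about above.
        error = "unsupported_response_type"
        component = FALLBACK_COMPONENT

    fields = {"error": error}
    if "state" in params:
        # Echo state unchanged so the client can match the response.
        fields["state"] = params["state"]
    return ("redirect", add_params(redirect_uri, fields, component))
```

The redirect URI check runs before any decision about query or fragment, so a request with a bad response_type and an unregistered redirect URI never produces a redirect at all.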

From lainhart@us.ibm.com  Fri Aug 30 05:40:12 2013
Return-Path: <lainhart@us.ibm.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5F66C21F9C12 for <oauth@ietfa.amsl.com>; Fri, 30 Aug 2013 05:40:12 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -10.298
X-Spam-Level: 
X-Spam-Status: No, score=-10.298 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, HTML_MESSAGE=0.001, MIME_8BIT_HEADER=0.3, RCVD_IN_DNSWL_HI=-8]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id CmrLaN19a7JA for <oauth@ietfa.amsl.com>; Fri, 30 Aug 2013 05:40:02 -0700 (PDT)
Received: from e8.ny.us.ibm.com (e8.ny.us.ibm.com [32.97.182.138]) by ietfa.amsl.com (Postfix) with ESMTP id 3950C21E80E3 for <oauth@ietf.org>; Fri, 30 Aug 2013 05:34:35 -0700 (PDT)
Received: from /spool/local by e8.ny.us.ibm.com with IBM ESMTP SMTP Gateway: Authorized Use Only! Violators will be prosecuted for <oauth@ietf.org> from <lainhart@us.ibm.com>; Fri, 30 Aug 2013 13:34:33 +0100
Received: from d01dlp03.pok.ibm.com (9.56.250.168) by e8.ny.us.ibm.com (192.168.1.108) with IBM ESMTP SMTP Gateway: Authorized Use Only! Violators will be prosecuted;  Fri, 30 Aug 2013 13:34:30 +0100
Received: from b01cxnp22035.gho.pok.ibm.com (b01cxnp22035.gho.pok.ibm.com [9.57.198.25]) by d01dlp03.pok.ibm.com (Postfix) with ESMTP id B4973C90041; Fri, 30 Aug 2013 08:34:29 -0400 (EDT)
Received: from d01av05.pok.ibm.com (d01av05.pok.ibm.com [9.56.224.195]) by b01cxnp22035.gho.pok.ibm.com (8.13.8/8.13.8/NCO v10.0) with ESMTP id r7UCYTZG19202214; Fri, 30 Aug 2013 12:34:29 GMT
Received: from d01av05.pok.ibm.com (loopback [127.0.0.1]) by d01av05.pok.ibm.com (8.14.4/8.13.1/NCO v10.0 AVout) with ESMTP id r7UCYTxa005375; Fri, 30 Aug 2013 08:34:29 -0400
Received: from d01ml255.pok.ibm.com (d01ml255.pok.ibm.com [9.63.10.54]) by d01av05.pok.ibm.com (8.14.4/8.13.1/NCO v10.0 AVin) with ESMTP id r7UCYTBi005372; Fri, 30 Aug 2013 08:34:29 -0400
In-Reply-To: <CAL520Rm0pRca3DJYC+mxeep2wDf3CH5nQfcgrD+FAo9pfgOGTQ@mail.gmail.com>
References: <CAL520Rm0pRca3DJYC+mxeep2wDf3CH5nQfcgrD+FAo9pfgOGTQ@mail.gmail.com>
To: =?UTF-8?B?TWFydGluIMW9ZGlsYQ==?= <m.zdila@mwaysolutions.com>
MIME-Version: 1.0
X-KeepSent: A0F347F9:2565A20F-85257BD7:0044B789; type=4; name=$KeepSent
X-Mailer: Lotus Notes Release 8.5.3FP4 SHF39 May 13, 2013
Message-ID: <OFA0F347F9.2565A20F-ON85257BD7.0044B789-85257BD7.004512CC@us.ibm.com>
From: Todd W Lainhart <lainhart@us.ibm.com>
Date: Fri, 30 Aug 2013 08:34:27 -0400
X-MIMETrack: Serialize by Router on D01ML255/01/M/IBM(Release 8.5.3FP2 ZX853FP2HF5|February, 2013) at 08/30/2013 08:34:28, Serialize complete at 08/30/2013 08:34:28
Content-Type: multipart/alternative; boundary="=_alternative 004512CA85257BD7_="
X-TM-AS-MML: No
X-Content-Scanned: Fidelis XPS MAILER
x-cbid: 13083012-0320-0000-0000-000000D833D7
Cc: oauth@ietf.org, oauth-bounces@ietf.org
Subject: Re: [OAUTH-WG] Unclear parts in OAuth 2.0 specification
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 30 Aug 2013 12:40:12 -0000

This is a multipart message in MIME format.
--=_alternative 004512CA85257BD7_=
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: base64
--=_alternative 004512CA85257BD7_=--

